teslacrypt | 4f8feb7aa33b137b2ea3670722b29e9d6e4d66b1538a14aa445beaa0875afb63

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 17:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe
Size

340KB
MD5

af7bc2ae2fa1cd1e8a492006c1fba828
SHA1

fe0324e49160d0b206b23e10d34d6f12cd234da1
SHA256

4f8feb7aa33b137b2ea3670722b29e9d6e4d66b1538a14aa445beaa0875afb63
SHA512

84ae87530686e6b24c6139e2acb1645e67b033002e6fd0031bdda05ea837e4b819439053ce771eaa56d407553420bad163d56f466e39c8601133655fa194a73b
SSDEEP

6144:HtY1LwQ/VVMixib/6+dx040XljnZm766y0:HqdwQ/4qi3dxD+bN6y0

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lrllc.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://t54ndnku456ngkwsudqer.wallymac.com/61B49698D7BFE45 2 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/61B49698D7BFE45 3 - http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/61B49698D7BFE45 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/61B49698D7BFE45 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/61B49698D7BFE45 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/61B49698D7BFE45 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/61B49698D7BFE45 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/61B49698D7BFE45

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/61B49698D7BFE45

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/61B49698D7BFE45

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/61B49698D7BFE45

http://xlowfznrg4wf7dli.ONION/61B49698D7BFE45

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (408) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	jxcvvfakcvqt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\rlkccch = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\jxcvvfakcvqt.exe"	jxcvvfakcvqt.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\NEWS.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\clock.js	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseover.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_ReCoVeRy_+lrllc.png	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_ReCoVeRy_+lrllc.html	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	jxcvvfakcvqt.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\_ReCoVeRy_+lrllc.txt	jxcvvfakcvqt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\jxcvvfakcvqt.exe	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe
File opened for modification	C:\Windows\jxcvvfakcvqt.exe	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0fd99ac46bfda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8332741-2B39-11EF-9BF8-4A0EF18FE26D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001108c3098d741a44b44e130d3bf148f9000000000200000000001066000000010000200000009b1cb42ff4315878cae7f658662d3ac73d163f02eab81b0f54d22652c5a6854c000000000e8000000002000020000000dab452524995c504ab29a425b55cd7edadb86268d34e484d4f11ce4bf3a86070200000002186104e24a3e24dae7b4d5189d484792056e46f7f06a4ea4ac68f83bd423eaf40000000513d1ba6c58f3b063ec504b9ce1aa8d50040f50eee1b2a6e8536188952c722bd376d8b83d27e1e3acd83040c0af889a3cf762fe8d20c1afae94d8312c9532965	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424633158"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001108c3098d741a44b44e130d3bf148f900000000020000000000106600000001000020000000685c69659f63de03838cd3c5af455dc9459c3143b8ae889350570d18d703634a000000000e80000000020000200000004261d55222f752c2a70fc5e27974845c32eece1319d7366175de61affb424dd7900000000b57a233438c34ca358640fc4f369a213557a330b31368a7b8d6d4cad9c4b21ed72e265eae5b33205b6f67b4f30a547112ceb69b8286ae4a218514770401c31a25a11d9fecbf79d45e3cc0f83a851de83198e63610c691593cab12522c05097413135c002cade0bab6000efb83a7def8451f909a7e0d90b0bd8a3f32c5c206ebaf463535cddd8ffdae99a43cfb41f2cb4000000070aca924d7c31f064e14d692ec57c753c20352693756f59a50dbea4c5bdbec5d17fe8368129e7e7123a589d0425afa21a56fefade496317516d5143b4864dc0c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2628	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe
2012	jxcvvfakcvqt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe
Token: SeDebugPrivilege	2012	jxcvvfakcvqt.exe
Token: SeIncreaseQuotaPrivilege	2612	WMIC.exe
Token: SeSecurityPrivilege	2612	WMIC.exe
Token: SeTakeOwnershipPrivilege	2612	WMIC.exe
Token: SeLoadDriverPrivilege	2612	WMIC.exe
Token: SeSystemProfilePrivilege	2612	WMIC.exe
Token: SeSystemtimePrivilege	2612	WMIC.exe
Token: SeProfSingleProcessPrivilege	2612	WMIC.exe
Token: SeIncBasePriorityPrivilege	2612	WMIC.exe
Token: SeCreatePagefilePrivilege	2612	WMIC.exe
Token: SeBackupPrivilege	2612	WMIC.exe
Token: SeRestorePrivilege	2612	WMIC.exe
Token: SeShutdownPrivilege	2612	WMIC.exe
Token: SeDebugPrivilege	2612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2612	WMIC.exe
Token: SeRemoteShutdownPrivilege	2612	WMIC.exe
Token: SeUndockPrivilege	2612	WMIC.exe
Token: SeManageVolumePrivilege	2612	WMIC.exe
Token: 33	2612	WMIC.exe
Token: 34	2612	WMIC.exe
Token: 35	2612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2612	WMIC.exe
Token: SeSecurityPrivilege	2612	WMIC.exe
Token: SeTakeOwnershipPrivilege	2612	WMIC.exe
Token: SeLoadDriverPrivilege	2612	WMIC.exe
Token: SeSystemProfilePrivilege	2612	WMIC.exe
Token: SeSystemtimePrivilege	2612	WMIC.exe
Token: SeProfSingleProcessPrivilege	2612	WMIC.exe
Token: SeIncBasePriorityPrivilege	2612	WMIC.exe
Token: SeCreatePagefilePrivilege	2612	WMIC.exe
Token: SeBackupPrivilege	2612	WMIC.exe
Token: SeRestorePrivilege	2612	WMIC.exe
Token: SeShutdownPrivilege	2612	WMIC.exe
Token: SeDebugPrivilege	2612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2612	WMIC.exe
Token: SeRemoteShutdownPrivilege	2612	WMIC.exe
Token: SeUndockPrivilege	2612	WMIC.exe
Token: SeManageVolumePrivilege	2612	WMIC.exe
Token: 33	2612	WMIC.exe
Token: 34	2612	WMIC.exe
Token: 35	2612	WMIC.exe
Token: SeBackupPrivilege	2456	vssvc.exe
Token: SeRestorePrivilege	2456	vssvc.exe
Token: SeAuditPrivilege	2456	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe
Token: SeSecurityPrivilege	1584	WMIC.exe
Token: SeTakeOwnershipPrivilege	1584	WMIC.exe
Token: SeLoadDriverPrivilege	1584	WMIC.exe
Token: SeSystemProfilePrivilege	1584	WMIC.exe
Token: SeSystemtimePrivilege	1584	WMIC.exe
Token: SeProfSingleProcessPrivilege	1584	WMIC.exe
Token: SeIncBasePriorityPrivilege	1584	WMIC.exe
Token: SeCreatePagefilePrivilege	1584	WMIC.exe
Token: SeBackupPrivilege	1584	WMIC.exe
Token: SeRestorePrivilege	1584	WMIC.exe
Token: SeShutdownPrivilege	1584	WMIC.exe
Token: SeDebugPrivilege	1584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1584	WMIC.exe
Token: SeRemoteShutdownPrivilege	1584	WMIC.exe
Token: SeUndockPrivilege	1584	WMIC.exe
Token: SeManageVolumePrivilege	1584	WMIC.exe
Token: 33	1584	WMIC.exe
Token: 34	1584	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1900	iexplore.exe
1716	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1900	iexplore.exe
1900	iexplore.exe
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2012	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe	28
PID 2300 wrote to memory of 2012	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe	28
PID 2300 wrote to memory of 2012	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe	28
PID 2300 wrote to memory of 2012	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe	28
PID 2300 wrote to memory of 2744	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe	29
PID 2300 wrote to memory of 2744	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe	29
PID 2300 wrote to memory of 2744	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe	29
PID 2300 wrote to memory of 2744	2300	af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe	29
PID 2012 wrote to memory of 2612	2012	jxcvvfakcvqt.exe	31
PID 2012 wrote to memory of 2612	2012	jxcvvfakcvqt.exe	31
PID 2012 wrote to memory of 2612	2012	jxcvvfakcvqt.exe	31
PID 2012 wrote to memory of 2612	2012	jxcvvfakcvqt.exe	31
PID 2012 wrote to memory of 2628	2012	jxcvvfakcvqt.exe	38
PID 2012 wrote to memory of 2628	2012	jxcvvfakcvqt.exe	38
PID 2012 wrote to memory of 2628	2012	jxcvvfakcvqt.exe	38
PID 2012 wrote to memory of 2628	2012	jxcvvfakcvqt.exe	38
PID 2012 wrote to memory of 1900	2012	jxcvvfakcvqt.exe	39
PID 2012 wrote to memory of 1900	2012	jxcvvfakcvqt.exe	39
PID 2012 wrote to memory of 1900	2012	jxcvvfakcvqt.exe	39
PID 2012 wrote to memory of 1900	2012	jxcvvfakcvqt.exe	39
PID 1900 wrote to memory of 1268	1900	iexplore.exe	41
PID 1900 wrote to memory of 1268	1900	iexplore.exe	41
PID 1900 wrote to memory of 1268	1900	iexplore.exe	41
PID 1900 wrote to memory of 1268	1900	iexplore.exe	41
PID 2012 wrote to memory of 1584	2012	jxcvvfakcvqt.exe	42
PID 2012 wrote to memory of 1584	2012	jxcvvfakcvqt.exe	42
PID 2012 wrote to memory of 1584	2012	jxcvvfakcvqt.exe	42
PID 2012 wrote to memory of 1584	2012	jxcvvfakcvqt.exe	42

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jxcvvfakcvqt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jxcvvfakcvqt.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af7bc2ae2fa1cd1e8a492006c1fba828_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\jxcvvfakcvqt.exe
  C:\Windows\jxcvvfakcvqt.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2012
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2628
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1268
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JXCVVF~1.EXE
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AF7BC2~1.EXE
  2⤵
  - Deletes itself
  PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lrllc.html

Filesize
14KB

MD5
6b6dc0b2bd2db20ba6f9e5cb0bc096e9

SHA1
0fd4af68e3277872a6a8b9721b1956b3a78b17da

SHA256
4b9cb206aa9834b56dc7c73bc7c9ce88fb3a615721e32129cec3ba0798ca73d4

SHA512
b3450f236e5c0559862eaa49e52fec6a44ef44e4f3394ec3998ef89b8c305f1bc3c9f38de598f4bb44cbee70eb65900d883bca5cd7a12a1a4c2c3d6cbd85018c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lrllc.png

Filesize
63KB

MD5
645b716b9fe74f525e6bcf8ecba4b222

SHA1
1919514ece33e244210a3a79150f506a54ed5a0f

SHA256
7be2f532506440e91e82f3cb45d27ee06db2b2e3a75aa789dd6955d1b9c839da

SHA512
392d3929f4d397145b970e0259ac8c35d0a39d8a5ea4c8aaaa45ad6044e534932ff0d03aa7739436df0f3aa830edfc671bea8210a5cfa26a4b0f4d2ed795d542

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lrllc.txt

Filesize
1KB

MD5
e3d679da937566600c8124641dbb29df

SHA1
be5dcdff418d5153710653f774ed282866ca3dcf

SHA256
926db614d498a5d8d1aff0fdff7d91a3296dd226ce630b1305e07ba07060cfed

SHA512
7fea5dee54c7c25d950d02cbfe62c8cb60535cc8c8d8c4f1a2db819dcefe66048bc952f4cdeda0c96de20af5a4326675dd2fd3800113a525a7e151a32aea4770

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
0bd0b72c8b6ee349fc28f58c5d35739d

SHA1
c1adc7239ca3f9e228dece958069e14cffb1d677

SHA256
196894f37ba846a971d3f3ecab6fee2794c09cc97a365ae3ee4d7d317fd4dce3

SHA512
3d78f50aa1eaa31327c962de36fefdf8c93a9ac8dd26f575ed7e656b51e49756b1f9408086aa5920e9f91a19642d8cfd3edb941fdaac403d140a9a58360acf63

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9dd58d667e6fb63ce312c3979d453428

SHA1
079860659f2b5c5557b0f2dccaf37fce2c89b08c

SHA256
f7d505531176aedca5760b08023d2f531dc89d8b79b89f05e0365827f9598688

SHA512
9f546e2eee2c020696830bb878f1a0dccbc242245be485f521a2c563041cba18ca3256a41cd9dee8a991fcbeb0af7ff45cd78d09121fc4d07ab76897fb2a7d24

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
75474cdce1d563ef0e6ba204db64d100

SHA1
c9ddfd46344c3294cf1b3236b6772690d90c17df

SHA256
983ccf525b28242db7cde9915c1a34d3a14aa386a0abee72f093cbe3a8e5724c

SHA512
a2c8627e586aafa93448c14fb7c8a13458c54d0beb15cba70f4a4b57099332fd78c2184ed901fa01bd0e598654eb537c9582beb59f08a605c4e654b9b56f9b0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf0d564e2d7fef7e576f5159a03e410a

SHA1
31131d4a6d75ce21d876fe2020be84fbdded801f

SHA256
f5a17d724b6a5380427bf72db30905db88da3b55b78716e486ccbcf4cbf87bec

SHA512
e0f73e0ed4b2e27d07ddb8cc25efe119574fbbc81b9e918e66f924355fea42cfd39870301dd32f6e77092a7e67e26535a852b2c1c6a511bd3b9b26947583d795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50b6a67c467c357fdcb21a28448edca1

SHA1
9e28b94b8dc6cdd9e3f35faac0f919b6293f0310

SHA256
947a6429f3ef66ff2110b13b3b36f7c7d08f9a55d94b3397abfe445591ab7a46

SHA512
4431411918f6bd78b07e52d99cd03ab1e2cf021d5aacc0d100b18e19762a9b8372f9bea386f93390f2759be34fb25f6a4d215728cad2556b4c5d6a29765980bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67d5da467ec4fffe6d16bb30f5a48f12

SHA1
4958c398f64489775cab7c81e8f27293872e6592

SHA256
888c3b50c7b3154e3d30cd4a1047434dc7650cc3fc5b69fd15b778950395ffc0

SHA512
ac644bcbe48016dfbcbd5945c8be7fe4b4d17a82755dbf52791e2530f044940cb3549ba42d49c3c466ba8454cbe823d37e3bec80cab663af6dd3a87be1039f8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecc6109d513742723e10517bca0268dc

SHA1
1e0e56957d7b103237b8c07e1e9d894eeaee5fc6

SHA256
d598750462f1e64ac5c7cd546ceb5109999a2210aa9934d793b03e6d9269b70d

SHA512
5eb0212681d24562d29e2a3e5e6324f40f8d56628e3708511f7aeebcee1fce995f752d70f90d881ec45e4418e3612c56cb32d06ff3e09e830cb936a74588fae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30c23ee9175eeeddfebf75118f71f6d1

SHA1
eb667e8711b3403992a9949e9e17c618c9eb1912

SHA256
8252b61ea5c46f288bb1ea2e618ddf55b3a36a3c121682baac241441a0ef1c1f

SHA512
b86afb179e8b5f600f436279f1cd9510682fad3fce4389c1321f7cb863124a6721390663bebd577983d3bc6d0ec0045c5f2a1fbea09305259041914f304e1628

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
818969ff0077b1a2c654af2a1ad92891

SHA1
109c0f08c8c5ef109eec7c47d3bae358fd9d647f

SHA256
b68c90caec956da3b65966cf7ca8dbf97c9d81376f8d9fd91e57c7dda0905bdc

SHA512
0be04e4525a3a7c909a467f6027b4d98ecb85c848b96b7d70844ce895af8122a2169f361a8fd576b96e6785d798830aea304b6f1990b4a7f7a5f29433d5de8f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dae2f309c3a6c73ce22409bd4fa48d5

SHA1
32c4e67678b912f59dca99baedd97f0802128145

SHA256
53c77cccb61a05e343e9e777a182838065e4a7638de37b075f5b6b821eade757

SHA512
c4b17a17809032c5f629e36da38f0bac55f79f48d96fc90404f492e0929d20a043d6e6805e69b02dc506cd0cae29cb36d3f324b5718d064dba1d85cdf2e1e63f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef352b3cebfb1e13b035874fb3828644

SHA1
0e3de0f79330001143dc45f9f53c09d06ac85a32

SHA256
bc4010a03b0055a659a9b94be82f20df537b86218c6034e4bb7dc205cb560b22

SHA512
46ebaa458b00353cac3607de55ba334d3875bf974cdb8298d08964f10c68587b1b5742ceeb91a703715e91bf7a48460a30d8fd63aafbe5f4f3d6dbc8f5b28d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa48d1a1d7fe2a900c8aa78799fec40e

SHA1
02e326805e47276c78a7d9663585a50e7d85a53e

SHA256
d12effe8984a2fbbb18b623d09537d9b06d1b6dc7ca295db885d30818c2946d0

SHA512
3b00707fba334cf3b7fef4005568dd1467e4c79fa6d27a72475b2835b86cb2e01ce3ad7aed18e334f0563d1f641a4e2d58d823a744ea5ad947ba12bbe9c16ce8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d5de57e06e9d839e3d9d1ea70fbdafd

SHA1
0f6fad2d54b894a234343f932233ffff9938cf55

SHA256
ba0ddc14574c3666193e97ef87836b06ee231f4fccfd51af6d767eb9f290ce86

SHA512
ab48293e6d8a82fd1dd89729e831acc7161d4968f57b816c51baf82ffd2e61825bb72442bfbe5d2348a28f75e403ce0810666bf4e5c2b2b134b44811f548fe23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d19e0f7b34faf4e3d4cda125904ea47a

SHA1
8162cb28018e46b231bd2a188460cf762ceabb44

SHA256
42fc60262014597906d8830b101f2a2886ca241c485dc0e0bb836ca4948a711e

SHA512
3a3928c4b7118fbb8e33bc38b138871eb58b86f72b79a2d8b6f2754b8f4a1dec27f062c74763acffd8ffd45329a16fb290be9aef2e105d4a31d91bba46cf7e46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d361315aeaeff9a5fb4cac2ee1859bbf

SHA1
b3c7f6a6b04dbfb0e0dcd8fa69e0c785ded57c94

SHA256
a50695f98952c2574b43c1b05215e61fb72d9e0f40841fad5380acb9044d17ff

SHA512
9c13e331950340cee0d3a2bd4fda95c66af96389058d2475983c68381df5f54de42d65825465e37e5d61094a851970f311845d99ba2cd9b2778486f676d1d6db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92806aff9ebb2983bef62ea61e82df83

SHA1
c0a89a4ea50d2d340311e2f2f3ee1160846a068f

SHA256
1b08fa3db2337385607d63d456c12bd8857ba02b47f5b99d9e60c40bbed022b7

SHA512
d820873b1a28a3a23ec69b261567db067a7a7e78db412fc428315eac3f5c028a6c74504145384290e5265425eb176ad46fd528ba6a08a8a06139c588b6339583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4742782771e77540d477a2379749f978

SHA1
0630038fdee61e6057969e0636324c3a81c8f17b

SHA256
27a2b8dd3a41bdfa41259cf9f5f9d52d46564645ffb5df22693155730f7d08d5

SHA512
1966468eafdcde169fc67923b870a65a914953c50c7b70ff739065e30cd5a6e74b1ca3560fd70c3a22101fb57b761905cda62860fd4d72408867ad14d5ab886c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
607bf1650c1f72b705da5e2c92c5bd29

SHA1
cf7752adf1dd1a2911e2d9d04d63484f3d4293d3

SHA256
5fc03cd20035305a95d00d6294352ab7176c5616c1a6b791290c1ec799d5aba3

SHA512
60225168a283e8dbbd9ee43e23e9ffae6a3098011c23ece8ae3a74b783b9be1a9b2fefb59aeda2fb5cc468aef72f47acbf9f33ecd4018bb666ebaa035f0d5284

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7954b84f0a02e0ac8e23fc92eab87927

SHA1
4abf117c528293f13d183a47c93051a1a9ecc2a5

SHA256
86d35e4603686efc226e73b7216e5ff034df08ae5e6b4f94956856f5c2b9cb7f

SHA512
f9cef73e578233716cf0f3faa9e7f4f1786020cd6a8c96ff4253aeb61a5f553677e745526f2304abaf8e4467f1add136f62d9e577bb63a5fc5276a4218409ca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d720bf0aff92f3002c36961d994df23

SHA1
ee7763e4b39f3e534bc8ab747189c5e95c736ae2

SHA256
1a1f5cb61025066f9c98e0f72395947bb3720cc3b8a9581f007cd7768e6342e2

SHA512
cd58dd9314b7654c017690275000bac47548bf075e7ace18874a93911d9498abba15399852fed5ec5f0bda17691e730b899333193598f111fea17f459cc1ae59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f470bf944f6f1dc5c689c898ca7dcca2

SHA1
5e1563a832748cc81f9b374fccbec64f447d6a84

SHA256
02e88a5758c24d456444de814ced5bcf338c316b5c78c68a4b05735aff62a537

SHA512
845f6849c198ef87e476abb29dcf4e6f9bd6fad93d1bbeeb7dd5702febdadb527966a7271a7dd1d7a61309507a4325ceb4ee257f133c79ff89302ac1caae5db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4294cdd6fde6a18ed5f2c57795c05c93

SHA1
c7133b7831a273483611618d76b01820c5f34fd8

SHA256
494b92e770219b7d43e7a706a57544471e80c49287a718b0ba9c4fd7c0ff4483

SHA512
fc7319bf509738a8280b4ca02893deab55c0505dc9dcefb9f7943841bde428329373f59e752e1778aa37049ac986d5e05a2846d39b250f910140faf83b397222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab891E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8A11.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jxcvvfakcvqt.exe

Filesize
340KB

MD5
af7bc2ae2fa1cd1e8a492006c1fba828

SHA1
fe0324e49160d0b206b23e10d34d6f12cd234da1

SHA256
4f8feb7aa33b137b2ea3670722b29e9d6e4d66b1538a14aa445beaa0875afb63

SHA512
84ae87530686e6b24c6139e2acb1645e67b033002e6fd0031bdda05ea837e4b819439053ce771eaa56d407553420bad163d56f466e39c8601133655fa194a73b

Download Submit
memory/1716-5951-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2012-5954-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2012-10-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2012-2266-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2012-5146-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2012-5950-0x0000000002E20000-0x0000000002E22000-memory.dmp

Filesize
8KB

Download
memory/2300-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2300-0-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/2300-2-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2300-9-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2300-8-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download