teslacrypt | b464d0c13debdd28629b1b90a007540ceb7fc4126948c56e46df11c84dbb5038

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe
Size

336KB
MD5

d3f2742f51910fb4a22103fdf1b21487
SHA1

ae106a029a3c157ece018ea2b23e97fc4a039357
SHA256

b464d0c13debdd28629b1b90a007540ceb7fc4126948c56e46df11c84dbb5038
SHA512

5d4638b814d939c600369cf0f3c4dc24e2d9be85752d9450b5d8c05b216bea2761b70e76fd99b48f6f1891a87d2b0d494527fa4cc1c17236f354bfa8953fc991
SSDEEP

6144:6dVu4o9uXRkondkyLVLcHBf0CNI4W8WOAHAU9M8NVgEzeJgF6vE8O5:yVuzaRkondlVLchfazOAgU9MQbzeJe

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+ljtvu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/F75EA3C6D4D0485F 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F75EA3C6D4D0485F 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F75EA3C6D4D0485F If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/F75EA3C6D4D0485F 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/F75EA3C6D4D0485F http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F75EA3C6D4D0485F http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F75EA3C6D4D0485F *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/F75EA3C6D4D0485F

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/F75EA3C6D4D0485F

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F75EA3C6D4D0485F

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F75EA3C6D4D0485F

http://xlowfznrg4wf7dli.ONION/F75EA3C6D4D0485F

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe

Executes dropped EXE 1 IoCs

pid	Process
2204	miwqokyqopvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfrydbpcshfv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\miwqokyqopvc.exe\""	miwqokyqopvc.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Google\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_RECoVERY_+ljtvu.html	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_RECoVERY_+ljtvu.png	miwqokyqopvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_RECoVERY_+ljtvu.txt	miwqokyqopvc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	miwqokyqopvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\miwqokyqopvc.exe	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe
File opened for modification	C:\Windows\miwqokyqopvc.exe	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miwqokyqopvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B967581-6DBC-11EF-B267-4A174794FC88} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d10650c901db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431946046"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000a9c722c156c7b322c7508df0c1f0c719ea0679e666315e78ed8493b1851735a3000000000e8000000002000020000000b1dde6275c9a90116f0a6cdd7140c05e2c70f0e92547724cce30af57eb3372fa200000002733d12acdce9f55320aab923ffbca8e020d9c7376ce42ea1292a1d09821ffd54000000033335be37068e8d8b8b3e665680b1bca2730b2f3f965af68e1d5b3e0a67e0de4a1ff98652343736fd4ea855b0cc4df602487eb20e9e33db456141fbdbb16d3a4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000638679c8c9384f35ec1b6f7123eb5fdd0a23adcd03a27c28cd8cd49b5972bad7000000000e8000000002000020000000dc52ec9e4657f6609e84901ff440894d5bc42be28d416eef59dc0b06fa598548900000009f8d122f0f46bed817d9771e57a44f38cdcd4f723ff65e3d334f380462b8f541d47a4cd1ca8cad5de38d65d5a95461599752271a8ea987c426991b873a4ac46ae7f2c1fb377d70532bba0bc657978f2d25c44db7649efb50a01c81de9774d55f6d5be04250442acca3ae0f96226c43ddc71f2dcdde06c10af82a62b11f849d6631a12b1eaf1409e296525573ace5ea514000000011190f034c55b387d20db955150be0f61b971d13c8f666b2e3821b167a4277598e1287274d362dde47ce11ed78478d11986eb7fd839ddd703a00d4174a4dd3b7	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1808	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe
2204	miwqokyqopvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe
Token: SeDebugPrivilege	2204	miwqokyqopvc.exe
Token: SeIncreaseQuotaPrivilege	2568	WMIC.exe
Token: SeSecurityPrivilege	2568	WMIC.exe
Token: SeTakeOwnershipPrivilege	2568	WMIC.exe
Token: SeLoadDriverPrivilege	2568	WMIC.exe
Token: SeSystemProfilePrivilege	2568	WMIC.exe
Token: SeSystemtimePrivilege	2568	WMIC.exe
Token: SeProfSingleProcessPrivilege	2568	WMIC.exe
Token: SeIncBasePriorityPrivilege	2568	WMIC.exe
Token: SeCreatePagefilePrivilege	2568	WMIC.exe
Token: SeBackupPrivilege	2568	WMIC.exe
Token: SeRestorePrivilege	2568	WMIC.exe
Token: SeShutdownPrivilege	2568	WMIC.exe
Token: SeDebugPrivilege	2568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2568	WMIC.exe
Token: SeRemoteShutdownPrivilege	2568	WMIC.exe
Token: SeUndockPrivilege	2568	WMIC.exe
Token: SeManageVolumePrivilege	2568	WMIC.exe
Token: 33	2568	WMIC.exe
Token: 34	2568	WMIC.exe
Token: 35	2568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2568	WMIC.exe
Token: SeSecurityPrivilege	2568	WMIC.exe
Token: SeTakeOwnershipPrivilege	2568	WMIC.exe
Token: SeLoadDriverPrivilege	2568	WMIC.exe
Token: SeSystemProfilePrivilege	2568	WMIC.exe
Token: SeSystemtimePrivilege	2568	WMIC.exe
Token: SeProfSingleProcessPrivilege	2568	WMIC.exe
Token: SeIncBasePriorityPrivilege	2568	WMIC.exe
Token: SeCreatePagefilePrivilege	2568	WMIC.exe
Token: SeBackupPrivilege	2568	WMIC.exe
Token: SeRestorePrivilege	2568	WMIC.exe
Token: SeShutdownPrivilege	2568	WMIC.exe
Token: SeDebugPrivilege	2568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2568	WMIC.exe
Token: SeRemoteShutdownPrivilege	2568	WMIC.exe
Token: SeUndockPrivilege	2568	WMIC.exe
Token: SeManageVolumePrivilege	2568	WMIC.exe
Token: 33	2568	WMIC.exe
Token: 34	2568	WMIC.exe
Token: 35	2568	WMIC.exe
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2512	WMIC.exe
Token: SeSecurityPrivilege	2512	WMIC.exe
Token: SeTakeOwnershipPrivilege	2512	WMIC.exe
Token: SeLoadDriverPrivilege	2512	WMIC.exe
Token: SeSystemProfilePrivilege	2512	WMIC.exe
Token: SeSystemtimePrivilege	2512	WMIC.exe
Token: SeProfSingleProcessPrivilege	2512	WMIC.exe
Token: SeIncBasePriorityPrivilege	2512	WMIC.exe
Token: SeCreatePagefilePrivilege	2512	WMIC.exe
Token: SeBackupPrivilege	2512	WMIC.exe
Token: SeRestorePrivilege	2512	WMIC.exe
Token: SeShutdownPrivilege	2512	WMIC.exe
Token: SeDebugPrivilege	2512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2512	WMIC.exe
Token: SeRemoteShutdownPrivilege	2512	WMIC.exe
Token: SeUndockPrivilege	2512	WMIC.exe
Token: SeManageVolumePrivilege	2512	WMIC.exe
Token: 33	2512	WMIC.exe
Token: 34	2512	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2672	iexplore.exe
2564	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2672	iexplore.exe
2672	iexplore.exe
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2204	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe	28
PID 1608 wrote to memory of 2204	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe	28
PID 1608 wrote to memory of 2204	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe	28
PID 1608 wrote to memory of 2204	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe	28
PID 1608 wrote to memory of 2952	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe	29
PID 1608 wrote to memory of 2952	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe	29
PID 1608 wrote to memory of 2952	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe	29
PID 1608 wrote to memory of 2952	1608	d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2568	2204	miwqokyqopvc.exe	31
PID 2204 wrote to memory of 2568	2204	miwqokyqopvc.exe	31
PID 2204 wrote to memory of 2568	2204	miwqokyqopvc.exe	31
PID 2204 wrote to memory of 2568	2204	miwqokyqopvc.exe	31
PID 2204 wrote to memory of 1808	2204	miwqokyqopvc.exe	41
PID 2204 wrote to memory of 1808	2204	miwqokyqopvc.exe	41
PID 2204 wrote to memory of 1808	2204	miwqokyqopvc.exe	41
PID 2204 wrote to memory of 1808	2204	miwqokyqopvc.exe	41
PID 2204 wrote to memory of 2672	2204	miwqokyqopvc.exe	42
PID 2204 wrote to memory of 2672	2204	miwqokyqopvc.exe	42
PID 2204 wrote to memory of 2672	2204	miwqokyqopvc.exe	42
PID 2204 wrote to memory of 2672	2204	miwqokyqopvc.exe	42
PID 2672 wrote to memory of 2356	2672	iexplore.exe	44
PID 2672 wrote to memory of 2356	2672	iexplore.exe	44
PID 2672 wrote to memory of 2356	2672	iexplore.exe	44
PID 2672 wrote to memory of 2356	2672	iexplore.exe	44
PID 2204 wrote to memory of 2512	2204	miwqokyqopvc.exe	45
PID 2204 wrote to memory of 2512	2204	miwqokyqopvc.exe	45
PID 2204 wrote to memory of 2512	2204	miwqokyqopvc.exe	45
PID 2204 wrote to memory of 2512	2204	miwqokyqopvc.exe	45
PID 2204 wrote to memory of 2740	2204	miwqokyqopvc.exe	48
PID 2204 wrote to memory of 2740	2204	miwqokyqopvc.exe	48
PID 2204 wrote to memory of 2740	2204	miwqokyqopvc.exe	48
PID 2204 wrote to memory of 2740	2204	miwqokyqopvc.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	miwqokyqopvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	miwqokyqopvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3f2742f51910fb4a22103fdf1b21487_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\miwqokyqopvc.exe
  C:\Windows\miwqokyqopvc.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2204
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1808
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2356
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MIWQOK~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D3F274~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+ljtvu.html

Filesize
11KB

MD5
6f5b52f4b9e42f0df144813b6b68de08

SHA1
e8f0b7cdd63de7dd41590abe6165d9446c2df716

SHA256
9fce423a5c3288262273957633ed988a88a014c450ceb3a96992b2d03fb34fa8

SHA512
13d91876f091b74dddde29f56ea6019bfc8aa8e1680811e583a1bb6f33fabfd492b0534afa663c7d4a0c1b8de7ef9691ec17e6acef75418cf4e92bc9092a99b4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+ljtvu.png

Filesize
63KB

MD5
7b35cf14b8c2fe422b56c645623a1420

SHA1
cdc1ec6c7b670bd3c49476bd36d729bd721a5c5b

SHA256
86d75c38174fc489cc4b3c3596f4d12136a6b673c9f2b006a006b5d0d508672e

SHA512
ad0041c883cf7ffb6cc60aa3de36b9cf0b3f20a885ed49987da05f39e605077e0d4d471af69e41bbe1a1d31b961d7107ce7519df892184faafdff6b9313f65ca

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+ljtvu.txt

Filesize
1KB

MD5
490f482d9abc0e885708bbd1b6dd239b

SHA1
c557ac1373a47d2a533addc7a29feb304e9620f1

SHA256
028c93394884834e02012f446d3520ff8431ecb783dc0a9fbee89917088777d9

SHA512
4099ce48c4ee69a1ff0085f73a71af91182d7351ab956271db8c0998fc291e8210673ca18ce336a71056261f23a30bb78a20e1c2d5fc5a87f9636beab6c02f6b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
bfb0636cba98b30702e5a14f096534a9

SHA1
434ae3d304387457c60b6babc9dc9c03ee475f10

SHA256
e6dd68f135f055457014c0a8aa0632ce0fc48706dc9e46460a27d5e2a85d251c

SHA512
d094769394d6efabdfa7d282f6972f1abd68672d6ae83e9c0f57eeb9033792e5e44c9a8bfe882219b198fed8ee21825209d64ec58c82d956dc411c6cd55e78af

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ef62638ef06d9090e131196285aa67ef

SHA1
fc04412d9a9df7a76ee0e372239927b2372aa869

SHA256
275740278d63805830dc0112021fb760565f5b61e01971a019dfbe5dfedebec5

SHA512
99f963f7260e317e9f3f8da35baf16229fc7f43667f060c6f3a5f795100feabe662c71b1600c1cdb777a5e64904c49bad5a093bd481163056022e6c2874a5e30

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
b22e410150a4b74f8ad120965d26f2c5

SHA1
e8e8e19b7284193a697ae2921e47a3a2201f700d

SHA256
05c8271f2d7b2f19a7c165b44bc14fe59e19c726ffb18025db814ddbdc4cd69e

SHA512
285c0d240a422def92da4fdde232756cda5ec9e6efbd947c7e4903c1a95df4bf1ed43d745ffe23351afcd7cdf0ecafe26b4e5d094f699eed3f19f82c334be1d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14f23ba778577bf9090ee8427c282c51

SHA1
55a73ccadb0e028d47e2024e0c050599ed612a2b

SHA256
e0b73534b24552f63040f46a19462ba16cc4d4411ed3e6a10f8c97481e08754d

SHA512
154409135873858644fcb6b4ab8b62073d64552184f4f9665d8c343271d19b0ee307adc3d0972ec75c542735602038ead80c2dc6a08a426283f6f3bfdb862614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b9d003c4e081caa01bfa1980b272be3

SHA1
ee735f0baaaf7e5f8d6aec1072467c5269c7a469

SHA256
33a6810b18445dd30498714c36bec15ad1e57390cd773134c15dcc8b84ad4dc8

SHA512
73602e559ef2be9202ad31aada804d328770f4295fb5900147ceaf9d534423ceb4d9eb8924783efd3ee7caeb4d147b598045dd489869482018cda36efb723957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a471db927ad1291a91cdf298ee3a7e60

SHA1
4b23b209c8718bbcc501735017115a75f10470ad

SHA256
491541509734c578681272a5e8d99d8bd7f9905c4d2b522072011246e0036d3b

SHA512
34eca8639ba263a8d35d33de3b0d3305f40f485f87a87b405f230403f3400bd44903aeb286fe1cb45d9ff40b8f5773074f8ed9205c66b3fa03e3c5dc0824af4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2633255da0744f690308d3e464ebba58

SHA1
1e64f67218dd8f176d09b41fa3df91ece02a2831

SHA256
83d8090e1198e592e75a9a59a69e03cc95a271bd308570a106fc9240a5bec13e

SHA512
8481e2b982150023965859bbeb1e35f344232a5b9026c088b0b17bff58096fc8a7168d5998d4f8ef382b745324cecc16792ef4de53fefef64f586ff8c945e47f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82d5607844af4e57ef1e2f4cfb6da64d

SHA1
bc9a19b1915660fc8ad467386c1a0b9ebcc622ea

SHA256
bd87d4b130ab9740042bf03c07ec0b6eab32dfcb81641256b80a4355c1d3a1d1

SHA512
09d78b07a45607d639843a5f707c7bd77e4d50d7db82a4e05fbf0807cdb7085da2be3f9f595dfb7ef7b46fadf6945121449f324330825fa50f2e3f6bd4870985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95b35aae2ddd64997309aec1987d7ec3

SHA1
a10e24c099987f95acdcfa29aa6f91bb4708a418

SHA256
98e891b9944ebff75702d2461e749b2ab7a45e347915f6ddb10714b2e65068ff

SHA512
65f965bbdf23ed4a720487db3de695ad54de7488f9a5c65131439d851f9738b51e5b51b40fbf9555aba6d102a9367b7d3734bdc5dbd436b321e44b96e0ce3874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ffa22c9a2f287b366bca5f301caf3d2

SHA1
a894a585e4f4cf9b198cf029ef0907f1019d5931

SHA256
135d373d5ffa31320d131f85975ab91fac78a6be9bfcbcdcc29e1049295b510f

SHA512
ae54ba2ae02bffe198e716030a7a2482ddee485c9ce5542ee9b3a0a0b4742fbfa5bac346eb3a289c91c1bd6c75f91f9ea64ba4cd61ea2edcfa1035a29beb71fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c84d2a0e1a2c5289a920dfd98130acf7

SHA1
660df3edee5e751cd8fd00367716ffba816ae9ca

SHA256
6191fb973bce0ab425511886e8af975ab7c6a0eda6f859823e33a6add9862dd4

SHA512
86c0f10f3426b99c2debbdb05f082d2f2777be9d62a8e55fa514ef71597d41ea53730c18d468010828e5a0b7699703eeb844bf9f0e897bbe518f2c3ed844f998

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1923a11a995e46f9c3f43d8aa9674bd3

SHA1
56cd94898cf55c9ab196093d50fea13b4029f379

SHA256
46ddbe54c209d4b25cb1afd5829fd4b6abc4a348eebeb1ef0cc97a52d8f32939

SHA512
e1228bd51767eb72b47a81f62ae2489a4e562610ae7043456d0c8c1b175be3df88139a4b96ff93e3af6fe3ca37ddc39ace5f2040ad696d8170bcf321695dee2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fa658cde0b792552367a63518c2eb75

SHA1
ac621626ff8cc44094bb67de6781e0b1e3b55922

SHA256
7f72141452bdfb10cfa5101b64e080f504e7e898cc835c7ff52cd2fb1f759e0c

SHA512
96536d90337234f9e8755975a9e25f79db9d618faa7d786d229b04f5a97fc2fd877953c29f51782b37f04233358e6de2cbbf27d4022513cbbf0e5a85ce78f976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6524babafb12e6be9ba67214f9cd37df

SHA1
e004d9d4317d55d8849c274cb024051a0c34cf9b

SHA256
7ab5d9ac1e0583b275aaa03486d948a27e651835a54fbae20bd97d0cb55433f2

SHA512
e910d5ba39cb869b7de783018317aaf1539d0b4d16e97ba8a90b67cf9505bffd9f922ced645f61a0df09fb7a6109ea8bdb0ad5097fb8b5247d5534b71e712628

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e638199f4ee09da236824196119c985

SHA1
cd28dd112ad540f13a51edec90cfdf49eece60ed

SHA256
8cd8a40215a7e677acb0cbde806b82f204fd88c84cef468c1a7feca487efd025

SHA512
0944ecd74fdc80bd8bb7decfb96722c7a1821a39a938516d7da2d7e63a55863d24e935c27e4ebc45bc773107fe7040d2468bb55782a35f5ef4d2f84a6e19321f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0beb89da9f41fdcc35e3eac008b56b15

SHA1
24a330cd7c35c249a81b21f7b48e403c677fdff3

SHA256
c05f96da476745d2ab7d50d07bce5a5ae38135703703b3670d1d4752200a672d

SHA512
a5d1e06fb1fd76afbaedde515c8167a0b2795d5cbb0c8ab103249715daf14b2b3a189c55e915fb1e503eeda5735ab4b67f2dd3896a44ada471a80e1a9ccbb5da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e84a13deab9032a74a1cd8109805c854

SHA1
74535bc8f051e197202128168102d14aa81f8eba

SHA256
ef26911584c353c7f253f9288a12c91c7afe6cfb13c35d9b33cde35be4165e78

SHA512
5d7137bcef27eb8e4dee4d584c3cc669a502cf4f676ee9450fbf84c89db28129037aa97dbd9c2c15aaac420b5ab9c266958cb56ebe1e512568f9ccc8e71581fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48092f6edf7321fd50076245b444eca9

SHA1
f963b9d92b0fc7fc2a433e36f8d9d55d2e986461

SHA256
e8bcbf40fee32d10f438b8439d57af35af29225eab71fa8d2bc139e9bf026bca

SHA512
34683531f69593496a6509ea5cb700f924175a409790d66c55056ae8fb8a0845cdbfc867b4d84fcd3c647ae4a20f0b8a2af37c72ce395085acb71d779901ed7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d05cc400f6df8c02ac25318aac579a7

SHA1
9be9f67c8f274c1fa3a195458ead9b93433b4a09

SHA256
565fe6836d93e1dccb89344567bc4ed84551f0852ca12f2f2c8ba6b121925d10

SHA512
956fe8928e894b1332adbb14cdaf5ead538712d0cefd01ff7d9e78f5cc212c27c313e8619c37e4fd901b4caf8f80b34c6af616ce379103915f96b138b633788f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cffdd7fc4225690fe1a7807e47c6f7d8

SHA1
2980b08028412d68d7330bfa63dca7509aa47eab

SHA256
3cdf4e116f562e0477a6bdb8e866e2cf8b6a5f712e96c8256368ce33214461dc

SHA512
da06a6fbcea1b6e1481b36510ae67438d0bb15577af7cf5e03ca688ac7b62198af8d9bb3cdef363ce8bc41483ace2fae973df346e9368f5461e21e7637a5554d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2a897a7c69df09ccfb9077cbb8b8970

SHA1
7926fa2e0c632371c6634e170a080f8ddf875355

SHA256
52c2b119ce2b06a57100387e557848ba8beca9d056842968854b72980b1f1869

SHA512
dfd54a16bb52d4a67e731ec6140f380d85a0c5ef11a8b633d4f7b3a64adb9b9191a9fd4a35984945cbcfca1fef228dce5d0a594ed670c5362838b6cefa0c11a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB72.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE33.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\miwqokyqopvc.exe

Filesize
336KB

MD5
d3f2742f51910fb4a22103fdf1b21487

SHA1
ae106a029a3c157ece018ea2b23e97fc4a039357

SHA256
b464d0c13debdd28629b1b90a007540ceb7fc4126948c56e46df11c84dbb5038

SHA512
5d4638b814d939c600369cf0f3c4dc24e2d9be85752d9450b5d8c05b216bea2761b70e76fd99b48f6f1891a87d2b0d494527fa4cc1c17236f354bfa8953fc991

Download Submit
memory/1608-8-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1608-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1608-9-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1608-0-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/1608-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2204-11-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-10-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-6474-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-12-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-1340-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-6027-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-6023-0x0000000002C70000-0x0000000002C72000-memory.dmp

Filesize
8KB

Download
memory/2204-5243-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-1910-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-1914-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2204-1006-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2564-6024-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download