teslacrypt | c03c3fde100ab3c72104543c1dbb99f6110f24b4caa1b0846af985ebf6a45115

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
Size

376KB
MD5

050489ff4a10d6cc0897e237f6623e1b
SHA1

c2f9927d5f5a8b50f18fa0a91684c9de02345201
SHA256

c03c3fde100ab3c72104543c1dbb99f6110f24b4caa1b0846af985ebf6a45115
SHA512

b8987b7f20379205b964954644a84acb98ad0daa8258a8b6267abea399ac1d2e79f3f17181d7f0b4fa6e7faa65c217999176ea4ec6fcae598844d24868c6b9b9
SSDEEP

6144:te3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:tY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ssxhe.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/7FF72EB84ACC1343 2. http://kkd47eh4hdjshb5t.angortra.at/7FF72EB84ACC1343 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/7FF72EB84ACC1343 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/7FF72EB84ACC1343 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/7FF72EB84ACC1343 http://kkd47eh4hdjshb5t.angortra.at/7FF72EB84ACC1343 http://ytrest84y5i456hghadefdsd.pontogrot.com/7FF72EB84ACC1343 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/7FF72EB84ACC1343

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/7FF72EB84ACC1343

http://kkd47eh4hdjshb5t.angortra.at/7FF72EB84ACC1343

http://ytrest84y5i456hghadefdsd.pontogrot.com/7FF72EB84ACC1343

http://xlowfznrg4wf7dli.ONION/7FF72EB84ACC1343

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ssxhe.png	pcysgevgprqy.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	pcysgevgprqy.exe
2604	pcysgevgprqy.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\undojqknoagq = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\pcysgevgprqy.exe\""	pcysgevgprqy.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 2792 set thread context of 2604	2792	pcysgevgprqy.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Media Player\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\localizedStrings.js	pcysgevgprqy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Microsoft Games\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+ssxhe.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Recovery+ssxhe.html	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\Recovery+ssxhe.txt	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png	pcysgevgprqy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\Recovery+ssxhe.txt	pcysgevgprqy.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\pcysgevgprqy.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
File opened for modification	C:\Windows\pcysgevgprqy.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcysgevgprqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcysgevgprqy.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{91C5E9C1-7FCE-11EF-BC08-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703f5566db13db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000a890564945f95bf422427bd39aa3521e45da97dfbdc06d3ad29b3de740b72dc9000000000e8000000002000020000000626a68e5d0f5a2d520e227464b7739a48fc357d32742692d0322a605189bfbe2900000004cf62fcbf57799496932b8f0df14a3b8bb84ace077ce893506a90e5cdf8dbd7bea58404ade68d83cae4c2748b0984de55960660d549ec9f099835fe5ecf9d4de14c42b88fade03745f6612e10c5f291ceba2017ac109c57f9728d1e0713b7ff205a427cf0e9fd4577356a5e88508232ffbeddfaf8e07ec532248160abb93d935f770a1a1c3361cbc62a90faaa1bc4d1740000000e266a98830c3100b6d4cf583013f3e1501db0059dc4cd7c28a62921cdff2bc280481eb872ef29dbbe0a91604b95c1edbf1e3babfb6bc2e2e25ca4e2a85b15964	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000ed1991a16d5d39bda26c70c317f8619bc31c3904038051f1b587b58daa382733000000000e8000000002000020000000ec33c924a7e1f00aa72e34aa2ca4d6a2a4583ca809e323fc6aae0e5d8aa3b9dd20000000aaf814dcd7c84e5826f8ff1c3aaec78ebd6a45bafb08b7deaa0492740f46c6b8400000007370807e3c83d43f1d46e8e7563c50ae4b34ff37a6d8212557092f629446bfcd4ecc1104add7f508eddab9545c6bd045cfe95745674d22f4b6d656f2ee233651	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3036	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe
2604	pcysgevgprqy.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	pcysgevgprqy.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: 33	1840	WMIC.exe
Token: 34	1840	WMIC.exe
Token: 35	1840	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2760	iexplore.exe
2660	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2760	iexplore.exe
2760	iexplore.exe
2132	IEXPLORE.EXE
2132	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1940 wrote to memory of 1828	1940	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	31
PID 1828 wrote to memory of 2792	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	32
PID 1828 wrote to memory of 2792	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	32
PID 1828 wrote to memory of 2792	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	32
PID 1828 wrote to memory of 2792	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	32
PID 1828 wrote to memory of 2936	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	33
PID 1828 wrote to memory of 2936	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	33
PID 1828 wrote to memory of 2936	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	33
PID 1828 wrote to memory of 2936	1828	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2792 wrote to memory of 2604	2792	pcysgevgprqy.exe	35
PID 2604 wrote to memory of 2572	2604	pcysgevgprqy.exe	36
PID 2604 wrote to memory of 2572	2604	pcysgevgprqy.exe	36
PID 2604 wrote to memory of 2572	2604	pcysgevgprqy.exe	36
PID 2604 wrote to memory of 2572	2604	pcysgevgprqy.exe	36
PID 2604 wrote to memory of 3036	2604	pcysgevgprqy.exe	40
PID 2604 wrote to memory of 3036	2604	pcysgevgprqy.exe	40
PID 2604 wrote to memory of 3036	2604	pcysgevgprqy.exe	40
PID 2604 wrote to memory of 3036	2604	pcysgevgprqy.exe	40
PID 2604 wrote to memory of 2760	2604	pcysgevgprqy.exe	41
PID 2604 wrote to memory of 2760	2604	pcysgevgprqy.exe	41
PID 2604 wrote to memory of 2760	2604	pcysgevgprqy.exe	41
PID 2604 wrote to memory of 2760	2604	pcysgevgprqy.exe	41
PID 2760 wrote to memory of 2132	2760	iexplore.exe	43
PID 2760 wrote to memory of 2132	2760	iexplore.exe	43
PID 2760 wrote to memory of 2132	2760	iexplore.exe	43
PID 2760 wrote to memory of 2132	2760	iexplore.exe	43
PID 2604 wrote to memory of 1840	2604	pcysgevgprqy.exe	44
PID 2604 wrote to memory of 1840	2604	pcysgevgprqy.exe	44
PID 2604 wrote to memory of 1840	2604	pcysgevgprqy.exe	44
PID 2604 wrote to memory of 1840	2604	pcysgevgprqy.exe	44

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pcysgevgprqy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	pcysgevgprqy.exe

C:\Users\Admin\AppData\Local\Temp\050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\pcysgevgprqy.exe
    C:\Windows\pcysgevgprqy.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\pcysgevgprqy.exe
      C:\Windows\pcysgevgprqy.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2604
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:3036
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2132
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\050489~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2936

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ssxhe.html

Filesize
7KB

MD5
22ff0283cbeaa39b94fa03247363e511

SHA1
ca61fb0d04b5ef29b225055eeb98a4c620527b84

SHA256
a322e7fb4b62701f05461fd961b0e68c8046bb06463b2d55b76a4b61980e962f

SHA512
fa04ca8e92a2e67ee79a6a42ab5d7644261fa8e9c82f3a1e018792630dd55c1a2a637c242da834c9b0b40d264d4010300d101a40170091326bf5b64e6d3470fc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ssxhe.png

Filesize
63KB

MD5
a31436e9dcdab182b9c94fa78d8ddd1c

SHA1
ae772c4aa7a0a0ab888e8a50e256eca4034beea1

SHA256
543d821f3d106aa1b23c3a7a78b822a2f36010688eb504adc049cb3fd2eeae7d

SHA512
bce9142c2276ebf3f4b2be7bab196080993766b0677ae72c1c7782029f4e0d7291e60cbf44921a10df7267bb1ffca95887ccd4ad550f8461dc0af8d447614bac

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ssxhe.txt

Filesize
1KB

MD5
e1516ff527335a78d2aeb34bfb731383

SHA1
ff7a54a78141c524547d6913faffb3f752f71889

SHA256
874f3feacb87e77698b740ac2f4c97d92a47c1e4d07604f9a034bbe922870c2b

SHA512
e2e55f9dee577d346f8c70b7f72df276bdb8a3fa5e33509892e394c2da2059fd1c2c24ed71c39ff17c10d103491187f17c7be149fa8a6cb899391b8d874dc966

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
a88fb302142423c4e7cb7af54d2763f9

SHA1
3418c9d3776f59c104667978b1c9973ac1f13934

SHA256
e3e7822a158b6ec53424ce72c10e38e188de6eca2d263d6f859e96624c0c26c6

SHA512
6bb036efc081a1e077122598441585993546b385d6d5c20ef00e12424922e06d3e5a519302a2150f1a44c828aa79e5952204d4a8308540a313fc91a37fb7b71e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
552b021d1eca4a11a022d1bd92e29a0a

SHA1
173b16273295c4ac2e391e82ad81b2bf41cf03af

SHA256
e53504a52731ad1e50be7ff1e205f0f48b37438ce6b19d2dd445a075f721bc97

SHA512
9da8372588edb39e0b03d3bc3fea0bc9a4af395e26e5e27bd9c7ff209e76230a0fd0e40c4c8042fc5baf3aa8b33ebb7838102acad2c2cd1f2e85a42b4c259739

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
b0aabb216d233a755f29aa9464ec6e79

SHA1
190f6ba05cdf8674a59040fb565ff83997e762aa

SHA256
ea1c5604d95de5293ef01d60685fd9483e4fc012f3422339dfef541af95d9f31

SHA512
457a990e88fd618ac3acdd7758affdd61beb9dd6b58931992b491331eb22e76c2b34c799c57ab5ce71d005fbd65e959d6e530e4f084a5d6d5a3d3fa6695e32b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00bd67121863440eb8026adce080b08a

SHA1
5d00f53ca16978dda1c6175aa7ced87ebef01938

SHA256
4faf6f5c6f14c59c5d7d57d4269a8b498bc893940eca05360822e2b5e61ef2c3

SHA512
a6bd8f115c5596fdd3d7033a38937fc0141367366a6c11afe364e788a7777b17790cd86d039005c910930e36c3b80d2ebf2fc0fc94febea3e7d4515331e3eb21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e93feca4bb126068c4614c0c43a6c795

SHA1
bd625cdc2e79d7454c89b09a35ee15d92d647126

SHA256
1a172e35947ee63ebace3ef9fedf2689f562167d704be3d88a303a5a5623769e

SHA512
455efb56af8c36b8aa55c60c30c68d3a852a242c77f1faf7547b2421337da96f7067d5ec08ff3f30e5b9c453a232d214f89011d2d5003bb62d7c1c1e47a5e5d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb56e1ecba188ab2f2fac653296b57f8

SHA1
ae98988027c1a3f571b9e225e1616ba20ca9aac8

SHA256
d9feb952c46a28e6e3e76c7fb2d345f92a6b69ee66b640a93024bc8bf184934e

SHA512
080191f3db5c4733d8d1e6effa80cb3f51caee2c1034d7c974dbc81714fcc895cdc1b8adf5416418249b020ee0ff98745a3f549d775a98c57e12aebe15f07fd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87f67fa3987f29347bec37994b599ad3

SHA1
6d7f77cfe219f062256760c1778d632bdd8837c0

SHA256
42d2fe4f02fd3373edfd3faa78846df357bab5d717f9b48537294e5b8e8bf820

SHA512
4831143489967ec89806cc814a37bffde6f13899c0b172cee614c6e4ecef31c69b89b73ef34b0fa8a2f66040562ced020a04a2f15a0f14769360314ab01ff6bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daaf1ac6462b90c669551d0617dfaea6

SHA1
58e81471ac0376000f0d4113dac513887f9c6e8b

SHA256
a363d7747f8c4b471900d3bb44f5dff9febc6fec0f51c70337b6e7a9c22822b3

SHA512
0e1f57cd78d20e771a688e4b0c3d6226d0824f0b4d478bdee191739344ce3e4d686e526f946e3f984c2798d668140376c018f2ab959af6017ff6dc30c5dbeeb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee2eadda6e35e0b69d890f1ee4287907

SHA1
191e50b5cb3c32befbb393a6d9cac22101bb11d2

SHA256
047205643c1c86518233a2443136f55a444fcced6a3f73397dca0dafd5fd226b

SHA512
e0250204a8a7cc16ea41f219b409d9f4ac2b1d0b06f38ffb5b494747878335c09d061b809be6172edc350c00f23cbead05c0c3935636a6c98dae52a1a2f130f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ef3e81b0bf53ec0318682b315c0d959

SHA1
522385674b5eab64e499cf6d97bcdf1e39694029

SHA256
9efb0802b9f5d80119a5392245c4945702341e8ca2f3383bfaa738e8783b13db

SHA512
2918b1d834fdfc6f1ad3ff02c177a4670482be26df0b09f25d901f3329f1c9d2c1026892c3b09fa0549c3f74cd20e1efd85409f27a9c8fc59ba74beecba4b664

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2a9f658b7745c7eeb587e9b1bc4e6a2

SHA1
8f42418f8c6ab6e345d13cfec61fa9ac537b0bfe

SHA256
09d90385535f4dbb2e4aab946137f14031215707e61485083208d637006c46e8

SHA512
f5c0edf19a3158f1b0d6be7bbbb3697e2022ca4b89914de56f23777be85b57d030f5c84d599173908f640cdb163d0aa1ceac494a3db2a53eedbd14cbcce96f54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a346fe438c714d6bea2a743e4b12fc0

SHA1
c27c5a739e2391d1d8264554c524601b0e313f01

SHA256
6833a34c79d936d6031d719eeb7c253f32e193d5be71787ea69dcf275ecbfd43

SHA512
619f78d307f2957332a200a1a85b4d59d7ab44aaaa43702542744af34113d7fe12518f89d7399318e67bcb58dac605dab7ee98c004c640d3f2afebc79a8233b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2898.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2939.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\pcysgevgprqy.exe

Filesize
376KB

MD5
050489ff4a10d6cc0897e237f6623e1b

SHA1
c2f9927d5f5a8b50f18fa0a91684c9de02345201

SHA256
c03c3fde100ab3c72104543c1dbb99f6110f24b4caa1b0846af985ebf6a45115

SHA512
b8987b7f20379205b964954644a84acb98ad0daa8258a8b6267abea399ac1d2e79f3f17181d7f0b4fa6e7faa65c217999176ea4ec6fcae598844d24868c6b9b9

Download Submit
memory/1828-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-30-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1828-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-8-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1828-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1940-19-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/1940-0-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/1940-1-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/2604-4960-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-52-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-6540-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-1832-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-1835-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-55-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-6082-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-6534-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-6535-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2604-6088-0x0000000003F20000-0x0000000003F22000-memory.dmp

Filesize
8KB

Download
memory/2660-6089-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2792-31-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download