teslacrypt | 9c72b06b612a9480fe769863bc791e13f13584ca6124705893791bf5d303822a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15404f6912d235b375684663cfa239ff_JaffaCakes118.exe
Size

352KB
MD5

15404f6912d235b375684663cfa239ff
SHA1

13fe6ee93149d76b08c60a4911f699e03db76100
SHA256

9c72b06b612a9480fe769863bc791e13f13584ca6124705893791bf5d303822a
SHA512

5459b86dac25855b33b43df70886812714709655342f772d7bfc44b7aca38257b972f3614af8ded63204e9e0d283ee7aec1e10b2b49158cf71ed912af0b3a923
SSDEEP

6144:IXGhTudp6xAOHojA/aPzKxD3YaYC67ekFr7+0e8zt8BqKDKUonDL:IXGhadp6xNMAq2xD30C6ZH+0eet8B+DL

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+qyvys.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D947C7AA5CC886DA 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D947C7AA5CC886DA 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/D947C7AA5CC886DA If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/D947C7AA5CC886DA 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D947C7AA5CC886DA http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D947C7AA5CC886DA http://yyre45dbvn2nhbefbmh.begumvelic.at/D947C7AA5CC886DA Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/D947C7AA5CC886DA

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D947C7AA5CC886DA

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D947C7AA5CC886DA

http://yyre45dbvn2nhbefbmh.begumvelic.at/D947C7AA5CC886DA

http://xlowfznrg4wf7dli.ONION/D947C7AA5CC886DA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2980 cmd.exe

pid	process
2980	cmd.exe

Drops startup file 6 IoCs

Processes:

akucmkdqflvq.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe

Executes dropped EXE 1 IoCs

Processes:

akucmkdqflvq.exe

pid process

2872 akucmkdqflvq.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

akucmkdqflvq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\foatcqvbojll = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\akucmkdqflvq.exe\""	akucmkdqflvq.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

akucmkdqflvq.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\clock.js	akucmkdqflvq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\settings.js	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Media Player\Icons\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_RECoVERY_+qyvys.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_RECoVERY_+qyvys.txt	akucmkdqflvq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_RECoVERY_+qyvys.html	akucmkdqflvq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_RECoVERY_+qyvys.png	akucmkdqflvq.exe

Drops file in Windows directory 2 IoCs

Processes:

15404f6912d235b375684663cfa239ff_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\akucmkdqflvq.exe	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe
File opened for modification	C:\Windows\akucmkdqflvq.exe	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NOTEPAD.EXEDllHost.exeIEXPLORE.EXEcmd.exe15404f6912d235b375684663cfa239ff_JaffaCakes118.exeakucmkdqflvq.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	akucmkdqflvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434245106"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{674FDAA1-82A5-11EF-BFE2-7E918DD97D05} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000d2589aa26c7a469ef8d3adba9d3ba8eb0d06cbedcc159fb287d37f22847c8356000000000e800000000200002000000078e02acec6b3bc56deca0860f6aa8444bb330d262c7db057c361ea21ff2f60a9200000008fe484f9029e7507c2e2f41da8d31ffd9d9d56f24127db7d28e26f6a03c4b45c40000000ac009dbb543fc37b52007af1f3c9dcc362fc9bc992adcabd6fe81f5278072b0bffcadcbaea5241351ec6a37637595447c8fdc6446db3cbf9a2f4b07bf5c62d2d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000009c2436eb955e25f5195868b07800918a524f02d2cec45fa6d34ceb9bbac3299c000000000e8000000002000020000000029f30141fa8aae985b8280e1d89173e040be23474fa236d79eb0d11053b161a9000000030e91c459101ad29fa8ba673b191bf6083bc5ab9d26acd21877a45e966b4fea14b7d83241fd60622b58d44cf8808223511b1c023ac069b7c1b94240d856d56b3dad5de3dcb267e099068e7ca82f4a876e66f0a547d3188594ff8a38b31c7315a82dc8885ab3eb0e2d967cf514502881da91a22866b0ca662b2359d24e334d55d7f2a73bbae3573d29e802a353a6e041f4000000028bc490fcdbe932011669e328f9f6629be6bd8b652041824316233b8bb9081e1b002d6e5f5990f372b1484d80090a503d8e871d7cba51f4c151f5fced182d25c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0aad53bb216db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1480 NOTEPAD.EXE

pid	process
1480	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

akucmkdqflvq.exe

pid	process
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe
2872	akucmkdqflvq.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

15404f6912d235b375684663cfa239ff_JaffaCakes118.exeakucmkdqflvq.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe
Token: SeDebugPrivilege	2872	akucmkdqflvq.exe
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe
Token: SeSecurityPrivilege	3064	WMIC.exe
Token: SeTakeOwnershipPrivilege	3064	WMIC.exe
Token: SeLoadDriverPrivilege	3064	WMIC.exe
Token: SeSystemProfilePrivilege	3064	WMIC.exe
Token: SeSystemtimePrivilege	3064	WMIC.exe
Token: SeProfSingleProcessPrivilege	3064	WMIC.exe
Token: SeIncBasePriorityPrivilege	3064	WMIC.exe
Token: SeCreatePagefilePrivilege	3064	WMIC.exe
Token: SeBackupPrivilege	3064	WMIC.exe
Token: SeRestorePrivilege	3064	WMIC.exe
Token: SeShutdownPrivilege	3064	WMIC.exe
Token: SeDebugPrivilege	3064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3064	WMIC.exe
Token: SeRemoteShutdownPrivilege	3064	WMIC.exe
Token: SeUndockPrivilege	3064	WMIC.exe
Token: SeManageVolumePrivilege	3064	WMIC.exe
Token: 33	3064	WMIC.exe
Token: 34	3064	WMIC.exe
Token: 35	3064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe
Token: SeSecurityPrivilege	3064	WMIC.exe
Token: SeTakeOwnershipPrivilege	3064	WMIC.exe
Token: SeLoadDriverPrivilege	3064	WMIC.exe
Token: SeSystemProfilePrivilege	3064	WMIC.exe
Token: SeSystemtimePrivilege	3064	WMIC.exe
Token: SeProfSingleProcessPrivilege	3064	WMIC.exe
Token: SeIncBasePriorityPrivilege	3064	WMIC.exe
Token: SeCreatePagefilePrivilege	3064	WMIC.exe
Token: SeBackupPrivilege	3064	WMIC.exe
Token: SeRestorePrivilege	3064	WMIC.exe
Token: SeShutdownPrivilege	3064	WMIC.exe
Token: SeDebugPrivilege	3064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3064	WMIC.exe
Token: SeRemoteShutdownPrivilege	3064	WMIC.exe
Token: SeUndockPrivilege	3064	WMIC.exe
Token: SeManageVolumePrivilege	3064	WMIC.exe
Token: 33	3064	WMIC.exe
Token: 34	3064	WMIC.exe
Token: 35	3064	WMIC.exe
Token: SeBackupPrivilege	804	vssvc.exe
Token: SeRestorePrivilege	804	vssvc.exe
Token: SeAuditPrivilege	804	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1988	WMIC.exe
Token: SeSecurityPrivilege	1988	WMIC.exe
Token: SeTakeOwnershipPrivilege	1988	WMIC.exe
Token: SeLoadDriverPrivilege	1988	WMIC.exe
Token: SeSystemProfilePrivilege	1988	WMIC.exe
Token: SeSystemtimePrivilege	1988	WMIC.exe
Token: SeProfSingleProcessPrivilege	1988	WMIC.exe
Token: SeIncBasePriorityPrivilege	1988	WMIC.exe
Token: SeCreatePagefilePrivilege	1988	WMIC.exe
Token: SeBackupPrivilege	1988	WMIC.exe
Token: SeRestorePrivilege	1988	WMIC.exe
Token: SeShutdownPrivilege	1988	WMIC.exe
Token: SeDebugPrivilege	1988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1988	WMIC.exe
Token: SeRemoteShutdownPrivilege	1988	WMIC.exe
Token: SeUndockPrivilege	1988	WMIC.exe
Token: SeManageVolumePrivilege	1988	WMIC.exe
Token: 33	1988	WMIC.exe
Token: 34	1988	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1680 iexplore.exe
1324 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

1680 iexplore.exe
1680 iexplore.exe
1664 IEXPLORE.EXE
1664 IEXPLORE.EXE
1324 DllHost.exe
1324 DllHost.exe

pid	process
1680	iexplore.exe
1324	DllHost.exe

pid	process
1680	iexplore.exe
1680	iexplore.exe
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1324	DllHost.exe
1324	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

15404f6912d235b375684663cfa239ff_JaffaCakes118.exeakucmkdqflvq.exeiexplore.exe

description	pid	process	target process
PID 2272 wrote to memory of 2872	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe	akucmkdqflvq.exe
PID 2272 wrote to memory of 2872	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe	akucmkdqflvq.exe
PID 2272 wrote to memory of 2872	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe	akucmkdqflvq.exe
PID 2272 wrote to memory of 2872	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe	akucmkdqflvq.exe
PID 2272 wrote to memory of 2980	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe	cmd.exe
PID 2272 wrote to memory of 2980	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe	cmd.exe
PID 2272 wrote to memory of 2980	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe	cmd.exe
PID 2272 wrote to memory of 2980	2272	15404f6912d235b375684663cfa239ff_JaffaCakes118.exe	cmd.exe
PID 2872 wrote to memory of 3064	2872	akucmkdqflvq.exe	WMIC.exe
PID 2872 wrote to memory of 3064	2872	akucmkdqflvq.exe	WMIC.exe
PID 2872 wrote to memory of 3064	2872	akucmkdqflvq.exe	WMIC.exe
PID 2872 wrote to memory of 3064	2872	akucmkdqflvq.exe	WMIC.exe
PID 2872 wrote to memory of 1480	2872	akucmkdqflvq.exe	NOTEPAD.EXE
PID 2872 wrote to memory of 1480	2872	akucmkdqflvq.exe	NOTEPAD.EXE
PID 2872 wrote to memory of 1480	2872	akucmkdqflvq.exe	NOTEPAD.EXE
PID 2872 wrote to memory of 1480	2872	akucmkdqflvq.exe	NOTEPAD.EXE
PID 2872 wrote to memory of 1680	2872	akucmkdqflvq.exe	iexplore.exe
PID 2872 wrote to memory of 1680	2872	akucmkdqflvq.exe	iexplore.exe
PID 2872 wrote to memory of 1680	2872	akucmkdqflvq.exe	iexplore.exe
PID 2872 wrote to memory of 1680	2872	akucmkdqflvq.exe	iexplore.exe
PID 1680 wrote to memory of 1664	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1664	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1664	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1664	1680	iexplore.exe	IEXPLORE.EXE
PID 2872 wrote to memory of 1988	2872	akucmkdqflvq.exe	WMIC.exe
PID 2872 wrote to memory of 1988	2872	akucmkdqflvq.exe	WMIC.exe
PID 2872 wrote to memory of 1988	2872	akucmkdqflvq.exe	WMIC.exe
PID 2872 wrote to memory of 1988	2872	akucmkdqflvq.exe	WMIC.exe
PID 2872 wrote to memory of 2720	2872	akucmkdqflvq.exe	cmd.exe
PID 2872 wrote to memory of 2720	2872	akucmkdqflvq.exe	cmd.exe
PID 2872 wrote to memory of 2720	2872	akucmkdqflvq.exe	cmd.exe
PID 2872 wrote to memory of 2720	2872	akucmkdqflvq.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

akucmkdqflvq.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	akucmkdqflvq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	akucmkdqflvq.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\15404f6912d235b375684663cfa239ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15404f6912d235b375684663cfa239ff_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\akucmkdqflvq.exe
  C:\Windows\akucmkdqflvq.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2872
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1480
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1664
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AKUCMK~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\15404F~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+qyvys.html

Filesize
12KB

MD5
851d220d21243953a12df4788858c901

SHA1
d70c80df596f50167382e8704f9771ab9ac035b4

SHA256
792bcdcee317b7c4bc51d014864c9c7f52b0f0f06807e0f844449ada1b7221bc

SHA512
e36fdabdeffacfb49bc002f3f924e2bc8ffebf3eae2ce5437c901782da7169753b9dcf32c0cac6ccd2fd019164d2e2e17b7360e720bdf2b0667a0d622e923683

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+qyvys.png

Filesize
65KB

MD5
a60e00f7ef65dd43e3343679d2c6fc16

SHA1
05ab5cf43a58df7284ceeb4a2d8ce97a3458f058

SHA256
ba129bbae048c54ce298056e426ab38a2c1d2f3fb20b361b349f54f8bc3e3487

SHA512
e26a8326099ae2f0da672a805a97090a0d8229593be9d3cd01d07407d2bcbd3616657073a12007fc9011a95ad13c23ad687112660fd0d3f03793d57947fdca23

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+qyvys.txt

Filesize
1KB

MD5
2dd21707ec52460ba74870ecc7d98225

SHA1
8980294d9943ece7532d0616968004c8eed494dc

SHA256
725a3839a0be761d50beeb17162bf965c5e7af6148e9e0863f32d7a42b9532d7

SHA512
5a63b79c283b0ea4d4fcae175ea2b8fbc2b9fcc813339bbd40a4cd374f6a56566014b4003a2b43af90fa10527e15294ee80b8fc72014c0cf307146d438226337

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3ac40f7aefe18e58e36c88a7b0e14dbd

SHA1
f29dc6983a2754b9a4089619aa73ad50aff71214

SHA256
f45bf24e34a4808bc8fb74e867f36a6fb4be60d5d5d1b1d350b81ee474ea0b36

SHA512
48599353d1f6150b5eded21d3d3c21a6660d75b7c8b3da0c3d64da03214589f283e2ca8858eba65122e3eba104b3e45c38a0a29ae99a03084f352e012005f103

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
306dd9af8a28f90886ce91208977d993

SHA1
999252358837cc4ccbf05e555246070b4e504bd4

SHA256
23d2b69785e942742664fbc6076e9830b79e101dc23780a23215b65d990933d1

SHA512
60d4293f5ae0f38b18fc05bd6dcf9f7773c9505ee57c02e0d00631eb1d168f023ffbd70f1959cb7bb0cf0576b47f4e3cc867f066c6c6378e314d6ae1210a24f4

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
abddb0aef453613029f936b98df383bc

SHA1
2cd0fa273d1ab98ec4817eb9cf1c0eb1caa75728

SHA256
08bb00b167d8e37be24c523409becece801fd4c423de2ad2775f1e033b743ab9

SHA512
0f6c542bf483c45730e21033d9b11e9bf4a8b8ae79e1f97f39eee9f8e39123a9faa3cde197be5f2649dccb2a51f7093e88be240f1f2ec88736bb31236f1a2cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e47910889f69890e109352e301c887a

SHA1
3f7fb103e8d5ca0ee971e903de6e2682c8c24946

SHA256
7fb154dcd2ffaa75aad94d74ca2e40201daf1a31291971d5c8461c2ab7e9a8ea

SHA512
32783a7560c7d7509bdef0bc8f9beb3758807f15a0dd74584751fc534dc3203791dbd00d16c67fd367f8ecb075065be877c9e7434029f002f778b8ffeab80bc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09e47210beec58b44c5be848c10f4785

SHA1
cb4c6ba368f311b6a7abf87ded61823c7bb87770

SHA256
4accd85c2943bb863e78aa78a8b87684888b3d1f9dcb389586298bc7b04a7cf0

SHA512
b6b8b29e1348b2bc5a02ba01b6bf098bc595935bccee7c221095aeb8360bb5eae0200ceebe8a263f5725e3dc88948d3d9f22e392e03e3ccdc80e632d69c07cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ca7724c45f25b88c241b906174d7699

SHA1
3d191ae73bf23077c88eea64f81af3e73b32eba1

SHA256
c8eaa7c07b116b01fac8ffcd3f5fcac160678d148926d547c8aaa40ac74d857b

SHA512
6f330b43751fab10b2386a2932e9d117deeb86821e98104e169dc055535cb7af9baa0dc6010f39c27414384b252b88af35018135e25268e851f5c65160f0d56c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8b40a070116eab220be03ff278ba3bf

SHA1
54ed86882c6c04dcadb0b366d9e483a2743e42b2

SHA256
779234271ea9a02b111bd75d81d606614c599ea88fbed6acadd4b0113a37bd27

SHA512
43bdeaf8f3e058b008e85f6b733326d6dfcbacd018f22543da29cd56b177958aa118c99522c37f3c2189c11672c3d4f40f55b89d488a37eebcf5cd5b90ac4aaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8b69a69379ed8663012f4f3288eb285

SHA1
a2fc49ab74b0d55772f9bb606dab722f4353945c

SHA256
3f50652b2c07f031c3649c51b561bdc5a2012b4f59c1959eb395e40800d5a56e

SHA512
9168dc37c72833b5e7fedd6e0b1f0415a6e8d7e571df3d0093ed4b0db2fd30ad0dcc67003c2dcad1e8839b8243634dcc2df449ce936d3e3f401c1cf1533ac54e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e05d0a116d7d6aaf4a9558861481d93

SHA1
abf3156c0d00da1cd1a5084df2ec523b0845a49d

SHA256
1517bd04c55a18081af15d273eb335b40f052161ab1286fa59b2c80e09c18d77

SHA512
796f3bb623b0023102bdd39457a5fe22c227d9809c583dd1de660a179ec15c879b94bdc4e6d2a993677ecd930e0c35f4b224b7bb3cac00070717c4300b4fed49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5471b411d1db251d528c5fdf25aa3d8e

SHA1
ef2599513bbb426b67a388a3dbf5ce39cfec7a20

SHA256
318f3f4927cdff1cc1415ee161bb4bb712d2bf3457d08f1f7a738917aaa035e3

SHA512
7e1de05a7084b46fa6b344515f0919ff27e6868b79637b7885373caeeccc55e9ec055566b1d5d17d5f4143bf0e7f98fb09915b36a8ec4a5c48da35f921ef1217

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7331e8b241f3798c49533bd123330a47

SHA1
f70484db976b12d75fe691eb48c30f83a85e03df

SHA256
b1463ae6538ba5534b20d5cfa25b94bc139567f042bd0b367d4904708a477ec4

SHA512
2020d8af6e1eab1828b45b28f5280cbd8f723c9f0c06fee0c8cd7225bbb023a6199f67b3a59f829bc2314c5453fba75271c3c2019273a89eb371eb651eaf7ea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58493689dd8508ec2f04d44d6a80f137

SHA1
b53605835b4393fcfbe04ef23fc254f873181969

SHA256
26e2e9d72d3f2a2a9f74b146033e81a11ac7c5d1df537d553be5405904fb90cf

SHA512
1a1e780fc4c3827c36809f3963c2b58bd178d8df8caa4960f4e4273708fd603917338e43c5eabe7524ab5015f2289c858e5fbcfe14f9da5a526ab9d64387681f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf4dd2cbe69b37269654eead58f20552

SHA1
c346cb152392a2fff5215fabd51978d684710518

SHA256
164a09d14d44ee604b971a4eabf34bc3a7048c09f52fcad74b4cd8f00f8ff955

SHA512
847174eee979417e5e12b89a68c8c63cf7c37827e5db0f65a97b34fef7458d6ceb0b7dc98928ab5ccf97d2e92aca05aeba95aded1dd502dcef9a33f7035926b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd1f5e6b028bea7a86662eab0bd3457b

SHA1
cb469c255ba54dc60b5bcfbcea8d5266f0961221

SHA256
9bfd24133e2a4a6c505183c1b6beeefcbf462b1a9be8aa9f7d4794615d7845c3

SHA512
58078d7145d8df194c1dc649834f3e38d3ade3f39e966d766a2d6ade3b88c096b9d5370cbd9baafda20d0192d96418c69406e2295548491a1cc64a3ae3dbde37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
089fe3371e38e36aaf4fe4446f70e9df

SHA1
4fda41643c7033ca1aa5df7ed5be169f51870918

SHA256
9b770869235f267c9c0d8a78e32ec974327a81d7e55d3c929db074a294af70a4

SHA512
12caf37a1614b4581dcf2765cb4ecd9192cfbfaaa66933aaa7113a5d1d77aac030caa16dc11da2b207e38fc63f1c06972a2f102ca37106f5492de956f5858e4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
438d229dae565e96d90c96b782907e1e

SHA1
8f376e476be4b36db663be1d7446278331f2abb6

SHA256
e137ff30502255b28555ba052495d243185b15586586674c1cf6e70bb01cdd80

SHA512
1f4c61bc195bb0c19aab8567c8981b9899b85d47b6669f1554c76b03b58877ef601fab92c23bd95d40982d7f880da5334c0aac38271de45116d7f2b3eb5b41bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec8ba03f8d2ac59b0057fadbcc93202b

SHA1
08b378ab73b80354875a636b57fe113a8067638b

SHA256
f1d1407cd22cbd7688e0b6274def3db9c871bfc9c27cf7fc3548260f7fe5dd07

SHA512
5ef87ae345d84d298114842b8fb3ef5f064b46b39f898473fdc6a72f1bfd3b96b43d512c7437437b5bfd9d6479da3883c9ce489f90f7aeb08ad6a2199af746c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0652a39e03c6da1e41153b0f898c465d

SHA1
2e3ed02435b133cbb8118306fd770f12bde72b47

SHA256
5efff89affa4bfd276c11869314e75876fa88d797997efe57867f9e8741b8e1a

SHA512
b7e00e22c76c885b458f86a6c2bfa4c4079a00d120bc39704715c04dcdc3392c35cf9a2adda727457c3820b7255e313fa5a2526443897fc83bf5fccc97f80e70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0fa7167d6484467aa11c945d6e241f8

SHA1
2e8f25755b992c0986edee213965b266957db51d

SHA256
698787ec5c2f31818bbe33013a8cce6951bee03fd83cb39ea86a868ca588ce14

SHA512
245cda5c4b6c7dc748074a2929182d31c8349d69d06e622d728058fd7f26d5f9455d967660f88e7a5d42f90a49cc793e872ff763e0438545a951368ca57a10b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61a79a2d35abea2b1d72335fd13aa453

SHA1
0d023f6cd6ae426054a96c87a938b2f7ac565774

SHA256
09077d1f1ff9ff7715b8e078d7a468a07993f0d234b6b21f799d20c143617c42

SHA512
afe2dce3508a1d52aa6f9dab3f4801e310d4e93f4e2b32d97298499ba810f44c18def6e05ad21465afd857c9b5b9712831cec9cff7d838efc41d55d408e115a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b19224f5dddec33ea049ec2294f8e23d

SHA1
0f84374700e974887b84701c529251e11beb4650

SHA256
b0353d3fc33b658174fb04ca1dea56aba26536e3f3d6ca6dbba1ea346614936f

SHA512
0116ba74db61ddf06f2610791bd8fbe89f9a3ea2d1f57532b2be58d9e96bcadc0750a0f98c3a8584a38939d7d76ff6b0617bc19586c53965817bae0886c3f08d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2aebb88f24f50c414fcdb28c5bf5859

SHA1
965dfcc793ddb3b082f7e3ec45378149b88cfb22

SHA256
2c2a434f37dc8756837ed3c7ce084641a81004ac0be86a9dee718330b44e02c7

SHA512
daea7fcefe6aa547e3902446020d78fdea13301bfe92eb6b4389dd54e1438118bcd2b46a68931ea6e7f3ae4425a2484c137e3700939aa2ac6c37a791739a36e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7005.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7075.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\akucmkdqflvq.exe

Filesize
352KB

MD5
15404f6912d235b375684663cfa239ff

SHA1
13fe6ee93149d76b08c60a4911f699e03db76100

SHA256
9c72b06b612a9480fe769863bc791e13f13584ca6124705893791bf5d303822a

SHA512
5459b86dac25855b33b43df70886812714709655342f772d7bfc44b7aca38257b972f3614af8ded63204e9e0d283ee7aec1e10b2b49158cf71ed912af0b3a923

Download Submit
memory/1324-6075-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2272-0-0x0000000000360000-0x000000000038F000-memory.dmp

Filesize
188KB

Download
memory/2272-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2272-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2272-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2272-8-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2872-10-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2872-1709-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2872-2011-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2872-5391-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2872-6079-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2872-6074-0x0000000002A30000-0x0000000002A32000-memory.dmp

Filesize
8KB

Download