teslacrypt | 62aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe
Size

369KB
MD5

3b240ca653bd5467b19e195889c07c6e
SHA1

bfb732fd34099fb9f4467cfab185a4bf3bb28e95
SHA256

62aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6
SHA512

32242830aaf7fee32d16e86da4d602640fd360f24ae309bc5391c130ca384b951ac97f9ecc1f596bd7c7b3933c589dbd87ee872b4dfd8cda62835143e04e0296
SSDEEP

6144:fo07Ev9jgh+J0J+l/moekR1MlvlMa0FIe03ncsCMYZx/FqDN6TETpspvQrMX1r9:ftQVG+JIe/mGzMNlMVFC3Xi/YwOi

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+nhtta.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6D2ACC11884859A9 2. http://tes543berda73i48fsdfsd.keratadze.at/6D2ACC11884859A9 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6D2ACC11884859A9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6D2ACC11884859A9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6D2ACC11884859A9 http://tes543berda73i48fsdfsd.keratadze.at/6D2ACC11884859A9 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6D2ACC11884859A9 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6D2ACC11884859A9

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6D2ACC11884859A9

http://tes543berda73i48fsdfsd.keratadze.at/6D2ACC11884859A9

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6D2ACC11884859A9

http://xlowfznrg4wf7dli.ONION/6D2ACC11884859A9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (411) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe

Executes dropped EXE 2 IoCs

pid	Process
2608	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\jbqqcwoqscgo = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jxpgfuwensvp.exe\""	jxpgfuwensvp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2608 set thread context of 600	2608	jxpgfuwensvp.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\es-ES\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Reference Assemblies\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\MSBuild\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\_RECOVERY_+nhtta.html	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_RECOVERY_+nhtta.txt	jxpgfuwensvp.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_RECOVERY_+nhtta.png	jxpgfuwensvp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\jxpgfuwensvp.exe	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe
File created	C:\Windows\jxpgfuwensvp.exe	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jxpgfuwensvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jxpgfuwensvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4043f1ffc81cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B79D2C1-88BC-11EF-98F1-4A174794FC88} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000003ada9b7aee330b733662ecad410e6eb7c3e49a47f56dc74dd4e22709a0058544000000000e8000000002000020000000147dc5b777021f2f80412d6fd396638cceafd6d60680e8d22a19e522a5908b399000000009fb581e072b450f2893ce30bf3f613feaaf53fd4ff99cf7dfdb6fc66fd30adcdb159decfd4a89cd7d737f6564bdbbe48070863456bf8cd49b991e61b700e3fe015c7c99378305c67a9094708f0b073ad0cbe3d2eb4f50a3c9ed6eb4fb4e372ffac3a220175e8b850b998b9efadf0e7f1a4eedfe5ac7c311159365019e50a2af1038e591a7b66af32517122dc636c559400000005cc3ef81608f272e14c8e56d6b491125d75e629d997f84ae78945b3fa312aaaa7e21df941b2ff1216b5d09a24ac9af7adeaf917a459ce714ea28c33b52085e18	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000947b272932394e568a377ebcda578eb5e4d14b54de1ae63df971bde2f01ca8ac000000000e8000000002000020000000aae1e1cc2781b299d7bdf3ee7c565a69ba8014b2b9ec132a645b20fba0f507222000000031eca34db09488d1b47566c22c9727d1003bd95e85379054670ffb5c561ee4434000000098e5c29c525bf5b62ec06a445f5cf4c65db95a095640a9caba01cff7e24c156734a7b5319654692ccc929868128457870fa3e87601ed59fbc1cdf10275d696de	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2516	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe
600	jxpgfuwensvp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe
Token: SeDebugPrivilege	600	jxpgfuwensvp.exe
Token: SeIncreaseQuotaPrivilege	2016	WMIC.exe
Token: SeSecurityPrivilege	2016	WMIC.exe
Token: SeTakeOwnershipPrivilege	2016	WMIC.exe
Token: SeLoadDriverPrivilege	2016	WMIC.exe
Token: SeSystemProfilePrivilege	2016	WMIC.exe
Token: SeSystemtimePrivilege	2016	WMIC.exe
Token: SeProfSingleProcessPrivilege	2016	WMIC.exe
Token: SeIncBasePriorityPrivilege	2016	WMIC.exe
Token: SeCreatePagefilePrivilege	2016	WMIC.exe
Token: SeBackupPrivilege	2016	WMIC.exe
Token: SeRestorePrivilege	2016	WMIC.exe
Token: SeShutdownPrivilege	2016	WMIC.exe
Token: SeDebugPrivilege	2016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2016	WMIC.exe
Token: SeRemoteShutdownPrivilege	2016	WMIC.exe
Token: SeUndockPrivilege	2016	WMIC.exe
Token: SeManageVolumePrivilege	2016	WMIC.exe
Token: 33	2016	WMIC.exe
Token: 34	2016	WMIC.exe
Token: 35	2016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2016	WMIC.exe
Token: SeSecurityPrivilege	2016	WMIC.exe
Token: SeTakeOwnershipPrivilege	2016	WMIC.exe
Token: SeLoadDriverPrivilege	2016	WMIC.exe
Token: SeSystemProfilePrivilege	2016	WMIC.exe
Token: SeSystemtimePrivilege	2016	WMIC.exe
Token: SeProfSingleProcessPrivilege	2016	WMIC.exe
Token: SeIncBasePriorityPrivilege	2016	WMIC.exe
Token: SeCreatePagefilePrivilege	2016	WMIC.exe
Token: SeBackupPrivilege	2016	WMIC.exe
Token: SeRestorePrivilege	2016	WMIC.exe
Token: SeShutdownPrivilege	2016	WMIC.exe
Token: SeDebugPrivilege	2016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2016	WMIC.exe
Token: SeRemoteShutdownPrivilege	2016	WMIC.exe
Token: SeUndockPrivilege	2016	WMIC.exe
Token: SeManageVolumePrivilege	2016	WMIC.exe
Token: 33	2016	WMIC.exe
Token: 34	2016	WMIC.exe
Token: 35	2016	WMIC.exe
Token: SeBackupPrivilege	2480	vssvc.exe
Token: SeRestorePrivilege	2480	vssvc.exe
Token: SeAuditPrivilege	2480	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2816	iexplore.exe
2504	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2816	iexplore.exe
2816	iexplore.exe
400	IEXPLORE.EXE
400	IEXPLORE.EXE
2504	DllHost.exe
2504	DllHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2748	2408	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2608	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2608	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2608	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2608	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2728	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	32
PID 2748 wrote to memory of 2728	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	32
PID 2748 wrote to memory of 2728	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	32
PID 2748 wrote to memory of 2728	2748	3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe	32
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 2608 wrote to memory of 600	2608	jxpgfuwensvp.exe	34
PID 600 wrote to memory of 2016	600	jxpgfuwensvp.exe	35
PID 600 wrote to memory of 2016	600	jxpgfuwensvp.exe	35
PID 600 wrote to memory of 2016	600	jxpgfuwensvp.exe	35
PID 600 wrote to memory of 2016	600	jxpgfuwensvp.exe	35
PID 600 wrote to memory of 2516	600	jxpgfuwensvp.exe	42
PID 600 wrote to memory of 2516	600	jxpgfuwensvp.exe	42
PID 600 wrote to memory of 2516	600	jxpgfuwensvp.exe	42
PID 600 wrote to memory of 2516	600	jxpgfuwensvp.exe	42
PID 600 wrote to memory of 2816	600	jxpgfuwensvp.exe	43
PID 600 wrote to memory of 2816	600	jxpgfuwensvp.exe	43
PID 600 wrote to memory of 2816	600	jxpgfuwensvp.exe	43
PID 600 wrote to memory of 2816	600	jxpgfuwensvp.exe	43
PID 2816 wrote to memory of 400	2816	iexplore.exe	45
PID 2816 wrote to memory of 400	2816	iexplore.exe	45
PID 2816 wrote to memory of 400	2816	iexplore.exe	45
PID 2816 wrote to memory of 400	2816	iexplore.exe	45
PID 600 wrote to memory of 2652	600	jxpgfuwensvp.exe	46
PID 600 wrote to memory of 2652	600	jxpgfuwensvp.exe	46
PID 600 wrote to memory of 2652	600	jxpgfuwensvp.exe	46
PID 600 wrote to memory of 2652	600	jxpgfuwensvp.exe	46
PID 600 wrote to memory of 2780	600	jxpgfuwensvp.exe	49
PID 600 wrote to memory of 2780	600	jxpgfuwensvp.exe	49
PID 600 wrote to memory of 2780	600	jxpgfuwensvp.exe	49
PID 600 wrote to memory of 2780	600	jxpgfuwensvp.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jxpgfuwensvp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jxpgfuwensvp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\jxpgfuwensvp.exe
    C:\Windows\jxpgfuwensvp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\jxpgfuwensvp.exe
      C:\Windows\jxpgfuwensvp.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:600
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2516
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:400
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JXPGFU~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3B240C~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+nhtta.html

Filesize
11KB

MD5
ebb4ad159a57fae8b58c673b0d3474b5

SHA1
ef2d6ef8fc6146379f34e20315cba16d3799bce4

SHA256
708f8b590ae526590c52180234d1f127552301cc764e4aa470017d0ed3dd8b80

SHA512
76bebb1e92e9514b7aac6b89f8cfe00a46df399dc633fc5684ba23c5325c5182278a02fc85ca39074c7234bc03d42d11bfe6b654fbb3e59fdbfb3b1c823c910a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+nhtta.png

Filesize
62KB

MD5
0e999b9b7d726e961908c7f7c42a26b7

SHA1
e9d1a81766c844ec91b6afcb27460363d716fdb5

SHA256
472f4e7381ea8cd86c3a9160aa69a79ba1a9109740c8474b9cf299ca6e53bbcd

SHA512
f86b797946f37dc6223e5c1db61d8e3d3bdf3f6e4d189170db562090ab5159fce9b1648fc0090fac0a74687595105cbd87e123d31c96e4179b133dc5177aedd3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+nhtta.txt

Filesize
1KB

MD5
81b9af20e4f683653638d3ea3127af16

SHA1
c3150d5d0baeaf8573a1f797f4351052589572d0

SHA256
e7e8b18516d031f53a8e4ce8b27fcda8779c714790593f299d235cec89e95b48

SHA512
67a84a27bfecf1e9ad207664ae6dfafbccf1812fd071fa24d67e39cb3eff394d6a6a6d788aebcf3f71c000cded0a6b4273afc9a9aa8f70124ac14906074e7afb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
25512cd7ada5db45e5594b9db8c056d1

SHA1
9a19e57463562656c88bfe78faca20dae0758853

SHA256
6a317b010540764569226d2c8627f805120451df46d8cc090bd271b8b955962d

SHA512
d5273c2ffc1f67a34d69c700567c66a9dda0c9ddeabc37f0db401d91f2b90e700f91b89ecdcec7321c66d74f8647b8e1b6c4c2caa7d71fcae2983309af815c83

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
60921347610e8b97abc05b8739c82adb

SHA1
028766d3f340cdc0eca5779e2eec9c1431caf61a

SHA256
96e5931d7a33633e7036e506b7d402bb0f43513d5fdc236556bec1972d1e146a

SHA512
b2ec73bcfd50a88d43463197b553d8e6b570a921880d6424f3ad2f9b5bd0fe49203b429c2e72bb67ebcd3f024285ca487d31a191a911fdf6f245ba30ef58a539

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
6312a06a06f4ad1315e9797753ec1e25

SHA1
c381588ff922c5a0d3b67b916befca419a8735cc

SHA256
95e3766c675551723811b870e40b575ce1d08855387a7b1cf100b7ea2665d8df

SHA512
a00dc9011631b850d45d1d52509a0322f4914afb42171ff4ab958fe9220f6dcd25209ee3dcbda10a32fa9df687d25acc59d5113b50d30b7103a2b70f512f222f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88e0543fbe73a6df5b8f7172e196d67c

SHA1
71c5e320a303a87e3c954b3106b8a74f4c2f5a01

SHA256
6993f518dc1f4790248d2c50c7099d2b0f85dca13fdf89e9c39688e692477fa9

SHA512
731c6804742486f7e696991604dc3829432b9e4f71ab5744cedea818d4a0b7abb4790e9b8be3adea491d309c087a870bcc8dae0235ea29b89e39cafab7fb2c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
312df1ed391b6096f95429fe5a58d086

SHA1
f083cd77225b4b97619d9ddbb491ddbe4031b84d

SHA256
bc7782c04d7ff1ae78be580a8e0ea4608bf19caf6a6f7c692e70279efa9234c0

SHA512
6cce242b1eaeedfcb765c92579d454047e98af4773c6bec5610a37a184a18c437242d115eb885bbc32394b0d6841808089cac65dcad3b2096f1077e2a02a108d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff4131aaa124b9eee972e94f74fe3845

SHA1
720e9013e892b7d0e55a903f308d622131842d5e

SHA256
7419cace1b15747e1a525090176ec9ab43dbc0298fe80ce8b99eecc6fd794449

SHA512
93d14bd44f3d3e54f9b8956802ff296dee513d99a6d71e674d8529dda486804e6da0d80f0bb9ed2f6a215dd38f3ec9c8cac0afb023c01b18ebe586598a5e7581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93becb8fe745e0f4627bef9ce8eb6a64

SHA1
27052a49b64c4cd12018cb76b3de4b3b96599a43

SHA256
d68000b623d2c7c3ff314316cf89c65640d28bda24a3c94978f37f474f3940ce

SHA512
8b7e81a7080abe93da1b4aeb1eb24547cb6f857add30e863b01806edc9891304c31eaec6958b22a6f5a0ca7f15ce6e6b19cc7f14b077adce95a33b6971641e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ecf2c38881090976e10a82f2f3646bc

SHA1
dafc6fb542c3ac839cefc3414081b16559a99c6a

SHA256
6665bfbaa524614370474838d8e115139b7e188a01e9c13ef04e7c93f3691c1f

SHA512
d50f6273419d210d47388e0971f13f92490204fde5aed1f1ae7b4a9b6ebd93df7034242167b9bc96235976ae79663c9ae2d558d4fc39668f89f00ede1f20eab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aef580f4b110a078139c3ea5563114d3

SHA1
8b3c92d913a6cd63ece0f597643733fea034c851

SHA256
13a2bf74845962dbaca0d430bd2a8a82f90465743e60c7b062adf2ca1d80b270

SHA512
f22c5583d65c93207f6c85246f0b7f4c2a6afaf141c0cad75b5aa85ccb59dd75337882cc810fd87aa6da4d60793e2ee98a8418ec6643c6756bc814a5b76876eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
074b2a8826c3341adaf9318becdaedd4

SHA1
12bd4c92875602db737914a37ad500b9761f1bb7

SHA256
6d7a37f37af5cf1d85563981a0bf1822143860519816361973a0944de25ceae0

SHA512
85bc48eacee583057dca1ab622084127a295c31532c2ea2e4ec4f6001ddba10670c04f5f6af492745dd4672a4f1cf5d236ac51242d32bd06f22dafbaf7b7cf5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bba8c43a2bb1757f93e9f0887def866

SHA1
de00bccf9d240c4d8709ce2516e2cf5764961fc1

SHA256
72ba1a65d584bf027724cba25738260ac26388adfb547c6aa3657fd30b996573

SHA512
46251984d597e21e96f2a067c1a3066e9f5c80bf8282577141c4bcf70e1022cbcb40daca08bdfbf1802874e194783da83f4abcbbc261dccf690eeb83cccbcb51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ea2ca78f4961aa705cb49d9b1733c47

SHA1
35cea4a6f2dfdc2dd7bad8cb4daa09cc77295922

SHA256
fbbe28cbf523bf11746f9509c6caf9ab30cd6e49c32a5efd590229cd5be248b6

SHA512
3e4e051f9a29e07e4b1dc51a8a5bb340bafa71a1aa3ef06b06ffba64654130a77261d887a455dbc49f32bfd24867812202f205c92f3f029baf171d8daa40b583

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC46B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC519.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jxpgfuwensvp.exe

Filesize
369KB

MD5
3b240ca653bd5467b19e195889c07c6e

SHA1
bfb732fd34099fb9f4467cfab185a4bf3bb28e95

SHA256
62aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6

SHA512
32242830aaf7fee32d16e86da4d602640fd360f24ae309bc5391c130ca384b951ac97f9ecc1f596bd7c7b3933c589dbd87ee872b4dfd8cda62835143e04e0296

Download Submit
memory/600-6068-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-6069-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-6513-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-6516-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-1977-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-1979-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-2317-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-5168-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-6059-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-6065-0x0000000002B40000-0x0000000002B42000-memory.dmp

Filesize
8KB

Download
memory/600-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/600-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2408-0-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2408-14-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2504-6066-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2608-25-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2748-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2748-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2748-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2748-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2748-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2748-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2748-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2748-28-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2748-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download