teslacrypt | 96fa8dfead44385de7dd264365c9cc0cbf3f649504a0ea68b1da3ecaa87af859

Analysis

max time kernel
117s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe
Size

336KB
MD5

3f48d14095a78b389463ab479a067ab3
SHA1

a2161ff78d590864bac05b3a2d8a758495094267
SHA256

96fa8dfead44385de7dd264365c9cc0cbf3f649504a0ea68b1da3ecaa87af859
SHA512

b16d6ea6981e4245e459e536f3c07c104af8778c7b2e1ee44a85048f8d222cc95160dc0d4b5049688c4dc89f62753b60b14b44ce432e1665e073ee70d521e2fc
SSDEEP

6144:twO017IvxjY9u3x9DQhsx3GP7+Dd7yvQySmRvmdc7DrXti7O:90JIvpY9uTQhO3GSDlVyBRvIcDR

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xpsly.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D3B3745B22BF2FE0 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D3B3745B22BF2FE0 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/D3B3745B22BF2FE0 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/D3B3745B22BF2FE0 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D3B3745B22BF2FE0 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D3B3745B22BF2FE0 http://yyre45dbvn2nhbefbmh.begumvelic.at/D3B3745B22BF2FE0 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/D3B3745B22BF2FE0

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D3B3745B22BF2FE0

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D3B3745B22BF2FE0

http://yyre45dbvn2nhbefbmh.begumvelic.at/D3B3745B22BF2FE0

http://xlowfznrg4wf7dli.ONION/D3B3745B22BF2FE0

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (422) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2100 cmd.exe

pid	process
2100	cmd.exe

Drops startup file 6 IoCs

Processes:

tvjfpgguphut.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe

Executes dropped EXE 1 IoCs

Processes:

tvjfpgguphut.exe

pid process

2212 tvjfpgguphut.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tvjfpgguphut.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ojnyhrp = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\tvjfpgguphut.exe"	tvjfpgguphut.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

tvjfpgguphut.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Internet Explorer\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\es-ES\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\settings.js	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\_ReCoVeRy_+xpsly.html	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\_ReCoVeRy_+xpsly.txt	tvjfpgguphut.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\_ReCoVeRy_+xpsly.png	tvjfpgguphut.exe

Drops file in Windows directory 2 IoCs

Processes:

3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\tvjfpgguphut.exe	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe
File opened for modification	C:\Windows\tvjfpgguphut.exe	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DllHost.exeIEXPLORE.EXEcmd.exe3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exetvjfpgguphut.execmd.exeNOTEPAD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tvjfpgguphut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{69FDDF61-894C-11EF-AE26-F245C6AC432F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000441f561703429a77c6bad0f072e6ef3912e20d9638405e5b32de9dc3ded47ad4000000000e8000000002000020000000655cf7c5593e8e4ee1b3bb980d265cfd7170d24ab39af19d73755150313fc8e9900000005c36086be05844d149d38f2d24d541b1efcbde1a3d998967ab510f1a1ff87f6f580bf234f0f88086faeff21ee13459020ea8b6187b426a0a60cb4358ac63bd021ff57813fe46aaccc71d133408c964384341ec10094c330b9b5bd6fa966c6827a47a318842901036d0b7c043f00fddd9dcb588787b8838921da8286ee3737233f3da61defd56b52a44010618e7c5b0c1400000004da6553f0c1228a4f4605cbd50394a3c3700d2a758b430195035bade73eb989b345efbaec52067bafa35b94d1727b6b1bcd90c0dd39b255b527e9a3c8bd7e5f4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000089c0bab14195e481c38cc441e30cb3a3a81343d666c6b87fd52e96c80ccd9970000000000e80000000020000200000008e5f644c8179a5fe10617dde2de0cef838ec4e0233d965a8da8b4f5e0ab307d42000000067b85b218fdb743eeedded27ea2bcec2bfe70849faab038dd1c76fa50b0de79f40000000e609f096c23cbce9dec7f3185387c4e19c77ee741b52a59973fc4308899e945815e2475ffde172e32bd903930c51686bd994c285d68ade01f45b0aabf07668e1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00747c3e591ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434976560"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2400 NOTEPAD.EXE

pid	process
2400	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tvjfpgguphut.exe

pid	process
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe
2212	tvjfpgguphut.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exetvjfpgguphut.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe
Token: SeDebugPrivilege	2212	tvjfpgguphut.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeBackupPrivilege	2688	vssvc.exe
Token: SeRestorePrivilege	2688	vssvc.exe
Token: SeAuditPrivilege	2688	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1584 iexplore.exe
1808 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

1584 iexplore.exe
1584 iexplore.exe
2500 IEXPLORE.EXE
2500 IEXPLORE.EXE
1808 DllHost.exe
1808 DllHost.exe

pid	process
1584	iexplore.exe
1808	DllHost.exe

pid	process
1584	iexplore.exe
1584	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
1808	DllHost.exe
1808	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exetvjfpgguphut.exeiexplore.exe

description	pid	process	target process
PID 1960 wrote to memory of 2212	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe	tvjfpgguphut.exe
PID 1960 wrote to memory of 2212	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe	tvjfpgguphut.exe
PID 1960 wrote to memory of 2212	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe	tvjfpgguphut.exe
PID 1960 wrote to memory of 2212	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe	tvjfpgguphut.exe
PID 1960 wrote to memory of 2100	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe	cmd.exe
PID 1960 wrote to memory of 2100	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe	cmd.exe
PID 1960 wrote to memory of 2100	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe	cmd.exe
PID 1960 wrote to memory of 2100	1960	3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe	cmd.exe
PID 2212 wrote to memory of 1972	2212	tvjfpgguphut.exe	WMIC.exe
PID 2212 wrote to memory of 1972	2212	tvjfpgguphut.exe	WMIC.exe
PID 2212 wrote to memory of 1972	2212	tvjfpgguphut.exe	WMIC.exe
PID 2212 wrote to memory of 1972	2212	tvjfpgguphut.exe	WMIC.exe
PID 2212 wrote to memory of 2400	2212	tvjfpgguphut.exe	NOTEPAD.EXE
PID 2212 wrote to memory of 2400	2212	tvjfpgguphut.exe	NOTEPAD.EXE
PID 2212 wrote to memory of 2400	2212	tvjfpgguphut.exe	NOTEPAD.EXE
PID 2212 wrote to memory of 2400	2212	tvjfpgguphut.exe	NOTEPAD.EXE
PID 2212 wrote to memory of 1584	2212	tvjfpgguphut.exe	iexplore.exe
PID 2212 wrote to memory of 1584	2212	tvjfpgguphut.exe	iexplore.exe
PID 2212 wrote to memory of 1584	2212	tvjfpgguphut.exe	iexplore.exe
PID 2212 wrote to memory of 1584	2212	tvjfpgguphut.exe	iexplore.exe
PID 1584 wrote to memory of 2500	1584	iexplore.exe	IEXPLORE.EXE
PID 1584 wrote to memory of 2500	1584	iexplore.exe	IEXPLORE.EXE
PID 1584 wrote to memory of 2500	1584	iexplore.exe	IEXPLORE.EXE
PID 1584 wrote to memory of 2500	1584	iexplore.exe	IEXPLORE.EXE
PID 2212 wrote to memory of 2696	2212	tvjfpgguphut.exe	WMIC.exe
PID 2212 wrote to memory of 2696	2212	tvjfpgguphut.exe	WMIC.exe
PID 2212 wrote to memory of 2696	2212	tvjfpgguphut.exe	WMIC.exe
PID 2212 wrote to memory of 2696	2212	tvjfpgguphut.exe	WMIC.exe
PID 2212 wrote to memory of 1784	2212	tvjfpgguphut.exe	cmd.exe
PID 2212 wrote to memory of 1784	2212	tvjfpgguphut.exe	cmd.exe
PID 2212 wrote to memory of 1784	2212	tvjfpgguphut.exe	cmd.exe
PID 2212 wrote to memory of 1784	2212	tvjfpgguphut.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tvjfpgguphut.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tvjfpgguphut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tvjfpgguphut.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f48d14095a78b389463ab479a067ab3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\tvjfpgguphut.exe
C:\Windows\tvjfpgguphut.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2212

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TVJFPG~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:1784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3F48D1~1.EXE
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xpsly.html

Filesize
12KB

MD5
d83f9f33656fe34a2dbce70a883edcef

SHA1
bb28b882a3beb6a1687f77ad77c13e937ac2fdfd

SHA256
eae239283cc24fd071ce65744a7191e04726bbd7d174bcb084630db037a30030

SHA512
a783fba96ccd334b443066135145c1b8b9c0eb02b1c1127d3e88149d2aa1239e2b3d273cafdf4cbcdd27a158f35a825a35033f55dd6e3af91562abd50139c100

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xpsly.png

Filesize
64KB

MD5
832858537743f58068fdd1d82177763f

SHA1
b3d82c34d5ace1758143c41c3fb6237a74c8f3be

SHA256
91fb11b44431d33bee0c51b29a4fd0694687db2573850cb427e9a237ff5f4c73

SHA512
10fdcf9d00f9a1e0b0465b24d0e88585214d8b565dcbaffec8ad6325b5cdcb3e7bb1886e7e3fbc741883d42624d319cfd2213dbc693967698e92cabdcaac1765

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xpsly.txt

Filesize
1KB

MD5
5b393b5999f1c09e441c16ec9789a76e

SHA1
acc0baecda2bfc4e6ad58ff5c06bce77163207b7

SHA256
901830fcff1571e161fc018f16f6a62d8beb2bdf6f2df229cbe8bfa9864eca15

SHA512
1191c1fd2120e66d87a6e275b72032349e9662c0d1d5904b6f95ff6779a9d40d297f4338e518478c7b1ac6a4a4f04559f07730ee8771d738ebc3788de00bacd0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
99ec870ee1eb84a79cdeb0ac4d92e910

SHA1
c601e1409c7dee9dbb1d631082603f5d7a7eb8d5

SHA256
d35c3230e05b375eef637c157b5c0631611def14e19f948757ef6eb618346318

SHA512
ca21c89d7210d7bd958654a0723327355b8e8b4c601ae414a7ad671289ad01658f80176bc4ab10ab9eb09597a89d3628e322f19f8c17333c1181ac5d9a00502a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
4266a4308d69d529e2d50b89ea210046

SHA1
754663e7e997f4ddf8143df1b1e170a1cdb8aca1

SHA256
36c662635ee1ee17a3d71ca4b4c39828cb35db5512682e781ef99b44fb4047d5

SHA512
47103db5c75350e87d866ba4ac785c7b8741b3c163dc633216b523a9e9194cc4557dcf357b077e1b559991db840604f2c00dc4246612fe42da0ed71a934ccf10

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
ae68c2c12c389246dba5a3936bacd6b2

SHA1
42f465dbe7cf82346585f9a0ae8cb6ff18194f49

SHA256
549845460b6754357c88164d80b611baeb423f0157e1a97d2de63910fba311ae

SHA512
f674a5362cd7002e8d72e9842ece430e96a65610326dab130f3e01339bc529268d9695eb6b72b8072b246fbebb00355def0f6db2325551496c59e646894c60bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd8f2b052a6813de672baff16dc01eae

SHA1
7baa76b343bcaa94b538f26f4dc294360f7fa9d1

SHA256
3c819343d5c7aba2ec33a129572c568a9b60631611e54aefeacf5961cd3ffe33

SHA512
f2c146eb7caa9fcb0bdbe17db6ceece0359eb4adbe5c0af32b8574525e64593c6f3c855529de6f84a375a7109b56d35905a57a5a1795342d13a8c71477e0f1dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1fef5da488f25e5163b08c496a9beaf

SHA1
527bb68be256c80dd5be10279cac1eb49037ef9d

SHA256
da5def633827531c486b370f4ee8c79b198efc06e3ff1d1ce61ee21809f0c2e7

SHA512
c8ea3986a7e2973aa88a07be522ae1f9636be559ebf58a25f1e707e63c52adcd4c8cfed6eff0e6a16a6c1e2f758839c6a0093f815848efaac7bd77a6e160d2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bc7f9f603bcb3437b742ee7ea2c27d9

SHA1
12014c153c19214f917db8ca8bc3f4f81a2229b9

SHA256
06dc8e5e466de6b6777a0307a6a659191b222697b67ae48f84b976bab6abcc18

SHA512
da7259b9ae5b84e979d5b1832dc74da60045c866efd5acb692ca673fd999c3fc64b40312c110bb1a3f062934cbacb4ca38526682781cb82ab63b0aacfeb66e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a84486b6a278ab24319a266f0dce5b9a

SHA1
ccdc0875c173caca5caf068cfe1da285d3baf3d7

SHA256
a65dd4867a19b50e95c81fbfff532c7f5a86da9e3404db903236d13927fd6f78

SHA512
1823703357eea6a939c32ef9f95d371e6d957849b01a7f2db2d3c03d2135df5267c8ccd82f5d76e925d16ac869cc1371113d4772e173175960ba6cd8a68aa51e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f92cf3a1a47a9793d4c9fe62237f6302

SHA1
6f1e206343c49235fc8bef0c5fb517c0519735ca

SHA256
b4c657e330d3add5486bcd627b3037a6910650451c11f62d69a0cfe54d39aec8

SHA512
8829762af2e46bf7eb88ced8c0682fc64f052b523d793d208623ba8e8fdd41b6bcf719dd0ed29eb35033f445a31939dd2a26e30ef415824ca17a118ccdf28956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27e4fb7c40a0ec40ae2996f7fe630cf7

SHA1
9b8fe4d9e34a960494ab79f3de76f779785a959d

SHA256
fa0e0cf5fd5e1cac3f33405afc7f4b3bcc5ce497793a605e563efabfde1f00ba

SHA512
9111cd4a3e79efb346da0e9c5211188422ed0ed052f5bb0e64198b3348e91e467d706a2d1104876be453c7af2293ebdae3e19e4f517520334e0c0f500137dac6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59ae9a930d7d568771dbf70f29184ba2

SHA1
02d9bc678cbe46c80226f1fe69ab34b760d20a93

SHA256
ffcdb7e082b08989f5fd9bfdb369c2e7c2adf2fa2e7ee434277090da893aec1b

SHA512
db4827986359027f4620fbde95b451a589d5c3abcf6c45c949146112adea0ade2f334b3cd4623957318997d399b02ae203883ca62246b852741e28ad31460cdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
758353ec13a22c3433a8e4297b85a90e

SHA1
94a77c53b61d8e3712425140fd14bbff68c50029

SHA256
ba0235eac48ce9f94018082b3e7e6e082e3c8e47fdd9f20d74df2dba39d7d1ca

SHA512
50e209d59525eb496dbef252ca515b5aa7c071bc05b36d5215694d268f8c4e38efdcecaad0d8ee6945c69e90d2c0239663d7919f08b842a121d5f5ab7c4f85d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
782221b14a96e3a71057af54c418ca59

SHA1
7257da21b57bdc5bc94fc2b576f495a1c8fb4680

SHA256
c50fb51cf4546d731d6ed5cb26ec09dec2deb0a60b6658941fe4dae7e3504d11

SHA512
9ed20f5521911778520c41f5f03b9b5a37f200b2d3195c07829f90e80ace5e800aeec27b412730c256da3ac620b8cad75d2f81dee01537b223b4f35a04a595f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7f735e9adfe002858cef2dcb09064a4

SHA1
b95a3928149e0a93bd372fa252716ddff16d0afc

SHA256
570bd27e7b9841448020eefdaf2f9f94e9b513f6c531133e096b9919a7255f8c

SHA512
e2974100541dc1dc9aaba3021402662ac3a95b51d9a8982ff9cba890b152059d7a3e99620822660b284db3681464daf36dd097dd1c933f190deaa5772c25358b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6454dda78109444d3cf1aa45bd135a55

SHA1
f48f6cf8071a3a9f90d87a5fda1defdae959bb2b

SHA256
2dbb3a029b4e833d87390b4ca9a7e7b05f18da8875db674b3acf4c1f299179ff

SHA512
58a265fd2cdc6e479b3e926ca487e236357e70a5686c3b35690e37b00e6690a45e126f6263501b7a1de3783095483d3e360f73eed0429947be3e6fb9be411cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab48E5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4D2C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\tvjfpgguphut.exe

Filesize
336KB

MD5
3f48d14095a78b389463ab479a067ab3

SHA1
a2161ff78d590864bac05b3a2d8a758495094267

SHA256
96fa8dfead44385de7dd264365c9cc0cbf3f649504a0ea68b1da3ecaa87af859

SHA512
b16d6ea6981e4245e459e536f3c07c104af8778c7b2e1ee44a85048f8d222cc95160dc0d4b5049688c4dc89f62753b60b14b44ce432e1665e073ee70d521e2fc

Download Submit
memory/1808-6062-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1960-11-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1960-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1960-0-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1960-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1960-10-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-6061-0x0000000002E40000-0x0000000002E42000-memory.dmp

Filesize
8KB

Download
memory/2212-1908-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-1670-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-9-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-8-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-5269-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-6066-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download