teslacrypt | 3fb80b937831aca246d838a129d4e094b8de7fc513fe14f311e1bbaf67cb8a99

Resubmissions

17-10-2024 03:46

241017-eb1k3sthpp 10

17-10-2024 03:41

241017-d8zjls1alf 10

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5092d1d7abb882028147df297432ca49_JaffaCakes118.exe
Size

381KB
MD5

5092d1d7abb882028147df297432ca49
SHA1

101d56d520a89ac973099959a317a790d7b75130
SHA256

3fb80b937831aca246d838a129d4e094b8de7fc513fe14f311e1bbaf67cb8a99
SHA512

aec9a4a561978251bc537675fad16818522c6cd6b8f6e5700f96ded4d0c2ba4bd50c5efc8ec5e2ab30fe56f5209e21f1af16f4fb7b599db8184266e474b7a898
SSDEEP

6144:bU+DRYgAOEYI146+ziWRKrY7350PeR21AG+KpAy:l9YgaTl+ziTrY7pAxdpAy

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+ocjae.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/933DCC20A3C1FD75 2. http://tes543berda73i48fsdfsd.keratadze.at/933DCC20A3C1FD75 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/933DCC20A3C1FD75 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/933DCC20A3C1FD75 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/933DCC20A3C1FD75 http://tes543berda73i48fsdfsd.keratadze.at/933DCC20A3C1FD75 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/933DCC20A3C1FD75 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/933DCC20A3C1FD75

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/933DCC20A3C1FD75

http://tes543berda73i48fsdfsd.keratadze.at/933DCC20A3C1FD75

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/933DCC20A3C1FD75

http://xlowfznrg4wf7dli.ONION/933DCC20A3C1FD75

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (419) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2988 cmd.exe

pid	process
2988	cmd.exe

Drops startup file 6 IoCs

Processes:

calmuxlyjyaw.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe

Executes dropped EXE 1 IoCs

Processes:

calmuxlyjyaw.exe

pid process

2484 calmuxlyjyaw.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

calmuxlyjyaw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rxunawehhtgb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\calmuxlyjyaw.exe\""	calmuxlyjyaw.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

calmuxlyjyaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Media Player\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_RECOVERY_+ocjae.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_RECOVERY_+ocjae.txt	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_RECOVERY_+ocjae.html	calmuxlyjyaw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	calmuxlyjyaw.exe

Drops file in Windows directory 2 IoCs

Processes:

5092d1d7abb882028147df297432ca49_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\calmuxlyjyaw.exe	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe
File opened for modification	C:\Windows\calmuxlyjyaw.exe	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeNOTEPAD.EXEDllHost.exeIEXPLORE.EXEcmd.exe5092d1d7abb882028147df297432ca49_JaffaCakes118.execalmuxlyjyaw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calmuxlyjyaw.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d65f944620db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000852799a7d081c7e86a1fe9f348be562bbbeb56bbea407bac4c19aaeb3bf3a6c2000000000e80000000020000200000003654df13e45b190edf6a777dcc3b2bfeabd285a32f7d84267d3e44e875e69472900000004c99fd904bf7d0489637aaf5bf7b7d236190de08a09770518a5b9e476ec340a4f05d7208976734dc611adec153228a022456dfce67cdce20f6975cae1d01302d931d761cbe6f4eef24131b107befaf575fa79093478ddb06aa9fe71c5748139a347f5075ff4cfe11659a8dd2ffe6792820de962cea0c68f9592d0e6cfef8e4f767527df33b6f91737f632e753c1c863f40000000a1d2f7b005a85ddc7dadaf77b563e6e7042c97dc8ec8e3022b73cf1b51d1069a0644e667622582baf1da0a32cb62f47f5282e980a268e4c9d4506db5ea25543a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435298380"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BFE12AA1-8C39-11EF-875C-F2BBDB1F0DCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000003b2e0bf22ea2841d966bea0fb4c70ff28c2d34bd14dad1a624731f0d76811fa2000000000e8000000002000020000000c031e6d9bed828e25f42e0faf783cf31d79a5411f1f1c1f424c5e2ba1252fcff20000000e201b9a11631b663b3f71c36713344fdfc8c4bbe1d535924a0ab0f8c53a193bc400000002adce6a1dbeb2f4adeafe205cc331ccff7e16225888c030fedd83fad7748e94b5883862a63951d48d498a96c04f6b1e4cd9dabed9dc0c8ee9533322263165fb7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3044 NOTEPAD.EXE

pid	process
3044	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

calmuxlyjyaw.exe

pid	process
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe
2484	calmuxlyjyaw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5092d1d7abb882028147df297432ca49_JaffaCakes118.execalmuxlyjyaw.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe
Token: SeDebugPrivilege	2484	calmuxlyjyaw.exe
Token: SeIncreaseQuotaPrivilege	2724	WMIC.exe
Token: SeSecurityPrivilege	2724	WMIC.exe
Token: SeTakeOwnershipPrivilege	2724	WMIC.exe
Token: SeLoadDriverPrivilege	2724	WMIC.exe
Token: SeSystemProfilePrivilege	2724	WMIC.exe
Token: SeSystemtimePrivilege	2724	WMIC.exe
Token: SeProfSingleProcessPrivilege	2724	WMIC.exe
Token: SeIncBasePriorityPrivilege	2724	WMIC.exe
Token: SeCreatePagefilePrivilege	2724	WMIC.exe
Token: SeBackupPrivilege	2724	WMIC.exe
Token: SeRestorePrivilege	2724	WMIC.exe
Token: SeShutdownPrivilege	2724	WMIC.exe
Token: SeDebugPrivilege	2724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2724	WMIC.exe
Token: SeRemoteShutdownPrivilege	2724	WMIC.exe
Token: SeUndockPrivilege	2724	WMIC.exe
Token: SeManageVolumePrivilege	2724	WMIC.exe
Token: 33	2724	WMIC.exe
Token: 34	2724	WMIC.exe
Token: 35	2724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2724	WMIC.exe
Token: SeSecurityPrivilege	2724	WMIC.exe
Token: SeTakeOwnershipPrivilege	2724	WMIC.exe
Token: SeLoadDriverPrivilege	2724	WMIC.exe
Token: SeSystemProfilePrivilege	2724	WMIC.exe
Token: SeSystemtimePrivilege	2724	WMIC.exe
Token: SeProfSingleProcessPrivilege	2724	WMIC.exe
Token: SeIncBasePriorityPrivilege	2724	WMIC.exe
Token: SeCreatePagefilePrivilege	2724	WMIC.exe
Token: SeBackupPrivilege	2724	WMIC.exe
Token: SeRestorePrivilege	2724	WMIC.exe
Token: SeShutdownPrivilege	2724	WMIC.exe
Token: SeDebugPrivilege	2724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2724	WMIC.exe
Token: SeRemoteShutdownPrivilege	2724	WMIC.exe
Token: SeUndockPrivilege	2724	WMIC.exe
Token: SeManageVolumePrivilege	2724	WMIC.exe
Token: 33	2724	WMIC.exe
Token: 34	2724	WMIC.exe
Token: 35	2724	WMIC.exe
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

684 iexplore.exe
2424 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

684 iexplore.exe
684 iexplore.exe
2488 IEXPLORE.EXE
2488 IEXPLORE.EXE
2424 DllHost.exe
2424 DllHost.exe

pid	process
684	iexplore.exe
2424	DllHost.exe

pid	process
684	iexplore.exe
684	iexplore.exe
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2424	DllHost.exe
2424	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5092d1d7abb882028147df297432ca49_JaffaCakes118.execalmuxlyjyaw.exeiexplore.exe

description	pid	process	target process
PID 1736 wrote to memory of 2484	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe	calmuxlyjyaw.exe
PID 1736 wrote to memory of 2484	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe	calmuxlyjyaw.exe
PID 1736 wrote to memory of 2484	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe	calmuxlyjyaw.exe
PID 1736 wrote to memory of 2484	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe	calmuxlyjyaw.exe
PID 1736 wrote to memory of 2988	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe	cmd.exe
PID 1736 wrote to memory of 2988	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe	cmd.exe
PID 1736 wrote to memory of 2988	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe	cmd.exe
PID 1736 wrote to memory of 2988	1736	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe	cmd.exe
PID 2484 wrote to memory of 2724	2484	calmuxlyjyaw.exe	WMIC.exe
PID 2484 wrote to memory of 2724	2484	calmuxlyjyaw.exe	WMIC.exe
PID 2484 wrote to memory of 2724	2484	calmuxlyjyaw.exe	WMIC.exe
PID 2484 wrote to memory of 2724	2484	calmuxlyjyaw.exe	WMIC.exe
PID 2484 wrote to memory of 3044	2484	calmuxlyjyaw.exe	NOTEPAD.EXE
PID 2484 wrote to memory of 3044	2484	calmuxlyjyaw.exe	NOTEPAD.EXE
PID 2484 wrote to memory of 3044	2484	calmuxlyjyaw.exe	NOTEPAD.EXE
PID 2484 wrote to memory of 3044	2484	calmuxlyjyaw.exe	NOTEPAD.EXE
PID 2484 wrote to memory of 684	2484	calmuxlyjyaw.exe	iexplore.exe
PID 2484 wrote to memory of 684	2484	calmuxlyjyaw.exe	iexplore.exe
PID 2484 wrote to memory of 684	2484	calmuxlyjyaw.exe	iexplore.exe
PID 2484 wrote to memory of 684	2484	calmuxlyjyaw.exe	iexplore.exe
PID 684 wrote to memory of 2488	684	iexplore.exe	IEXPLORE.EXE
PID 684 wrote to memory of 2488	684	iexplore.exe	IEXPLORE.EXE
PID 684 wrote to memory of 2488	684	iexplore.exe	IEXPLORE.EXE
PID 684 wrote to memory of 2488	684	iexplore.exe	IEXPLORE.EXE
PID 2484 wrote to memory of 2216	2484	calmuxlyjyaw.exe	WMIC.exe
PID 2484 wrote to memory of 2216	2484	calmuxlyjyaw.exe	WMIC.exe
PID 2484 wrote to memory of 2216	2484	calmuxlyjyaw.exe	WMIC.exe
PID 2484 wrote to memory of 2216	2484	calmuxlyjyaw.exe	WMIC.exe
PID 2484 wrote to memory of 2312	2484	calmuxlyjyaw.exe	cmd.exe
PID 2484 wrote to memory of 2312	2484	calmuxlyjyaw.exe	cmd.exe
PID 2484 wrote to memory of 2312	2484	calmuxlyjyaw.exe	cmd.exe
PID 2484 wrote to memory of 2312	2484	calmuxlyjyaw.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

calmuxlyjyaw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	calmuxlyjyaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	calmuxlyjyaw.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5092d1d7abb882028147df297432ca49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5092d1d7abb882028147df297432ca49_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\calmuxlyjyaw.exe
C:\Windows\calmuxlyjyaw.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CALMUX~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:2312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5092D1~1.EXE
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+ocjae.html

Filesize
11KB

MD5
62d65e466e886f3286b21165413c11b0

SHA1
79c8cf90a09b3af762e52c8ca155a3a4af2873ab

SHA256
e6645675268709df312021f4166690856390600eeca4c6515dcc54d2c9dec939

SHA512
bbf4534b9e56a1e0111e000f2625cd2dc03c58ce1f1863e2fc829fa464d9b6ce223cf974318d75a25f30ed2dd529df9f959a395d92d44d01a7c96389a230c160

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+ocjae.png

Filesize
63KB

MD5
200f1c917e27b1e7a8fbf6c330eca68b

SHA1
f65add1cb6775bd6c2deaf4a27fe8d9e1f92cdbb

SHA256
cc30759ea2f3e4824722b233a75d59dabceab420b6839895cfd5a93c467da523

SHA512
180cce71c1e333db2b82d65fc44eafe412d1db9af231cc0e68ec6e981b77e1596f45c5631201d32bedbab53ae2f337cfbf2e1f07511ea8788f3c16bd526e1ba8

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+ocjae.txt

Filesize
1KB

MD5
5752446a8b09cceea18c47bc5bce23d1

SHA1
27762ca2ce92fbfffade99428f63021307c794d6

SHA256
2a12da1adf784110d0ac9876c24fd954af0d33cf5bf7e14e8d6c6e0328be6c5c

SHA512
c19e42d5bcff8614f27e4b517fa0e620c6e648b2c61bc811e00632ff58978615942062fe16410a7206db7babf3325e61d34d1f5ea527d1f9d4dafd98e3f5598a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e3e685005894335bf7b40eb7dfc0d99d

SHA1
747ed967e0666f55f8c611050ab9866f6472e47d

SHA256
801127c6b23a26edf01796a9995c8db058045e683c333a69719769de966d4878

SHA512
cee2da4641d666288f8cba50df4b8163da28b489813df593b03bfddd2cd377053a420d440a733bd6c0a2047c76b1a68b4c718b89d8cdf87a29fa965d791b9c52

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ea0ab983ebbf03b9c3641ddcb43bc188

SHA1
c6e8ba24db59d331addcaa7e6e09460db874a7db

SHA256
490291175977effbecf048e2d78d462a371aef8d93169561cfb9188bc7043cfc

SHA512
70e29fe7dd46c0fab4456ec811c3a4d252ed20e8e02b19b8a6067ae2430d67fdf6d899644a667a2d5476229a715ca5516f9ff75d5aaa235521f030b18ee865f0

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
321fadb2d9919b217d29c14af644ddff

SHA1
2a65c42398c5a64cb943c3638fce48e279a9d0a3

SHA256
6dc02d98d2b21b9dab47536e08facc26562f702ee134a174e3a07ae884a58880

SHA512
38ceb7f2e53f8e2645c79a78d8039c912b0c17f6d6c12551808b0ea588701a9ef6a2ee4e9737f95da0a5416d74886e61af9afaebd7805e0fd50013e6560c2202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0598e16e44d3f377a01d70bbe2c062ad

SHA1
6ae0746a0b7f19cab4f40eb546b435e44889aae6

SHA256
c9675b94f17f251a656069bceeaa660926fde98e012dbfd12498196fd1bb4be7

SHA512
f00954f5b8ec82df091ba7bae64c8848c6ede45141354655af278d990e7202bc4ae0d58354273f563ffeeedeaf3b5cd6fd634ff13580d12a9e70e4a930b8f66b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a48bdfef59efcdb55bf54218f78fa220

SHA1
5844c01ee510e94be670bf0ccd4500358ae80141

SHA256
bd3702a14469cc70c0657452342bc346f90bc007664d24e964f0ce8adc3f4aee

SHA512
a51a557e6ea063a1423993d2b0d0bb02006c80174c6c9ceebf8f1bd2481a16babe75d6de5cc0d317e9d868c75400a4d848a30e082c7e40ee831fb7196e0e7958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba0b5bc875d6ddce8a55a25da6142e7c

SHA1
ea76de18003fa0aaab480191b5017c85af47a571

SHA256
d41f50b79eae583534fe20c5f649cf65622485e4c6c098fa5b42f644dcd3ed7e

SHA512
00e2d001c7a71a2e3826b738cf71ddaae02820e231988b6c37ad6f9dc76109c19f51481a1bbb85a031f5b29f2715b14b9f4c65c5609eb8f9f0a5837351e09d6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a869e94cf08d246b3126034c7f39da09

SHA1
ff1d50254f4a76d053b303ed4851599d9671f55b

SHA256
fdf118c98498cff037cd6c9546df760ccca325b2eb639d0b4073af051d470e07

SHA512
216271613db66daf500e2292fbd46de0ad7867a96542353b4ca6633cb9e2d38fcac4e7d2b4ead627e08502a950afa45cd5a0f44f5b58e49dbcb759a0587a1d58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0634dc2eb35e33d26b75d8c4a98ca71e

SHA1
78e79f179e5d97ab5d7cada7949d31e9576e13dd

SHA256
6c2d62a2e8c8ca2e02fa8679fc3ba0cbba1ccb51576a7d7bfb8b81fa5139d000

SHA512
db3a7cddf7a512cb217854f4014aa84f896377f1a971a8d14bb3d7ee71a7c9bb1fd40b6ccf65d089803d9cabf3564c905ec497e06bb4b292a2f9f490c61805cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbf786dd2b527f82ce6e6fe1892ab798

SHA1
308ad7638ad453e7dd0839868873c3e01d1a728a

SHA256
ed4d06ca618f4b986173663e9d04f90d8d0477859e2f6b80f4fa01d028af0c2e

SHA512
a4f6edcdb6f9623ef6d3f17e9d14ec72b2c839c567aeca33ccbadda2152b67149dccde06068ee378f7ab6c6fc4d441a7d7ea4dc19664e7fb010ba335012a5030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82de019ce2368610da607374c7646ad6

SHA1
2819027c0c48c795cb2b142d0ac6e450cda511c4

SHA256
edb3e0d40d5116c747aa43efa55d17d0d62f143eda76b9c89ff8416c4d6cce98

SHA512
cf55cf4c04cfcfa0db74cadc1a028a4a51034a2f4a67bae174fe55b5257745984270dfd157a97949bef168b7e4cd84ba64152384a87f5ae893f4e3ba2c52d5fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b379697ae71d4ca53a038e46233b703d

SHA1
23a44771bcab0f0ccc7b0ad2396bd48545077cf6

SHA256
c37c3d57dad7297846e0d260498e723f57df1b600c69cea9ede3174e8844e2a2

SHA512
0390847c6d3f468e119e74838ce36d993a22725d1f92b601c2d5f4fc336b624f6be1acc67988f6e718a3eabee3defbbc4acd44b34e6e1307a2a695e955a21e42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e524e0c64982fab23ce62db8385ec04

SHA1
9e3b32ec9d3351870eca833aee0f583fd209a201

SHA256
d7373372778966f1b488a1327cffe9b4b845561f57c6fd1012688943ac168a09

SHA512
6731ea49fe4b78a57c52dc70874daac7d4f618f94d82a4727d9dfa04c2843befb8eee04cc0eb582e51a78d25ac8cf4a46c096fd101cc4b7265d90d61da09365c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fb95d9de0fd05cdd94cbd2db378680d

SHA1
9234f357f5a153d92046519937100001454f55b6

SHA256
da680748e21b58ba531b913807f783781242cb6c1b49c3e8bea2014b20ac2582

SHA512
713e3e61a7831030b614e2109cf93dcd38c548276ad89a91286be8b577a00768df6d2af2022d6187a25cb899d24c5917f66330f5b71a6bd9fe73b291f931c2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f761f9978b521390025906984e4624c

SHA1
434f44d7a5b6dd0f6d1188eac582c431afc5f3a1

SHA256
167ccbaf240203b0c7d4338395bcb160bb27130b6541f39f7b2cd25b17ea20e0

SHA512
77b557f6cf73a6dd72fadc230c3da5370dcb378aaafa92eb3937f1754db0c79dd5f86fd7c52b47f10790080f828058993a8e079a15c94d0a18d80c4ff16487ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbeaed3edb1022eeaa0fe3ebf1f29a8b

SHA1
dec1d49e5be41997db932229cadb2d8ad1555585

SHA256
096da03416b3ff2833a3a910ce25f863ad37c13122b7f4d61564d9ffc3d592fc

SHA512
6963d5a024ff185b2aeb4709f4be6de7bbab8815522d9cb99b95e6288dc4139130d48a4fa9f540c98f0d8c070de3aa9901abfd9e351c2dba984111310c0752d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67b3b5f17faa9f26693b72090fdebd8d

SHA1
f2109d90a1252d192160ed8db6ebc4a873b489cb

SHA256
dcbd8dcd3420fdb45a7027843e16a5c38815ffd1d77040200ce2ffb3a0273436

SHA512
1fdd75c367d175e8414a989b9ae62b01b94782dbdd823877972e93ae0e58dab9f570ffde1b70febd468ca5e069b368bc7eb26376bcb1b47f871e149f2ef63bb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3669ad36411540e383b3dea3ad1000a5

SHA1
81b40587aa71b51b8336ffd85f17b628b27bb5c5

SHA256
b6bc11d46e2621c86df8ff4e9a3d925b982f7a53bbfb2c15b68dc1f5d67c8eae

SHA512
084dbf1f33373fe02b7a4824c4479243dbdbd571b24e48269d34c56f6d257d86de1bb5273686f85c1f6ce8a222133c31c9b7f7c225c3e7887f9e8cdba668f7d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c795ffe511eaa6bc1d0b56d0a16bb9df

SHA1
6b74f5d51c8b619206655c420470d899acf57d51

SHA256
9733d6c614f63e18f81cfd9d61947b044373c7dd1dd711973a4f294aad85057f

SHA512
01625de44a40f69beacbb577098dbaea12386ef70189575ab307c1953922eb0a712a375e5279c7564c1b27cbef52997baaa4c3fc3224abe7d93b26579f9f7526

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3f42d46c394dd00ead4e110a49ebdd0

SHA1
7b634c9ab0e448c8a43c8851051df77bc1dfd099

SHA256
21b3fd459b1f0bb6c4a1b784fa7392242c64535d80a68536c03ca3199ef2fbee

SHA512
34112b245b98a75dba0ce38166b64e8fa29336d2d8d60927640fef9c076bb99021d4c55c08698490a92ba9db1833fbc30abd77d908f965657bbb04fbb8815612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a4d98061558f0fbd483652618a2ddf5

SHA1
cdbafd2af2341f6912e4e8bb795ed3da22fd4e63

SHA256
3d19b4487f741b6318b773164b43c65609123046bc52528d5419cf1e5dacec8e

SHA512
cc38d9cc1c7f22c72dcc892e6ebe83a6e8915763978cb8514b1244acadb75f0d706ea204a3524b9166fc6259b0a0f52eda79804a7695d78abd59dab74222ccae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1621.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1683.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\calmuxlyjyaw.exe

Filesize
381KB

MD5
5092d1d7abb882028147df297432ca49

SHA1
101d56d520a89ac973099959a317a790d7b75130

SHA256
3fb80b937831aca246d838a129d4e094b8de7fc513fe14f311e1bbaf67cb8a99

SHA512
aec9a4a561978251bc537675fad16818522c6cd6b8f6e5700f96ded4d0c2ba4bd50c5efc8ec5e2ab30fe56f5209e21f1af16f4fb7b599db8184266e474b7a898

Download Submit
memory/1736-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1736-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1736-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1736-0-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/1736-8-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2424-6065-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2484-6064-0x0000000002EC0000-0x0000000002EC2000-memory.dmp

Filesize
8KB

Download
memory/2484-894-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2484-6069-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2484-5381-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2484-1926-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2484-1925-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2484-10-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2484-12-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2484-1227-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2484-11-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download