teslacrypt | 84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
Size

336KB
MD5

55ef5620d1205df70163818bf84688cd
SHA1

d883ae424be4f1968797f5d1ef3d7968932ab650
SHA256

84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec
SHA512

82f7284808f2e513dac7d3de3cbd13e56699dfa37aa45e936c7b36a7a76ff42ace05d0acb75e454c495a50f0c2d7862114bd9ed23417f1698fc1eb9afcb4b2cd
SSDEEP

6144:0xy9nRqDo0RAua922DNcbCfFpHVKY8E4IvFBJ1KTBNqG:0w9noocAxxDNcbCdfH8E7vtw9Nq

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+xrrop.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/FB34F8CC2045BC29 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FB34F8CC2045BC29 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FB34F8CC2045BC29 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/FB34F8CC2045BC29 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/FB34F8CC2045BC29 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FB34F8CC2045BC29 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FB34F8CC2045BC29 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/FB34F8CC2045BC29

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/FB34F8CC2045BC29

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FB34F8CC2045BC29

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FB34F8CC2045BC29

http://xlowfznrg4wf7dli.ONION/FB34F8CC2045BC29

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (422) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	olclhutyvsnn.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\umtjdujkgmxa = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\olclhutyvsnn.exe\""	olclhutyvsnn.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\DVD Maker\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\settings.css	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css	olclhutyvsnn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	olclhutyvsnn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\_RECoVERY_+xrrop.png	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Microsoft Office\_RECoVERY_+xrrop.txt	olclhutyvsnn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_RECoVERY_+xrrop.html	olclhutyvsnn.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_RECoVERY_+xrrop.png	olclhutyvsnn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\olclhutyvsnn.exe	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
File opened for modification	C:\Windows\olclhutyvsnn.exe	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olclhutyvsnn.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00bced632621db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000012c28d2ffb4838ec4454347cb7045ae05930af09a6143ca8e03577bb0dac74d4000000000e8000000002000020000000fc77ac508dcc24179bfbe8cfeb84905ae490bb9d832c905169c6bf079fe021f2900000004da05184956e989bdec7ed31ba4b099c1766fd8273cefff9e85108b6231de134a12ca7ba3f74d6585400724f013d56a14bfe3f47d7323d6c77ce7f252986d86722fb3bb2876194c37150d319166573925d6fa4931aa9bf07589126eb036aff376104b0f8e917ed5b3d29f3581e5e1685801b6f3b27011e2ac9df67f4a171df1e8e9d4f4495c5566be05f9c4e76c2005040000000f21580b6239cbcd709768e408ace012c87709832172289c008c04e6a3cbdd6d29ff09ea9cb0b5a78029dba72195cb32026450a26b9ea435509ae8afd481f209b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8F59BB01-8D19-11EF-8B3A-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435394506"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000f7662ccb0307f178c02abd4a899af79923db7e77c523180d57e73be0dc3c90ef000000000e800000000200002000000001d9d8a1f6403741a8e7007ec92c9a5512d19a8cd2302c085bf9c75955a73f4c20000000b415747c6747a50aaf86ad26d8a5e7e55c86998ac095a052f7313987bfb491b140000000a8521e69f33377523263c34cf0e91ef72dc15f28959d8eeb457ba2f1833a2d38792d68cb23fa15f785aa90bdc1310a505f7c29959c2c9d1d049ba6426368a077	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1400	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe
2448	olclhutyvsnn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
Token: SeDebugPrivilege	2448	olclhutyvsnn.exe
Token: SeIncreaseQuotaPrivilege	2252	WMIC.exe
Token: SeSecurityPrivilege	2252	WMIC.exe
Token: SeTakeOwnershipPrivilege	2252	WMIC.exe
Token: SeLoadDriverPrivilege	2252	WMIC.exe
Token: SeSystemProfilePrivilege	2252	WMIC.exe
Token: SeSystemtimePrivilege	2252	WMIC.exe
Token: SeProfSingleProcessPrivilege	2252	WMIC.exe
Token: SeIncBasePriorityPrivilege	2252	WMIC.exe
Token: SeCreatePagefilePrivilege	2252	WMIC.exe
Token: SeBackupPrivilege	2252	WMIC.exe
Token: SeRestorePrivilege	2252	WMIC.exe
Token: SeShutdownPrivilege	2252	WMIC.exe
Token: SeDebugPrivilege	2252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2252	WMIC.exe
Token: SeRemoteShutdownPrivilege	2252	WMIC.exe
Token: SeUndockPrivilege	2252	WMIC.exe
Token: SeManageVolumePrivilege	2252	WMIC.exe
Token: 33	2252	WMIC.exe
Token: 34	2252	WMIC.exe
Token: 35	2252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2252	WMIC.exe
Token: SeSecurityPrivilege	2252	WMIC.exe
Token: SeTakeOwnershipPrivilege	2252	WMIC.exe
Token: SeLoadDriverPrivilege	2252	WMIC.exe
Token: SeSystemProfilePrivilege	2252	WMIC.exe
Token: SeSystemtimePrivilege	2252	WMIC.exe
Token: SeProfSingleProcessPrivilege	2252	WMIC.exe
Token: SeIncBasePriorityPrivilege	2252	WMIC.exe
Token: SeCreatePagefilePrivilege	2252	WMIC.exe
Token: SeBackupPrivilege	2252	WMIC.exe
Token: SeRestorePrivilege	2252	WMIC.exe
Token: SeShutdownPrivilege	2252	WMIC.exe
Token: SeDebugPrivilege	2252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2252	WMIC.exe
Token: SeRemoteShutdownPrivilege	2252	WMIC.exe
Token: SeUndockPrivilege	2252	WMIC.exe
Token: SeManageVolumePrivilege	2252	WMIC.exe
Token: 33	2252	WMIC.exe
Token: 34	2252	WMIC.exe
Token: 35	2252	WMIC.exe
Token: SeBackupPrivilege	1636	vssvc.exe
Token: SeRestorePrivilege	1636	vssvc.exe
Token: SeAuditPrivilege	1636	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1232	WMIC.exe
Token: SeSecurityPrivilege	1232	WMIC.exe
Token: SeTakeOwnershipPrivilege	1232	WMIC.exe
Token: SeLoadDriverPrivilege	1232	WMIC.exe
Token: SeSystemProfilePrivilege	1232	WMIC.exe
Token: SeSystemtimePrivilege	1232	WMIC.exe
Token: SeProfSingleProcessPrivilege	1232	WMIC.exe
Token: SeIncBasePriorityPrivilege	1232	WMIC.exe
Token: SeCreatePagefilePrivilege	1232	WMIC.exe
Token: SeBackupPrivilege	1232	WMIC.exe
Token: SeRestorePrivilege	1232	WMIC.exe
Token: SeShutdownPrivilege	1232	WMIC.exe
Token: SeDebugPrivilege	1232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1232	WMIC.exe
Token: SeRemoteShutdownPrivilege	1232	WMIC.exe
Token: SeUndockPrivilege	1232	WMIC.exe
Token: SeManageVolumePrivilege	1232	WMIC.exe
Token: 33	1232	WMIC.exe
Token: 34	1232	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
596	iexplore.exe
1780	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
596	iexplore.exe
596	iexplore.exe
548	IEXPLORE.EXE
548	IEXPLORE.EXE
1780	DllHost.exe
1780	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2448	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2448	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2448	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2448	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2636	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	32
PID 2036 wrote to memory of 2636	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	32
PID 2036 wrote to memory of 2636	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	32
PID 2036 wrote to memory of 2636	2036	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	32
PID 2448 wrote to memory of 2252	2448	olclhutyvsnn.exe	34
PID 2448 wrote to memory of 2252	2448	olclhutyvsnn.exe	34
PID 2448 wrote to memory of 2252	2448	olclhutyvsnn.exe	34
PID 2448 wrote to memory of 2252	2448	olclhutyvsnn.exe	34
PID 2448 wrote to memory of 1400	2448	olclhutyvsnn.exe	42
PID 2448 wrote to memory of 1400	2448	olclhutyvsnn.exe	42
PID 2448 wrote to memory of 1400	2448	olclhutyvsnn.exe	42
PID 2448 wrote to memory of 1400	2448	olclhutyvsnn.exe	42
PID 2448 wrote to memory of 596	2448	olclhutyvsnn.exe	43
PID 2448 wrote to memory of 596	2448	olclhutyvsnn.exe	43
PID 2448 wrote to memory of 596	2448	olclhutyvsnn.exe	43
PID 2448 wrote to memory of 596	2448	olclhutyvsnn.exe	43
PID 596 wrote to memory of 548	596	iexplore.exe	45
PID 596 wrote to memory of 548	596	iexplore.exe	45
PID 596 wrote to memory of 548	596	iexplore.exe	45
PID 596 wrote to memory of 548	596	iexplore.exe	45
PID 2448 wrote to memory of 1232	2448	olclhutyvsnn.exe	46
PID 2448 wrote to memory of 1232	2448	olclhutyvsnn.exe	46
PID 2448 wrote to memory of 1232	2448	olclhutyvsnn.exe	46
PID 2448 wrote to memory of 1232	2448	olclhutyvsnn.exe	46
PID 2448 wrote to memory of 2028	2448	olclhutyvsnn.exe	48
PID 2448 wrote to memory of 2028	2448	olclhutyvsnn.exe	48
PID 2448 wrote to memory of 2028	2448	olclhutyvsnn.exe	48
PID 2448 wrote to memory of 2028	2448	olclhutyvsnn.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	olclhutyvsnn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	olclhutyvsnn.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\olclhutyvsnn.exe
  C:\Windows\olclhutyvsnn.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2448
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1400
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:596 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:548
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OLCLHU~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\55EF56~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+xrrop.html

Filesize
11KB

MD5
22567f493e8ee8315b6904ad25d0c94b

SHA1
7ede92d7943bf0f7e4a4767430ae9f19d3c1e93b

SHA256
542b4c83d925e2d00e2f1a1878629ddb7285e7ef6b09ad91b1a40f0f2572f873

SHA512
3c8996109c8653394117a9d53a38313c6475a0c306e6ca1676496f98bf15c010f13db799131bedfbb376aeff5155c0a13f081c63f892b187089e6a9674b1b591

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+xrrop.png

Filesize
63KB

MD5
71abaab94addeb0aacf29053f36514d7

SHA1
4a07bff556702b5cf5562a85c0741749e9b46bc5

SHA256
ee23b9fee60a9093a59b27059c97faabe9587557265fea7c2389b38fa217d349

SHA512
3c1ec0fb3ee1be8ac72e44bf8009b7cd0859fb8e4f50ca4162ccbec5f2bfa1d441d732a2e26d5be4ccb9ff959daa9b9f5c6324afff5a55460f6e1c712363cb4e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+xrrop.txt

Filesize
1KB

MD5
7a18dd9e3713e06e38ba55df26079981

SHA1
1f7e9433cdd0af2c90c449018bc0df22abc7098f

SHA256
c1cb6ca32a65b48b468a81643f88bc568368297915ff4965b31ad462824f653c

SHA512
efc2f7f1d4acf7c21a8395c1a349a71f003e0d36bd37a55e2df87c8a1724e9d3595a36b61f35958c3bc0d0ffbf52532827e42134bcf541734bdf5d60ad055011

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
8f3925e2bffc0f555b2b59391e327d06

SHA1
6626a592c340a3a0f083e986b760ed982f4dde5b

SHA256
c42c8b70dedbe88cbeaed3486b3bb83298937e4cec9fc0cd81cbdecdde7bc513

SHA512
91afba9afd593d2c5bca5e711bc97bca5e2790159ba9a9b5382941e3e7f594af80828721063e2cf662123933f0ef8a3f37df8ad7d98847c1e8d38b0d981333ec

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
eab261f4812d03ca99c175db25fe687b

SHA1
ea710748916a77f7835f331eec252bcc56687c3d

SHA256
88b961da17654499b158a56507d9bb6678422c8e18e7384c7b78e40fce7440d3

SHA512
23cbf5208272335a8170bf1ae6d114ccabec2aca6fe8a7fba754a2b3397cc96b0f128d018af2c8505d0c24d1522fe2650c524e79b3aa75510452e5096835fce9

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
da39913fc2dda046887551b03a8c01ef

SHA1
232c69cf7b555383586f43aa8b54c598a1368e0b

SHA256
e00390b16e73bee4d0648cec918510b2c31c4cd05311aa3e8756c6c823d83d48

SHA512
3dbc34480851ee30bfcced19b4ec5d1f0e8453112b1810edb2f99af1ab7a0d3bf22479afd8bed8e62931fffdb99546ccf32111edfd639dc6941c1ae63f02cc19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
305ea8db11179d9a7009884495e4b04c

SHA1
2d321863d44ca256528fc9fdc96f3934b9adf035

SHA256
26f6c9fe05ec6c927a5ae3374235f88003b515734f01f8acbc8bc4e68fb3d4f5

SHA512
ca4ceef056fe97b521c64f4833980418ea439490ead6c4914c5e1ede57fa7a9831ba043ec0dc2538dfd7d6daafd610a797789c324977609700ee2638d486cd3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
631e27cf772e26fb07d25630df6c416d

SHA1
d8bc40c46a430e2cccd562bef070eb878b5221df

SHA256
dd7ca653412ed3e34740cd3cb7bb1a3c9bfa0b9c7c2e06ce15dbd37cd096f6e8

SHA512
e7b240007ebf43da70ea0706bcca83c8e2630877873fe195a1b59ad73d525a57593e4e3bae5eddb9bde90152ed48ff3bc2b7cebfef26f1754b85bbe6a38498e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92180bdaba778ba0efb92f0af2263532

SHA1
cd59b3afa9fdcdcc97a451528521371e59106365

SHA256
35557ff4db5919ab7831e2ea64efe252d8a7a21efb09d153c4da882663462ce0

SHA512
fac971ffd069c0aecf853f9898eb90a6c0248a44009aedb1404f5237ce85d259dc4a6eb1fb1aea1a3306b908cd5f48871bb402a884186bb42fcc922fbac70979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5caf16028101cd876f74a1d4361a1ec

SHA1
95023bac62c9d5af6ba49b70d8ab2aca1796960f

SHA256
447d9c8ca2410e52324fa8c5f97540db49d974659ea70fcc6d95a2d8630d12c3

SHA512
ca5cfac57507420e2d5a1ca6e589483d1d3adb5843aa82ff5bded2d7448a85d0e6a1ed52b6e9eb2d1eb820ebd565d486fef48d6d4bcb23a188b1ff4c25d52433

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73594fcc49250f0c62a898e91718aea0

SHA1
569293dd1cb693414d0d458b288b2b7791bb6f9c

SHA256
acc3ecb0a4ef891da8d42f19088ce7307780f989dfc8168cad9976272f6ccc72

SHA512
2c95781a0b521e7a53524d924b234d729998be30a1de099ef30251dafce260bcc9d2939aa7f31b403d1f31531d0882784b694f28a48e58d8ad91e9b4f1133db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d4f1e1568b70418e7386037571a888c

SHA1
8afc285c0a1228727b61b24e47b73572e5020a28

SHA256
604b52467884bb164f591531837f8c3843e677f3ec5bf5e6b4adab0fafc0233a

SHA512
d6f0006d93cee599e8b708ddc9aae250ba89f63769c7d35e174a060837e0dc856cfb97ac86d3c0313a29fc28f68d6789961e8858ef3698468b0e1da2bbb2bba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20089847c29ada8175d15dc8075f2563

SHA1
82e307beb1de13643a5d56c0ba8d63fb61d25818

SHA256
d15075dc1ed150abbdb23cc8da3de6cb8fa7e3db92f1586425015fda73b742d6

SHA512
066a94f7f5962c70bd375a037b4e407e36ade59c49c3c4ff63b520b21b5b6bdea9a37871941d6d3aad5fe7f81498ed786acb18ae862b4aea754a9bb2e588f58f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af7c2d307987a28d6978ce0b9c406254

SHA1
d3d6d8c5caaa53f8d8ab4338e88b0c8f28706a7a

SHA256
baca551f8abf179b1118645716f8d3ea9a219c9304c61b22a09f825705137057

SHA512
5b79b5232a3daa5488f30e660b250f1319d0c40793f6bc15ff5fb8e4694daf4e45edec22d758e027ca238eb02b7387faccd2687dbc036dfdef5dab1c60a1e544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3bb4148c74033fa18de7f610bf30cd7

SHA1
52fcedca03f268a8875ff84d6442319ea39aa2d7

SHA256
92992e9bf0a21f2df61cf9298e4d29491455e875f259005f8c34b11cf59f7ef4

SHA512
52e1ce917d8f6c1d25c8f7d585ad537a15dce4b42c491d4b4b3f8512e716a19b70839a4aa756526645c7b2d526282489b52ca063d5d89878e576fd8eda7ac383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1deb2febe080a8b1a1d9fcf34a7b326

SHA1
ec3ac4e06b1b94bec46236bae4da35e608492018

SHA256
b583deaf080ce88ed05979ac9d4a174e77ca770c8e6b8e4f62d8b1ba74a6d129

SHA512
5cba0b8ec0c54a8d8746e1852d555e48ea57fd4a2ba5ca4412042d971537cbd6b5501770e40e459f570a9ad8ee883f400f1582e57efff6dbc589dc736ebba707

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c80a9ddc693a6f6e4db1ae18503b1e17

SHA1
eb0f27d5f3e1843d3dd3a65675eb16991c89cde9

SHA256
83d9f4ab854fe4802acdb54f42ec91801770c6fc95ba65aa67242ba3a4b9b55c

SHA512
4065a9fb8d0805195a52ea78aebd221a612fe7f0be271d956a40891ea713e534b281b900e35f212e4048d288bf94fe33634f41ecc25764c768656fb9397823f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21128f351f382f65d35248543f212d59

SHA1
c14a5d53beb40853357d4a2e3d521d3d0093d15d

SHA256
1f21e5bc69132c216cddae0af874d8f18adc9454b49ecf672e8835d8a73be6dd

SHA512
6ceb407dcc1d398c8689bc86b6373f358688814640ac89046d985a3c42c78891240690a8513e90717967c5283013ba6d00d61fc7a2047e2f48f5381e3b64d4ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8882e7c84af9dae1166c5f1b88b4d7e1

SHA1
9850fef0d25fcd01f99e7f0b411458be11e5ee4f

SHA256
4b5bda9b2627e2f246aff34a8e673fcbb62155c135d5ca2b294073a50b4d7c48

SHA512
9b91b03d991a455fd0818233e527b7c9e0836529eb5a21a018db1c0dab53ba68cfb5710f7865d521a1884ec31cbc9ab6cd01c3a79eb98c74c760237df4f18781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac783bbc77a0fd93356d049fb5b9221a

SHA1
f6ddbeba2137d355f37ec4af106cecb7199d048d

SHA256
0186d1651fa0193384706b51e6e17dab257f973f9af6b346923f3202796435e5

SHA512
fd9f97dc5212b8a821bacace0ea8b140ee8e157b96d42400d609edee7c2c70201ca7d86e20e06d8c552048ae16d40d6f5e29fa31cd2535ada35189dfd57e23ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91bff4925bc6e20c3c6b62ca27f5298d

SHA1
8b104acf71d017ace1dfefc2517fcde90b82c827

SHA256
b781d47b6987cdaaf64877e097b38f6eda5f2cd942196d056caa35a3f1fe8461

SHA512
917d4f6bc652114d9508c911372718b05aea9470e9647abb5511e2a99aba49f5cf410f13d756cee176ee6958acc540a7d43ef7462071062e15c4d139c0529183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
407203caf57abf2b41dd1eb855c01aa1

SHA1
08e48ad3d40df6197218c8a1fb5b839f79ba9bbf

SHA256
fe57b448dad5700a167061fe683d8287276708d925ce30f764906d757aa61eb1

SHA512
b4e00f0552a14974a156075eb9b3cefd68daa3d0027b3d1be76956dee83936ebaa8f5f07e14302d7f5eb662edd3fefeba9c91fa74c941d2fb02a4243137ec9ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46c5f275796d1a026d672e4e3ec19052

SHA1
8c808611db438a1cd4c7ec053bfb5124faafc7f3

SHA256
219f502f071920746949af1304e05a5ab6c3a752677fa299fb091750a31aa1fd

SHA512
dbb91526d933b6afbdb2e43339bee372e0da8f06eb8f783736fe05075f106d3d98b8a478e8767d4961955449861ab6379db4159305cf0216b50825cf26892a68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
092628185e4a0b90886b5f53f9d89caa

SHA1
3ec0abb318f26d76faa0590d0de4f40ca0cdadf3

SHA256
483547e9643ee47af27a82b06d9d7ab916c6046f7b73937583c471d560fe7a48

SHA512
f47a7bbf9f249da194b6cffa5cc2dbe27e65bca4aaef82af004f5af6c4fdde89f12285a7b4c9436585339a24d3c015407dccefef4ebe9cee99f5d0f971296e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4B54.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4BC6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\olclhutyvsnn.exe

Filesize
336KB

MD5
55ef5620d1205df70163818bf84688cd

SHA1
d883ae424be4f1968797f5d1ef3d7968932ab650

SHA256
84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec

SHA512
82f7284808f2e513dac7d3de3cbd13e56699dfa37aa45e936c7b36a7a76ff42ace05d0acb75e454c495a50f0c2d7862114bd9ed23417f1698fc1eb9afcb4b2cd

Download Submit
memory/1780-6067-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2036-1-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2036-0-0x00000000004A0000-0x0000000000526000-memory.dmp

Filesize
536KB

Download
memory/2036-12-0x00000000004A0000-0x0000000000526000-memory.dmp

Filesize
536KB

Download
memory/2036-11-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2448-5981-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2448-13-0x0000000002260000-0x00000000022E6000-memory.dmp

Filesize
536KB

Download
memory/2448-2253-0x0000000002260000-0x00000000022E6000-memory.dmp

Filesize
536KB

Download
memory/2448-2251-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2448-6070-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2448-6066-0x0000000002850000-0x0000000002852000-memory.dmp

Filesize
8KB

Download