teslacrypt | ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 17:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
Size

376KB
MD5

58999b891c115ca4cd983c9675724890
SHA1

8157379d1d1a40de5dfd00ea70c2cacc6b5d2f5e
SHA256

ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315
SHA512

6773b60e8ad7e940724daf5aa81cd1c08c113b4087c6ff69b21a12fd3c684e441007ab2968780ad5c0425a45ee1b2f3b8f486cc832415ce21f75da0b65e522ed
SSDEEP

6144:ue3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:uY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bggqw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8558F3F2A5143E52 2. http://kkd47eh4hdjshb5t.angortra.at/8558F3F2A5143E52 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/8558F3F2A5143E52 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/8558F3F2A5143E52 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8558F3F2A5143E52 http://kkd47eh4hdjshb5t.angortra.at/8558F3F2A5143E52 http://ytrest84y5i456hghadefdsd.pontogrot.com/8558F3F2A5143E52 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/8558F3F2A5143E52

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8558F3F2A5143E52

http://kkd47eh4hdjshb5t.angortra.at/8558F3F2A5143E52

http://ytrest84y5i456hghadefdsd.pontogrot.com/8558F3F2A5143E52

http://xlowfznrg4wf7dli.ONION/8558F3F2A5143E52

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bggqw.html	dltalnccsvya.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	dltalnccsvya.exe
2180	dltalnccsvya.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\kyycwumawyac = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dltalnccsvya.exe\""	dltalnccsvya.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1288 set thread context of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 2736 set thread context of 2180	2736	dltalnccsvya.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	dltalnccsvya.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	dltalnccsvya.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak	dltalnccsvya.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\Recovery+bggqw.png	dltalnccsvya.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\Recovery+bggqw.html	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\Recovery+bggqw.txt	dltalnccsvya.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\Recovery+bggqw.html	dltalnccsvya.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dltalnccsvya.exe	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
File opened for modification	C:\Windows\dltalnccsvya.exe	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dltalnccsvya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dltalnccsvya.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000005631ab16783a41b2575ac6e90c411a6b21d2bc5bb918c311f2e497850c49090e000000000e8000000002000020000000588c3ceb49374d48cef1a3421e3d14c99c6550309b704a57e8a491c10e7074f6900000009ae501ec2099db596432741c4cb78f24e5667fa379fda6915027ee8c301f0d878fb3567218c0c00088573e5957ba5f99d6b6ba75354ae1fdd00cb9a7bd493b9c0c6c5447e56c2953b29a4d47cb28cfd69f5e5828a9dcc0693e269800c85df1e4353d55d03ac47a0cd9018a3b03e880d4a6b859f8e8afcfd0791962d0b49b1fff2d2f0427f9bce241deb5984f5f30b82440000000c578eb93acb8d31eb7afc8c9e4970c00fe9e696f283adc22b95995658a472ba123bc6af389fd38ae3e654cc0eb13cc9813e81fd43f84eb7dc3b1aabf31de49b1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67719351-8D74-11EF-94A4-62CAC36041A9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000006f482b5476c9f928d2c6a3b85850d664c7886a4cb4d8aa95ccb1d50d381209b000000000e8000000002000020000000c6a12086eaeca37a07c70c94721a15cb272b652d482184ddd00d19ba68ad160920000000cd3803006694ac315d1bc5cf080a48e576756a637cf448044af3d0c12ff5f8984000000088a2a68a0169c456b04ac5e34b207ba81277b75e421cdfe9c7ebbbe6bb65f34cdad9f6b1846b741a3ab0d1f78498dec5c6c2005d7f9693b5f1c72ae1ca4b65de	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5089f23b8121db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2872	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe
2180	dltalnccsvya.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	dltalnccsvya.exe
Token: SeIncreaseQuotaPrivilege	708	WMIC.exe
Token: SeSecurityPrivilege	708	WMIC.exe
Token: SeTakeOwnershipPrivilege	708	WMIC.exe
Token: SeLoadDriverPrivilege	708	WMIC.exe
Token: SeSystemProfilePrivilege	708	WMIC.exe
Token: SeSystemtimePrivilege	708	WMIC.exe
Token: SeProfSingleProcessPrivilege	708	WMIC.exe
Token: SeIncBasePriorityPrivilege	708	WMIC.exe
Token: SeCreatePagefilePrivilege	708	WMIC.exe
Token: SeBackupPrivilege	708	WMIC.exe
Token: SeRestorePrivilege	708	WMIC.exe
Token: SeShutdownPrivilege	708	WMIC.exe
Token: SeDebugPrivilege	708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	708	WMIC.exe
Token: SeRemoteShutdownPrivilege	708	WMIC.exe
Token: SeUndockPrivilege	708	WMIC.exe
Token: SeManageVolumePrivilege	708	WMIC.exe
Token: 33	708	WMIC.exe
Token: 34	708	WMIC.exe
Token: 35	708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	476	WMIC.exe
Token: SeSecurityPrivilege	476	WMIC.exe
Token: SeTakeOwnershipPrivilege	476	WMIC.exe
Token: SeLoadDriverPrivilege	476	WMIC.exe
Token: SeSystemProfilePrivilege	476	WMIC.exe
Token: SeSystemtimePrivilege	476	WMIC.exe
Token: SeProfSingleProcessPrivilege	476	WMIC.exe
Token: SeIncBasePriorityPrivilege	476	WMIC.exe
Token: SeCreatePagefilePrivilege	476	WMIC.exe
Token: SeBackupPrivilege	476	WMIC.exe
Token: SeRestorePrivilege	476	WMIC.exe
Token: SeShutdownPrivilege	476	WMIC.exe
Token: SeDebugPrivilege	476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	476	WMIC.exe
Token: SeRemoteShutdownPrivilege	476	WMIC.exe
Token: SeUndockPrivilege	476	WMIC.exe
Token: SeManageVolumePrivilege	476	WMIC.exe
Token: 33	476	WMIC.exe
Token: 34	476	WMIC.exe
Token: 35	476	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2876	iexplore.exe
1796	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2876	iexplore.exe
2876	iexplore.exe
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
1796	DllHost.exe
1796	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2744	1288	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2736	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	32
PID 2744 wrote to memory of 2736	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	32
PID 2744 wrote to memory of 2736	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	32
PID 2744 wrote to memory of 2736	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	32
PID 2744 wrote to memory of 2812	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	33
PID 2744 wrote to memory of 2812	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	33
PID 2744 wrote to memory of 2812	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	33
PID 2744 wrote to memory of 2812	2744	58999b891c115ca4cd983c9675724890_JaffaCakes118.exe	33
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2736 wrote to memory of 2180	2736	dltalnccsvya.exe	35
PID 2180 wrote to memory of 708	2180	dltalnccsvya.exe	36
PID 2180 wrote to memory of 708	2180	dltalnccsvya.exe	36
PID 2180 wrote to memory of 708	2180	dltalnccsvya.exe	36
PID 2180 wrote to memory of 708	2180	dltalnccsvya.exe	36
PID 2180 wrote to memory of 2872	2180	dltalnccsvya.exe	40
PID 2180 wrote to memory of 2872	2180	dltalnccsvya.exe	40
PID 2180 wrote to memory of 2872	2180	dltalnccsvya.exe	40
PID 2180 wrote to memory of 2872	2180	dltalnccsvya.exe	40
PID 2180 wrote to memory of 2876	2180	dltalnccsvya.exe	41
PID 2180 wrote to memory of 2876	2180	dltalnccsvya.exe	41
PID 2180 wrote to memory of 2876	2180	dltalnccsvya.exe	41
PID 2180 wrote to memory of 2876	2180	dltalnccsvya.exe	41
PID 2876 wrote to memory of 2708	2876	iexplore.exe	43
PID 2876 wrote to memory of 2708	2876	iexplore.exe	43
PID 2876 wrote to memory of 2708	2876	iexplore.exe	43
PID 2876 wrote to memory of 2708	2876	iexplore.exe	43
PID 2180 wrote to memory of 476	2180	dltalnccsvya.exe	44
PID 2180 wrote to memory of 476	2180	dltalnccsvya.exe	44
PID 2180 wrote to memory of 476	2180	dltalnccsvya.exe	44
PID 2180 wrote to memory of 476	2180	dltalnccsvya.exe	44
PID 2180 wrote to memory of 2568	2180	dltalnccsvya.exe	46
PID 2180 wrote to memory of 2568	2180	dltalnccsvya.exe	46
PID 2180 wrote to memory of 2568	2180	dltalnccsvya.exe	46
PID 2180 wrote to memory of 2568	2180	dltalnccsvya.exe	46

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dltalnccsvya.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dltalnccsvya.exe

C:\Users\Admin\AppData\Local\Temp\58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58999b891c115ca4cd983c9675724890_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\58999b891c115ca4cd983c9675724890_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\58999b891c115ca4cd983c9675724890_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\dltalnccsvya.exe
    C:\Windows\dltalnccsvya.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\dltalnccsvya.exe
      C:\Windows\dltalnccsvya.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2180
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2872
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2708
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:476
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DLTALN~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\58999B~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bggqw.html

Filesize
7KB

MD5
4083d66aadd6527755496b7b4da5b919

SHA1
283172e7dc7800504c582e85de9a4cc58c60fa75

SHA256
50eacf7e431c33dddb7075f740ff475979c6a2d96058cd6804861d0e26d228f8

SHA512
f4553ea2e944972e4066a32249c61e295e665cfb718e202f76fc1173d4d1eea373ead04e3532bef7ca9fb3a2ceb1a090c114ec22c094049cd3fc5647baed7c5f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bggqw.png

Filesize
63KB

MD5
92067a4884ba3a8024e7c48e6961adf1

SHA1
cebd6004da125df3612050087457dfa4fcd92ae6

SHA256
e88015f8ed3c0c33ee8f68292fb2abfa86c03a2fc449bf2f84ccaf8ec79da3e3

SHA512
d029a4e5a303543acf58b194d823c98a391b9a8bcf1e037f29a5c1c26d66d13785965ded649e71ab5b8bb3dd3ecc26c928b57ce8ebb1aede587abedeebc14241

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bggqw.txt

Filesize
1KB

MD5
ee9b5e948d2d92a05c08ee0af62af5e7

SHA1
44ec99c10d2231689984a3551aa6bca1e368fddc

SHA256
81781e36f1fdea14469ce18e74fcdfdd8525d013cb755fd73523d25aea95a877

SHA512
0f461b10a6ad4ca2de84413156e29c5c8de43f55e3ba0f7a28adbac8bb4abc4d48cb8379dfcb864a775144df17abe883d2ca4dc91c8128ce00ccc4fbdb39657c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e380582c80a64a2110b1c533b54ee396

SHA1
da18e950980979bf1afcbffff1f24296d73652a6

SHA256
c3437b4078239dd282ea5e8f77f40f605b690623759210057ece97af306e74fa

SHA512
419180b2460d63bec96a86fcf6ae840e123426ba8744506d8f0f682fe1a41eb1f5430738f16f802825e1ba8433978ecf22bfb14f8f057fa0abe9e9ff4a5f801a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
7b3567d6e7700ffcbe7416a8c7d8f595

SHA1
cf32da5c8adab378bdebb1cc1170ee674d72769e

SHA256
5458b349d5267d72179f5a83f8485a0ba0a39eb9d3d5de8af84c8036acb46880

SHA512
346d8ec654e5fdcca8305b3e1d04b7c9c86433aca3bee85038ff14075e3e20c7dc58165f20c4f04eed5a24381c2bf2c329f9c9785b29bf3c13e4c312c90d2dd9

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
2712a3ea0d181079dc596667500c2aaf

SHA1
567f0acb21303e2e7f9050e3d9c49462f339124c

SHA256
4bfd2076045f0fc31c62f70742d4893578047a9d74c57fb242303fd628ed6639

SHA512
7f9225ee9fb4ecab4eff2a745075a446da3ce788068994f8416950b16adc51714e24ff528c4251c72f27ae6a6b43fc93c10b726d7cf4f309886a0aa0e92353b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9451d09cdd91366748b510d5a65df1f

SHA1
2be15bdc83fd28749d056cf40d53ce9d4b88263c

SHA256
6a3aade0193565e03f7b466a941b9300da5db27ea007e50bd7298b7d871c437a

SHA512
8aa809f3e5db322bf0ca6a98ebfaa8a3b471b0560ddcb6ed1b5b8c76f5c38dc1227b177a5c65582a5138967daacf6d6324c798f3d5c678561043861e1086d7e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9fe2314a9212ded529c2386683d874b

SHA1
6aee1cedd1c13bcd5efeff0109d03cc8a7ede79d

SHA256
3a76a22471c754a597a9e1bb28ad1dd4857ede82422d485fcbd2b93d210039c5

SHA512
59de641a574ef7a2196e8c80c987a6dd64b6150580c87560fcc8abb35a0b491fb8437869fb0f0d0e0535e39657d1ed79c25b26c1d21578ba539c6066b626d934

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d2fa9650d5027b34adc6815ebd19237

SHA1
33c181baf3956e6379c9d28164d83e43a67effc8

SHA256
971b3942aa52f984eb6c1a8d18147692b2b55e4494c7d604816fd6d804fcf18f

SHA512
83b8ce4149ad3f15becc8059ba6a74227f7eb0154df570d9d87348edcd2b9ae2a1ff26f8bfe98e1bc665e8fefd17e5778ff9bde33889232c8bb6af248b30b100

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29f1ed747719a840a11674e54ad71c64

SHA1
93341799ffbd980e589e0b3696bd750fd2bd1cd8

SHA256
09a85724ea4603354c89dff029d4b73ae7218fa976a12b80d968734eddcfc4bf

SHA512
0e03dc2cfd14183de802dbc6b86c85f7a7fa2f68750c6f54633910bb49979236c4fa76bfa58f37f7485b18a48a708ab6e2d73f6947e4451a10d70bf01a621360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6b01118d5adecbbcf2d513c66ec2273

SHA1
f51ff7efb8d1f9a1fdcaff932086b10a0327ddcf

SHA256
5291b9ee2728993cfcb3c21b00acf0af7e1b82b7b46f1cca8184c4dd14d39da6

SHA512
91ec0ecdf43e7ec484e1f46e6dc3468abf56e79b9fb056ae294fc932a3d1ef732a085c00a35e6af4610cf808c9fd3f599896f7a94392d905d3cc0e9dd910e119

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95ab38e56d800de97d0508a64944f6f5

SHA1
f1194c4523055c3fa5133660b53c551256f1d3e8

SHA256
e7bea4a666ad3a7344423003978a07a4c4509e29146ade21f00c724ec39198cf

SHA512
1a01e681bde399aaa14191999c5d83923135d366f3ba5647f18016a0a1925f00047b2c401d5bdee9f0a29001e295df69865efe407165b8a522196d9c4ef6d535

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbcf32b156e06b27b07bc5cc25a35ee4

SHA1
0b3ad67a2cb233af33cd9556d3e70eaf16d0339f

SHA256
d50af66bfcdcb816e49442b01ca8ddf9853dc6b332c2a38a3b04a5332207e911

SHA512
b08c1f23b2cbc41633ef09ab301b2a3b085f26097609c66fe9f2db61beeb62009c1efc792883f33bff20ab0fd9aff2497ab2f01bfc35df5561446e0a210d4b6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36f92afb7612656dccb699206943ab41

SHA1
60ff068f03e5554f30eb2602faf64909dab775c7

SHA256
7e9704ff65e923dce4d61a8c8a4d20e6542ddd79f4320cd605d5b2a44ea90516

SHA512
1c5a85d6725f6770daf2db7544a5e6d09e2e8d7fa8b2c88d9ed27e305b1835ab660629f6ffefddd18642b7f73d87be6750311ed38ba384b76335ef78c488ce66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13df47a146fb8c03d218995c89b43e4f

SHA1
6e3d477d4db0127cd515e68fb35572f6c1d1a2ee

SHA256
c294c7aa475327326d53e25700bb8e88b6aa37b04095204f60c5059331067ae2

SHA512
6c6573a1bc91834ee99f49c87e01d7b620fb14f3d271a627f61c888dde2ce1c1b125d8b0223ac4cfb637ca48fa2aaba205dd2d3d0e2568359a4d15b00b82a277

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab125A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12DB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\dltalnccsvya.exe

Filesize
376KB

MD5
58999b891c115ca4cd983c9675724890

SHA1
8157379d1d1a40de5dfd00ea70c2cacc6b5d2f5e

SHA256
ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315

SHA512
6773b60e8ad7e940724daf5aa81cd1c08c113b4087c6ff69b21a12fd3c684e441007ab2968780ad5c0425a45ee1b2f3b8f486cc832415ce21f75da0b65e522ed

Download Submit
memory/1288-20-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/1288-0-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/1288-1-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/1796-6132-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2180-1917-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-3381-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-6265-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-54-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-1918-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-52-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-5067-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-6125-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-6131-0x0000000003FE0000-0x0000000003FE2000-memory.dmp

Filesize
8KB

Download
memory/2180-6134-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2180-6135-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2736-28-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2744-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-8-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-31-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download