teslacrypt | 6d2f0ac4c9a201202ffdb019c0ce82686a537deaa7fb8023ea42f7701cc10f14

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe
Size

340KB
MD5

c0a01298c05f2734155a1f73fd8655cc
SHA1

5bf6d78e9acd944c085812a1274c812c404a8278
SHA256

6d2f0ac4c9a201202ffdb019c0ce82686a537deaa7fb8023ea42f7701cc10f14
SHA512

6c081ae832b0f429ecc719ab112256860f1729e24bc12a454e15f6567343e9e9eb5669e5075d18df7567035f3d73b4b35dfc3968cd2c1713467789fb6292c9e7
SSDEEP

6144:6tY1LwQ/VVMixib/6+dx040XljnZm766y0:6qdwQ/4qi3dxD+bN6y0

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lhnxg.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://t54ndnku456ngkwsudqer.wallymac.com/B395E73B1CAC2DEF 2 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/B395E73B1CAC2DEF 3 - http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/B395E73B1CAC2DEF If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/B395E73B1CAC2DEF 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/B395E73B1CAC2DEF http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/B395E73B1CAC2DEF http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/B395E73B1CAC2DEF Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/B395E73B1CAC2DEF

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/B395E73B1CAC2DEF

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/B395E73B1CAC2DEF

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/B395E73B1CAC2DEF

http://xlowfznrg4wf7dli.ONION/B395E73B1CAC2DEF

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (432) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe

Executes dropped EXE 1 IoCs

pid	Process
2228	xpgfuwensvpk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\xomyutl = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\xpgfuwensvpk.exe"	xpgfuwensvpk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Full.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\cpu.css	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_ReCoVeRy_+lhnxg.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Flyout_Thumbnail_Shadow.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\_ReCoVeRy_+lhnxg.html	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_ReCoVeRy_+lhnxg.png	xpgfuwensvpk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	xpgfuwensvpk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xpgfuwensvpk.exe	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe
File opened for modification	C:\Windows\xpgfuwensvpk.exe	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpgfuwensvpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c6316c31541e6d419a67790af23364ab000000000200000000001066000000010000200000001a0e69aff02021ecda95e264dc38d8821482180bf1d1b873725a9b6fb284c4b8000000000e800000000200002000000041bf5e9a81ed83ff841812069bc22831b482414511329193b6c703632907ad9e9000000077a24a7518d606b5921c61dc456f7eb28bbd1a7dfe3ac3acd9877bce83ec364780862c382f108f69ac3f38dc4800f8d8753814d30a0c448a41be0e8d53bf19a2797bafcf47d310f0ef2a01ca8208379456d92894d1201003e49587a3ade7df5b9caff53992adf1a83391793ac5a39f09e1472e84cd8e7d0c18c93311f8ef655169ca54d7c9256a2ebbad77d22dbc74b940000000b4a779d45fdd4712d9b1546b5dea99285204b30be606a0e8f975e5ab3b16c35b7f2e6870a810628888d6a2b690ca2321134294dcf44aa9551f7e00571c3996dc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c6316c31541e6d419a67790af23364ab000000000200000000001066000000010000200000004607bc108f40cea9c2df79f62d1758aba76c4b852f97c9798a3897180392e87d000000000e8000000002000020000000ca1dd246cce490cd74070e4e8430d2080ba5d7872258f0c97a6dfccfc83accba200000000fcd156c9be2f622740040ed29044069303780d103af7f5838cf53853ff5d73d400000006e166e21853d5fa031d66c747322039fca1ca6eb524aac4f3c6741653a44dded25b420892cb877f10cb7b1404140d3b55753f6a86b905d25ae42e44db7aca05c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F20DC1F1-B1F0-11EF-833B-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439445255"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703d98c6fd45db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2336	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe
2228	xpgfuwensvpk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2228	xpgfuwensvpk.exe
Token: SeIncreaseQuotaPrivilege	2832	WMIC.exe
Token: SeSecurityPrivilege	2832	WMIC.exe
Token: SeTakeOwnershipPrivilege	2832	WMIC.exe
Token: SeLoadDriverPrivilege	2832	WMIC.exe
Token: SeSystemProfilePrivilege	2832	WMIC.exe
Token: SeSystemtimePrivilege	2832	WMIC.exe
Token: SeProfSingleProcessPrivilege	2832	WMIC.exe
Token: SeIncBasePriorityPrivilege	2832	WMIC.exe
Token: SeCreatePagefilePrivilege	2832	WMIC.exe
Token: SeBackupPrivilege	2832	WMIC.exe
Token: SeRestorePrivilege	2832	WMIC.exe
Token: SeShutdownPrivilege	2832	WMIC.exe
Token: SeDebugPrivilege	2832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2832	WMIC.exe
Token: SeRemoteShutdownPrivilege	2832	WMIC.exe
Token: SeUndockPrivilege	2832	WMIC.exe
Token: SeManageVolumePrivilege	2832	WMIC.exe
Token: 33	2832	WMIC.exe
Token: 34	2832	WMIC.exe
Token: 35	2832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2832	WMIC.exe
Token: SeSecurityPrivilege	2832	WMIC.exe
Token: SeTakeOwnershipPrivilege	2832	WMIC.exe
Token: SeLoadDriverPrivilege	2832	WMIC.exe
Token: SeSystemProfilePrivilege	2832	WMIC.exe
Token: SeSystemtimePrivilege	2832	WMIC.exe
Token: SeProfSingleProcessPrivilege	2832	WMIC.exe
Token: SeIncBasePriorityPrivilege	2832	WMIC.exe
Token: SeCreatePagefilePrivilege	2832	WMIC.exe
Token: SeBackupPrivilege	2832	WMIC.exe
Token: SeRestorePrivilege	2832	WMIC.exe
Token: SeShutdownPrivilege	2832	WMIC.exe
Token: SeDebugPrivilege	2832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2832	WMIC.exe
Token: SeRemoteShutdownPrivilege	2832	WMIC.exe
Token: SeUndockPrivilege	2832	WMIC.exe
Token: SeManageVolumePrivilege	2832	WMIC.exe
Token: 33	2832	WMIC.exe
Token: 34	2832	WMIC.exe
Token: 35	2832	WMIC.exe
Token: SeBackupPrivilege	2844	vssvc.exe
Token: SeRestorePrivilege	2844	vssvc.exe
Token: SeAuditPrivilege	2844	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe
Token: SeDebugPrivilege	2892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2892	WMIC.exe
Token: SeRemoteShutdownPrivilege	2892	WMIC.exe
Token: SeUndockPrivilege	2892	WMIC.exe
Token: SeManageVolumePrivilege	2892	WMIC.exe
Token: 33	2892	WMIC.exe
Token: 34	2892	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2372	iexplore.exe
2212	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2372	iexplore.exe
2372	iexplore.exe
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2212	DllHost.exe
2212	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2228	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2228	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2228	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2228	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2528	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2528	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2528	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2528	2216	c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe	32
PID 2228 wrote to memory of 2832	2228	xpgfuwensvpk.exe	34
PID 2228 wrote to memory of 2832	2228	xpgfuwensvpk.exe	34
PID 2228 wrote to memory of 2832	2228	xpgfuwensvpk.exe	34
PID 2228 wrote to memory of 2832	2228	xpgfuwensvpk.exe	34
PID 2228 wrote to memory of 2336	2228	xpgfuwensvpk.exe	42
PID 2228 wrote to memory of 2336	2228	xpgfuwensvpk.exe	42
PID 2228 wrote to memory of 2336	2228	xpgfuwensvpk.exe	42
PID 2228 wrote to memory of 2336	2228	xpgfuwensvpk.exe	42
PID 2228 wrote to memory of 2372	2228	xpgfuwensvpk.exe	43
PID 2228 wrote to memory of 2372	2228	xpgfuwensvpk.exe	43
PID 2228 wrote to memory of 2372	2228	xpgfuwensvpk.exe	43
PID 2228 wrote to memory of 2372	2228	xpgfuwensvpk.exe	43
PID 2372 wrote to memory of 2836	2372	iexplore.exe	45
PID 2372 wrote to memory of 2836	2372	iexplore.exe	45
PID 2372 wrote to memory of 2836	2372	iexplore.exe	45
PID 2372 wrote to memory of 2836	2372	iexplore.exe	45
PID 2228 wrote to memory of 2892	2228	xpgfuwensvpk.exe	46
PID 2228 wrote to memory of 2892	2228	xpgfuwensvpk.exe	46
PID 2228 wrote to memory of 2892	2228	xpgfuwensvpk.exe	46
PID 2228 wrote to memory of 2892	2228	xpgfuwensvpk.exe	46
PID 2228 wrote to memory of 872	2228	xpgfuwensvpk.exe	49
PID 2228 wrote to memory of 872	2228	xpgfuwensvpk.exe	49
PID 2228 wrote to memory of 872	2228	xpgfuwensvpk.exe	49
PID 2228 wrote to memory of 872	2228	xpgfuwensvpk.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xpgfuwensvpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xpgfuwensvpk.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0a01298c05f2734155a1f73fd8655cc_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\xpgfuwensvpk.exe
  C:\Windows\xpgfuwensvpk.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2228
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2336
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2836
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XPGFUW~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C0A012~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lhnxg.html

Filesize
14KB

MD5
958a42739451d283796038f5847d44d3

SHA1
e83e03d2f135a4ceec1c04af769fd009b0736001

SHA256
bdb174f68458d7dea3eaf71d450a2c6fb84cdb4f9a622c6b97cba00adb42b529

SHA512
8f6c59a3d35628d3ecff9aef1e98c1210b3a404093ab891aedb56eee6c6d39c477de4656167456b183872b7582f82a8f419993e6ccd7cb49fab9ec98798c2b05

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lhnxg.png

Filesize
64KB

MD5
6dbf3306ba61e4d6080ec8e25ee7df68

SHA1
5d76705e9bd0980d48a37130780df2a506c0d5ad

SHA256
a4a68864c1a23b3fadd842690261c94e2afddffd3601e67e10d84652583d2972

SHA512
e70d131d3914ce98e71114e4fc599d1120cfd2e628f0a7a7cf33a7aeb43a53fbe369fa2eace323b0b2d2c2eea0415a74c7c4db6ab0291a09f0e6ba9bfafc10cd

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lhnxg.txt

Filesize
1KB

MD5
7d2b9deba0c8d49b80cffd6e5a848b57

SHA1
dbef5742779733e0c5aca8bc02f4eee881357902

SHA256
6aa9fb4ad0b68054feb439477faad91e091623314ac62dff0f19ee4de521c5a0

SHA512
8b8ff84d9ba44a9b8a08b8fd3711c4cbb12c81b7f9749da37bfb3c45d4a20663d7f226f130982f8bd6806cb6f4d3cba259d93befce3815f27cb2433877379e62

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
258de7e8fc6e17aff0e1afca7a3a7cf5

SHA1
24067c23ea29f9aa9a0028e1794779d74285bb63

SHA256
8c93a34698f0f4f9266ef29a61b620763a1acedefcc2003e2a04e3a40a892150

SHA512
c1a9f132a76b6bad869c864d17a7a16541a237657b7b45ede80c220adccc3a5bd5902788727b95d1349af490cae36cd46fefc06664c81e8d78e697e08ca462cf

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
707eb882209930332d9a50b60317d9eb

SHA1
fab933b4cde4c1623d826d606d2b64d929342356

SHA256
f9b86635591db3e3c1433b5db3130ca47ee3eba0dd97a9c8a8ee58cabefabb8b

SHA512
97c361a254ba98ecd1e8fdbadd094d6025c78a32d0f4fb2f5c9f403efd5c76433ba78733b6125bd444b90a34577897bb30a8ce95751ef0f5f6f232cd0d67731b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
48029454bc18c5f2075fc890e7550259

SHA1
0110cc8c2e06a0ef7f2ff26635eeaeca52b1c944

SHA256
237d178b9e7778eeb544611c5ab6495e0526b810c244e4880aa33dc1ff179f19

SHA512
f80e9298a799d9b173d2371de41dbc38fe8af69e3e7849cf01a73d62633bd79ac9c8d9a2697b6077bb603ec1e27b15d41ea32d4c94aaa09294a3633fc84b7929

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e05d01c6f2e96051b30106b4d6114a6

SHA1
6bf358601c2277f1f5e118670d20e96f0494cb50

SHA256
132638265aba9629b4c262850470a0bbcf66ee39cd9b7adbac0a269825fa2649

SHA512
518c18cfa193c88f7f5d872bf9e102a05127760c65f700d548e2f92e984b0984fb94920b66e31a58d951cdfa0623707c908947793b61568cdf3886758cbd231a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b203b9639a09ced1aeefc6235a9fd561

SHA1
9e1708c2320f625da1ce92918bc4ecfd4c3b4d29

SHA256
6d46c7efbe2e0d415d908f0481d7de194d0c1165770d8f9c10003a8c18f6cfae

SHA512
f89926af3b113814dd66fb1e5d4400d92823161212e73e5ce832a0fd2e5b1d16c54d9fef477a345f7fae82ccd40c0471c34a9eb9b6a312680dff3cd3dc7d75b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8468a97e40537f172d4357c9bdb6d3f2

SHA1
22e8d879b000d42a56e347cb110d57488345a552

SHA256
208ff38fdbbc944f92882fbeab83c8ac9345380198455697afcdd2bcec54e7c5

SHA512
edec5ce3014765ace674b25c324d1a51629dc91967b6f16caf89fdb08de43a76498a7aec0b793c07c16bcffde430cdedc8f674e4c833a656c919daf6587ac3c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
715f2af080a97db3f90cab216df6f392

SHA1
0a05162bb24917a0004e6c27b62120b7fbb7413f

SHA256
b04765f816443ea1182bca6229cb0feca41534b9cf3b5b7d26b2c17d871921fc

SHA512
9ef9fc7422eedbd4f83226e3073811e4a55340af19cd7ab94e27f8ebf92c3ae39f46658fe45fb386dce527b5b34fae7fd170c745704e71bb3d1a2fc8ece3572f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f16f10fc01121e3acfd72b665ce86fc

SHA1
965224bc41c0903a562b211f6df6d833a9560ba0

SHA256
0f6d559fcb4dff4bfed15105868c7ef3473adbdebf87463e7501385cd6f0fe36

SHA512
398ef7d490c721ed3f9adf6660450577acb3e9a9659dfd9d0aeb09157d09809c7b5a2c93cb8a2a94d7cc33844f7add5d0306e1d6b671a803c0bcd49e95b84c0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4be8555c2201b1b20ce8cada15cd9972

SHA1
bfb94469eb3267b985bca8a755e346b487892c6f

SHA256
3313818af8ece7a4f7bc71d82a246469b5e4849c638c26c32a3c7df8f6d7ff56

SHA512
6d5f6ce213d1fba3ff658f42f6c25342347c1112e5d0b19ffb32a499f9b9560a95a1e3ca39edff94285ae8f77939286c3dee9633b073b6f386613bef33abee68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13215da19ee2d8bd00732a2e94d7a19f

SHA1
ef31bb1c8345f467814bc7d38e1ecc6f1a1b32ac

SHA256
d2fea5f260f3a96b3925f466c90203cd7afd6cc6544bdc9fb922cf96f217f472

SHA512
94424118bdba484980d2405202c799df435e323b9d283ee48bf1f74037cbd38030b88fbb85a4bdf7a015a1de74bcf8cbedc67106fd15c8ebb86b821e19f7e549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18abc2f4f588ea3f3fbc8db1950f852a

SHA1
21f97ca41d4a81c87c8496c96dc0b601aa21a26c

SHA256
5d089334f283134620bdc148e406a5e3012167d52b9bf2fb91e62e2b0672565a

SHA512
f2e75dbb40d1423863f217891a223bb82770390340a88fd8ec14455eb2abae9c743e2e0566b4a2dc97e63c88caf85591a7f926deb1b363046fdd527c3616c576

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f068b531670b473bf3858c3ba6f94b4

SHA1
19c1468cd308e22515776334adc9e9bf72096b7a

SHA256
3247e9f576ddb8bc976cd0acce97c0fe3f7915c2991d84cb8efe3ff1d0bb06aa

SHA512
1daa98361a55dc9778d460f58e91334e4c1f29ca9af247e82d51f62cc734b8068fc4ab9342e4daa082a7a3eda5f88ef4da571ca1cca3040742779523ad5d3980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c925b73b194579b35d9a88040caa8e83

SHA1
496a8a6242b875b0ef11084889fe4099ac0978d5

SHA256
3e622654538c8d8df6deb9e0373a58d659758bd1431dde18be9a8633ec050b1a

SHA512
89802629cf846e8b1b65d1c7358c29bd92279ce439fa0d3903950267354f63988dc1520a2186d02b26d560859de410eceb429dcddce799f76241de4733294de1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb5baf9d21912f5baa86428238a292a9

SHA1
63807c796144c1634ddb81d9c47ae46cbcc2379f

SHA256
1635b7cf2008e38c7ff0e71647d66063770c7c3a06838dc391ff3c7500f2e2db

SHA512
221e6cfba8ec8012e548114ab6b147f4182704856b72e9f156676d3dd1ce2db9ee73e2c07d5e320f0e30d9a6f7a9dcc342754835b790e4ceea424fd216189ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb65476ba5e23c2073cbaa3beaf8f874

SHA1
da47b94ca87d213318c443bedc9051492e2e8f64

SHA256
d526c7676535a39b71b350889e242391673a2d34482ace3f3a9e256aa553c26c

SHA512
eb15c042aba5702622c045bf2663bceb379ea8850e93279bc233633869db733bf58e4ba732d5aa6728edaac7dd0c3c2cea414341ee356270593479fa72ee759a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a40e36770af5811072ef690b86952605

SHA1
7d109c1e98b45c8030fe910feccd8724e9727e9b

SHA256
46b75c2b3fb7adba397580e94334704350660271682d331e3d5decc698e2368e

SHA512
10adc118e89396c614b21c40387e30e76704e8a1802750b1682d875357623d3b5416ff0d3f6357d4e4d4e5c3eabd855a8ecbc36618fb866c08cbbe215af324df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f80b8127b6d930e1af5da0d3ba2cdafd

SHA1
b0826564630411805c799941ae3d8c6910733a93

SHA256
61e63e8829b093dfa448e96d8891a24ee84b2c205acfc05c15ded7fc55f1f275

SHA512
7f93daa753ae3c30d936a08d8d54c3dc8f952b6b1d6345201a55cc5ed5b489c412fbc9abd6df51182851b11f8d34bf01d0b8a2ea7a761026201c1c3d90bcfe54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33bce29aa6ddb581e2b32c973fbd392c

SHA1
5caae2f751a5b9fd8bd58666b9f4207440f8b50d

SHA256
e1d64df5719e552ca0083ea2ef1d8c620cc54ee2060cf6bb953eea45ee8370d1

SHA512
ef548595c889766205ffbe07c18a5e553b6aab0aa7deb296e15187cffd4d88b7c6c6ee2c685d5ab2209087ed0eed1463e3dddcf1f2195ea963217cdadf4dad05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a651864809a7a811615af35dfe3e3ea

SHA1
4b902b1f5c243217d69640637a93d758bb14afdf

SHA256
22622e323a7313c7f88e7683cc8b437f4b91bca4cef45c3bbbecff788bb78e87

SHA512
7732a3d16f3d4bfa63ac0a41f837364b6167fe78593f25dbb2ca199f76c54012b4be03f215e15caa2c62be86f7558367d43d5b55281cf9e72b39785382d697a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e319fa31999c785d9435de3906d2fabe

SHA1
3d2c1640923affc0f95a1352d85d1d9db728314b

SHA256
8fd3882bee56630129101094c1380e053fa2ddf966b3b556898af83a36287b56

SHA512
2a027ba8de96a24cc11d2f32b56c43e7c5e48b9c6456cdd144fbefef972af17457e02d080769306f842043fc8fa24b29972846d80e5ae01d71f45ac841b0cefa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60282c0bfaa39d2e961a6d6c1ac332a3

SHA1
c388d2836d5664f629ddd4a9259cb8497c6e2222

SHA256
8e97836023666b4f4ced5d97f6277e862c35387a0c41204b13ce0376bea48415

SHA512
82368e1c78a867022b35ce00527c94613b3582f60b7ca64a7960f44eac0ed05300540fc13ddb517c1f15bd25f5abfa1c927071e3f5f127db69a5bc550ad9b7ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3fb2bde3388999a95db77f59c52f65d

SHA1
221da3c2575ef32c1e942950389a3830ac69949f

SHA256
cc4508346704c7a7d05dad5e01097c2f0545d5fd34eb0dff19297dc3fd424f67

SHA512
be050e8470e5a02afc292b52ddff275d59920b63cfe5602db09900c9e297e302eb504d7a213d4804b0bf0918be737db5edfa04d69a101db28441835ea3788bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab54F5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5576.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\xpgfuwensvpk.exe

Filesize
340KB

MD5
c0a01298c05f2734155a1f73fd8655cc

SHA1
5bf6d78e9acd944c085812a1274c812c404a8278

SHA256
6d2f0ac4c9a201202ffdb019c0ce82686a537deaa7fb8023ea42f7701cc10f14

SHA512
6c081ae832b0f429ecc719ab112256860f1729e24bc12a454e15f6567343e9e9eb5669e5075d18df7567035f3d73b4b35dfc3968cd2c1713467789fb6292c9e7

Download Submit
memory/2212-6081-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2216-8-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2216-2-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2216-0-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2216-1-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2216-9-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2228-6523-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2228-10-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2228-1441-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2228-1765-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2228-4668-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2228-6080-0x0000000002E20000-0x0000000002E22000-memory.dmp

Filesize
8KB

Download
memory/2228-6084-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download