teslacrypt | 2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Size

340KB
MD5

d35c98321d2f87f089b7d5c26174a10b
SHA1

2d7f432514ba316ecec7a8f372d0a75cb32f8fc0
SHA256

2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232
SHA512

a467e624af472a2dc240dc325bef21b4dd435315dd765e9afd6f4134bd1c2482d23072e2057cc9ef60e9aad9107f6985bdacde3c92f0d68601b44ebf9990c40d
SSDEEP

6144:DrHbGlBfoXKBA4pOoGf75hK7d/X/CMmm/2ikfOmvA2CxjSJgE0ToC8uUsYEF7u2K:f7GliXAOJf75YtPhxd3dRMkz8rG4

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+riixv.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DF629518642E313 2. http://tes543berda73i48fsdfsd.keratadze.at/DF629518642E313 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DF629518642E313 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/DF629518642E313 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DF629518642E313 http://tes543berda73i48fsdfsd.keratadze.at/DF629518642E313 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DF629518642E313 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/DF629518642E313

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DF629518642E313

http://tes543berda73i48fsdfsd.keratadze.at/DF629518642E313

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DF629518642E313

http://xlowfznrg4wf7dli.ONION/DF629518642E313

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+riixv.png	dguupnjptrys.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	dguupnjptrys.exe
2212	dguupnjptrys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\nsgihypdcybf = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dguupnjptrys.exe\""	dguupnjptrys.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2684 set thread context of 2212	2684	dguupnjptrys.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\clock.js	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	dguupnjptrys.exe
File opened for modification	C:\Program Files\Internet Explorer\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\localizedSettings.css	dguupnjptrys.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\Google\Chrome\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\Java\jre7\lib\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js	dguupnjptrys.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\Recovery+riixv.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png	dguupnjptrys.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\Recovery+riixv.html	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\Recovery+riixv.txt	dguupnjptrys.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\Recovery+riixv.png	dguupnjptrys.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dguupnjptrys.exe	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
File opened for modification	C:\Windows\dguupnjptrys.exe	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dguupnjptrys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dguupnjptrys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006728d02a90b06341a656e611ba27917a00000000020000000000106600000001000020000000aa5925255c8fbe46e6d4d5cd6a95685c268090b013cede1eae5d404252eae8e8000000000e800000000200002000000058a389718c28a82ddf9f86a27eddbabe90cddf50b201d64c609aabf8aa46832d90000000a7ee90d983d5fae1343524f124634e10658ea6b9c2d725e7a579737cab5029f6413118333a172317b3bd2ca837bfe5e9dcf4d337611d323c810d654eda0688857a6bdb4e8a2e8965fed6bbe781b27212df6f0c51555d17aa17f7531ae540bab8b37ea8a8c086d075c0c33d18483df95ad91de1b4a4e409d619f5d75d83b2f1d217d413b7c7339ff721fbf8602d25bce340000000414f031d92883de70ee2f5a2ecc718d6448f2c822a6f85d7e5e4ce62c8a52069029666ac189d2d06f40e70a55cb96c31f0515c9d887c124bdcc3caea04ffe02d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F38EF201-B4D5-11EF-BDF2-7E918DD97D05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806d19c8e248db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006728d02a90b06341a656e611ba27917a00000000020000000000106600000001000020000000d8aea1efd75a10e14f04f363bba501ccac3161038df0f3911e4e14b5f11ec9f8000000000e8000000002000020000000bc4fce4fee1488fbb1835c8a06e495c67ccfaf9fa475a7ee218b2c590f6e090f200000003c4108a11b186ddcf54a2b47f55fd00a338b2bb893bafefad6f325f12092189040000000757e875536221f95232dd424fb22b5562170e642a9a8e2880b1457faad2af2b4bda39ab6511d87850072f6f0eaf2cff05667e83fda12c63e729b888e6ce47053	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
920	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe
2212	dguupnjptrys.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Token: SeDebugPrivilege	2212	dguupnjptrys.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: SeBackupPrivilege	708	vssvc.exe
Token: SeRestorePrivilege	708	vssvc.exe
Token: SeAuditPrivilege	708	vssvc.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2500	iexplore.exe
1852	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2500	iexplore.exe
2500	iexplore.exe
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
1852	DllHost.exe
1852	DllHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2624	2616	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2684	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2684	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2684	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2684	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2648	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	33
PID 2624 wrote to memory of 2648	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	33
PID 2624 wrote to memory of 2648	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	33
PID 2624 wrote to memory of 2648	2624	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	33
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2684 wrote to memory of 2212	2684	dguupnjptrys.exe	35
PID 2212 wrote to memory of 1680	2212	dguupnjptrys.exe	36
PID 2212 wrote to memory of 1680	2212	dguupnjptrys.exe	36
PID 2212 wrote to memory of 1680	2212	dguupnjptrys.exe	36
PID 2212 wrote to memory of 1680	2212	dguupnjptrys.exe	36
PID 2212 wrote to memory of 920	2212	dguupnjptrys.exe	44
PID 2212 wrote to memory of 920	2212	dguupnjptrys.exe	44
PID 2212 wrote to memory of 920	2212	dguupnjptrys.exe	44
PID 2212 wrote to memory of 920	2212	dguupnjptrys.exe	44
PID 2212 wrote to memory of 2500	2212	dguupnjptrys.exe	45
PID 2212 wrote to memory of 2500	2212	dguupnjptrys.exe	45
PID 2212 wrote to memory of 2500	2212	dguupnjptrys.exe	45
PID 2212 wrote to memory of 2500	2212	dguupnjptrys.exe	45
PID 2500 wrote to memory of 2080	2500	iexplore.exe	47
PID 2500 wrote to memory of 2080	2500	iexplore.exe	47
PID 2500 wrote to memory of 2080	2500	iexplore.exe	47
PID 2500 wrote to memory of 2080	2500	iexplore.exe	47
PID 2212 wrote to memory of 556	2212	dguupnjptrys.exe	48
PID 2212 wrote to memory of 556	2212	dguupnjptrys.exe	48
PID 2212 wrote to memory of 556	2212	dguupnjptrys.exe	48
PID 2212 wrote to memory of 556	2212	dguupnjptrys.exe	48
PID 2212 wrote to memory of 1936	2212	dguupnjptrys.exe	51
PID 2212 wrote to memory of 1936	2212	dguupnjptrys.exe	51
PID 2212 wrote to memory of 1936	2212	dguupnjptrys.exe	51
PID 2212 wrote to memory of 1936	2212	dguupnjptrys.exe	51

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dguupnjptrys.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dguupnjptrys.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\dguupnjptrys.exe
    C:\Windows\dguupnjptrys.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\dguupnjptrys.exe
      C:\Windows\dguupnjptrys.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2212
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2080
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DGUUPN~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D35C98~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+riixv.html

Filesize
11KB

MD5
d3b49ca5f880e2d141ac9a51846d6edf

SHA1
3238001741934a4f597b8a12750e9056264a8262

SHA256
fa539c6fd7072696502881da3ba52020f6ee443f02a0620c58d304edd8ad59b8

SHA512
2dd3ca0e096282a1ec48ac03ef2d30fc1b9056c6ec4bbd2434b5eb2bb17747ac9108d9e0a1a376fd0b8c290d26768bfb89ce3e890db6da3c8508629991e1b6e5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+riixv.png

Filesize
62KB

MD5
0bc08e02726ed7287c30f1ac53d2fae3

SHA1
257a0377e69b62c0a0be9ac01923e9740cae8287

SHA256
361fa945c692e2df56f6e185fcb70093c9cd05c7dc7d79d7a01963b74015d536

SHA512
f2c13c206b147d8b03ae019f3b7bbe8f2d27bbae4b6d5183581d50f369e1723ba19942972e366c8ae3a742b56e0e5a48fc8cd9db69caa7476e8c74adde1bf3e5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+riixv.txt

Filesize
1KB

MD5
09021598db9afc1a1d27564547ff5c8f

SHA1
83d57a0463e83c12e9d38d465f923fb8887cfad6

SHA256
03f76f66db11639089be864a147efd0cc7a7224fc28cfa239a0e04c095ef45f6

SHA512
2e1895bfaf6b6de4cd5bad2af01100f06fa06b656f4a106c6e0476759b3b22defd969913e56b8fed518875be8a8057d0acce30da78af7ff2c0334e85747aba50

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
451ff7fa37cab40651994b889c8c7565

SHA1
3e4eb13fd26303d82ba6340c73c3687b817d806f

SHA256
bdd99c168f603db79e2f7d74ede68bd4a9f5068af8c615e7249e1de19d87cac2

SHA512
b36c6ac0fd1dce97cc09ffbe71036d3553e4e73cfd41fec903629058c313890398fbab9d021d292f07e9108a98d2b94d00847acb2470b22f147bb34ec9e77490

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
6101eac0c3d52bdcaef5bda36c7bd199

SHA1
957a5f6be09b1810a1a923437d1a57847d509951

SHA256
d2a4bea8ad4af8bc7c75e8b3d77144d5778d7053a2b872795b2309088e6d548c

SHA512
3f90e743c402c4c92d58b4927084f87e7330a7b5f3995e2b931f8a516eb8292d1c6552632ce5046941dc6616d01acb0968e17cea5d089588bd821a4cc5a08ef3

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
04ab6ca4e821e5d757b55e979e5cda62

SHA1
ec6069ef426660cadfab31d6cb4e73890f051402

SHA256
7afe1e4684435d929cbf30336926505208e2d26506e634ce6af3bf2a3e7870c3

SHA512
5e6de548d32446666a88a518f8b742eb6a0bdc287898d9200751529b71502087e4c4a9c7c521d39174e3134d221d41ef9f239d3e7ef2cea1a04549141e8bf69c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbaeb59aae4906bb4aa9ccf97425b57b

SHA1
1899a656b0f4b72ab4e36abdab2ae0c3ae27ae3e

SHA256
b69bf6e6bd1d5b63cdf53a23d731f314abae79a5fb608274ca0065f426a1828e

SHA512
b6b96c67fb2f40c5bcbc1f4743013418b34ce5f4c9f2fce41ac7b64abea2692ce62d8be114066c7e8cdb9a32a10111fe1b92e48990a220dc67db2323bf86cd3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
448885648aa54e7b9f0f8685b47e409c

SHA1
663f62ca7222cffbfc43b871d2166a6c2fe4b7d0

SHA256
bdf9ee8339a5570afbc59aa2ecd16138ab6ca23a9a594a937f94cff4401a8ebf

SHA512
d3ef8359dcaac76674652c82251027c37b25dc571e4875673df1067ee04839c7e269f3a1198dd4783d1ebf288a62a1823234ba4a5bca27a3732f0fcf56a5e98e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
baefc8676af82b9a29b3fa78c0beb114

SHA1
90a81d0543bafaf65223784c9fa136276036da02

SHA256
6c1fce1050fa66bc7d19e26f28714d32be15373a3061a6ad00676ce085758e7d

SHA512
f6ad2902194850628bb89fe30a32612aeabe8af8ea4066966fbfd8f7088f04c6846cd8ac9be6678049df549f1b1b7583af6a0a269dd3bc4f52c424d40a966d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3436e6f0953d58ed6d24beaf29cf1e1b

SHA1
14eaa746d96cad8887d72070b26944ca3db8d0be

SHA256
3f9b249ac83bd0aee3dd473b5416aa18c4118454a7ac0ced497e34adc3098a09

SHA512
b215f44d39c12b9bf126d5ac5613d3740cf16384a9764d5e528af96e8d433eca4be9e5d42e67fc1f621a4dd352a651e287cc07bff6282a242923f1be72bdb1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5edd2c9ec46bed8a9e7ff718cda4600d

SHA1
95794bbc8da8a916ccc18922342bb65168121650

SHA256
16a7b3ef03c7833e74c15bf018686276e30d3721562741f52b23fe3bdb3bc578

SHA512
92cb42fd5798eb41e9e67096d560aa8fd6c2d1111e46bf5281f7fa4592defc7f3fc00ede38b01c54c34e62d26d8ab5d7cb8cf0e9d5a743d35aaf238c6d27b297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cec31f591bbba45d9dcf24a6c15467ee

SHA1
e7d70bea5cfc907bbffa135bb29b4eb87e5c8f7b

SHA256
1852f42fc66e19f8199ee70d3309c5889c6cfdd4622e408536c15f5084e496a6

SHA512
9dd5b4aeec7976edc342fb856694ddf4d6f7c30aa898f3d789b75ecfd2737b5f969d24f119efeba4c51d336cbc3324523b8d105d1f0566841906585b585c8c14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dd3c547a639bd54d3f82aa7cc97a551

SHA1
fa6357d49f5128bc283cc2aae00187ac098fcec2

SHA256
6e80c0d2b63326d61604c168975f99f13e73a006b0427a0869a5cd29af1860b8

SHA512
d7f14e0d287b08b109e7d8d047a1b0d9c2e1e6174efce7c766ae74fb305dfe248117a558f7d145c06257aa3464ba98c1a856c840c0f89fdc3df2f2092285c4b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad470223c9d37fe65a845867f2f49404

SHA1
a1f8823ec71d0c375388d882c701820c7b393d85

SHA256
d049e883eafcff313f422c1e16e44a994debeecd77dbec87b472dae3be59551f

SHA512
3b8b5ff4c9927ad972433dea10b3d06bad0ea0610e1abe3c1686941bb307dae3680be5c3ffdcc87f9db38e379371d0d60f14a05d6d9ba64c3de39408ccc7bdfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb209eae1fe60b27f15d0241e90dac51

SHA1
15f81072f940fbfb9d70227015071c4add14b558

SHA256
1f843b70313380da838d78c8315d33cb6b7ba080c5835e351e46b732c991d9bb

SHA512
ec4f42d7648cd477ff45ed40600ba820c942766ccc1bb3fefde9236901686624dc8f48b793cc53c9cf34cbea35c00e065011d44bd710cc2e506028f78b51ee41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4849.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48D9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\dguupnjptrys.exe

Filesize
340KB

MD5
d35c98321d2f87f089b7d5c26174a10b

SHA1
2d7f432514ba316ecec7a8f372d0a75cb32f8fc0

SHA256
2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232

SHA512
a467e624af472a2dc240dc325bef21b4dd435315dd765e9afd6f4134bd1c2482d23072e2057cc9ef60e9aad9107f6985bdacde3c92f0d68601b44ebf9990c40d

Download Submit
memory/1852-6111-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2212-6113-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-5380-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-49-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-6559-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-1836-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-1838-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-2755-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-6114-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-6104-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-6110-0x0000000004010000-0x0000000004012000-memory.dmp

Filesize
8KB

Download
memory/2212-6556-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2212-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-0-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/2616-14-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/2624-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-28-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-25-0x0000000000400000-0x000000000081D000-memory.dmp

Filesize
4.1MB

Download