teslacrypt | 843c8d5bebe93aeaebeb940267b6b9fb4d8ddb392a316be0f6d58e0bcf940109

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
Size

369KB
MD5

2c6e8b55ec2beb6ed16874e3e809573b
SHA1

221f4a333fffd85f544c71949661f73b62eed173
SHA256

843c8d5bebe93aeaebeb940267b6b9fb4d8ddb392a316be0f6d58e0bcf940109
SHA512

8c48aa13e678ef8988d16198aa0dd767e6255e75f56c405fee03f1ea99852243b83c8e99bca703b7046eed97cf1ee8ffdce55580375805266b536d4dae3f9bce
SSDEEP

6144:2o07Ev9jgh+J0J+l/moekR1MlvlMa0FIe03ncsCMYZx/FqDN6TETpspvQrMX1r9:2tQVG+JIe/mGzMNlMVFC3Xi/YwOi

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+vqqgr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BE33FE44F9B1BE78 2. http://tes543berda73i48fsdfsd.keratadze.at/BE33FE44F9B1BE78 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BE33FE44F9B1BE78 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/BE33FE44F9B1BE78 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BE33FE44F9B1BE78 http://tes543berda73i48fsdfsd.keratadze.at/BE33FE44F9B1BE78 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BE33FE44F9B1BE78 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/BE33FE44F9B1BE78

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BE33FE44F9B1BE78

http://tes543berda73i48fsdfsd.keratadze.at/BE33FE44F9B1BE78

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BE33FE44F9B1BE78

http://xlowfznrg4wf7dli.ONION/BE33FE44F9B1BE78

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2548 cmd.exe

pid	process
2548	cmd.exe

Drops startup file 3 IoCs

Processes:

pkcnkuwfvsgu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe

Executes dropped EXE 2 IoCs

Processes:

pkcnkuwfvsgu.exepkcnkuwfvsgu.exe

pid process

1736 pkcnkuwfvsgu.exe
2868 pkcnkuwfvsgu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1736	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pkcnkuwfvsgu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\btixjcnfuwnk = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\pkcnkuwfvsgu.exe\""	pkcnkuwfvsgu.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exepkcnkuwfvsgu.exe

description	pid	process	target process
PID 1796 set thread context of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1736 set thread context of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe

Drops file in Program Files directory 64 IoCs

Processes:

pkcnkuwfvsgu.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\it-IT\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Journal\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\settings.js	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_RECOVERY_+vqqgr.html	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_RECOVERY_+vqqgr.txt	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_RECOVERY_+vqqgr.png	pkcnkuwfvsgu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseout.png	pkcnkuwfvsgu.exe

Drops file in Windows directory 2 IoCs

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\pkcnkuwfvsgu.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
File opened for modification	C:\Windows\pkcnkuwfvsgu.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20ddf2d970a2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05801021-0E64-11EF-A304-E60682B688C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000cb99dbef9466771ed8caf1f9d6fe901c1bf6552f5ba76684b2ae16bc1e74560f000000000e80000000020000200000005839595e6f8fc6628394bc154c6a43b60e17a58652e6dde7798ab16b2f4d6fd79000000024ed4f0f32b0e44f1fa7e1e9eb2a99c6b64adf3fcea7df8344e4a43bf990666e7ab86c981fc3cd88a81cf25b96359ec3c3d2ea65f0acb388b82e27871403d6a465fe778ca7cee124eb6fa629318499abf442c90cefe317c090e7d932a399affa522c08759d16322a35915082a11f0b9c2c4886e1fa1698077f84b7e1af6ec2a66e92e4017842e0ff0e10ea8aeeb53e6e40000000cd9338ca72dca40a44b4be3af78699b0e1853622251fa1b49f623f9a246c1ce7cc5239816f630604b1f076f8ea8f414d2217fc96da27e11d92c00f1c09a896e1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000973b6122b0e253719ebfbb4acfbd9b6ae30a5d62375455175d5392579e78121d000000000e8000000002000020000000d0b372ee1476fbd926fd2a96175bcf81ad69653c84539e6a486e7dfa2ac14758200000009bebf5e31595594bde3aca056f06344c369f487cf7ffc7fab39d230ffce0ab09400000000a1d08a5f658152177b0285d2a5b357cfa697ee6aa8a2f274c21e87f2690bc30b21e3bea499458fe16c938c8fea17d0ec714a575413d89a567e25a2a9af4c5c6	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2404 NOTEPAD.EXE

pid	process
2404	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pkcnkuwfvsgu.exe

pid	process
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe
2868	pkcnkuwfvsgu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exepkcnkuwfvsgu.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
Token: SeDebugPrivilege	2868	pkcnkuwfvsgu.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 35	2000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 35	2000	WMIC.exe
Token: SeBackupPrivilege	1784	vssvc.exe
Token: SeRestorePrivilege	1784	vssvc.exe
Token: SeAuditPrivilege	1784	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2984	WMIC.exe
Token: SeSecurityPrivilege	2984	WMIC.exe
Token: SeTakeOwnershipPrivilege	2984	WMIC.exe
Token: SeLoadDriverPrivilege	2984	WMIC.exe
Token: SeSystemProfilePrivilege	2984	WMIC.exe
Token: SeSystemtimePrivilege	2984	WMIC.exe
Token: SeProfSingleProcessPrivilege	2984	WMIC.exe
Token: SeIncBasePriorityPrivilege	2984	WMIC.exe
Token: SeCreatePagefilePrivilege	2984	WMIC.exe
Token: SeBackupPrivilege	2984	WMIC.exe
Token: SeRestorePrivilege	2984	WMIC.exe
Token: SeShutdownPrivilege	2984	WMIC.exe
Token: SeDebugPrivilege	2984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2984	WMIC.exe
Token: SeRemoteShutdownPrivilege	2984	WMIC.exe
Token: SeUndockPrivilege	2984	WMIC.exe
Token: SeManageVolumePrivilege	2984	WMIC.exe
Token: 33	2984	WMIC.exe
Token: 34	2984	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2600 iexplore.exe
2584 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2600 iexplore.exe
2600 iexplore.exe
2684 IEXPLORE.EXE
2684 IEXPLORE.EXE

pid	process
2600	iexplore.exe
2584	DllHost.exe

pid	process
2600	iexplore.exe
2600	iexplore.exe
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exepkcnkuwfvsgu.exepkcnkuwfvsgu.exeiexplore.exe

description	pid	process	target process
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 1796 wrote to memory of 2640	1796	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2640 wrote to memory of 1736	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	pkcnkuwfvsgu.exe
PID 2640 wrote to memory of 1736	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	pkcnkuwfvsgu.exe
PID 2640 wrote to memory of 1736	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	pkcnkuwfvsgu.exe
PID 2640 wrote to memory of 1736	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	pkcnkuwfvsgu.exe
PID 2640 wrote to memory of 2548	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	cmd.exe
PID 2640 wrote to memory of 2548	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	cmd.exe
PID 2640 wrote to memory of 2548	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	cmd.exe
PID 2640 wrote to memory of 2548	2640	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	cmd.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 1736 wrote to memory of 2868	1736	pkcnkuwfvsgu.exe	pkcnkuwfvsgu.exe
PID 2868 wrote to memory of 2000	2868	pkcnkuwfvsgu.exe	WMIC.exe
PID 2868 wrote to memory of 2000	2868	pkcnkuwfvsgu.exe	WMIC.exe
PID 2868 wrote to memory of 2000	2868	pkcnkuwfvsgu.exe	WMIC.exe
PID 2868 wrote to memory of 2000	2868	pkcnkuwfvsgu.exe	WMIC.exe
PID 2868 wrote to memory of 2404	2868	pkcnkuwfvsgu.exe	NOTEPAD.EXE
PID 2868 wrote to memory of 2404	2868	pkcnkuwfvsgu.exe	NOTEPAD.EXE
PID 2868 wrote to memory of 2404	2868	pkcnkuwfvsgu.exe	NOTEPAD.EXE
PID 2868 wrote to memory of 2404	2868	pkcnkuwfvsgu.exe	NOTEPAD.EXE
PID 2868 wrote to memory of 2600	2868	pkcnkuwfvsgu.exe	iexplore.exe
PID 2868 wrote to memory of 2600	2868	pkcnkuwfvsgu.exe	iexplore.exe
PID 2868 wrote to memory of 2600	2868	pkcnkuwfvsgu.exe	iexplore.exe
PID 2868 wrote to memory of 2600	2868	pkcnkuwfvsgu.exe	iexplore.exe
PID 2600 wrote to memory of 2684	2600	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 2684	2600	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 2684	2600	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 2684	2600	iexplore.exe	IEXPLORE.EXE
PID 2868 wrote to memory of 2984	2868	pkcnkuwfvsgu.exe	WMIC.exe
PID 2868 wrote to memory of 2984	2868	pkcnkuwfvsgu.exe	WMIC.exe
PID 2868 wrote to memory of 2984	2868	pkcnkuwfvsgu.exe	WMIC.exe
PID 2868 wrote to memory of 2984	2868	pkcnkuwfvsgu.exe	WMIC.exe
PID 2868 wrote to memory of 2552	2868	pkcnkuwfvsgu.exe	cmd.exe
PID 2868 wrote to memory of 2552	2868	pkcnkuwfvsgu.exe	cmd.exe
PID 2868 wrote to memory of 2552	2868	pkcnkuwfvsgu.exe	cmd.exe
PID 2868 wrote to memory of 2552	2868	pkcnkuwfvsgu.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

pkcnkuwfvsgu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pkcnkuwfvsgu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	pkcnkuwfvsgu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\pkcnkuwfvsgu.exe
    C:\Windows\pkcnkuwfvsgu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\pkcnkuwfvsgu.exe
      C:\Windows\pkcnkuwfvsgu.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2868
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2404
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2684
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PKCNKU~1.EXE
        5⤵
        
        PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2C6E8B~1.EXE
    3⤵
    - Deletes itself
    PID:2548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+vqqgr.html

Filesize
11KB

MD5
460ffb30ccb9c5ad3bf3177d52227146

SHA1
60f035d11940a546814e20b785dd467fd8de9bc8

SHA256
02c9ce3b5436f2ef2bad9017c73a43d73c4816a3c49bb8d6727c19688ef5f3d2

SHA512
efce9312011732c1b82bc7ff17486ea9b6c03742fd67509aa5a5563ddec582026b519f626ec63ea87f1e024fe03242cda2e21492e405715f7586298630c2b99c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+vqqgr.png

Filesize
62KB

MD5
c90f3d74166d4bcd9137aa61f418e612

SHA1
a68ac170433aa5563aa0cd993973cc505f7aef63

SHA256
80845cf31810405dcbf011113d801359319a5c6bcda6d06acf3309b2d72f65a6

SHA512
c0ca8593c60b9e998c85715ad0fd3632127fa49b7450c41abd13eda820fd7e18ee4de8aaf899f65c89f451a6cfab4cf1dc920d56356c9c1620efe8524369d0f9

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+vqqgr.txt

Filesize
1KB

MD5
adc5bdf20ba3fa2256032ebdb793a9ed

SHA1
6100c6b13d3e14601ce4799d85c978789ca536a2

SHA256
a14ade5000c799dd5f59c27f155c6b32811add038d5e7617ca62e2f6ec676493

SHA512
590b0f4bbd1d350d5488cd5b57dc49116bfc586d46ecb73e6bb17d816ef502e00a9c52b6b6c11b60c06ebc17f3b95446fd3e634cc2934614b9bac5986c386bbc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
05eba3dc686a0fcd6a930ef29f3e33ee

SHA1
7d4df9fc748a939548c25fc415e004e479c3d2b2

SHA256
f8dea19ffe958d4d5d10f53e29e1db50be12126a93db1b878c5922c4b75cc386

SHA512
83f1566b7c9bbfc691dab905e6e8639382ec928f7af5c38b9e89e56a629cfdab9ea61ef335d47a0aa93c76ec96a3bd9b575540a9cd6404453da1e0d488317706

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
e5f65fd5892865cf3909cafa95c13d94

SHA1
97c0a75531bead584c7bcabfd2d68bcfe97b7e44

SHA256
98459deafe0d12475a5770a338dcddef8217e8ba47b3e843c98602b45eb11d49

SHA512
dd08ebfede699734699e555538bb9c281996bf3868fce9add108685a205200a84a6f3ea7c14ab2b935549e97dabdc06ff5e79adc595dd9d14f627f543353f4b7

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
71ebe1c8344fa100cd87f0aa6aa99195

SHA1
7c64cedd18792c3d86d9463ffcae689138330f82

SHA256
49cfa547e7cbfb9f139018539707e4fa0077583b61f293d88b57a59948e18426

SHA512
e2d8dc365e3f4e28395583bf25435ee57ef07751179b7f5233094c2a5dc29610c33097f1cddc9a71c9c23fb1b5ec713f8692893600baad10675fed7ac28bc99c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7001bee8171d52dcb23641ac1c0831aa

SHA1
ff2e8c53258b6954b09d676ebeba07ba46b5f8f7

SHA256
06a02205037b1d16157e28314cdf12e5c7cc6f65dfb32da2b5cf2494eba57a65

SHA512
78fbd17667fd90d4bd7bc5b1b9922d9c5738fdf57d4dfd5da79081e3fed8ed9f3a6aa1f7fc932d8dc8369b1df5f2ae23255effa41246c1e53dcc1e48cc23da45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8935b6b60d31cc803d92671525809684

SHA1
560e319c53f6b7560127de1c6af725cbdf8b87c1

SHA256
9c138bd3a475dda3d3a6c6b817d635f8036b0b2bc63ff65a1f9fc4e15d1cb9f1

SHA512
e2a8ec489f34abea503556430983106f640be56dd1e093d84f399e3c0bf40cd29300192744d5290873a3cb82317e1377615aca97985ceeb530609eba63704f0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c960b4839850caa297ed762ee9c28d4

SHA1
0cb08cdf06a9264140ea8ed287d48055c8e783e0

SHA256
de3dad8e5b7ffaee6735fc54320dbc3a51ef2790e7edbaa551e0489b9cdc1985

SHA512
24d12e4988f3e4b811820583f56f796cb0a81d4e4273ba67056c6f916cd11bb0b7270bfca1fb25bcdbb6271487b1f32d29fcfff78cad7af89bd3c6368d422352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e686a61284ce01596fbe989cc134a6f7

SHA1
c09330410593caa467974f5f8957c2499eb4f42a

SHA256
a35d04b761dc3d24b278beada74a0ad126ff706eb84493d6a1a9556c1530c65c

SHA512
50e549864d56a24b8a28f6e0aec0b1fe8d23c8b2fac18eb89350f0530cae92676619dfca4a9734b83f1030613dc64a858a273542f2e06adff91cd63a2605b338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b73960b520a1ed111ed4690006cd3017

SHA1
8d28ba6448258dc251953fbb39c15d9584b5c1da

SHA256
2c17a2087eac1b046e5838d5d60f59db376dc12b0d5935eb495e0ab9f1a574e1

SHA512
2db8f3d4c93a95ae6a549ea90af0814bc3a42480253938568ca0eebb89cbfe301c89f46987b7e41845badc57d004e86c867f55ac58c9787f646df366800b925c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b260f5335aef9f82eccfdc3707001a84

SHA1
f5b5081b1f76b51d1a1d7a8b7b94fb0264b1f4db

SHA256
b185d26df56fdea255cbf2f1475ab25b79a1fff4476991021cca130e9f708555

SHA512
d5af0d5329caba2f9dd2eec9823885833b38da986e97e84402ea231aebdbb1f5e14471ee1694b86d7dc6297a1897ebbafb2275d163f1175361b17280c5ee7584

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b8778ad035061005a9cfa8f3eb438ec

SHA1
f976f21cfd1e8055502a9be2bc10dd0c34de130e

SHA256
f5f3856eeb7965552675b725fc3bbb57de484c0da107eb6932743cd5df6d471c

SHA512
c76e08e8ed0fa10482e7f207254033ddaff9f7fae17177e7ca586f67571e52309e500ae4128447237ff9831141da9e967e6b15a03594065329af26fa76aae011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abe7b4b663e6515606c652c36ad1eaef

SHA1
e6afe63e51d0bc298f0eef66a1784020c8157837

SHA256
f46f863094e3fab6eb42092dfe12b46a573b31769d6807061dc4b287f891eb36

SHA512
05543ca0f06b2849aa1a98705d3d53025d2a26b45b1580e973ea9a6cdf847127ca57800b56f16fc734831b9a6a7950a4535ef4bdc5171644beb38b388cc53b5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a048f0de71fafadc0368071064e50909

SHA1
2e6cd3956b402fc372435d7e38144d7224cb1b09

SHA256
f6c5be7aae9782c7469723312bfa91da71907b8f0a5514900ece5563f50370f5

SHA512
a9a14eba4b7b64567d6ac7614f048439b52705e2e86b45cb3f29092a38685f18b0b0a3a60fc9a681e61416fefca36095019c2e635357ea9156a046a1010d48eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E8C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8F6F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\pkcnkuwfvsgu.exe

Filesize
369KB

MD5
2c6e8b55ec2beb6ed16874e3e809573b

SHA1
221f4a333fffd85f544c71949661f73b62eed173

SHA256
843c8d5bebe93aeaebeb940267b6b9fb4d8ddb392a316be0f6d58e0bcf940109

SHA512
8c48aa13e678ef8988d16198aa0dd767e6255e75f56c405fee03f1ea99852243b83c8e99bca703b7046eed97cf1ee8ffdce55580375805266b536d4dae3f9bce

Download Submit
memory/1736-25-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1796-14-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1796-0-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2584-6028-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2640-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2640-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2640-28-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2640-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2640-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2640-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2640-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2640-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2640-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-1234-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-6030-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-6031-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-6027-0x0000000002B40000-0x0000000002B42000-memory.dmp

Filesize
8KB

Download
memory/2868-4702-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-6020-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-2063-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-6518-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2868-6521-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download