teslacrypt | 10380d0df39b7a3ad85fb02bdb9b4a564ed1cf6d2cef51b2af392fc0ae56c312

Analysis

max time kernel
127s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
Size

356KB
MD5

4b1f6499e4cc634ef9444adc24243cca
SHA1

9d118446b0a5edd930ced59ce7dba5b9a66ca358
SHA256

10380d0df39b7a3ad85fb02bdb9b4a564ed1cf6d2cef51b2af392fc0ae56c312
SHA512

44d192c0309c530e05a94ec0207f8ad030fee25fe96ee773a25853c1fb9ce117138d1422ff8ebbd65a41c976927ff95eb1858f780d9da656f2a7dc33f435b48f
SSDEEP

6144:QmQ/rffLCxpVPEeTp+W+cMwH9rgWGBbzTXcwAcMSPsFzz7s02YrRAUZg:crfO3VPXb+cMo9MJ4SkUuRAUZg

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nhyeo.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2AA7FCA9DF869E9 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2AA7FCA9DF869E9 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/2AA7FCA9DF869E9 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/2AA7FCA9DF869E9 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2AA7FCA9DF869E9 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2AA7FCA9DF869E9 http://yyre45dbvn2nhbefbmh.begumvelic.at/2AA7FCA9DF869E9 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/2AA7FCA9DF869E9

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2AA7FCA9DF869E9

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2AA7FCA9DF869E9

http://yyre45dbvn2nhbefbmh.begumvelic.at/2AA7FCA9DF869E9

http://xlowfznrg4wf7dli.ONION/2AA7FCA9DF869E9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (420) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1608 cmd.exe

pid	process
1608	cmd.exe

Drops startup file 3 IoCs

Processes:

daqnqmlhbgly.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe

Executes dropped EXE 2 IoCs

Processes:

daqnqmlhbgly.exedaqnqmlhbgly.exe

pid process

2604 daqnqmlhbgly.exe
1976 daqnqmlhbgly.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2604	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

daqnqmlhbgly.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\rniviyy = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\daqnqmlhbgly.exe"	daqnqmlhbgly.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exedaqnqmlhbgly.exe

description	pid	process	target process
PID 756 set thread context of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 2604 set thread context of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe

Drops file in Program Files directory 64 IoCs

Processes:

daqnqmlhbgly.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_hover.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_ReCoVeRy_+nhyeo.html	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\_ReCoVeRy_+nhyeo.png	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Google\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_ReCoVeRy_+nhyeo.txt	daqnqmlhbgly.exe

Drops file in Windows directory 2 IoCs

Processes:

4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\daqnqmlhbgly.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
File opened for modification	C:\Windows\daqnqmlhbgly.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000063d1983ea75b9b6e611212891e7133dbb18328186290b8b35f578a6b26686940000000000e800000000200002000000010ae0e9fb159caf4ea97386a23415af615fc0d54a1aadee2939aaadd3a30a9209000000037c33d622c106daa5f2b41e0b9f4e4183bf63430de924e5d42fca994484a19b0ca40dc159dd197b715dbec5f2529eb8ca9792894e1c0a1e0c50718502e52a3428033f801d208580b0a6100258fe5ca80957b668a5018ab7ad5d767dd3abd23e1fdbfa31ee37d93d50f8ca77def674ec4607ef929fcecc9d9f2f497eb030c04c1ca2a4056316bd147a0da0258528b0f8940000000b3b0bc8a035ce90a2259fe57308d9bd888cca979fe0b51d77deec6ef571448f2e92e408f620814c3ad20e8ad29c17824e694799f6ca6f3ffe257e11e7a85e7db	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000834ba74785279b56b95374477c1b88d1ea808424c84228234b5b453f580ced76000000000e8000000002000020000000feaa524fa854e3d293ba5281be363639bc1442f6f77c92c9be348c9dbb77deb320000000a54ba9e639b087893703dccb14c3692eba7bd77301d6cdaf77c285f591db2a9e40000000707925eee9b27401b7f08fde98d3faf636007b4f3660520f1326cc62e3df0af19bc33962ea67efec6d8989ab208106a9cb82893ab805b0089fa61cd4d318a18f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50492fc08ea7da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB9B4851-1381-11EF-B1D1-D2EFD46A7D0E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

896 NOTEPAD.EXE

pid	process
896	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

daqnqmlhbgly.exe

pid	process
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe
1976	daqnqmlhbgly.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exedaqnqmlhbgly.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
Token: SeDebugPrivilege	1976	daqnqmlhbgly.exe
Token: SeIncreaseQuotaPrivilege	2688	WMIC.exe
Token: SeSecurityPrivilege	2688	WMIC.exe
Token: SeTakeOwnershipPrivilege	2688	WMIC.exe
Token: SeLoadDriverPrivilege	2688	WMIC.exe
Token: SeSystemProfilePrivilege	2688	WMIC.exe
Token: SeSystemtimePrivilege	2688	WMIC.exe
Token: SeProfSingleProcessPrivilege	2688	WMIC.exe
Token: SeIncBasePriorityPrivilege	2688	WMIC.exe
Token: SeCreatePagefilePrivilege	2688	WMIC.exe
Token: SeBackupPrivilege	2688	WMIC.exe
Token: SeRestorePrivilege	2688	WMIC.exe
Token: SeShutdownPrivilege	2688	WMIC.exe
Token: SeDebugPrivilege	2688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2688	WMIC.exe
Token: SeRemoteShutdownPrivilege	2688	WMIC.exe
Token: SeUndockPrivilege	2688	WMIC.exe
Token: SeManageVolumePrivilege	2688	WMIC.exe
Token: 33	2688	WMIC.exe
Token: 34	2688	WMIC.exe
Token: 35	2688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2688	WMIC.exe
Token: SeSecurityPrivilege	2688	WMIC.exe
Token: SeTakeOwnershipPrivilege	2688	WMIC.exe
Token: SeLoadDriverPrivilege	2688	WMIC.exe
Token: SeSystemProfilePrivilege	2688	WMIC.exe
Token: SeSystemtimePrivilege	2688	WMIC.exe
Token: SeProfSingleProcessPrivilege	2688	WMIC.exe
Token: SeIncBasePriorityPrivilege	2688	WMIC.exe
Token: SeCreatePagefilePrivilege	2688	WMIC.exe
Token: SeBackupPrivilege	2688	WMIC.exe
Token: SeRestorePrivilege	2688	WMIC.exe
Token: SeShutdownPrivilege	2688	WMIC.exe
Token: SeDebugPrivilege	2688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2688	WMIC.exe
Token: SeRemoteShutdownPrivilege	2688	WMIC.exe
Token: SeUndockPrivilege	2688	WMIC.exe
Token: SeManageVolumePrivilege	2688	WMIC.exe
Token: 33	2688	WMIC.exe
Token: 34	2688	WMIC.exe
Token: 35	2688	WMIC.exe
Token: SeBackupPrivilege	1728	vssvc.exe
Token: SeRestorePrivilege	1728	vssvc.exe
Token: SeAuditPrivilege	1728	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2168	WMIC.exe
Token: SeSecurityPrivilege	2168	WMIC.exe
Token: SeTakeOwnershipPrivilege	2168	WMIC.exe
Token: SeLoadDriverPrivilege	2168	WMIC.exe
Token: SeSystemProfilePrivilege	2168	WMIC.exe
Token: SeSystemtimePrivilege	2168	WMIC.exe
Token: SeProfSingleProcessPrivilege	2168	WMIC.exe
Token: SeIncBasePriorityPrivilege	2168	WMIC.exe
Token: SeCreatePagefilePrivilege	2168	WMIC.exe
Token: SeBackupPrivilege	2168	WMIC.exe
Token: SeRestorePrivilege	2168	WMIC.exe
Token: SeShutdownPrivilege	2168	WMIC.exe
Token: SeDebugPrivilege	2168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2168	WMIC.exe
Token: SeRemoteShutdownPrivilege	2168	WMIC.exe
Token: SeUndockPrivilege	2168	WMIC.exe
Token: SeManageVolumePrivilege	2168	WMIC.exe
Token: 33	2168	WMIC.exe
Token: 34	2168	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2232 iexplore.exe
2208 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2232 iexplore.exe
2232 iexplore.exe
564 IEXPLORE.EXE
564 IEXPLORE.EXE

pid	process
2232	iexplore.exe
2208	DllHost.exe

pid	process
2232	iexplore.exe
2232	iexplore.exe
564	IEXPLORE.EXE
564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exedaqnqmlhbgly.exedaqnqmlhbgly.exeiexplore.exe

description	pid	process	target process
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 756 wrote to memory of 2548	756	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
PID 2548 wrote to memory of 2604	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	daqnqmlhbgly.exe
PID 2548 wrote to memory of 2604	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	daqnqmlhbgly.exe
PID 2548 wrote to memory of 2604	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	daqnqmlhbgly.exe
PID 2548 wrote to memory of 2604	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	daqnqmlhbgly.exe
PID 2548 wrote to memory of 1608	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	cmd.exe
PID 2548 wrote to memory of 1608	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	cmd.exe
PID 2548 wrote to memory of 1608	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	cmd.exe
PID 2548 wrote to memory of 1608	2548	4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe	cmd.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 2604 wrote to memory of 1976	2604	daqnqmlhbgly.exe	daqnqmlhbgly.exe
PID 1976 wrote to memory of 2688	1976	daqnqmlhbgly.exe	WMIC.exe
PID 1976 wrote to memory of 2688	1976	daqnqmlhbgly.exe	WMIC.exe
PID 1976 wrote to memory of 2688	1976	daqnqmlhbgly.exe	WMIC.exe
PID 1976 wrote to memory of 2688	1976	daqnqmlhbgly.exe	WMIC.exe
PID 1976 wrote to memory of 896	1976	daqnqmlhbgly.exe	NOTEPAD.EXE
PID 1976 wrote to memory of 896	1976	daqnqmlhbgly.exe	NOTEPAD.EXE
PID 1976 wrote to memory of 896	1976	daqnqmlhbgly.exe	NOTEPAD.EXE
PID 1976 wrote to memory of 896	1976	daqnqmlhbgly.exe	NOTEPAD.EXE
PID 1976 wrote to memory of 2232	1976	daqnqmlhbgly.exe	iexplore.exe
PID 1976 wrote to memory of 2232	1976	daqnqmlhbgly.exe	iexplore.exe
PID 1976 wrote to memory of 2232	1976	daqnqmlhbgly.exe	iexplore.exe
PID 1976 wrote to memory of 2232	1976	daqnqmlhbgly.exe	iexplore.exe
PID 2232 wrote to memory of 564	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 564	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 564	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 564	2232	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 2168	1976	daqnqmlhbgly.exe	WMIC.exe
PID 1976 wrote to memory of 2168	1976	daqnqmlhbgly.exe	WMIC.exe
PID 1976 wrote to memory of 2168	1976	daqnqmlhbgly.exe	WMIC.exe
PID 1976 wrote to memory of 2168	1976	daqnqmlhbgly.exe	WMIC.exe
PID 1976 wrote to memory of 2888	1976	daqnqmlhbgly.exe	cmd.exe
PID 1976 wrote to memory of 2888	1976	daqnqmlhbgly.exe	cmd.exe
PID 1976 wrote to memory of 2888	1976	daqnqmlhbgly.exe	cmd.exe
PID 1976 wrote to memory of 2888	1976	daqnqmlhbgly.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

daqnqmlhbgly.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	daqnqmlhbgly.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	daqnqmlhbgly.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b1f6499e4cc634ef9444adc24243cca_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\daqnqmlhbgly.exe
    C:\Windows\daqnqmlhbgly.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\daqnqmlhbgly.exe
      C:\Windows\daqnqmlhbgly.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1976
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:564
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DAQNQM~1.EXE
        5⤵
        
        PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4B1F64~1.EXE
    3⤵
    - Deletes itself
    PID:1608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nhyeo.html

Filesize
12KB

MD5
389241c7877a488a2739051f6489b84b

SHA1
f295513ae6bf6ce2a33572a80da26bce8f3b29aa

SHA256
004bde3cb0d9ca6edcc5ee89e6b0e4172fd8fcc1dfc8e0c9fd953e2147f41f89

SHA512
832a813a86b16db4460f2ba55d5b0ddaa20e5d80fbf1125875e6982938289892d7debeba73180edf48e66669e9caf91897f924bc97decda08a93861ef9033a15

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nhyeo.png

Filesize
64KB

MD5
f64514cdb7ba0cfc95ce1e7f127c7252

SHA1
d3195703f8e093f5e26e2549bbce5f8d24817737

SHA256
58089456af0ad8a89400fd367c2413a969bd15d7eea09111ed9d455d9b31385a

SHA512
84ed2ae15cbcf92d688a9d2a92516392cbc1fbca650d044b142b8f062ae57e34f495857cf164c9539318eb00ca6826b5ef91de9e775b2148ba3eb0a551cef3f1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nhyeo.txt

Filesize
1KB

MD5
b230974a55b8a08588093ae43a57681a

SHA1
4d94078b809f312a1e201861178a7a063d1317f9

SHA256
3ab311aa9df4bf7c4606659a3b6543c2451d58aa7b5cd5898092521ce8600db1

SHA512
55f25d7dbf0606d925e670ddb8c8aca6bef9e1a02997ef58e7e269f5a103cee9d3e852a26eb4755ccfca7181768ce8197879d5f888425343039483d15c3d6e72

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
fc21d3992312275ce44271b854681832

SHA1
0420f7f1407625018e27200eb85d9981e24cdb7e

SHA256
0fbf62a24abacd5c91c382d50842e93f2fc4a78f9c3acd53a1d9bf769b01d3f7

SHA512
c462d6126fead38b13cbfcb2f39a859d8a0303cf981fb5bc0dd30d8a41a144caf85ad09cfb5cd0dca98285b0de660d0eb5f4997d771becea7d844e11a24c3e9b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9db2b88ad301f6ded8cf514bcba55760

SHA1
c277f2f3f43329bdb6cc1564464fcf6b56d66f44

SHA256
8dfac6d03a82041f7bb7e0a95de0f35d9eb0c0868764daddd6d6e8265a23f73a

SHA512
3d774187f068a74c1d168df7b21d5ddd04e51a013896205b7ae12367c4aae0edaf7bf9906f7c7d7e5535607bd1eb3817b4010152fe464d78082f37e92cbbc30f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
30a4422d4fc010ee191aa4f4f90edc8f

SHA1
49507653809f1ae4703d29673d902db2f3804f44

SHA256
01090cec121272bd4e9364842e726c717d115f44692a63ecd34d50db967db22e

SHA512
fbf25f34f9abbcc45f52db36d63b4627873b1858244c6577846ece6b568c742c1505a71ce4645f4be6648d8d6e725205ce0357192ffde72fdffa75f2292554cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61ad8fa696140b855d2d18905ddd34ba

SHA1
e8d154de6795017a882ed37781a36db7075ad417

SHA256
9a1bf961e72bd5657dca6e38c6c663ee3a9c9afa14a17b8ccf6377ef2e855d0e

SHA512
92ae44beefb832156459fba91ad711eb2e4de3fbddfdf0089023be6f560cd4f70b0e82f4c13902d845828b93367b2488313ad81178008f956f9b871050948753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54595a4bb7847e4a38390105b8fc6b1f

SHA1
92f7f8783f7567fae23418cb071a4be8c36aa177

SHA256
6d393bc6eca01f312ceda72af326d81c2f877931a7b871420e1f8cd84c8aa57a

SHA512
e9d7115d7cb60d32c91ca72907cfad729bd11f9625838678b4a32b5527a5ff3b4aaaa6d0d92ed3de27152653a99771402432a91cca7f73cb80973055739f2309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a8eeca5890d9e5b2631a0987e7a31cb

SHA1
3d67f366d14df387add7665c3e3bc6d9c4dbac3e

SHA256
c0fa8c0d6407a94bbb2fcac608a9de8e279a3cdf3443e18d816b949b56c8db79

SHA512
a048f3130c392519d8abe985d425f2ef2c15c966f1eaa0e2e29bf2eef6f7c5be661fc4d8954a3ed75466bbc2a17791768ebcde3384ea93698d4e2ac9450c8b84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4254aadf6b9b07278b9c7d1294a37aa2

SHA1
b1dde58f2f2c3ed719b9446b97577d1692a77120

SHA256
1aa96ea5bb6bb8457e56aedd6c5ec1a05b88c37c396826baa8e0ee90ddcfcc6e

SHA512
5fab6855df78c9f4b8c2a9371bff453eb698cf09b95ad86fd2bacc60578dae0ab4551459c705dc418ba6ca2b8f18c1195d6ae7704f3111538364d96793e00233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49113b6d067f7d05cc18d015a235c34f

SHA1
fdba195ce985916082f3ed7f4858c3ea3d6730ab

SHA256
cd5f6c78229279d38d20fc4e709146985800f44f2084516e495976a1c83e2686

SHA512
86938894a4dd9a59cf81f5a83722b2a3490ff8c56fcef655d5436c80aa953fd28e5670c9607fbbf41d5ebaf344a9de81730f012544a20439302cad424a2e5ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a5ad4dfca8d229395fd89284adbf1a4

SHA1
6f33019bfac884e66f968575ffd1f8581d822c16

SHA256
9a5515115dbf1e06b8400f02140a4d65f16dece3d7c19e658e15b58305582dd6

SHA512
7ff1fa16d61c1df2382aa10114c1824d5c18323a239909604b516f1f2eb04d410483662e6af78549614d36fc3ea24be1dac72e2a5d0719ca3fd08e8ef4de890e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a1c9f62441e8533ead50472521be69c

SHA1
6048a886e48536c3953f30c5a767da78234a3a24

SHA256
ad98eff17954fc6d9a149fcf1d630408483cbce9c211b0d6bcbbae5ecf8e6c95

SHA512
a6526455af0d4107688d17822b474980dd7b8f3dbb244ddd9917490132b8e38b65f072f829f299293608f212935910a16f47eefd773db99eba9b6b22a24bac94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0cd895ecc744b3b2e20a9f7ee65be9c4

SHA1
d68c930b5081a97d84bcf988c0fddc1e3600c849

SHA256
afa4dbcdd3c12b2ef66a0b60b0bccbb46ef794ba12ec3b00d8a3aa8f9d10fc79

SHA512
de8518961c8e1fe89c1787a7ab23f156ac06caed58c2d08e4396612bd1eb11e09a5489970b035172afcf267b25ab0770b845717e9c39cd9f896ca3073cfb3189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d44e426f509c2de011976c89fcf4475

SHA1
91b4b6981b5ab96398a7fd4b9bc08dc09a0ff678

SHA256
2fd47de159b74df1434d99238b59b65d6c44f4c434f293f8d1dce87ab91775a8

SHA512
520778636e3117aa619cfd6a2844e5f782a8184f1302375f0694d5cd2bb16b29cf83389004df47f3db5749aa28c273fa3a6495db1940f22005e1361e43998a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD81.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE4E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE82.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\daqnqmlhbgly.exe

Filesize
356KB

MD5
4b1f6499e4cc634ef9444adc24243cca

SHA1
9d118446b0a5edd930ced59ce7dba5b9a66ca358

SHA256
10380d0df39b7a3ad85fb02bdb9b4a564ed1cf6d2cef51b2af392fc0ae56c312

SHA512
44d192c0309c530e05a94ec0207f8ad030fee25fe96ee773a25853c1fb9ce117138d1422ff8ebbd65a41c976927ff95eb1858f780d9da656f2a7dc33f435b48f

Download Submit
memory/756-0-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/756-17-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/756-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1976-6030-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-6026-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-485-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-1647-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-3661-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-6015-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-6016-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-6022-0x0000000002C20000-0x0000000002C22000-memory.dmp

Filesize
8KB

Download
memory/1976-6033-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-6025-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1976-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2208-6023-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2548-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-31-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download