teslacrypt | 39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Size

340KB
MD5

6bcc066e2a81f34c7e052895001f44c6
SHA1

6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8
SHA256

39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc
SHA512

b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c
SSDEEP

6144:2//b5dx5w2hahQGvPmZ8n0SylbvO+MeTHLlj9HhRbr3ET4b7ODRJT0luqig:SddvwdhHvPmZiyIXgLl3ZoMq4wO

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bepev.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BF5DC33221B461C 2. http://tes543berda73i48fsdfsd.keratadze.at/BF5DC33221B461C 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BF5DC33221B461C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/BF5DC33221B461C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BF5DC33221B461C http://tes543berda73i48fsdfsd.keratadze.at/BF5DC33221B461C http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BF5DC33221B461C *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/BF5DC33221B461C

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BF5DC33221B461C

http://tes543berda73i48fsdfsd.keratadze.at/BF5DC33221B461C

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BF5DC33221B461C

http://xlowfznrg4wf7dli.ONION/BF5DC33221B461C

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (413) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2152 cmd.exe

pid	process
2152	cmd.exe

Drops startup file 3 IoCs

Processes:

ergnycdlrvjo.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bepev.png	ergnycdlrvjo.exe

Executes dropped EXE 2 IoCs

Processes:

ergnycdlrvjo.exeergnycdlrvjo.exe

pid process

2584 ergnycdlrvjo.exe
2184 ergnycdlrvjo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2584	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ergnycdlrvjo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ygcfkvhlbvja = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ergnycdlrvjo.exe\""	ergnycdlrvjo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeergnycdlrvjo.exe

description	pid	process	target process
PID 3024 set thread context of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2584 set thread context of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe

Drops file in Program Files directory 64 IoCs

Processes:

ergnycdlrvjo.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\it-IT\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\DVD Maker\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\Recovery+bepev.txt	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\Recovery+bepev.png	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\Recovery+bepev.html	ergnycdlrvjo.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\Recovery+bepev.png	ergnycdlrvjo.exe

Drops file in Windows directory 2 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\ergnycdlrvjo.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
File opened for modification	C:\Windows\ergnycdlrvjo.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000069892c5631081d42815d95eefee2a31400000000020000000000106600000001000020000000db4fd69312687dfafb1a8c5914b065ff517b41a2ec6731208d00681214a7bef8000000000e800000000200002000000055b45e856de36c33765335d7eb949c50f6dea5bb4f7fcb483041fd1baee769dc20000000ae25d40a61f60ff256d41c29dc65f2edeae564b3ac2d4fa994cd31e2187c4ff940000000b56563de458022e2fe87caaf96ea183f6e13084f4d393b741544c03546298aca9d8ebcf981d4d057a0f89272c2f520c1ee87ac89cac00f46f1cdca5851202275	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 907df4c93badda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5867351-192E-11EF-8221-D669B05BD432} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000069892c5631081d42815d95eefee2a314000000000200000000001066000000010000200000003bc78043912e4b66674b30f4e461cba98f89b4e7cf8c9676c4fa000b58527709000000000e8000000002000020000000cbb353c0144c46f0777c7cff426af59470dd7f03de0f2b89603248967d05d6f890000000c76f965bd1daddb76d782005d20fb6270cbf87897c2aa1a093ded2539296f588401152b6bb062653e4812fe4961447dd7bdc7a857c64a4a889c485bfbf7b1e69b36871903da8014308dd4aa7ca5337f341c0734595188fdc634af89b6b6e9224a6b2be52ac860609839c176d988f6ff24ca19d0a0846d3637491d8b89c772eea78191328dbac03695a386c50de1435c240000000884fe0a89a61fffa8532e8d42e720763ce9465868d2e3c3d2f17ec07eb101994eb0a4c650c1d47a5177a8c73be86c9e7e853ce8c04ee043f9e9e2401f30e4615	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1564 NOTEPAD.EXE

pid	process
1564	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ergnycdlrvjo.exe

pid	process
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe
2184	ergnycdlrvjo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeergnycdlrvjo.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Token: SeDebugPrivilege	2184	ergnycdlrvjo.exe
Token: SeIncreaseQuotaPrivilege	1192	WMIC.exe
Token: SeSecurityPrivilege	1192	WMIC.exe
Token: SeTakeOwnershipPrivilege	1192	WMIC.exe
Token: SeLoadDriverPrivilege	1192	WMIC.exe
Token: SeSystemProfilePrivilege	1192	WMIC.exe
Token: SeSystemtimePrivilege	1192	WMIC.exe
Token: SeProfSingleProcessPrivilege	1192	WMIC.exe
Token: SeIncBasePriorityPrivilege	1192	WMIC.exe
Token: SeCreatePagefilePrivilege	1192	WMIC.exe
Token: SeBackupPrivilege	1192	WMIC.exe
Token: SeRestorePrivilege	1192	WMIC.exe
Token: SeShutdownPrivilege	1192	WMIC.exe
Token: SeDebugPrivilege	1192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1192	WMIC.exe
Token: SeRemoteShutdownPrivilege	1192	WMIC.exe
Token: SeUndockPrivilege	1192	WMIC.exe
Token: SeManageVolumePrivilege	1192	WMIC.exe
Token: 33	1192	WMIC.exe
Token: 34	1192	WMIC.exe
Token: 35	1192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1192	WMIC.exe
Token: SeSecurityPrivilege	1192	WMIC.exe
Token: SeTakeOwnershipPrivilege	1192	WMIC.exe
Token: SeLoadDriverPrivilege	1192	WMIC.exe
Token: SeSystemProfilePrivilege	1192	WMIC.exe
Token: SeSystemtimePrivilege	1192	WMIC.exe
Token: SeProfSingleProcessPrivilege	1192	WMIC.exe
Token: SeIncBasePriorityPrivilege	1192	WMIC.exe
Token: SeCreatePagefilePrivilege	1192	WMIC.exe
Token: SeBackupPrivilege	1192	WMIC.exe
Token: SeRestorePrivilege	1192	WMIC.exe
Token: SeShutdownPrivilege	1192	WMIC.exe
Token: SeDebugPrivilege	1192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1192	WMIC.exe
Token: SeRemoteShutdownPrivilege	1192	WMIC.exe
Token: SeUndockPrivilege	1192	WMIC.exe
Token: SeManageVolumePrivilege	1192	WMIC.exe
Token: 33	1192	WMIC.exe
Token: 34	1192	WMIC.exe
Token: 35	1192	WMIC.exe
Token: SeBackupPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1080	vssvc.exe
Token: SeAuditPrivilege	1080	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2636	WMIC.exe
Token: SeSecurityPrivilege	2636	WMIC.exe
Token: SeTakeOwnershipPrivilege	2636	WMIC.exe
Token: SeLoadDriverPrivilege	2636	WMIC.exe
Token: SeSystemProfilePrivilege	2636	WMIC.exe
Token: SeSystemtimePrivilege	2636	WMIC.exe
Token: SeProfSingleProcessPrivilege	2636	WMIC.exe
Token: SeIncBasePriorityPrivilege	2636	WMIC.exe
Token: SeCreatePagefilePrivilege	2636	WMIC.exe
Token: SeBackupPrivilege	2636	WMIC.exe
Token: SeRestorePrivilege	2636	WMIC.exe
Token: SeShutdownPrivilege	2636	WMIC.exe
Token: SeDebugPrivilege	2636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2636	WMIC.exe
Token: SeRemoteShutdownPrivilege	2636	WMIC.exe
Token: SeUndockPrivilege	2636	WMIC.exe
Token: SeManageVolumePrivilege	2636	WMIC.exe
Token: 33	2636	WMIC.exe
Token: 34	2636	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1560 iexplore.exe
1708 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1560 iexplore.exe
1560 iexplore.exe
2128 IEXPLORE.EXE
2128 IEXPLORE.EXE

pid	process
1560	iexplore.exe
1708	DllHost.exe

pid	process
1560	iexplore.exe
1560	iexplore.exe
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeergnycdlrvjo.exeergnycdlrvjo.exeiexplore.exe

description	pid	process	target process
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3024 wrote to memory of 2940	3024	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2940 wrote to memory of 2584	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	ergnycdlrvjo.exe
PID 2940 wrote to memory of 2584	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	ergnycdlrvjo.exe
PID 2940 wrote to memory of 2584	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	ergnycdlrvjo.exe
PID 2940 wrote to memory of 2584	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	ergnycdlrvjo.exe
PID 2940 wrote to memory of 2152	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2940 wrote to memory of 2152	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2940 wrote to memory of 2152	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2940 wrote to memory of 2152	2940	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2584 wrote to memory of 2184	2584	ergnycdlrvjo.exe	ergnycdlrvjo.exe
PID 2184 wrote to memory of 1192	2184	ergnycdlrvjo.exe	WMIC.exe
PID 2184 wrote to memory of 1192	2184	ergnycdlrvjo.exe	WMIC.exe
PID 2184 wrote to memory of 1192	2184	ergnycdlrvjo.exe	WMIC.exe
PID 2184 wrote to memory of 1192	2184	ergnycdlrvjo.exe	WMIC.exe
PID 2184 wrote to memory of 1564	2184	ergnycdlrvjo.exe	NOTEPAD.EXE
PID 2184 wrote to memory of 1564	2184	ergnycdlrvjo.exe	NOTEPAD.EXE
PID 2184 wrote to memory of 1564	2184	ergnycdlrvjo.exe	NOTEPAD.EXE
PID 2184 wrote to memory of 1564	2184	ergnycdlrvjo.exe	NOTEPAD.EXE
PID 2184 wrote to memory of 1560	2184	ergnycdlrvjo.exe	iexplore.exe
PID 2184 wrote to memory of 1560	2184	ergnycdlrvjo.exe	iexplore.exe
PID 2184 wrote to memory of 1560	2184	ergnycdlrvjo.exe	iexplore.exe
PID 2184 wrote to memory of 1560	2184	ergnycdlrvjo.exe	iexplore.exe
PID 1560 wrote to memory of 2128	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 2128	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 2128	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 2128	1560	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 2636	2184	ergnycdlrvjo.exe	WMIC.exe
PID 2184 wrote to memory of 2636	2184	ergnycdlrvjo.exe	WMIC.exe
PID 2184 wrote to memory of 2636	2184	ergnycdlrvjo.exe	WMIC.exe
PID 2184 wrote to memory of 2636	2184	ergnycdlrvjo.exe	WMIC.exe
PID 2184 wrote to memory of 2520	2184	ergnycdlrvjo.exe	cmd.exe
PID 2184 wrote to memory of 2520	2184	ergnycdlrvjo.exe	cmd.exe
PID 2184 wrote to memory of 2520	2184	ergnycdlrvjo.exe	cmd.exe
PID 2184 wrote to memory of 2520	2184	ergnycdlrvjo.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ergnycdlrvjo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ergnycdlrvjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ergnycdlrvjo.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\ergnycdlrvjo.exe
    C:\Windows\ergnycdlrvjo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\ergnycdlrvjo.exe
      C:\Windows\ergnycdlrvjo.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2184
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1564
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2128
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ERGNYC~1.EXE
        5⤵
        
        PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6BCC06~1.EXE
    3⤵
    - Deletes itself
    PID:2152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bepev.html

Filesize
11KB

MD5
55285e9b7f4b5402e4c8541532b4f29c

SHA1
20302278f9f5d02817efad643db614b08d533d86

SHA256
6f519ad88c8716f331772a1014a6f7aaf79a73f7cec9b4f5a6e5668c981e4fb5

SHA512
8f55f2d56e5ed84c65f43036276310f9d0d90bb86a62d468f284417604f8995134b147db0076feeb4d6b1c93782a11fb3cc7b9f8db0bb54c1d24626449ada261

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bepev.png

Filesize
62KB

MD5
fbac862d164da32b527379054e1648ec

SHA1
ec4716939ac281ed4477638c14612948e949b492

SHA256
bdae52ba7a8a81667c3043aacc34840f25889268f6879ce874f254e546a8cae6

SHA512
7c8dab75d73ab7e71c97fa4ac589f1a15ad30638b6950f9afe03c92c1431f55e86f1f2f2791f99362b70bc4562d577f8284ccd5f021c8a421711869e831c44c3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bepev.txt

Filesize
1KB

MD5
ba4753bbc5fa905380223b17e4930f6c

SHA1
76099f812b0fb3e88d82c7132e1ea633be7527ae

SHA256
bd4858ac7438e39c62cf4ecbe27e86554fb3c31a6b79b754e84e5f1b0688ab11

SHA512
e15a5e3f130a7e1da48d626b0a4785634e3997ecf8a3774aae1d9945b1712f1b8fecbd6d529324145a9242b63da693c7a7acd487b0392c13984f7f7f833c58cb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
cd4a52ebd46f492b67e8209551c752f5

SHA1
dd526bda70e77484f07edde6d5986fc9bea22d04

SHA256
de1b4e8dff4babca9f428ef249913bc904991667ac3f5a1fea47bf21d175bee1

SHA512
2d404f653cf95e2708a496b517d54ee328dcec98b4170ec86859d319af7831588002efd500ef5a301ceb389e43c6243d559c0a89235d586f66b68a76ad3ab95a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
69fbdb9b12865891d265dbff2b8b1168

SHA1
cd672ac3fa68b786646b5747d8a172d4d3313937

SHA256
c6192431ee6ad07ff53f9fa8368a63d896950dcdeba695b5c7dd04af5f8324f8

SHA512
2e609dc759713c2451e18e74df164b7454c95e376399877cc84e4e31b27ca3bb07036b1603121c95ab4851a9c9b2d746a734f10c763bfe22d9ca1012e3129da3

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
4a2571302667cb3a7ee024f8a55f7a8f

SHA1
fd110724d9c635d894060230c14300fef4e09f93

SHA256
7de86d9ac99ba974bd1f5db28d162d85bea334ce6040dbe3f497e5a50f9d949b

SHA512
ee4a5b9dc7d082ab49693e8eebf10c1e1b23b80846db9d832e10e20b1fee45cfbaf897159ac84c6141ff33f137005be4786a91b850f9502f59b1a18e1f7c20c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
775758eca0d4ec6f823830d141589dfd

SHA1
5e12d37b0db66794ae04116b65e627e0ab02323e

SHA256
b80b2dcd7082319360ca294ed1f680341c2b3e488cb3376dbc8d899822e79db1

SHA512
62d43078d216266b3832ef8ecd337df7eaecf8360a433c2b8c9a724491f75cf9c7bae9ea88d3eb84dbd87798c6536054ad8a1e2d886bb2bfd9179ab9944df142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b2dd25d24add688828761df6742f207

SHA1
3a4f52707458f768ca78c750d759773064c8c12a

SHA256
62d4dc7a0de6b785de9700c793334468c4012f1a63ee4788fb0ce53246c02b30

SHA512
4feb627e44485cdb2b242da223baf87a37127a72bdd063c492f8552d43e8f9bda4e600fe7208870138c94f27589e48d242cffda19aee54cba761ae944adca0a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c221317dda84168dcbc99e0a8e1a041e

SHA1
e64921ae8158a4bbeec944019779a8f83e551b76

SHA256
06870f465256133ce73ec74254141aaeaf0671fa487df9e35757a8a33c4dfa3e

SHA512
f7cdf6d95b676d0eb168d479b7d52538d4ae9b5eaf40248f1138ee017dbcd98830f33859f7375c24d280da74dfe4642efbb95251c7853bbf0d758f2e5dcec985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17605bf6d1bafe0e4f544e237e8de85b

SHA1
8a8696a240546229fa2e7fc9cb297cc63e6aecf7

SHA256
19ab7737889d0db06cb749f59813848f79fd123bdfb3b859057abb91af8bffd2

SHA512
b0067f4753c50184376e27ad9880ca2a20f924d9df4d24e19e90c719b20357c89c2c1f611c10d61f966c6d2608a87dd4e9c7f417724f8b5cedfe40cd6f456b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2509e528855f4539d84a446be5194270

SHA1
ad2ced34227fc4bd7b3cf6afc6912cd236a4cb81

SHA256
63ef3e9cbc102f0d907462dbdb550d1d6be55561e390f34e279bf8e7f0c4f5d7

SHA512
1aa17bb5815fc421799d5f50f25fc22883d1520fbe81ad719dcd312c82c537665aa4c906e1e2acf6831d29a7d0dfb9d9496e3e4c7bd6e86a30dc4c0efd6929e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b2da11a78703799c02bf200dfeb2d2a

SHA1
6de91afab2378105397d6bccb2744417ebee5f1e

SHA256
89a57be08b8b4e435a7620d3e9157048220c85ad621835a4624292f579f886d4

SHA512
acc9bb77b90548ea87cad7add0572f4bc23ba54363aee3a894b38f43881dfd57ceea7f569f37d4aa934f9c37bae695e565848efe7d2222de2b14b3cbe3560037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3eb0baa0b4037728aaf5740572c0273b

SHA1
86f8dada7277c36f06c99b8a18e41871825f2a3f

SHA256
2a03f488220aee5c7ec57378f12db6ea9ec85750cae7fde756a2ccff375a2a76

SHA512
49e88b141733246f2c132c20f5265315b4d26c345f0e0e12d4a099c74a64efa86eb2edb0ad4b1d925c52c884603692f405f1f19cef19bbcd040bcc477cc0d53a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f21a965684ee872e667abf2652f56ec8

SHA1
73ca6291bf2a37d17a3abdc806c2f2f3a644e311

SHA256
11e996f36709f6e73431c751131d5926fa73d5269efd9a27ca81baa3df99cf54

SHA512
14c19ffee4bed05512982568e17e3537026666369e5f3c6de47c40008e4031986570f746ce86f5564cbd765eb1c302f4221589a7a40fe3385b46a2731b873de0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93be37057a2cf1701ddca96500f64f05

SHA1
e46bd31de07c62a16ad2269216416d6ad2209024

SHA256
10152bacbfd81fcc78c4d4ca22847a3401d1ce79c382500e9baf4db8a346ef02

SHA512
f6f014027a1a12cfd5b66269e75454f46c9b29025e24a49bcf236b9f7ea303f996da3e92ace74e893a248e807ab684afb78077bedc1713a5cddec3cd6dd24993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
00c0c6c2f2fa09e584fe57e27e130fbe

SHA1
c543db698035af8978aaf7db1f6eb8ac430a53d9

SHA256
abe3a3d54c6941c0bfdfec3fd81e0bf8b1234a5569b11c2b06978f416e8464f8

SHA512
05c463c51ef5865e48ec6ab8575999dbe37f2dcfc2a27fccc72ba1bd5ce534a333bf0053df75b62b487604849efe5afead201e1f47156727ffc5bc7304ebee4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8CCB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\ergnycdlrvjo.exe

Filesize
340KB

MD5
6bcc066e2a81f34c7e052895001f44c6

SHA1
6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8

SHA256
39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

SHA512
b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c

Download Submit
memory/1708-5965-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2184-1256-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-48-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-2314-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-5264-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-5958-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-5964-0x0000000002B90000-0x0000000002B92000-memory.dmp

Filesize
8KB

Download
memory/2184-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-5967-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-5969-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-5972-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2184-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2584-29-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2940-8-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2940-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2940-14-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2940-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2940-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2940-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2940-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2940-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2940-28-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3024-0-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download
memory/3024-16-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download
memory/3024-1-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download