teslacrypt | 39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Size

340KB
MD5

6bcc066e2a81f34c7e052895001f44c6
SHA1

6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8
SHA256

39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc
SHA512

b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c
SSDEEP

6144:2//b5dx5w2hahQGvPmZ8n0SylbvO+MeTHLlj9HhRbr3ET4b7ODRJT0luqig:SddvwdhHvPmZiyIXgLl3ZoMq4wO

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qqgrb.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/59891527158A4F4D 2. http://tes543berda73i48fsdfsd.keratadze.at/59891527158A4F4D 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/59891527158A4F4D If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/59891527158A4F4D 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/59891527158A4F4D http://tes543berda73i48fsdfsd.keratadze.at/59891527158A4F4D http://tt54rfdjhb34rfbnknaerg.milerteddy.com/59891527158A4F4D *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/59891527158A4F4D

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/59891527158A4F4D

http://tes543berda73i48fsdfsd.keratadze.at/59891527158A4F4D

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/59891527158A4F4D

http://xlowfznrg4wf7dli.ONION/59891527158A4F4D

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1716 cmd.exe

pid	process
1716	cmd.exe

Drops startup file 3 IoCs

Processes:

cbnxpkcnkuwf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qqgrb.html	cbnxpkcnkuwf.exe

Executes dropped EXE 2 IoCs

Processes:

cbnxpkcnkuwf.execbnxpkcnkuwf.exe

pid process

2624 cbnxpkcnkuwf.exe
2380 cbnxpkcnkuwf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2624	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cbnxpkcnkuwf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\abtixjcnfuwn = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\cbnxpkcnkuwf.exe\""	cbnxpkcnkuwf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.execbnxpkcnkuwf.exe

description	pid	process	target process
PID 3000 set thread context of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2624 set thread context of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe

Drops file in Program Files directory 64 IoCs

Processes:

cbnxpkcnkuwf.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\Recovery+qqgrb.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\Recovery+qqgrb.txt	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\Recovery+qqgrb.html	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png	cbnxpkcnkuwf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\Recovery+qqgrb.html	cbnxpkcnkuwf.exe

Drops file in Windows directory 2 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\cbnxpkcnkuwf.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
File opened for modification	C:\Windows\cbnxpkcnkuwf.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c54ad93cadda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000081150ace02073f5075456273f0f3567594dbe136cbfa53dd4f91767baa6f950b000000000e80000000020000200000002c5b8d2f3c35f207b69e0fe76d8409ebe371be4bf227e3dcf59c80c8adc4b9819000000017dde810e4631b674e2bfbdc624b85effa3f0ca44afa83d70c17832f4292d7da65e0ec71fb91de9fcefefc03ddb89f5f99262df717b37ab7c6b054482274c70495147297ec585d6f4b33ccdb77f1ff2aa93a0f6aaf1fb5af28b4da34335b80b505df3906ddb83596b3f67be4dd68b852ac30e36e1611e9129dab07a2bec4adc401a428cf5038364a81e38ded3604f5cd40000000a89f93f73c2f483ae56b55e4df4c18a30c07bee2a479459baa346c43af27fdab2516f8051d0aadf9d98100f70d162d260ccf6c5af35344924206f327af1f71dc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000002f338953166eb1ab00d5df8914ff0eaaddaa723b3fe9ab9921586705e3a0cf7b000000000e800000000200002000000008e0abfbed148ac8f8702991bb80f641e9a63147667c998b7bc6ce0a01b134a42000000097a38a2f5c80e4df3c5a02b73528f28b2f3d22f01007f998013e7f0ce47cad0540000000afac1732924ab5f7b05df1b30675890139bdb244f5dd6b4ddc5350d3f46bc513624235225202b5e1293171a0f13134a75f737a9600f6bbd5ad470485e6d8237e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{04BDC931-1930-11EF-B781-461900256DFE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1016 NOTEPAD.EXE

pid	process
1016	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cbnxpkcnkuwf.exe

pid	process
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe
2380	cbnxpkcnkuwf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.execbnxpkcnkuwf.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Token: SeDebugPrivilege	2380	cbnxpkcnkuwf.exe
Token: SeIncreaseQuotaPrivilege	348	WMIC.exe
Token: SeSecurityPrivilege	348	WMIC.exe
Token: SeTakeOwnershipPrivilege	348	WMIC.exe
Token: SeLoadDriverPrivilege	348	WMIC.exe
Token: SeSystemProfilePrivilege	348	WMIC.exe
Token: SeSystemtimePrivilege	348	WMIC.exe
Token: SeProfSingleProcessPrivilege	348	WMIC.exe
Token: SeIncBasePriorityPrivilege	348	WMIC.exe
Token: SeCreatePagefilePrivilege	348	WMIC.exe
Token: SeBackupPrivilege	348	WMIC.exe
Token: SeRestorePrivilege	348	WMIC.exe
Token: SeShutdownPrivilege	348	WMIC.exe
Token: SeDebugPrivilege	348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	348	WMIC.exe
Token: SeRemoteShutdownPrivilege	348	WMIC.exe
Token: SeUndockPrivilege	348	WMIC.exe
Token: SeManageVolumePrivilege	348	WMIC.exe
Token: 33	348	WMIC.exe
Token: 34	348	WMIC.exe
Token: 35	348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	348	WMIC.exe
Token: SeSecurityPrivilege	348	WMIC.exe
Token: SeTakeOwnershipPrivilege	348	WMIC.exe
Token: SeLoadDriverPrivilege	348	WMIC.exe
Token: SeSystemProfilePrivilege	348	WMIC.exe
Token: SeSystemtimePrivilege	348	WMIC.exe
Token: SeProfSingleProcessPrivilege	348	WMIC.exe
Token: SeIncBasePriorityPrivilege	348	WMIC.exe
Token: SeCreatePagefilePrivilege	348	WMIC.exe
Token: SeBackupPrivilege	348	WMIC.exe
Token: SeRestorePrivilege	348	WMIC.exe
Token: SeShutdownPrivilege	348	WMIC.exe
Token: SeDebugPrivilege	348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	348	WMIC.exe
Token: SeRemoteShutdownPrivilege	348	WMIC.exe
Token: SeUndockPrivilege	348	WMIC.exe
Token: SeManageVolumePrivilege	348	WMIC.exe
Token: 33	348	WMIC.exe
Token: 34	348	WMIC.exe
Token: 35	348	WMIC.exe
Token: SeBackupPrivilege	2900	vssvc.exe
Token: SeRestorePrivilege	2900	vssvc.exe
Token: SeAuditPrivilege	2900	vssvc.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2684 iexplore.exe
1032 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2684 iexplore.exe
2684 iexplore.exe
568 IEXPLORE.EXE
568 IEXPLORE.EXE

pid	process
2684	iexplore.exe
1032	DllHost.exe

pid	process
2684	iexplore.exe
2684	iexplore.exe
568	IEXPLORE.EXE
568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.execbnxpkcnkuwf.execbnxpkcnkuwf.exeiexplore.exe

description	pid	process	target process
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3000 wrote to memory of 2664	3000	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2664 wrote to memory of 2624	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cbnxpkcnkuwf.exe
PID 2664 wrote to memory of 2624	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cbnxpkcnkuwf.exe
PID 2664 wrote to memory of 2624	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cbnxpkcnkuwf.exe
PID 2664 wrote to memory of 2624	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cbnxpkcnkuwf.exe
PID 2664 wrote to memory of 1716	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 1716	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 1716	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 1716	2664	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2624 wrote to memory of 2380	2624	cbnxpkcnkuwf.exe	cbnxpkcnkuwf.exe
PID 2380 wrote to memory of 348	2380	cbnxpkcnkuwf.exe	WMIC.exe
PID 2380 wrote to memory of 348	2380	cbnxpkcnkuwf.exe	WMIC.exe
PID 2380 wrote to memory of 348	2380	cbnxpkcnkuwf.exe	WMIC.exe
PID 2380 wrote to memory of 348	2380	cbnxpkcnkuwf.exe	WMIC.exe
PID 2380 wrote to memory of 1016	2380	cbnxpkcnkuwf.exe	NOTEPAD.EXE
PID 2380 wrote to memory of 1016	2380	cbnxpkcnkuwf.exe	NOTEPAD.EXE
PID 2380 wrote to memory of 1016	2380	cbnxpkcnkuwf.exe	NOTEPAD.EXE
PID 2380 wrote to memory of 1016	2380	cbnxpkcnkuwf.exe	NOTEPAD.EXE
PID 2380 wrote to memory of 2684	2380	cbnxpkcnkuwf.exe	iexplore.exe
PID 2380 wrote to memory of 2684	2380	cbnxpkcnkuwf.exe	iexplore.exe
PID 2380 wrote to memory of 2684	2380	cbnxpkcnkuwf.exe	iexplore.exe
PID 2380 wrote to memory of 2684	2380	cbnxpkcnkuwf.exe	iexplore.exe
PID 2684 wrote to memory of 568	2684	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 568	2684	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 568	2684	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 568	2684	iexplore.exe	IEXPLORE.EXE
PID 2380 wrote to memory of 872	2380	cbnxpkcnkuwf.exe	WMIC.exe
PID 2380 wrote to memory of 872	2380	cbnxpkcnkuwf.exe	WMIC.exe
PID 2380 wrote to memory of 872	2380	cbnxpkcnkuwf.exe	WMIC.exe
PID 2380 wrote to memory of 872	2380	cbnxpkcnkuwf.exe	WMIC.exe
PID 2380 wrote to memory of 2868	2380	cbnxpkcnkuwf.exe	cmd.exe
PID 2380 wrote to memory of 2868	2380	cbnxpkcnkuwf.exe	cmd.exe
PID 2380 wrote to memory of 2868	2380	cbnxpkcnkuwf.exe	cmd.exe
PID 2380 wrote to memory of 2868	2380	cbnxpkcnkuwf.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cbnxpkcnkuwf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbnxpkcnkuwf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cbnxpkcnkuwf.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\cbnxpkcnkuwf.exe
C:\Windows\cbnxpkcnkuwf.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\cbnxpkcnkuwf.exe
C:\Windows\cbnxpkcnkuwf.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2380

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
5⤵
- Opens file in notepad (likely ransom note)
PID:1016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:568

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CBNXPK~1.EXE
5⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6BCC06~1.EXE
3⤵
- Deletes itself
PID:1716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qqgrb.html
Filesize
11KB

MD5
a5f7b04d75fd3f0a8d40f1286f84ed41

SHA1
4ff6663d242ce305de8d6f63b41fbe55450ff822

SHA256
9b695b8cbb9b71dab3ff26809fc504a9192c7086e9eb70e9239607d994c6644e

SHA512
7b5600ac49bd3b3160fcddaa3fcd197a559d69587189011baebb2fec91266074e8f95de2fad05d3db52fcd9df3616f2d68bfbc4668dbf4f8116bb515ea36e7de

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qqgrb.png
Filesize
62KB

MD5
dc177fd3d483a618384a79ffefebf3f5

SHA1
addbaf6c6afc42e2b53d8657c00fd590904b647a

SHA256
58d93ae394b6d0dff9824579ceaf05e630299bc997231cc725f76b92243aa0b4

SHA512
650cfc7ffd41eea4b13cd95792763e0ce0f64dffe58348509e17688a55fadbe0f8c799c7cc603deb30963e00c30e89974a9e221713eb3c0cf720585e2579738f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qqgrb.txt
Filesize
1KB

MD5
5652646874c58676e7caed4cf940cfc5

SHA1
addebc102ba1b3f8d9b9870858b9c94b5175013c

SHA256
9d172710b5c0ea3639881258cf1bddbd5500a115a4d4f1da25d8e79578af19a8

SHA512
67f7dcec134240a0dfaf82899d2ecd26fbb4bf91633e30507b981759bfe77335ba27d0f923e76288cc403a36150dfdf272238c15931496b56e4e4efcbe6b384e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize
11KB

MD5
c5251bb2a7cf2c0573b593d7c7fae987

SHA1
9e31e54a5fe5a21a4f0f272e24b0ffaf2acafa0a

SHA256
3345b8c5fb66b39c12b7d0f40f7d2b1871595e4c076e8f0e2b417f150a3c625d

SHA512
21c460911700a7cc1d13a979d4b44bca28db9d0be4717038b0501a6e17048dd25df25bff8a33bdea9e64a59c14c71c4380f1f477288f3494daa0e915dd10849c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize
109KB

MD5
b22cc7227bab67b4b99e1c4c0302a8af

SHA1
fcf23e02b23b5e5c9a4b4039f1d8a4d41e61b875

SHA256
897ef393d99512e6734000eb2c0aba36dad05471bd4ff1f0d30c27b177dffdd2

SHA512
b4c3e31a378f2f3175c73cb49873d0ce1f21031761cb2b0ae377a6f21e51a2f33a3aadba1af49930d5bcf74117e4873aa38697eac299ade560d450fb1bf1b8c5

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
Filesize
173KB

MD5
9a00ec17812dd1af24c71790d9d125a5

SHA1
3a0d325cf76cb62d771ddbb66e249c7ca26c4494

SHA256
2616ded5d741ecb3f9c2ee7d2ed0d9f9472fee0fe880ebf8d0c2b60cac42f30e

SHA512
21d9eec43dff5490ea7eae407adb1a09d13471452ce327ec0e7fa18c28ebe5cec0af99e3e3ee51f827edf4a16e77562a229f6deb9aa758489d565040d702de45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fc5fccdc7781babba132a78a4559c0bc

SHA1
24512e079ae376857bd1bb378a11d4863f2a6997

SHA256
98d70c72c2b96c95c25fb99c1afb0002ff75f15cb7c3d9e4f78d3e79d5ee8dd0

SHA512
d474e9041f29b0e725225045b16ada1454555ac5fe762ca81bd447c1ea4018798a141f052baf1093875c8d5ac46309f76cc203579f2e8492e47f667a97936a62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c9bd54df7f6a51815c76721a59452aed

SHA1
03244b00ec13463304c5da30a7ce2912d00771e9

SHA256
96a4d42225218f2470869c827f08aafffd2b7e1fdfc401e1208e3a1923a527b1

SHA512
96e1aba4d2e5c941231e70faa522e551dfcbc246257c702f1e6e95a4dea44e9b0ed5a5e3f4a1fcc79a77d39635a5b2d68cfca7c3f3e2e86d60dcbaf45b26f9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
16400c1f4e06978a3570b370798504cb

SHA1
b52b003a0bafde577b09cd20e8ca3a6b86abe3b1

SHA256
0c9425876d848ef197bffe4b26e2832216bc4c0db9717fa633f823ba8904ac60

SHA512
015a2f3860f551978ff2736d3c90dafc40030e0102b51797b35287523ebedfaad75bf3889b7172306fc75ad72a54171aae04b600e639a51e142d604399075c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c9ac1717fede938d81a317ce81292d9a

SHA1
9adad06a878a1a2bde8bdc2cd6f7ab2d83eddc4b

SHA256
9e1db814f218159d62621e644092524a22dff151bdc7b521d2fe39b0ee2fc606

SHA512
a875bf418a0429dc79d2bb836b2c896a1d0ff0f6a532cc7997d50f53240bd59c278ee1be22d5fcf23cf5d2fbb8f411d96ebf0059259415367ec0356ec207d8eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
93dac74ed2b9ea98eb1f6b7dc4562cc1

SHA1
e631c890cbd45d0704a3712a472e5c19d3363abb

SHA256
912a7517dce643c2da47eba9310d36223babc6b0159505c5d8345e5aa857b8b1

SHA512
28145e2ac7d54b64fbb31abdc00387b85df254252ade777b4d556e812f8189035c905f8f423fc2e20957e0bcc90871a7c0f11a15b92a509d2ceb6290b75afd59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a335b0b9381890244de4b09e475f18a7

SHA1
4e50bd94f71a391c3f2fe9bde860f4b36507970a

SHA256
d90701d3b27bc977d24d963ab603b8a37e1aaf9186a71d47544e50ddc5054271

SHA512
8f080458932a00711e5132d9bb82b7627c6082ccf8afac661ac853809dda21e099f7a6995a7c38743cfbaf51b5ba2a0cd5f039898d9567a9e11333a1faef9b91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
538c740216581762978200b622a842f3

SHA1
3b1cbf5d70fb3a0d0e57f534ad004f97bcede9d3

SHA256
c353e98e8ba488f462e7e9a8e6ec6e131289c2f84ceec4854f50b2e6054f3f7e

SHA512
b80becddde060946b812944d31ec7f04416f4000ab40be6a6f9eb2de03e534f81762de4486a33cea1e4a52c801ad0e283ee3a03882ec4d3a8eda158fac9e2b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
163c8f4dab9a693476c74d0dd35cf2da

SHA1
af208f6ff1e6f108e3358677ff4bec50756afd40

SHA256
faf747d2a998590391c884ac6372fe3f6d5c8fe0789ef534321e360f2014d8b3

SHA512
c3785e5b0d8efeb8064271d5a0f0e750db6508e039163898bd82e5ff6b75873174e59abc9d7ee34fd025575812ef7afc23a1a35661a4b317e98e6e976a727da2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dc6d56b7f8914d0356b06e17f428be56

SHA1
d64bd8d6e7c53b06149dcc3315fdb35ff9aa8d53

SHA256
704226a253e6779581f573099c69bf64f8a887d48743c468e67abfbd55561f0c

SHA512
5bf11daccc01b5236a5617329656bebf2c7b47e09957478a77d820807524ed7600d64cbdd46630272ca5cabb6a772164a31447ef4b76ea9740ea9ad987729d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab88B3.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8933.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\cbnxpkcnkuwf.exe
Filesize
340KB

MD5
6bcc066e2a81f34c7e052895001f44c6

SHA1
6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8

SHA256
39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

SHA512
b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c

Download Submit
memory/1032-6075-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2380-449-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-6078-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-6085-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-2227-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-5168-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-6068-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-6074-0x0000000004530000-0x0000000004532000-memory.dmp

Filesize
8KB

Download
memory/2380-6082-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-6077-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2380-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-28-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2664-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-27-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3000-0-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download
memory/3000-15-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download