teslacrypt | 93644832403246ebef8a76cac49d010b3864b4472a8a056f9cba66e8be7d55d8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
Size

500KB
MD5

bfb464faecb6c1d1938228c68ee61fc2
SHA1

20ed2de92194ccb2d0a20a9a5f587d2800331ce4
SHA256

93644832403246ebef8a76cac49d010b3864b4472a8a056f9cba66e8be7d55d8
SHA512

359d11ee35717d1fdad942113b5439f4f0c9db5f1ae94896a48d554b957b65c7999c260ce80312125b6b0dd356a0669b4884a3e3d5e8593db03a03b76196d8cd
SSDEEP

6144:knKwYqvjLM36q25h5KdXSEGbXWWjge4R1p120rkv/Sg9/s+hi:xwYqGh205S3WW0TR1p1Po/

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nnvor.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/61E899A4FF905D7A 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/61E899A4FF905D7A 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/61E899A4FF905D7A If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/61E899A4FF905D7A 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/61E899A4FF905D7A http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/61E899A4FF905D7A http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/61E899A4FF905D7A Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/61E899A4FF905D7A

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/61E899A4FF905D7A

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/61E899A4FF905D7A

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/61E899A4FF905D7A

http://xlowfznrg4wf7dli.ONION/61E899A4FF905D7A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (437) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2876 cmd.exe

pid	process
2876	cmd.exe

Drops startup file 6 IoCs

Processes:

jgtrrkwejxhh.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe

Executes dropped EXE 1 IoCs

Processes:

jgtrrkwejxhh.exe

pid process

2672 jgtrrkwejxhh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jgtrrkwejxhh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\qckxqdh = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\jgtrrkwejxhh.exe"	jgtrrkwejxhh.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

jgtrrkwejxhh.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\it-IT\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\clock.js	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_ReCoVeRy_+nnvor.png	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_ReCoVeRy_+nnvor.html	jgtrrkwejxhh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_ReCoVeRy_+nnvor.txt	jgtrrkwejxhh.exe

Drops file in Windows directory 2 IoCs

Processes:

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\jgtrrkwejxhh.exe	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
File opened for modification	C:\Windows\jgtrrkwejxhh.exe	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

jgtrrkwejxhh.exeNOTEPAD.EXEDllHost.exeIEXPLORE.EXEcmd.exebfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgtrrkwejxhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0fbbf2982f6da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430706022"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d9909000000000200000000001066000000010000200000008fd8cf909480c85155a96d5bef2009fb9df21f8b6ccc715d1af4a80ad07480c2000000000e8000000002000020000000ae406271bc425cea3b92494885fb87dde4cf3869fe9a73c5aae461243ab8c9e2200000009deeeb31f2efe33bbaec5061c1f3ab7fe6b81556d9c3af30e4becaab71ec94a740000000654a15d388cdbd35e6be50ad6c63f41b94149f4f76b97d1ba6b9533e9945a0512a92ecf04bdac3a792cf8a01cc07044eff2a2d63cebc7ba07e5e97a2c4791ad1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d9909000000000200000000001066000000010000200000002e08d68cc82f1b8e5c12d3a962f68d6ded0937c11a67218df2105b8bfe89dc6a000000000e80000000020000200000003eedb44c49f1e71c0e706e98ad4c16b5df8bbdc672fa859e6951fd9e180f21a6900000000284ca29b73f6efdd59b07dc5fe7066a0dfa1ad935df3fc106c330ff798f614050510ab802738d0667438c81d2fe8ac846d37f37cf82ea3a93cda0f4d1dc7750e7d28d453b11d229801de6fbc592f118aa05b9c03f8c987cd3a11a0909793676d0716a255fa9c6cca443e83eea1067c142fb8aeb2bedc54bd287bd96396422b00143d95500a0a3543685b2ec69646798400000005c121cff9ee861f3756fcbee9162fbd951b758e3a6707e62759566a4f83203ed31357759fa3e55509c3fa6f4a73f8e125d25ccbed1a8640c762603de96dd77de	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{553568D1-6275-11EF-B6C3-72D3501DAA0F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2316 NOTEPAD.EXE

pid	process
2316	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jgtrrkwejxhh.exe

pid	process
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe
2672	jgtrrkwejxhh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exejgtrrkwejxhh.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
Token: SeDebugPrivilege	2672	jgtrrkwejxhh.exe
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemProfilePrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeProfSingleProcessPrivilege	2712	WMIC.exe
Token: SeIncBasePriorityPrivilege	2712	WMIC.exe
Token: SeCreatePagefilePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeDebugPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeRemoteShutdownPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: 33	2712	WMIC.exe
Token: 34	2712	WMIC.exe
Token: 35	2712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemProfilePrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeProfSingleProcessPrivilege	2712	WMIC.exe
Token: SeIncBasePriorityPrivilege	2712	WMIC.exe
Token: SeCreatePagefilePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeDebugPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeRemoteShutdownPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: 33	2712	WMIC.exe
Token: 34	2712	WMIC.exe
Token: 35	2712	WMIC.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2552 iexplore.exe
2732 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2552 iexplore.exe
2552 iexplore.exe
3016 IEXPLORE.EXE
3016 IEXPLORE.EXE

pid	process
2552	iexplore.exe
2732	DllHost.exe

pid	process
2552	iexplore.exe
2552	iexplore.exe
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exejgtrrkwejxhh.exeiexplore.exe

description	pid	process	target process
PID 3056 wrote to memory of 2672	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	jgtrrkwejxhh.exe
PID 3056 wrote to memory of 2672	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	jgtrrkwejxhh.exe
PID 3056 wrote to memory of 2672	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	jgtrrkwejxhh.exe
PID 3056 wrote to memory of 2672	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	jgtrrkwejxhh.exe
PID 3056 wrote to memory of 2876	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	cmd.exe
PID 3056 wrote to memory of 2876	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	cmd.exe
PID 3056 wrote to memory of 2876	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	cmd.exe
PID 3056 wrote to memory of 2876	3056	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	cmd.exe
PID 2672 wrote to memory of 2712	2672	jgtrrkwejxhh.exe	WMIC.exe
PID 2672 wrote to memory of 2712	2672	jgtrrkwejxhh.exe	WMIC.exe
PID 2672 wrote to memory of 2712	2672	jgtrrkwejxhh.exe	WMIC.exe
PID 2672 wrote to memory of 2712	2672	jgtrrkwejxhh.exe	WMIC.exe
PID 2672 wrote to memory of 2316	2672	jgtrrkwejxhh.exe	NOTEPAD.EXE
PID 2672 wrote to memory of 2316	2672	jgtrrkwejxhh.exe	NOTEPAD.EXE
PID 2672 wrote to memory of 2316	2672	jgtrrkwejxhh.exe	NOTEPAD.EXE
PID 2672 wrote to memory of 2316	2672	jgtrrkwejxhh.exe	NOTEPAD.EXE
PID 2672 wrote to memory of 2552	2672	jgtrrkwejxhh.exe	iexplore.exe
PID 2672 wrote to memory of 2552	2672	jgtrrkwejxhh.exe	iexplore.exe
PID 2672 wrote to memory of 2552	2672	jgtrrkwejxhh.exe	iexplore.exe
PID 2672 wrote to memory of 2552	2672	jgtrrkwejxhh.exe	iexplore.exe
PID 2552 wrote to memory of 3016	2552	iexplore.exe	IEXPLORE.EXE
PID 2552 wrote to memory of 3016	2552	iexplore.exe	IEXPLORE.EXE
PID 2552 wrote to memory of 3016	2552	iexplore.exe	IEXPLORE.EXE
PID 2552 wrote to memory of 3016	2552	iexplore.exe	IEXPLORE.EXE
PID 2672 wrote to memory of 1796	2672	jgtrrkwejxhh.exe	WMIC.exe
PID 2672 wrote to memory of 1796	2672	jgtrrkwejxhh.exe	WMIC.exe
PID 2672 wrote to memory of 1796	2672	jgtrrkwejxhh.exe	WMIC.exe
PID 2672 wrote to memory of 1796	2672	jgtrrkwejxhh.exe	WMIC.exe
PID 2672 wrote to memory of 1248	2672	jgtrrkwejxhh.exe	cmd.exe
PID 2672 wrote to memory of 1248	2672	jgtrrkwejxhh.exe	cmd.exe
PID 2672 wrote to memory of 1248	2672	jgtrrkwejxhh.exe	cmd.exe
PID 2672 wrote to memory of 1248	2672	jgtrrkwejxhh.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

jgtrrkwejxhh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jgtrrkwejxhh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jgtrrkwejxhh.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\jgtrrkwejxhh.exe
  C:\Windows\jgtrrkwejxhh.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2672
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2316
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3016
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JGTRRK~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\BFB464~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nnvor.html

Filesize
11KB

MD5
e4a379081590b00f89c3bc09ca8f1ccb

SHA1
e98970c3eebebbefe8203e6c31025c16f792a942

SHA256
f303fe7b2ba09093ebdb5901532b4a173804bd18915acf71d227e809cef3d152

SHA512
f04e6bfd667837ab56ce269f03c600ca64d2a46339acd6077e43dccd1ab297f04d0025e194975317b83b882c1b2757cc83d28569f9f15bcccdb9e4013737a559

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nnvor.png

Filesize
65KB

MD5
c947ee8d87539467c9ef940db8227d53

SHA1
37e39b0b9b3242d70b5cc23806c13bdfc6b1b3ec

SHA256
0d7457f89cb2c4aedad6c659948568bc2613fb1dacec591e89001dd903353969

SHA512
b9f57b3532150c29b87609176d952335b5c3234a82a8468411693a7996df7555ed0708288bbdbad676d51168043946a06b1bb8bf7879304d89a53f459cf05b42

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nnvor.txt

Filesize
1KB

MD5
69f3fc2c3e241dd6e8da0123b43a7bb2

SHA1
c6d1fbfb7877549de14d3023ddddfeea910c3183

SHA256
d2b42dc9ff30bb2f0478e7ca741911fbe6b8747338529c4f776a9c71d1bb87de

SHA512
4693392ce339184dbda7b40398feaf2e7024f5a6dbf3cf3d62e43101d8e5a14f1ad5b3005f1977e6b41b45a87b89728fe3d60376995ccff8dbe5c9d5a6a0d1ee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
4497e41d9fc1af46db2da95d1579bd7d

SHA1
1107f7dedba6ca3f82577ab2c9ffd87a9b31129a

SHA256
591552a0b19e24a91ae4d96caf355c5882fcae00a5fa30fde77f94cbf70ecf92

SHA512
44be1e4ab69a3878687a025b8abafe6bcf2add74fdbef00d27ed03706b19a9a5d756cdff6f13ee092ffa2197eaac131076c85fc42a6e2533800f514e095edd12

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
34109e129a37ce3f4366e61f67270c46

SHA1
57f273318ae4f6e317ed2f3eae0e6b856d683f95

SHA256
6015c9d960dfffef54a5f46cbfec9426305c18bb497dd2bf158bf445be7c51ec

SHA512
ee7f9b252975e81ae31ec76d4e27119e3e05090f668751d50b35b38d7544ea92f81cb694dec0094c03c0f19e39c919a7ea342c56cdc536df9a477d3e921bbaa2

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
007f4897290960d80e5ca562ede11a7d

SHA1
483d9585e0108b461dd7a7456eff1613ae68341e

SHA256
63318da0a56633df685ae27d1ff7c7433883a48774506c1f0935067c016641b6

SHA512
ba7e08368176e9c03a1167bc0b96a0a062c138296ab30e76632e7a79bc730eaaae55386b818c3434140571e7f3144ec67bf2b73f3a7d26bc2fee98114ccc7949

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd7129e24035da25c5d692cd390e70f6

SHA1
8896873b43bfbb321749ada63b8c07391c063d3b

SHA256
dfa158986898b88df45203b456e95afbe480390f25ec53662acc02308f8fc924

SHA512
6ed97a090ed14cd2a1441b7fee1569072c1496169d693c1e81264e050ac947e9dd43deebe308bc9177e97bdd924f67e8a197df23a480f7d5c104d59b3c858877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a96279b29cb189c4cee3c14ec985109

SHA1
118bbef4f5b409d59e45f14d528843e521a11343

SHA256
5276097ca86cb502246568531624430df8fb63b388fb8c94e219f55c4e42bc08

SHA512
ab4827a75a680cae0a2f755d8ae7efa9d425344846aac1e596a1205f2ab75912322bac0c14b27286da6a0c78348735fc4a2785bff8849409e7368aa94212226e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31e1097fd7f179cc9029ef4990c1b202

SHA1
f47872489789d97a76a10414fe3997d834602c66

SHA256
62dabfd04a2a05238356c7a7dfe729a69d0787c9a3542d64c340a9ecd00890cc

SHA512
f58dbf86088fcb8d3f5c052127e0af7dd6f8683be4d92833fcd44d2fe9b2c759efd5403997bc4a870b8c550786f9dd0b1edcb916f8336337a399824a13c4f087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cce52679c6d94451bf0f9ffb132a7608

SHA1
729f9e09aba00216503e9db98edc5f9695329a82

SHA256
2d1b67b00ed6ab1fc4651377847ae17d71bbbf975d25400e36a68464523615ed

SHA512
182375055eec6513146e4d819a1565150a2215b6e958be11a249998ce230b7c202c89e3060a04dbfcdbd44406ef11a0b05c1882001eac620ab32a1aad0aba2f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
027324b23e9ef7ccc1d1b129f51375ba

SHA1
bd516acb3aca694a7c56b8d2467ed2507a7df1b1

SHA256
63e5ff70484fd3850100bf7b4ed0af1c107f7a0dccad023a2828b782d0aa4e43

SHA512
f4eff014fffba1e1b56adecde3a3a3c7f93e1735242e4e5a1ab2dd541789f2643790c98bb55785789c9063d23334683581fc6c798b12ab4dd97668bd9bf1fd6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f62a4a240afb214aed88593963065fca

SHA1
ab4c65631e0a3b2d00fe60fef098e545ac403b15

SHA256
deb41eb59656764659f308728ca5b08f3fbd769cdc7ac249fafcb809d541bbf4

SHA512
9cf39965b78536cf85e9fd0a39e112d850d5f4d5ba8bc2af00a7e0cba8bad16f8a0dacb71b5410da01620b89eab976aa71e7d001eb05aa212624e28d2324f87e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27cd969e2624a8c91596a8be6511ad3c

SHA1
44cfc0b54787ac0f28c4d5d409dd09822fe95d36

SHA256
743b45c258b62c8521acff16ccad324480c11a03a288768d657973c3aeac10b5

SHA512
593018f49eb6f4b307373fb29bbd7bb91dcc5e2e52e70d328f387abf33d3485f59aef555d30081c1d95f5f3b1949859df97d283685ca651af32ea1e48a1a3544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2d3f6f8672188f9c56cdc9cb6d919b2

SHA1
f2753686abbe9afac2a56ffbc47e1295e00f0c03

SHA256
01bf16c69525ba0e7bc70c7026f15f204f6f778fc7eafbcb084ee449f9653854

SHA512
055a909b66244366f0978ed829f34c4edd50fe5b91ba381193bfdf77e22892ad03d9552526868f2a8e11144b19b65a3d6e5fd755451365e0609b7bee01cd59e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1b2e88423a17bd1757c1d2988aad59e

SHA1
fbe653da3514b658c4ee90b645e8991bb69672f0

SHA256
4c186f03bb39e8d578dabcfbe1ac65162508d73673e4a3cf2b731920e72fdc03

SHA512
2694e3e5bf5614b8937e5a1e8c8288f7ee1c030d94796693c5e1b0c0368cf2ef1d828c6b21e2bb1f48a02f6724a436597095734f11e7cd7cb8d69e33d11e09ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07b42ae4591f0a094b83de6bcbcc4154

SHA1
213c71eb2d3b4e08de3412ed6918238b2297fdc5

SHA256
5d722275f9f090eef2dd79cad6ee2520c65f61f413878cfa44525c68ffaacc1c

SHA512
8d780e3bace527cf54d23a4b69a42f4d9942d019f53e706cfbfe18d6cc9e7ab7e96bd08696d3feea4819ee289ef0f83383d064a9eed70338b2a5e76c91b27649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd6be61c49725653acb8768cdc04b9df

SHA1
88e696d0d3a6c99e5c53244b367b92909f5e3740

SHA256
ae8db254e703d7921275fad389580c9956a82448cf891313c4bb1acf54acec80

SHA512
a82c5e290ce1a0ee7356362ebef953cba01f15b1b5829394ff04b96085e94da131259c099782ae7e7825c73e60e7e95ca2befd1dc621d25eec03bcfd70884d0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
636a508099e2cdfe2e25275d3e56391c

SHA1
3d92b93520b497eea01f24e70f97c5877f2019b9

SHA256
da072d4e8a8dce049f0bf5cffedb3ffe758c6d5c3e63d324e1262c1fc5f08589

SHA512
470281dda02401d53a5f8cc30c470fc9a18b23dc27af8ca781907207d790e127348f07b95ca2b5070ebca739f181571f2fa0680bb0830abac04f6010e1d41267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a67bfc288107d30147962dfd66978c9

SHA1
96f708ba3728ad07477dca44c136e28a4e7aee6b

SHA256
e952ec566a792c954108b1060027db91112410674e670c935384d6c90f9ca58f

SHA512
c94b948d3e2b5d7a69c1544849dbef986f360f4a4fe03330721b3b51975e3156e0921968deb39de14b912fb7e4ffd82d8b8add233ecfbe26c492def79b103bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c9cb448ae556e3f5170ecf43594b653

SHA1
f5921f3ad7c6bf34f22f2188c7b45f9a7d8bcf54

SHA256
67290c9a58767c795f144f872f114ab575f931058883a256f2742140b0b67dab

SHA512
86cb108bd1f91a8b073723b5f97b05c7c79eb9b79a24564d9fc7f32673c7d7f98fc88b737007257c40225a3ed8d1cd914e92f7db95fef0f09eb9d1993dd2627b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc2f2019c65eb31cebd70727464b9e0a

SHA1
64a5923db18f9f6bf8ec010e02f55bcbf520068f

SHA256
999d117738816f2477a3d873316013cf5f1dd7e22a2b92acc7e6b19a2a490793

SHA512
cef40f878a6701e61728afc03eb5eb37c5bb14d1274fd13ddfec4a189a2e61b5963c90f9f52dbb86d36b5fe7828a595733ae2079092070c83223c2a19a2f6016

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc22ef687ae7e3f06fec0fff637d861c

SHA1
0ddb52d5e486027adcd402de0bd4fce179d6a78a

SHA256
270bf7cae9ecaf754196a8b29a85de5f31312df6a3c739199264be1b99619ffb

SHA512
ac3d31bb8128c7a9eb70dcbf0b873f70620916a459efa878231faba9161226ee6db2abe1e27784b13c7d2ce426dbf5ac8ac72e54fea2c7d2d468afd39fb6a582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4c11f77a9cc5404d9a28d287c4491c2

SHA1
0ba179417673f43f2fec2abb779ea985f7239fde

SHA256
f3fd82c5dc9e0a8f7d7f47453bc64d6a10bac578b4304acd1f8df952f2d31c5d

SHA512
a148110a1aad234d19297623d1e8f3808c244d2ea0d273b048e70b279841483fb637e6c5349f1eace2f67b053435a5a54d59e62c31e6f4111b5a22ddb3a7a084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1d8ae0ec477e8c2eaf59fe5f34b53de

SHA1
4fe2ab283aaee905e8664d0fb9b32370cfa6252e

SHA256
c8514693ca83a6552400f7fdca9a35b9f7179c90b6cc9b641b0f6e5abf8dd0f5

SHA512
37c7ac11ab7d734088b62b2ee527ff7909920398266a3e2ffae18832c4e1ab1cce6c96c9dd19b31aaa506d228f756c4d32ac8b2550a932667b023bc033d5a367

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2178897ef9ceb1d54ee7266b043a8f4b

SHA1
06fa42f46d0afc4a178d2bb1bdcb176ca57339ac

SHA256
2558f4cc4aecea6cf0fda33c87511d73f2f1d9df8360aeac78a11128c8d80807

SHA512
74cf23cbfbdcf7eb6dab2d637e73769ba6f5840365e4687b5766db9aa031b36fe143c0374cc421e0d84ea887881e32be604beb60b6d5e57790ff5f800792ae7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab515E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51CE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jgtrrkwejxhh.exe

Filesize
500KB

MD5
bfb464faecb6c1d1938228c68ee61fc2

SHA1
20ed2de92194ccb2d0a20a9a5f587d2800331ce4

SHA256
93644832403246ebef8a76cac49d010b3864b4472a8a056f9cba66e8be7d55d8

SHA512
359d11ee35717d1fdad942113b5439f4f0c9db5f1ae94896a48d554b957b65c7999c260ce80312125b6b0dd356a0669b4884a3e3d5e8593db03a03b76196d8cd

Download Submit
memory/2672-6099-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/2672-14-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2672-13-0x00000000004D0000-0x0000000000556000-memory.dmp

Filesize
536KB

Download
memory/2672-1852-0x00000000004D0000-0x0000000000556000-memory.dmp

Filesize
536KB

Download
memory/2672-1849-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2672-5205-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2672-6103-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2732-6100-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/3056-1-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3056-0-0x0000000000370000-0x00000000003F6000-memory.dmp

Filesize
536KB

Download
memory/3056-12-0x0000000000370000-0x00000000003F6000-memory.dmp

Filesize
536KB

Download
memory/3056-11-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download