teslacrypt | dd754c7e866babc27f01d9e9b3bbac680dcc3e83b8a748d39e026b871052b527

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Size

276KB
MD5

0633631727771a19c3593b678268e8f9
SHA1

2c8af799af11e03abc5face54f3943c2b3071203
SHA256

dd754c7e866babc27f01d9e9b3bbac680dcc3e83b8a748d39e026b871052b527
SHA512

f705f51b7f49f51a13c4509909b80e7eaeecf2914867b41f42dd13f655ad1e815355366cb05b9a6093c1887dae569f204b9ca7ad5761a3f1952b3cbc9b31645b
SSDEEP

6144:wL+ROMHXZ99JX2WngMNSYZh1r0CLf2dWsLf2EUOH9:wQ7J9PgMN7LsqEUO

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+dvsen.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/589F16A5ADDC9B1D 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/589F16A5ADDC9B1D 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/589F16A5ADDC9B1D If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/589F16A5ADDC9B1D 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/589F16A5ADDC9B1D http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/589F16A5ADDC9B1D http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/589F16A5ADDC9B1D Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/589F16A5ADDC9B1D

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/589F16A5ADDC9B1D

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/589F16A5ADDC9B1D

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/589F16A5ADDC9B1D

http://xlowfznrg4wf7dli.ONION/589F16A5ADDC9B1D

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (387) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3044	cmd.exe

Drops startup file 6 IoCs

Processes:

gyldesacoumt.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe

Executes dropped EXE 2 IoCs

Processes:

gyldesacoumt.exegyldesacoumt.exe

pid	Process
1936	gyldesacoumt.exe
2232	gyldesacoumt.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gyldesacoumt.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvyxmcl = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\gyldesacoumt.exe"	gyldesacoumt.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

0633631727771a19c3593b678268e8f9_JaffaCakes118.exegyldesacoumt.exe

description	pid	Process	procid_target
PID 1300 set thread context of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1936 set thread context of 2232	1936	gyldesacoumt.exe	35

Drops file in Program Files directory 64 IoCs

Processes:

gyldesacoumt.exe

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveAnother.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv	gyldesacoumt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_ReCoVeRy_+dvsen.html	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js	gyldesacoumt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv	gyldesacoumt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\_ReCoVeRy_+dvsen.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png	gyldesacoumt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_ReCoVeRy_+dvsen.txt	gyldesacoumt.exe

Drops file in Windows directory 2 IoCs

Processes:

0633631727771a19c3593b678268e8f9_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\gyldesacoumt.exe	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
File opened for modification	C:\Windows\gyldesacoumt.exe	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXE0633631727771a19c3593b678268e8f9_JaffaCakes118.execmd.exegyldesacoumt.exeNOTEPAD.EXEDllHost.exe0633631727771a19c3593b678268e8f9_JaffaCakes118.exegyldesacoumt.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyldesacoumt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyldesacoumt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a701960e14db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000004551b38c8b9f46a661f90cc656e572e941b8b0130c2e6f8e9d22aba483bf89d000000000e80000000020000200000002849a6fbe5e98d6d3bfea953ef4f7da84094b524749aa08af391cdefa9ce61d4900000009f20509015779b23dc243a9686d5adfdb0273d2fe7e7a3b2960beacecf588d2c509c29388f2323b4b016ee7cb30afca641ba57049e3599437194f776b5272ddf0a0e34e6896b198ec9bd7c515714373a1e567db35fe7de0d87333b0b08bb4c1c60b88016ac2d9adb6fd8d9168a2142e7995fe5b56e9b2c1a16a995d22da9e25aa278754d45d12e9de23197ff2c84e75440000000a15a86a1631b5d43fb205b20745f05bcae4f785a283017b2ad403c4d17ef1eebcaed409f02204fc211ef9100e34e5e5d51909b62153dc0db58f3470fd233a9ec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000a406309469956028636e9765b08d1f32de1f86c7dd22bf10d696f6cc6d8fddd0000000000e800000000200002000000087b161f0a39326327c5f3740290f3b16c8397273e5fb330042c4ea100cd69891200000008f9237bacc1a2e11c4bcf6c2ebfc29df5b2898132426eb52836b7f5e702c833f40000000c4090159f5eed8dd204cea9c7d5bb2a7bf53ad09435a9d286616aa134c47c9f633f910700af18d83561bc694f4b6cc1d5dfb37f38f6cd98bd997d7333ff30444	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C17E4031-8001-11EF-AF9A-46D787DB8171} = "0"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2920	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gyldesacoumt.exe

pid	Process
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe
2232	gyldesacoumt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0633631727771a19c3593b678268e8f9_JaffaCakes118.exegyldesacoumt.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Token: SeDebugPrivilege	2232	gyldesacoumt.exe
Token: SeIncreaseQuotaPrivilege	2896	WMIC.exe
Token: SeSecurityPrivilege	2896	WMIC.exe
Token: SeTakeOwnershipPrivilege	2896	WMIC.exe
Token: SeLoadDriverPrivilege	2896	WMIC.exe
Token: SeSystemProfilePrivilege	2896	WMIC.exe
Token: SeSystemtimePrivilege	2896	WMIC.exe
Token: SeProfSingleProcessPrivilege	2896	WMIC.exe
Token: SeIncBasePriorityPrivilege	2896	WMIC.exe
Token: SeCreatePagefilePrivilege	2896	WMIC.exe
Token: SeBackupPrivilege	2896	WMIC.exe
Token: SeRestorePrivilege	2896	WMIC.exe
Token: SeShutdownPrivilege	2896	WMIC.exe
Token: SeDebugPrivilege	2896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2896	WMIC.exe
Token: SeRemoteShutdownPrivilege	2896	WMIC.exe
Token: SeUndockPrivilege	2896	WMIC.exe
Token: SeManageVolumePrivilege	2896	WMIC.exe
Token: 33	2896	WMIC.exe
Token: 34	2896	WMIC.exe
Token: 35	2896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2896	WMIC.exe
Token: SeSecurityPrivilege	2896	WMIC.exe
Token: SeTakeOwnershipPrivilege	2896	WMIC.exe
Token: SeLoadDriverPrivilege	2896	WMIC.exe
Token: SeSystemProfilePrivilege	2896	WMIC.exe
Token: SeSystemtimePrivilege	2896	WMIC.exe
Token: SeProfSingleProcessPrivilege	2896	WMIC.exe
Token: SeIncBasePriorityPrivilege	2896	WMIC.exe
Token: SeCreatePagefilePrivilege	2896	WMIC.exe
Token: SeBackupPrivilege	2896	WMIC.exe
Token: SeRestorePrivilege	2896	WMIC.exe
Token: SeShutdownPrivilege	2896	WMIC.exe
Token: SeDebugPrivilege	2896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2896	WMIC.exe
Token: SeRemoteShutdownPrivilege	2896	WMIC.exe
Token: SeUndockPrivilege	2896	WMIC.exe
Token: SeManageVolumePrivilege	2896	WMIC.exe
Token: 33	2896	WMIC.exe
Token: 34	2896	WMIC.exe
Token: 35	2896	WMIC.exe
Token: SeBackupPrivilege	2120	vssvc.exe
Token: SeRestorePrivilege	2120	vssvc.exe
Token: SeAuditPrivilege	2120	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2924	WMIC.exe
Token: SeSecurityPrivilege	2924	WMIC.exe
Token: SeTakeOwnershipPrivilege	2924	WMIC.exe
Token: SeLoadDriverPrivilege	2924	WMIC.exe
Token: SeSystemProfilePrivilege	2924	WMIC.exe
Token: SeSystemtimePrivilege	2924	WMIC.exe
Token: SeProfSingleProcessPrivilege	2924	WMIC.exe
Token: SeIncBasePriorityPrivilege	2924	WMIC.exe
Token: SeCreatePagefilePrivilege	2924	WMIC.exe
Token: SeBackupPrivilege	2924	WMIC.exe
Token: SeRestorePrivilege	2924	WMIC.exe
Token: SeShutdownPrivilege	2924	WMIC.exe
Token: SeDebugPrivilege	2924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2924	WMIC.exe
Token: SeRemoteShutdownPrivilege	2924	WMIC.exe
Token: SeUndockPrivilege	2924	WMIC.exe
Token: SeManageVolumePrivilege	2924	WMIC.exe
Token: 33	2924	WMIC.exe
Token: 34	2924	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
316	iexplore.exe
3036	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid	Process
316	iexplore.exe
316	iexplore.exe
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
3036	DllHost.exe
3036	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

0633631727771a19c3593b678268e8f9_JaffaCakes118.exe0633631727771a19c3593b678268e8f9_JaffaCakes118.exegyldesacoumt.exegyldesacoumt.exeiexplore.exe

description	pid	Process	procid_target
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2776	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1936	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	32
PID 2776 wrote to memory of 1936	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	32
PID 2776 wrote to memory of 1936	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	32
PID 2776 wrote to memory of 1936	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	32
PID 2776 wrote to memory of 3044	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	33
PID 2776 wrote to memory of 3044	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	33
PID 2776 wrote to memory of 3044	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	33
PID 2776 wrote to memory of 3044	2776	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	33
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 1936 wrote to memory of 2232	1936	gyldesacoumt.exe	35
PID 2232 wrote to memory of 2896	2232	gyldesacoumt.exe	36
PID 2232 wrote to memory of 2896	2232	gyldesacoumt.exe	36
PID 2232 wrote to memory of 2896	2232	gyldesacoumt.exe	36
PID 2232 wrote to memory of 2896	2232	gyldesacoumt.exe	36
PID 2232 wrote to memory of 2920	2232	gyldesacoumt.exe	43
PID 2232 wrote to memory of 2920	2232	gyldesacoumt.exe	43
PID 2232 wrote to memory of 2920	2232	gyldesacoumt.exe	43
PID 2232 wrote to memory of 2920	2232	gyldesacoumt.exe	43
PID 2232 wrote to memory of 316	2232	gyldesacoumt.exe	44
PID 2232 wrote to memory of 316	2232	gyldesacoumt.exe	44
PID 2232 wrote to memory of 316	2232	gyldesacoumt.exe	44
PID 2232 wrote to memory of 316	2232	gyldesacoumt.exe	44
PID 316 wrote to memory of 2800	316	iexplore.exe	46
PID 316 wrote to memory of 2800	316	iexplore.exe	46
PID 316 wrote to memory of 2800	316	iexplore.exe	46
PID 316 wrote to memory of 2800	316	iexplore.exe	46
PID 2232 wrote to memory of 2924	2232	gyldesacoumt.exe	47
PID 2232 wrote to memory of 2924	2232	gyldesacoumt.exe	47
PID 2232 wrote to memory of 2924	2232	gyldesacoumt.exe	47
PID 2232 wrote to memory of 2924	2232	gyldesacoumt.exe	47
PID 2232 wrote to memory of 2588	2232	gyldesacoumt.exe	49
PID 2232 wrote to memory of 2588	2232	gyldesacoumt.exe	49
PID 2232 wrote to memory of 2588	2232	gyldesacoumt.exe	49
PID 2232 wrote to memory of 2588	2232	gyldesacoumt.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gyldesacoumt.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gyldesacoumt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gyldesacoumt.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0633631727771a19c3593b678268e8f9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0633631727771a19c3593b678268e8f9_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\gyldesacoumt.exe
    C:\Windows\gyldesacoumt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\gyldesacoumt.exe
      C:\Windows\gyldesacoumt.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2232
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:316 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2800
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GYLDES~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\063363~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+dvsen.html

Filesize
11KB

MD5
281215502b6b267a6c3d51f7040d9c51

SHA1
4a9ab5696d9b78a69e87759b8c75f0789fa69855

SHA256
eccf755fb554890b1778de6bde3f09dc586ca3659b39ccd3b397fd0bb2bf86f0

SHA512
dd02249199a77e6a0f99d774e89f518f56a30d3903de5f1360fe46f494f991fdd3a73beee430f3339fc3823271b77f9127507cab819c952d67644f6ee591ee55

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+dvsen.png

Filesize
65KB

MD5
9c2add0927acb911cd7ad9a678c42384

SHA1
2c33ebca229dd46c39d4018031b83055af9687d0

SHA256
efc40430ef1e875ed27e3af5b9d9d1cef3e8af1dcc872fa035ac7c9fd5b77e7a

SHA512
9ce1771634420cd68760c49a773384e893fa01b2fe1b3212ba2769d903897eedf5c93fb5daecd456689d4fc4e6063fe790ded3fe2f6bb56eaf46a026f6c3eeb0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+dvsen.txt

Filesize
1KB

MD5
7415ae3e2f63453a9ab15e712f64893c

SHA1
ab7835dd8f42e0569e44c04831b929ff9ea4e51e

SHA256
0f95df237b9252c7ee8f97777cb404807863d545a90820413423a2670819e370

SHA512
017d9b90f25b409fdaa80822f2cdf1c58ed1e43f3d7adb38aa958c0e7c5d03c5d1866d9450125d05641ac84c761367fde73c2e92150ca6e7d151b975d460cd1f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
5135d48ba6adfc97a9040ea3ad7fe44c

SHA1
a923098eaa9a369a001efdade210007989e2a87f

SHA256
9e7a05c7b7febecee287a0c8c9011feb07dc02b67bec2cb931ce9b4509aedeac

SHA512
45351743df60d94776997f18a0be70c20079214898d23e081ad637e0f29c45f66233e70be0a9372a076f35cb1aa13907f759c94f7e4f44b54cbc7faaac765448

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
a4767500222d6787ac6ebca3df2c4a17

SHA1
22c2347b7ec9ed1ad47556a610643e883730f094

SHA256
af6b63720f8c101bded320e58e1807fa68f2e25d8c1f32171c74f417e011312b

SHA512
6af1576e9f0dca2844095130621fec28dc0463bbd3871b81912e283aff99318e0233a4dd9c9cdba87fe8036a124c0cbc9b7c188727a47208949ff8e43b9e10d1

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
f516e6827ef97646cf43f4b680006f1a

SHA1
d9cc591f67e6e3b658a55d3183740e4acc0b8d73

SHA256
84b54411101551bce03da4da9b6d9e316e991ab6126128bc7350e82201079990

SHA512
b9bea1ee8dcf9dc7bfd4bce95037a8bfa1b148060d56b3da0469f7c58c42593292c07e63ac28f5525046b4d1d67ed86ca9a1b92bf13967a1afdfcd515b27dc35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2c201018c813b3f5b73433d90982c5c

SHA1
0a0574d38cdd27da6067015451da1a767d4cf95a

SHA256
33a905625c82e6b411c307b9a4a95b1528ab4d55b3558ce32a4f5c7036ef8f59

SHA512
1d168c2712071715560f1c655eb1de51649db40a39754996cdec964c79380d46fa44381ec3b4ce965af105c6f70c18832ea999f8fb34ae724f37d974d81db80a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fd98030c41757c43c400f2844cc7820

SHA1
c9d9982c273d7c9d4412af10fefcea7e79a4628b

SHA256
70561d680a96f55e24ab70c424e623103f2314711c5a4b8b335832bf1b17ff47

SHA512
5e4b98e208906e1f74f3b62ea0dfdfff8f313bc6f70d115a8c923a5e7e5d0144f004ab2fea509e970aeae97ff644f23974549b884c9a7307d81acea6ae30c8e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11afa2ab3f96bf48fe3894698ecfe202

SHA1
a47c1160851346708ad6d4635ae3f1b8d86f179b

SHA256
ba7badefdd9d307b16df9aabce3207f198874bdd77ea56bc2fbeccfbd1c8af34

SHA512
1e5e9cbb9ea810e8b25a4a0669cab96d02c17994c6f4e1def069617d30c2f2149e3086422430947b335e399a56ade1abbc10eb5be0c62c6b5d412fb66c0b8fca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cc3481e034c0975a71b46875ca8ceb0

SHA1
7bf2e62a4072110bab037197b488c901d5a7d3f8

SHA256
1ba37679be57fc1f2ed456985c6e844fb12f2ebf6b6378876ca3a3300eb8bf21

SHA512
5e4599433a7451219589f9f7c8fddd7058b1c615f770d91718abaaa480c9828df7345bfe196d4b10d5edaa1cfe84c94064050f65bfe8cc3c58f99119899230a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edf7ecfd4383083b3c628860b73136a4

SHA1
f65c9e79ce66156ec343a08420a5b1b6187f0837

SHA256
d16b1474eca289b20a45b3cd62873db6cdf5554ece97a456d7a99a0fce0db2b5

SHA512
a1707b59ae70d81c0b8ecfe0ca90f1395be846f73160a607f6e4e86187dcb684a1b515cc43ea3c21191da8c5f8c681e3f6fa331d00d76b12df5abe9cbad749e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60e91c81c86f50cd206d81a819636887

SHA1
5fd4d0dc8e88483b0f95d3e6526e446fcf6e3ca9

SHA256
25ead1f5d5498017e114352e4231e1b5ce9d206f3e7cfcd44e12af0a047e6bd9

SHA512
f64d1bb26546915387e239b152c88b80a7a5bab7bcc2b735675e9a2ab1976483f524e8f85abc41b3f3b4b4ae02ac386bcd2d29ad1bb2c97021cf7117dea8c226

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01764d613797c3b01b8c22969bc28c1c

SHA1
673b6b9223cf8ec55dd0c3127c89593eaafc6398

SHA256
734aa23e69cf3f007147e8755216e18fcee207d942cb126c1d576b7089bc79e7

SHA512
4912e486f9a6b7e414e8b03d9626cfe285afb77be849b5aa5b77d9e9377013b21e93ac136615be62648a40d4649b292d3b3c89bfc3acb8eff08ffb39b49da704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc3e923ad5e45e7ea997958729994dc1

SHA1
327ae0c18fef55079d0c4de5bac2879a18f8f861

SHA256
2dd169fd3abf365fdd00b4db3853c62908d88a5ded238cf275127f369a034982

SHA512
965e79635293c39d904c1151464e71ed4d71a341c2531bfb93ec38241619c9a74d8e511dff8738ba9007150c2b30bb74419501fd519bdd42018f3e07a17d6ddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c50b2ff437c0b522cbbf62cdeffbd2b0

SHA1
27df325331991c6de00940f8d9cf73845f5ff01e

SHA256
ea7cd7571a8ce0191aed759518c20d186be8679b56fffe3d7a1facfb8ffa0641

SHA512
cebaa5905e807db5b2b5107e4a4e992b8b0c88daebd3a233ad617072feac5773d64e7b3b75f3497c332cf3f24678a31165ae8e3e23ab4518aa1206a131939793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23bbb33ab1593d568fc41c7161f117ab

SHA1
4581036baa00605f030df496d4c7ac3f18c2377d

SHA256
0bf1e11e720024cd96f340595d533c8b66155cf4c4b25d47d07d2076814e47a4

SHA512
7f27b344a01e7b28b76ab65104466b2ac73db52da1d7be0b3e5fa42a78c0d120a6f416755da8359b01f8a662bc70b9ae88f9c52677e75f883d2c7ccc8817e2b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b199a18e4fa791483d9155e07a7593d6

SHA1
29fa5b5abb1d2bf2d4ae78ea685574f7eb4d0518

SHA256
547e1b056e6bbbd761fb6388de493bd656ecadad6b3a9af8de77d1b04935a7d8

SHA512
479c3b482ffbe5f264b0a89883ede7cda77f7221d862c965ea9cd2d2ea94f0f4e6867d07ba8b41e238dbce64091f3f139989cadaeb5b93414efa4ce5a3b76dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1ED9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F69.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\gyldesacoumt.exe

Filesize
276KB

MD5
0633631727771a19c3593b678268e8f9

SHA1
2c8af799af11e03abc5face54f3943c2b3071203

SHA256
dd754c7e866babc27f01d9e9b3bbac680dcc3e83b8a748d39e026b871052b527

SHA512
f705f51b7f49f51a13c4509909b80e7eaeecf2914867b41f42dd13f655ad1e815355366cb05b9a6093c1887dae569f204b9ca7ad5761a3f1952b3cbc9b31645b

Download Submit
memory/1300-19-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1300-0-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1300-1-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1936-31-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2232-1463-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-1912-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-1908-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-5053-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-5978-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-5984-0x0000000003EE0000-0x0000000003EE2000-memory.dmp

Filesize
8KB

Download
memory/2232-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-5987-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-5992-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-5997-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2232-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2776-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3036-5985-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download