teslacrypt | 8506824ad4a9aabf540bbf58741412448178b846e540fbbfdf2a4e48acfe46da

Analysis

max time kernel
133s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
Size

336KB
MD5

09b500283366eafb809963ae3341e9c0
SHA1

628610489c41e78617f4e51d0d0143a07b245f85
SHA256

8506824ad4a9aabf540bbf58741412448178b846e540fbbfdf2a4e48acfe46da
SHA512

7ecb3ed388e2866cbb0331d50d910ce3810f8b9bc1ece963e2cc67c5eaff017d2109e7ccb9d022b8960f78cca243c36bbdb29e0f78fdfc32a78cf2daea6ea796
SSDEEP

6144:r1w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:ri0Uu6ikyjcuk5y0hXaxpKkB

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+vvaqj.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CA1174AD3B4660F2 2. http://tes543berda73i48fsdfsd.keratadze.at/CA1174AD3B4660F2 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CA1174AD3B4660F2 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/CA1174AD3B4660F2 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CA1174AD3B4660F2 http://tes543berda73i48fsdfsd.keratadze.at/CA1174AD3B4660F2 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CA1174AD3B4660F2 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/CA1174AD3B4660F2

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CA1174AD3B4660F2

http://tes543berda73i48fsdfsd.keratadze.at/CA1174AD3B4660F2

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CA1174AD3B4660F2

http://xlowfznrg4wf7dli.ONION/CA1174AD3B4660F2

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (431) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2888 cmd.exe

pid	process
2888	cmd.exe

Drops startup file 6 IoCs

Processes:

aujdltalnccs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vvaqj.html	aujdltalnccs.exe

Executes dropped EXE 2 IoCs

Processes:

aujdltalnccs.exeaujdltalnccs.exe

pid process

2756 aujdltalnccs.exe
2652 aujdltalnccs.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2756	aujdltalnccs.exe
2652	aujdltalnccs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aujdltalnccs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxlqouakyycw = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\aujdltalnccs.exe\""	aujdltalnccs.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

09b500283366eafb809963ae3341e9c0_JaffaCakes118.exeaujdltalnccs.exe

description	pid	process	target process
PID 1984 set thread context of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 2756 set thread context of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe

Drops file in Program Files directory 64 IoCs

Processes:

aujdltalnccs.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	aujdltalnccs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css	aujdltalnccs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\Recovery+vvaqj.txt	aujdltalnccs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\es-ES\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\Recovery+vvaqj.html	aujdltalnccs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	aujdltalnccs.exe
File opened for modification	C:\Program Files\Internet Explorer\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\Recovery+vvaqj.png	aujdltalnccs.exe
File opened for modification	C:\Program Files\Java\jre7\Recovery+vvaqj.html	aujdltalnccs.exe

Drops file in Windows directory 2 IoCs

Processes:

09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\aujdltalnccs.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
File opened for modification	C:\Windows\aujdltalnccs.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aujdltalnccs.execmd.exeIEXPLORE.EXE09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe09b500283366eafb809963ae3341e9c0_JaffaCakes118.execmd.exeaujdltalnccs.exeNOTEPAD.EXEDllHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aujdltalnccs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aujdltalnccs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{185EC341-8096-11EF-94A4-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b7ebeca214db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000093049af6c484d7ab1ea295b69b1b2415b68873ba29a1f8fbcb87962ec6e5c1c8000000000e8000000002000020000000bd9dee4de4a6e7a186ff978e9636a2a7bed01370e322c1b4307f23b3bdf3f73720000000def57c693b0539e0e85e2693c32dcb854c7371ea44c2433d0aff235420f90291400000008e651cc499764a6958b21c7da398ee8bf2d27b0784a1aec4cebd7c4e16ac69dd410bb193197f8b04f82c3316bd9ab862420045462dc66ef8fcc10cca7a739ab6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000effdd5c2fa6e596c45b042b0ec476271e12617420eba3cde09887b9771955c96000000000e80000000020000200000004424a04e2199b32ba81c2baec92ab16c721aefb9ce571d67fa6a931ec82c64569000000038430e2dfc1bc4b65a6a8cfa35390e709ce5b228d52d63e50cce7130533852c0dd70e97cec546705f75a5da1ca30431cb7ede112d1f3430d786a8801eb1047b9bbb46371a4c2524a20933db7ec1b87b8375046921e73117087ce501d1e7997b0fb17164f0604c0ba9c51157982af9034218c4210d113407d9e530a06d9b968164b3de1d564c248fd71561ae54d27393b400000008e925c3507fe8d6d6d8f69425cc6ad6108b37b2fc6e196d4b2051544f7e707b80485602de53f96eb2a869d01be4f8b60a8082d86eedb6f997f5f8d443967cd8b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2476 NOTEPAD.EXE

pid	process
2476	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aujdltalnccs.exe

pid	process
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe
2652	aujdltalnccs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

09b500283366eafb809963ae3341e9c0_JaffaCakes118.exeaujdltalnccs.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
Token: SeDebugPrivilege	2652	aujdltalnccs.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: SeBackupPrivilege	2572	vssvc.exe
Token: SeRestorePrivilege	2572	vssvc.exe
Token: SeAuditPrivilege	2572	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

540 iexplore.exe
2824 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

540 iexplore.exe
540 iexplore.exe
2420 IEXPLORE.EXE
2420 IEXPLORE.EXE
2824 DllHost.exe
2824 DllHost.exe

pid	process
540	iexplore.exe
2824	DllHost.exe

pid	process
540	iexplore.exe
540	iexplore.exe
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2824	DllHost.exe
2824	DllHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe09b500283366eafb809963ae3341e9c0_JaffaCakes118.exeaujdltalnccs.exeaujdltalnccs.exeiexplore.exe

description	pid	process	target process
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 1984 wrote to memory of 2696	1984	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
PID 2696 wrote to memory of 2756	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	aujdltalnccs.exe
PID 2696 wrote to memory of 2756	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	aujdltalnccs.exe
PID 2696 wrote to memory of 2756	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	aujdltalnccs.exe
PID 2696 wrote to memory of 2756	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	aujdltalnccs.exe
PID 2696 wrote to memory of 2888	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	cmd.exe
PID 2696 wrote to memory of 2888	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	cmd.exe
PID 2696 wrote to memory of 2888	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	cmd.exe
PID 2696 wrote to memory of 2888	2696	09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe	cmd.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2756 wrote to memory of 2652	2756	aujdltalnccs.exe	aujdltalnccs.exe
PID 2652 wrote to memory of 320	2652	aujdltalnccs.exe	WMIC.exe
PID 2652 wrote to memory of 320	2652	aujdltalnccs.exe	WMIC.exe
PID 2652 wrote to memory of 320	2652	aujdltalnccs.exe	WMIC.exe
PID 2652 wrote to memory of 320	2652	aujdltalnccs.exe	WMIC.exe
PID 2652 wrote to memory of 2476	2652	aujdltalnccs.exe	NOTEPAD.EXE
PID 2652 wrote to memory of 2476	2652	aujdltalnccs.exe	NOTEPAD.EXE
PID 2652 wrote to memory of 2476	2652	aujdltalnccs.exe	NOTEPAD.EXE
PID 2652 wrote to memory of 2476	2652	aujdltalnccs.exe	NOTEPAD.EXE
PID 2652 wrote to memory of 540	2652	aujdltalnccs.exe	iexplore.exe
PID 2652 wrote to memory of 540	2652	aujdltalnccs.exe	iexplore.exe
PID 2652 wrote to memory of 540	2652	aujdltalnccs.exe	iexplore.exe
PID 2652 wrote to memory of 540	2652	aujdltalnccs.exe	iexplore.exe
PID 540 wrote to memory of 2420	540	iexplore.exe	IEXPLORE.EXE
PID 540 wrote to memory of 2420	540	iexplore.exe	IEXPLORE.EXE
PID 540 wrote to memory of 2420	540	iexplore.exe	IEXPLORE.EXE
PID 540 wrote to memory of 2420	540	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2020	2652	aujdltalnccs.exe	WMIC.exe
PID 2652 wrote to memory of 2020	2652	aujdltalnccs.exe	WMIC.exe
PID 2652 wrote to memory of 2020	2652	aujdltalnccs.exe	WMIC.exe
PID 2652 wrote to memory of 2020	2652	aujdltalnccs.exe	WMIC.exe
PID 2652 wrote to memory of 2680	2652	aujdltalnccs.exe	cmd.exe
PID 2652 wrote to memory of 2680	2652	aujdltalnccs.exe	cmd.exe
PID 2652 wrote to memory of 2680	2652	aujdltalnccs.exe	cmd.exe
PID 2652 wrote to memory of 2680	2652	aujdltalnccs.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

aujdltalnccs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aujdltalnccs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	aujdltalnccs.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\09b500283366eafb809963ae3341e9c0_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\aujdltalnccs.exe
    C:\Windows\aujdltalnccs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\aujdltalnccs.exe
      C:\Windows\aujdltalnccs.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2652
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2476
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2420
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AUJDLT~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\09B500~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+vvaqj.html

Filesize
11KB

MD5
2a2c21cbe3deea17c3f236f583c30cec

SHA1
ce9644e6a6d24d0594a874408f1b28a82f3b9550

SHA256
feafb9b48e66d853a62dd228fe9359db09d01c5fbc63b86558c44e453f3c76c6

SHA512
11f22d2e278001b39fb92384f51f6bfd865b71bb02bb2bc22a8d07780e17c37bd02a205c1e0474984b889768dfc266acda8cb4e5bbecad274c8034a79a197234

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+vvaqj.png

Filesize
63KB

MD5
aaf1727cc332755ddae352c12517810f

SHA1
2680adbfd40ce5977ed72908c2a2786021c0dda0

SHA256
1779f6afceff323ba8322ae93568219dd3c478a4296b869b871fcdf40828b531

SHA512
761589111858febd16b31a509f4230d20ef630f9ed3c42e8afe462c1c70617fbd698915a6aae2ff3ef90526ef343648a2b5a15d0539889ffd19eb03e5dd82c4e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+vvaqj.txt

Filesize
1KB

MD5
f2d138f4cda19a8ce249634975e5534f

SHA1
db2bccd09dd1ec8c9f6721dd205b9e3bc03cee83

SHA256
9ae2661f59e66a6ba4293b43be112463bcc549ac94ff63621cc39ccfc81ee761

SHA512
76ec4280cff34263d22d64163e75c0003ecea70f4699674eb98b2d1937e7027bb3acaf4cc473ca7a7a8f9f2442de1fb81d6fb71991c72163f63e68e19e7ccbcc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
65b2b942baedb6bf409590b04b8de295

SHA1
5b49127794facaab9993869224f8f43bfcd3073f

SHA256
e8217629f82c7c516482a230d22dd7a2cce8ce04a49cc9fce63afe2bd99739da

SHA512
8a8d2a1d7d3c3ea467c96c044380eba0ab6626e989a54a68421067874d6dfecd3d17195e0674931b53d386bb2d11341ac04b6525b2be943e5b2a6a03a477197c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
f8111e668c123af636b9d78da4ca76ca

SHA1
c1758630970291e07bbadcea4f0a543b82d24913

SHA256
39e0ff1cd151b519e4c1c0e093e34c8d88bdf1d6e37429782af4f975e6cdb499

SHA512
88547d9cf65f8e0e7542bd407d619dec1d378e96eb954df49a7dcf408379d35e05ba8b6b55ba831c3dff664d7716e9c34f169f3202f645f80ce865c0e414181f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
0e52b2962c2a054e5cd9981a40ae7a3d

SHA1
e7ce55b1035a46ed5b7c5245fdc6eb1ba0dc6db4

SHA256
fba05bef3df2b8be22087849306afc65fc3b1f600b9c312f65620da51cf98225

SHA512
24237ef136ea2906cd382fae770a13d13b69a27bc229d89c18f95028c2b40d1cac49e1d3affe7352e8bf85350bcb2c66754bf103e878a81f0e439f9e3ac1cc98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dd1f090a1680bb0e9d54abf81416d05

SHA1
e7fe1d5c0045c2455838469b95b7b56c1fab38a2

SHA256
9e3c8635ac04b3a7053088f22a4d7ced772e5e6c37a020df51bd63018d85ba0a

SHA512
4658de4ddf8473f259481139787ba35e6ddcd9847983f1093c0fe1aade68850f83c37ff647b34e7dc010982265c82199e6c4ccef8d481e45bf24af18300e7736

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e0d6a898b4481a91a43f601fed324e2

SHA1
f8e070925746cb482a150048581caa99640207e7

SHA256
5a1e4655dfd0360bb1e2292e4bc27a9c55964c34ec1db8fe07ed11a6237a7824

SHA512
a2d43c7d504223c1a301a43dd037419cb0166389322c2de63add78949852ed8fb975b32dae3142f05ed6c06ee3b960d2dae2d8f9359766894f8aa340f484f26e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
246e7b521524c364ac5c4395a0572d09

SHA1
2e0d9d7cf4e6e1756cc41fb6d99019669a5c7d68

SHA256
803b37d78b972c1f002e23fe8470c5c23d9fddc68bf2dbffef6a9610a608c710

SHA512
efb3a97824723841ed777e1fbb25fc968d72b66e47368cbff4986ce5fc653b4cd7a2fa336f4fbdd08e57c9b420b6ee6c0474e43bbdecca238d751c470dbe5688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f54c7c71032b706ca43c5c319a1668c6

SHA1
ad96f5fc40a186a08699886c1e76a036ea587a00

SHA256
e7278222f60c2cfb45e89a6f3ccd00e333faac603700054b43a4b7a8c9797f1f

SHA512
35a3ab2b0660605df0d73493ab8d0eefa0630c74527cdbdcbf7097b5b887e8ebeb5f94809ac7189da1c567713d008895adac201491b8231a78dd6516394def8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64abf2c0f215d49063656d3161610ee5

SHA1
2106d45743973fc663299c27532cd8cdb8b431f5

SHA256
b64cf48fadd4fbbfd00f0cf20fcc6875ff60d8163b29359dfd283c27c2efcc4e

SHA512
4d93de0535cab180408bbab8a8e3e305b64590e30deb6aa9f1e2bc82ef73a91b877ce74fdbf490a2bd9f46896add46918575be95db91e1b65b3120a234d53fb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d31dbe7e92e75536acf34760002bd8a

SHA1
468213450f79d38dec03fe8b1a16c18295f31d3f

SHA256
17848daccd44686898431074d1aae9cfea94a446f64332e51653f4c6132d1820

SHA512
5596a1d2d4757657a11fce85a1b8a94863b1f0dd219737cbc2b164f38b7ce825e4300044b35624c64bb09005b14caeee9b892c389a11c6e71ffa497ea82b4adf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b68eb11f436b4931356d3ceb2c4d049b

SHA1
06a5c2d8e9871138b43e74af6a3f95eceac2a75e

SHA256
b0204cf388dde99068e34e3b760d6d56148c3b10321305f802624ec51850917b

SHA512
1cea9545ae8eb7230d124374d74e30b899ee4ed3d689e50fa60795cfc49f2d93e6a349dbdf3fa6a420c904a67ef3e5885adeffa22d1cf4dba798c701d62a39f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5591549c424a41b5d170e3c32438b4da

SHA1
399581b68e195c017606eb8f430b827fcaf2364e

SHA256
11c987b327c658981b7e169be7ade837fa45521373e07d96b16fef356f9145b3

SHA512
467e621a4ec165c3b496a3fc976dd09043f380ae357809de265e35ab7da24e14a11d2fe6545496624950b27e79af21a05c432be7be971845f371b652c5f784fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7dff266abca4fa8f38eb20b4618c907

SHA1
fa46bf702e91d69267493a27a7b5ef32d245fc14

SHA256
2e1df470ee4e35e9978b098150d427d7d9ad406feae29aca677cc4e6ea637e01

SHA512
e5c8879bead0240951ba515e5c210b985454c8ddea4a93d751aa430f6933ec615faf5b77397d3cd6a51522aae35b527963a3eac5cdcdf3ecd956531bd94ed00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF11.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF91.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\aujdltalnccs.exe

Filesize
336KB

MD5
09b500283366eafb809963ae3341e9c0

SHA1
628610489c41e78617f4e51d0d0143a07b245f85

SHA256
8506824ad4a9aabf540bbf58741412448178b846e540fbbfdf2a4e48acfe46da

SHA512
7ecb3ed388e2866cbb0331d50d910ce3810f8b9bc1ece963e2cc67c5eaff017d2109e7ccb9d022b8960f78cca243c36bbdb29e0f78fdfc32a78cf2daea6ea796

Download Submit
memory/1984-0-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/1984-16-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2652-49-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-5275-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-6577-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-6574-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-6570-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-1829-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-1834-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-6113-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-6119-0x0000000004560000-0x0000000004562000-memory.dmp

Filesize
8KB

Download
memory/2652-6566-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-6565-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2652-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-28-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2756-25-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/2824-6120-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download