teslacrypt | a748becdb2c21697c7bdc39cb2bad24c3cb3ecb20e432b1878fa9f05bcb74b82

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe
Size

360KB
MD5

3873e9c48611f30cdbdaae2351badd7b
SHA1

ceeb0cb8b6e61cba268c2bf300736979e88ab491
SHA256

a748becdb2c21697c7bdc39cb2bad24c3cb3ecb20e432b1878fa9f05bcb74b82
SHA512

0ccfdf2e5cb5ed44ffb777e1c61ced77262145d6e93332a3dfac631b4999203e4ef8e3b6274bd4abd9a6de2ec8da1f1e90886be32ceac5b9214458ec6b84c369
SSDEEP

6144:ZC7EO2S2Hu4uN6AOnToEN0lPBTEgFqE0tIjrUB4UKBIkvc2RRVIZd:ZwD2SEuN6pc3PBwxE0Ojox6Ioc2RRVIf

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nykvs.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A35D13E122CDD5B9 2. http://tes543berda73i48fsdfsd.keratadze.at/A35D13E122CDD5B9 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A35D13E122CDD5B9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/A35D13E122CDD5B9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A35D13E122CDD5B9 http://tes543berda73i48fsdfsd.keratadze.at/A35D13E122CDD5B9 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A35D13E122CDD5B9 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/A35D13E122CDD5B9

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A35D13E122CDD5B9

http://tes543berda73i48fsdfsd.keratadze.at/A35D13E122CDD5B9

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A35D13E122CDD5B9

http://xlowfznrg4wf7dli.ONION/A35D13E122CDD5B9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (430) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2324	cmd.exe

Drops startup file 6 IoCs

Processes:

alwrcllpxawt.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nykvs.png	alwrcllpxawt.exe

Executes dropped EXE 1 IoCs

Processes:

alwrcllpxawt.exe

pid	Process
1740	alwrcllpxawt.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

alwrcllpxawt.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\qcxlhnxgjgtr = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\alwrcllpxawt.exe\""	alwrcllpxawt.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

alwrcllpxawt.exe

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv	alwrcllpxawt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\it-IT\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\StartWait.raw	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\Recovery+nykvs.html	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\DVD Maker\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Recovery+nykvs.txt	alwrcllpxawt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\Recovery+nykvs.png	alwrcllpxawt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png	alwrcllpxawt.exe

Drops file in Windows directory 2 IoCs

Processes:

3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\alwrcllpxawt.exe	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe
File opened for modification	C:\Windows\alwrcllpxawt.exe	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

alwrcllpxawt.execmd.exeNOTEPAD.EXEDllHost.exeIEXPLORE.EXEcmd.exe3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alwrcllpxawt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{303B6521-8854-11EF-88C1-C26A93CEF43F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000ae343afec790bc945b83d1baee959210ed189dfed42f49ea12d1097e6239ed50000000000e800000000200002000000023a3ae9a07ba781ff89a03bcfc6e84d708315d7a84adac252e827f8b1acb25b620000000d0d8b6841877e3671954bbf008e5e15c655bc859072be62bccecf9fbd881102a400000004f93d1e788cca5968e1866f5aa62effe25190df46a3577cde778206ff91908240edf11b0b2db73f913f1ed08638ea92650612cd4417ce6cb1f7b1add720d1b8f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434869931"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000417de46f02c51f458ffe525234a7c7d58b4ca3d124abc17153508833e5d55a16000000000e8000000002000020000000ec024b31ad0f38d6cf3f6b2b289264b70479b2f102dacf8d576af3fdba23ad649000000030ffa2062d0c51f1ca675709454b0a662d09abad2081f642d78855240c2602c996005370e9a17ccc0d1cb374b08998573dd2da3c34216e6b02b9457a2f5ad737a7b6b8a41756aefa1224d44fd214012c28ae9bf90c922864be259296e681f234a7fe7c8980893813830627d8833d8f421769c37e034221ea02eacb8adffafb2affca7549d5cdf72e242985de5934ec034000000066dc051a07bcbc47b64e2535d968bb542cbe02028ce63cc9df4d2734da67b059a31e5f1014d5a94d3d657a0c6c93a20f094835e7187504ab09c7e6dcab8dd81a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ded104611cdb01	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

alwrcllpxawt.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	alwrcllpxawt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	alwrcllpxawt.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1664	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

alwrcllpxawt.exe

pid	Process
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe
1740	alwrcllpxawt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exealwrcllpxawt.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe
Token: SeDebugPrivilege	1740	alwrcllpxawt.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe
Token: SeSecurityPrivilege	2844	WMIC.exe
Token: SeTakeOwnershipPrivilege	2844	WMIC.exe
Token: SeLoadDriverPrivilege	2844	WMIC.exe
Token: SeSystemProfilePrivilege	2844	WMIC.exe
Token: SeSystemtimePrivilege	2844	WMIC.exe
Token: SeProfSingleProcessPrivilege	2844	WMIC.exe
Token: SeIncBasePriorityPrivilege	2844	WMIC.exe
Token: SeCreatePagefilePrivilege	2844	WMIC.exe
Token: SeBackupPrivilege	2844	WMIC.exe
Token: SeRestorePrivilege	2844	WMIC.exe
Token: SeShutdownPrivilege	2844	WMIC.exe
Token: SeDebugPrivilege	2844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2844	WMIC.exe
Token: SeRemoteShutdownPrivilege	2844	WMIC.exe
Token: SeUndockPrivilege	2844	WMIC.exe
Token: SeManageVolumePrivilege	2844	WMIC.exe
Token: 33	2844	WMIC.exe
Token: 34	2844	WMIC.exe
Token: 35	2844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe
Token: SeSecurityPrivilege	2844	WMIC.exe
Token: SeTakeOwnershipPrivilege	2844	WMIC.exe
Token: SeLoadDriverPrivilege	2844	WMIC.exe
Token: SeSystemProfilePrivilege	2844	WMIC.exe
Token: SeSystemtimePrivilege	2844	WMIC.exe
Token: SeProfSingleProcessPrivilege	2844	WMIC.exe
Token: SeIncBasePriorityPrivilege	2844	WMIC.exe
Token: SeCreatePagefilePrivilege	2844	WMIC.exe
Token: SeBackupPrivilege	2844	WMIC.exe
Token: SeRestorePrivilege	2844	WMIC.exe
Token: SeShutdownPrivilege	2844	WMIC.exe
Token: SeDebugPrivilege	2844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2844	WMIC.exe
Token: SeRemoteShutdownPrivilege	2844	WMIC.exe
Token: SeUndockPrivilege	2844	WMIC.exe
Token: SeManageVolumePrivilege	2844	WMIC.exe
Token: 33	2844	WMIC.exe
Token: 34	2844	WMIC.exe
Token: 35	2844	WMIC.exe
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2480	WMIC.exe
Token: SeSecurityPrivilege	2480	WMIC.exe
Token: SeTakeOwnershipPrivilege	2480	WMIC.exe
Token: SeLoadDriverPrivilege	2480	WMIC.exe
Token: SeSystemProfilePrivilege	2480	WMIC.exe
Token: SeSystemtimePrivilege	2480	WMIC.exe
Token: SeProfSingleProcessPrivilege	2480	WMIC.exe
Token: SeIncBasePriorityPrivilege	2480	WMIC.exe
Token: SeCreatePagefilePrivilege	2480	WMIC.exe
Token: SeBackupPrivilege	2480	WMIC.exe
Token: SeRestorePrivilege	2480	WMIC.exe
Token: SeShutdownPrivilege	2480	WMIC.exe
Token: SeDebugPrivilege	2480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2480	WMIC.exe
Token: SeRemoteShutdownPrivilege	2480	WMIC.exe
Token: SeUndockPrivilege	2480	WMIC.exe
Token: SeManageVolumePrivilege	2480	WMIC.exe
Token: 33	2480	WMIC.exe
Token: 34	2480	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
3012	iexplore.exe
1596	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid	Process
3012	iexplore.exe
3012	iexplore.exe
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
1596	DllHost.exe
1596	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exealwrcllpxawt.exeiexplore.exe

description	pid	Process	procid_target
PID 2124 wrote to memory of 1740	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1740	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1740	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1740	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2324	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2324	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2324	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2324	2124	3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe	31
PID 1740 wrote to memory of 2844	1740	alwrcllpxawt.exe	33
PID 1740 wrote to memory of 2844	1740	alwrcllpxawt.exe	33
PID 1740 wrote to memory of 2844	1740	alwrcllpxawt.exe	33
PID 1740 wrote to memory of 2844	1740	alwrcllpxawt.exe	33
PID 1740 wrote to memory of 1664	1740	alwrcllpxawt.exe	42
PID 1740 wrote to memory of 1664	1740	alwrcllpxawt.exe	42
PID 1740 wrote to memory of 1664	1740	alwrcllpxawt.exe	42
PID 1740 wrote to memory of 1664	1740	alwrcllpxawt.exe	42
PID 1740 wrote to memory of 3012	1740	alwrcllpxawt.exe	43
PID 1740 wrote to memory of 3012	1740	alwrcllpxawt.exe	43
PID 1740 wrote to memory of 3012	1740	alwrcllpxawt.exe	43
PID 1740 wrote to memory of 3012	1740	alwrcllpxawt.exe	43
PID 3012 wrote to memory of 3044	3012	iexplore.exe	45
PID 3012 wrote to memory of 3044	3012	iexplore.exe	45
PID 3012 wrote to memory of 3044	3012	iexplore.exe	45
PID 3012 wrote to memory of 3044	3012	iexplore.exe	45
PID 1740 wrote to memory of 2480	1740	alwrcllpxawt.exe	46
PID 1740 wrote to memory of 2480	1740	alwrcllpxawt.exe	46
PID 1740 wrote to memory of 2480	1740	alwrcllpxawt.exe	46
PID 1740 wrote to memory of 2480	1740	alwrcllpxawt.exe	46
PID 1740 wrote to memory of 2412	1740	alwrcllpxawt.exe	49
PID 1740 wrote to memory of 2412	1740	alwrcllpxawt.exe	49
PID 1740 wrote to memory of 2412	1740	alwrcllpxawt.exe	49
PID 1740 wrote to memory of 2412	1740	alwrcllpxawt.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

alwrcllpxawt.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	alwrcllpxawt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	alwrcllpxawt.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3873e9c48611f30cdbdaae2351badd7b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\alwrcllpxawt.exe
  C:\Windows\alwrcllpxawt.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1740
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1664
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3044
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ALWRCL~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3873E9~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nykvs.html

Filesize
11KB

MD5
f2eb90e7438a1ee3dad340e138dcc2f1

SHA1
f54fbc4f4a32c0d4ac6c4c7c9105a63c9736cfcc

SHA256
f2a880fbe81e42e641916ad1adabd127f060879d5ba7dcd4b837c43fdeedfa0e

SHA512
8acde6f57d2c631cb226be25b6df2985f989070c5067140d107f29bd0939858ac24fa67d027485236cf6d1b88d5f8c7508e24cc5b39103c14116b23d2c9d9d32

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nykvs.png

Filesize
63KB

MD5
b346d876b978d77bd683a2b30c3b9581

SHA1
6f8a64f791032413d2ca943ffad0457a90bea543

SHA256
a4fd81e97fffd96e2ae835ba427e8a27c7b76fa1c80ea519558b27204ff9e7bd

SHA512
a80363d317e706c4ab7f98564edd2a699ef9030753627f14f37d9fa522cc914eda0d7bf7123d876358774c3af05b16ad4484bc4808f92b1dc0a927113ae41dbf

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nykvs.txt

Filesize
1KB

MD5
cb899211cb6150609c4f8adee35f53e6

SHA1
091e45138cdf01bb6f3cd14e4771f81f1170566e

SHA256
de90a27dd49256f27b48cff55c9a357bc5d6b91bb9a4a0ad28b8d7ab5fc3c2a4

SHA512
8891aae3bc9cc2363866d8f9ca9fa171e43fbe8e277ee92acdad384daf603d4cb28d8fb7c05e22b88ee7802d7330d7ced0cadee9004d7e6c775d0fc474baaeeb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
0bead6bd68b6aff97dd5d6702a8e3af4

SHA1
7a56b5b02d6baeb4bee38e90f6b57fbd7d1c5f74

SHA256
6e5348b3b44ab777cd9a38c1acbf94516968a1e70017593a6f1765ebc623a6ee

SHA512
14cb2c6415315c78298c69a5f140fb3b03b25027a897173da69986de9dfb81572ca71d015499cd6a0ea3aa88a918d446a509eddc52551683764a93130e519024

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
84ceefcbcdec33a7e65a370f28434c16

SHA1
8f7fad1283dd17e8cf37a314e04ec0b67d2d5e4e

SHA256
850258df4d4ac335b68e31fd7f73e8af6984e9c5d9b81a8e2176ab0afeac2260

SHA512
a5276cea1a2226ca8f164e1c8270eb69a610d9ce79fb31dc99184c66f9245364c2e99508a04729d3d82973e58abf0a7fd09ff465bca6f722c984d46b427732fb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
7356a7b26a0170f47e4e69eab92343f3

SHA1
a93f5ffa68ae7aa7fd6c9ba983fe18a502a4672b

SHA256
57975bdc87b9143d78283e361dda576f522600098bc9917890ef4070d3e9e2bc

SHA512
ae63f7c40519fe59340b68c571c82f425550a745b3d27604e06021e57238400b65c11b2a8022fddf98ec4cad936f0d07c467693f3c1cd2756712e021b88b7321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8e400e20c9d8577cae258ddfaa8c1dc8

SHA1
bdd4bcb3fc5b669eecf1a25fb6636b7c56d40a99

SHA256
a6863d2fca8d4ca29e85dd04b44dc5ef701ae8afae1d3d9229f97dffe2b63c00

SHA512
a0927ae296b530ee864c8bcce130b2db6887f77fbb81fa1bc0d6259208d205dee6e4501e998a33b767a072e9cb6d9670a3c033f222beecb7555207b4e4b5215a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba177ee445477d2639b6feb39f54788d

SHA1
0e9cd2a4334598ea9d5ea353ce980e4330d21bef

SHA256
2110a077642e72aea18705ec77291ecb4513186d12d4571defdd6e63b46f6cc1

SHA512
5921b89aa3eda2ab38fc93956d6480f3a6a20878235680b11c5cf69a03ac3df16f9b5dfe2ebd2f360a9359b176ae147b1ff011cce748956dcb8225660c1f2027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a3035f580b4f0088d971a18c139d85d

SHA1
874b34b938a30cba7c620b28520129a211122250

SHA256
93020712eda96853ae6da5995763bb0732853bfbb82441d25cb76cc04a8c566e

SHA512
58ae3c17c1154629377c9e455f263edc308f5aece5eeb0ef7d7bd32629d43109ac8e2008dbf32daab047ef7d27ff6991c1ec1df4862a3f692436e812ba4304b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bf4dc2a25e43bb33d452ba91ffdd99c

SHA1
ee44bb519bb5b9d9eacab658c46648cc50293845

SHA256
6fdf1d9adce222e4c05dad31579ca6ca40621594a804f5fe2962218e8648f6ba

SHA512
5a7e98407d632184750fadcd6d60957c8cbab0e92f6556c392e6faaf65e5185fc8fefc962b23dd0d9e7afd6652f1cd7477520241d0ae19446bee2cf2b8c7f475

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a04507fb5e401f3c7d6a50c04451924c

SHA1
8699412fa307f30e34deecde250ca6cbf83d9d64

SHA256
e7f59177cafb00d016535f435784fdc7c06232eec84a0fb566068fe6bfccd4f9

SHA512
c203dd0e60778b679dfea201bbd4998cd960bab910582fb63221f62dd8807657d0abd763c2d7bbfa6c177c12178cc78859d7381a1df6d0b775a4cf42eb3d633e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5d2eca515e3fdd73a692f764cd2b2e9

SHA1
167d6482809cdd227c78af4abcc072d0b8f51c68

SHA256
616eec06f764715c05c171a54d4c2e1d3654342dd391cb5344648930afa5a997

SHA512
c65b45cdbf8cea4b149b783f55f7ce40465bcf0ca2c1a440bd592763e65aa74527cba95613d4e1d9b431420bbf1179a0e4cbfae99cded3b7a5b06bfa13a99533

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e8a42cf333294f3b5f8cb7bd67bbffa

SHA1
15065e14bb5d805a4df40d2f7202d33ceaaa5367

SHA256
719bc2aacfc3abee4e55f33025e7ca9605aaaace5c899240729ef554903023e9

SHA512
511aea4ae058eef4a3d6261b5b34cb64d1116899d4a8ed30732705353cb396bf9cafe254f18341656980720d52b8c8201c0c8ef894b42a1d68d5c67564f8749c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
393f81676ae4884c37013cd788dd8361

SHA1
19adf73beb4b9dd53647d7648f2739d5dd2772ad

SHA256
fe3d72c1f0932b84bbf0e88f9aeafddd84c057d03f8ddaecd4d2354db0fac430

SHA512
c9c97c636a9e14685e2e837da629c8015d9a6d5e2de25718939eb5171f26ebfe09cc60eae2ae9ad99c8ee2b2c29c31194a67075c5b91012b8120c4d59981051b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d118a6f2c7c926eb0def00907f68dea8

SHA1
90d87b8f0009d6c2d2798170ac8aa00790748121

SHA256
7c8bb4dd68886be3e4543c55d276a739adde93e07ea7432ea51a9ed09ec21a53

SHA512
4220a9ec41c98d5a451b154b40c8194cf8466d3b6eb93256d39ebd337729c1f85f248daa923ec46f681c9775eff283fbe8244fed8521f04acadc299562d25d44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad75cea2943c53d9d5961c5de415cbad

SHA1
9f6ff14c03ea9f8e7ee0ac0bbe89c2cf690dee7e

SHA256
2af4a25726e889c7e20374b8c92df527eceedd414628b45fa6bd31ea4b066246

SHA512
e71b4648361509a7de220dd6e67116a66e06d407f0f622f6ebc6ec155186b67bdb566f2f4f0e0f672bd8665b7ff495ad79dc99448751dc8df75987c997546be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0e74a995e2417f34c9cacc4649b34b8

SHA1
3549a7b355c63df50e112b3236a91ea7f5cef75c

SHA256
577b13a4bcc12cfeb8b3b31257f77da7ca023e929eca40a6c7732edde38997e5

SHA512
68bf20d03e1c4163c5093a3c1ebe8e26b54f4302e0e039f12c382847b5a50b55dafec7ac1a364bca2d6c39f3f05a37a3cfdd11325fcf2edc696fa7f2c33095c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69eef5a083220eb723bbbf2e78f0a8d8

SHA1
4a1a54f26498da0adc04c7136666df68c4c33153

SHA256
991ec533f9c803efa091d41287f3265be7744202579302ab11049fff15271e8e

SHA512
4020ed32225f449076699d5f2473ac8e74aeb23d00ce13b2e5bb5abbc5dba9ddeef7801dcc4f525c353388cb595d51396b7a1e66ef87ddc88844e7b671677dbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
698293118cf9786932491ac81e8c024f

SHA1
82368c33c6a0a6cb416610453b583e4a71959c81

SHA256
ca6db2639bea7e71a51c349e84c9f885dafaaa38e10eb881460fc03a5157ab1e

SHA512
1be98d86bbc82e16a325dc96aca337d777a39846061d74e6987a28b6dbc04d48c244c22f0be1c545619292189e7ebb56bc26b26b11d7378c150f151698427bb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ce2add851caa1ef6872ca1601726ec4f

SHA1
d778489bd7197b582b26a1ebf00fa99afdf619c2

SHA256
83a5e9c8b5fceb144917cee26c96759565b8de9bf684f57330a3a024b43b8e12

SHA512
6d9f5e281029524916a22a1b6401d7affd419d00ee41eb0032cd0281d60cecc681f71b592c16ed5949014dd76434369c3b7f07527e813f504e4d97aebea7e622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab52A4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar52A6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\alwrcllpxawt.exe

Filesize
360KB

MD5
3873e9c48611f30cdbdaae2351badd7b

SHA1
ceeb0cb8b6e61cba268c2bf300736979e88ab491

SHA256
a748becdb2c21697c7bdc39cb2bad24c3cb3ecb20e432b1878fa9f05bcb74b82

SHA512
0ccfdf2e5cb5ed44ffb777e1c61ced77262145d6e93332a3dfac631b4999203e4ef8e3b6274bd4abd9a6de2ec8da1f1e90886be32ceac5b9214458ec6b84c369

Download Submit
memory/1596-6078-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1740-10-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1740-6115-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1740-1416-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1740-6090-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1740-6077-0x00000000034B0000-0x00000000034B2000-memory.dmp

Filesize
8KB

Download
memory/1740-4894-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1740-1677-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2124-0-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2124-9-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2124-8-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download