teslacrypt | 3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
Size

368KB
MD5

627ec4f42d9649bc8309d87f03d1c288
SHA1

6cd845e8de2c2197cbab48f94eea823f88b0efd9
SHA256

3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066
SHA512

62899ac229fbfff6cd6ace9610b6d6dc027cc32ffe5b7b2c08fb3445815e134caec32047e0a5129118675f22b32aed516fc877b33c90da98261eb44f119a74bd
SSDEEP

6144:e680E92oeOE4G63VEuFwm+DDrhd3wbYqaUq/JyKSmi97Msg4piwbBS9lkw86C:e68PIHt6DObD5dmYqarImi9jB4SBylkN

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ctqgj.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A4E65DAEC032E6 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A4E65DAEC032E6 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/A4E65DAEC032E6 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/A4E65DAEC032E6 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A4E65DAEC032E6 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A4E65DAEC032E6 http://yyre45dbvn2nhbefbmh.begumvelic.at/A4E65DAEC032E6 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/A4E65DAEC032E6

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A4E65DAEC032E6

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A4E65DAEC032E6

http://yyre45dbvn2nhbefbmh.begumvelic.at/A4E65DAEC032E6

http://xlowfznrg4wf7dli.ONION/A4E65DAEC032E6

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tlgtwbe = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\ajehskmxcjvy.exe"	ajehskmxcjvy.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2636 set thread context of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2572 set thread context of 1904	2572	ajehskmxcjvy.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Java\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\it-IT\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_ReCoVeRy_+ctqgj.html	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\7-Zip\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\_ReCoVeRy_+ctqgj.png	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_ReCoVeRy_+ctqgj.txt	ajehskmxcjvy.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ajehskmxcjvy.exe	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
File opened for modification	C:\Windows\ajehskmxcjvy.exe	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajehskmxcjvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajehskmxcjvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07e25cef422db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F9ADFEB1-8EE7-11EF-ACDF-5EE01BAFE073} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000b743158f7e25ec1b1db318b9970cabcf86138d1ae89bf9b99fb56a2430db310d000000000e8000000002000020000000d1cd18c214253358b7d576ae33c040e3f1352f98ed4164b167a4135b8b1b2a97200000001ca9b1682d1137f2a115317e9095d4300d6e6697f5f8751938a21cf544f9939740000000901fe0da7f3edcb07aebecaf2564946e67c4b0f90c397b8ffe454c6ababf87aa1d0d3ec3c548fb4a624f648a16232a0b2f4b259058c8b23bf0a0f38c5519d76f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000a42a2e5856161fb1f200c4a5e0cabb5d364369d03748f0116474781008e47cc3000000000e80000000020000200000000f886dd3bf97b5fc5d6b034bea321759c7e5699cfed5d34bd435767e26c661759000000082c5dd0f75459adc7fa614fe1de71dcf9d5d144cca53f80dd737465950f6414cc32de88a2a67e3892859486a2c887e10dffb01c6211da0ddd8782d531d712fbb5f38ab06a41bc37027bea90223a528bf1558870a4aa72bdc593c840f9992b1c4dadaae3b04f8cf5d35457bddc9db929674e5d0495f7f04c035562add49319a86068058f3f66435ed4126108e1b2dc986400000005605dc92b64d7c8fe16b0ad7d2215ba5bb2a297ba14fc7f14e14b515e8e94414b46138a0f4f579b6f48650eb3b64aba839345d4ca97403b2d6e982d704c8744a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1584	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe
1904	ajehskmxcjvy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
Token: SeDebugPrivilege	1904	ajehskmxcjvy.exe
Token: SeIncreaseQuotaPrivilege	2900	WMIC.exe
Token: SeSecurityPrivilege	2900	WMIC.exe
Token: SeTakeOwnershipPrivilege	2900	WMIC.exe
Token: SeLoadDriverPrivilege	2900	WMIC.exe
Token: SeSystemProfilePrivilege	2900	WMIC.exe
Token: SeSystemtimePrivilege	2900	WMIC.exe
Token: SeProfSingleProcessPrivilege	2900	WMIC.exe
Token: SeIncBasePriorityPrivilege	2900	WMIC.exe
Token: SeCreatePagefilePrivilege	2900	WMIC.exe
Token: SeBackupPrivilege	2900	WMIC.exe
Token: SeRestorePrivilege	2900	WMIC.exe
Token: SeShutdownPrivilege	2900	WMIC.exe
Token: SeDebugPrivilege	2900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2900	WMIC.exe
Token: SeRemoteShutdownPrivilege	2900	WMIC.exe
Token: SeUndockPrivilege	2900	WMIC.exe
Token: SeManageVolumePrivilege	2900	WMIC.exe
Token: 33	2900	WMIC.exe
Token: 34	2900	WMIC.exe
Token: 35	2900	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2900	WMIC.exe
Token: SeSecurityPrivilege	2900	WMIC.exe
Token: SeTakeOwnershipPrivilege	2900	WMIC.exe
Token: SeLoadDriverPrivilege	2900	WMIC.exe
Token: SeSystemProfilePrivilege	2900	WMIC.exe
Token: SeSystemtimePrivilege	2900	WMIC.exe
Token: SeProfSingleProcessPrivilege	2900	WMIC.exe
Token: SeIncBasePriorityPrivilege	2900	WMIC.exe
Token: SeCreatePagefilePrivilege	2900	WMIC.exe
Token: SeBackupPrivilege	2900	WMIC.exe
Token: SeRestorePrivilege	2900	WMIC.exe
Token: SeShutdownPrivilege	2900	WMIC.exe
Token: SeDebugPrivilege	2900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2900	WMIC.exe
Token: SeRemoteShutdownPrivilege	2900	WMIC.exe
Token: SeUndockPrivilege	2900	WMIC.exe
Token: SeManageVolumePrivilege	2900	WMIC.exe
Token: 33	2900	WMIC.exe
Token: 34	2900	WMIC.exe
Token: 35	2900	WMIC.exe
Token: SeBackupPrivilege	2728	vssvc.exe
Token: SeRestorePrivilege	2728	vssvc.exe
Token: SeAuditPrivilege	2728	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2608	WMIC.exe
Token: SeSecurityPrivilege	2608	WMIC.exe
Token: SeTakeOwnershipPrivilege	2608	WMIC.exe
Token: SeLoadDriverPrivilege	2608	WMIC.exe
Token: SeSystemProfilePrivilege	2608	WMIC.exe
Token: SeSystemtimePrivilege	2608	WMIC.exe
Token: SeProfSingleProcessPrivilege	2608	WMIC.exe
Token: SeIncBasePriorityPrivilege	2608	WMIC.exe
Token: SeCreatePagefilePrivilege	2608	WMIC.exe
Token: SeBackupPrivilege	2608	WMIC.exe
Token: SeRestorePrivilege	2608	WMIC.exe
Token: SeShutdownPrivilege	2608	WMIC.exe
Token: SeDebugPrivilege	2608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2608	WMIC.exe
Token: SeRemoteShutdownPrivilege	2608	WMIC.exe
Token: SeUndockPrivilege	2608	WMIC.exe
Token: SeManageVolumePrivilege	2608	WMIC.exe
Token: 33	2608	WMIC.exe
Token: 34	2608	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2692	iexplore.exe
1632	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2692	iexplore.exe
2692	iexplore.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
1632	DllHost.exe
1632	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2184	2636	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2572	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	32
PID 2184 wrote to memory of 2572	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	32
PID 2184 wrote to memory of 2572	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	32
PID 2184 wrote to memory of 2572	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	32
PID 2184 wrote to memory of 3040	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	33
PID 2184 wrote to memory of 3040	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	33
PID 2184 wrote to memory of 3040	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	33
PID 2184 wrote to memory of 3040	2184	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	33
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 2572 wrote to memory of 1904	2572	ajehskmxcjvy.exe	35
PID 1904 wrote to memory of 2900	1904	ajehskmxcjvy.exe	36
PID 1904 wrote to memory of 2900	1904	ajehskmxcjvy.exe	36
PID 1904 wrote to memory of 2900	1904	ajehskmxcjvy.exe	36
PID 1904 wrote to memory of 2900	1904	ajehskmxcjvy.exe	36
PID 1904 wrote to memory of 1584	1904	ajehskmxcjvy.exe	43
PID 1904 wrote to memory of 1584	1904	ajehskmxcjvy.exe	43
PID 1904 wrote to memory of 1584	1904	ajehskmxcjvy.exe	43
PID 1904 wrote to memory of 1584	1904	ajehskmxcjvy.exe	43
PID 1904 wrote to memory of 2692	1904	ajehskmxcjvy.exe	44
PID 1904 wrote to memory of 2692	1904	ajehskmxcjvy.exe	44
PID 1904 wrote to memory of 2692	1904	ajehskmxcjvy.exe	44
PID 1904 wrote to memory of 2692	1904	ajehskmxcjvy.exe	44
PID 2692 wrote to memory of 2796	2692	iexplore.exe	46
PID 2692 wrote to memory of 2796	2692	iexplore.exe	46
PID 2692 wrote to memory of 2796	2692	iexplore.exe	46
PID 2692 wrote to memory of 2796	2692	iexplore.exe	46
PID 1904 wrote to memory of 2608	1904	ajehskmxcjvy.exe	47
PID 1904 wrote to memory of 2608	1904	ajehskmxcjvy.exe	47
PID 1904 wrote to memory of 2608	1904	ajehskmxcjvy.exe	47
PID 1904 wrote to memory of 2608	1904	ajehskmxcjvy.exe	47
PID 1904 wrote to memory of 2992	1904	ajehskmxcjvy.exe	49
PID 1904 wrote to memory of 2992	1904	ajehskmxcjvy.exe	49
PID 1904 wrote to memory of 2992	1904	ajehskmxcjvy.exe	49
PID 1904 wrote to memory of 2992	1904	ajehskmxcjvy.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ajehskmxcjvy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ajehskmxcjvy.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\ajehskmxcjvy.exe
    C:\Windows\ajehskmxcjvy.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\ajehskmxcjvy.exe
      C:\Windows\ajehskmxcjvy.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1904
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1584
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2796
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AJEHSK~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\627EC4~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ctqgj.html

Filesize
12KB

MD5
9fbb5f7889c46289e1cb2a8a64c8a903

SHA1
fc35f9e7b52b8ae16bd79c51d0871fae7805dfa8

SHA256
8343cb192d1e49c1a9f41646a23dda0b4d5599b99fd313972d4c5046c1f4a093

SHA512
d43d8ee46277e2f8e4de7c9318708617e335eb005fc02c8dbbdc3500353398dde1e83e07fff4a6b77df4165c2e2be07d801c4cb37dd7651c42a5be78a24c5703

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ctqgj.png

Filesize
64KB

MD5
0a18692ad52edb26532ea315fc7c32e7

SHA1
273ae3289d2b62fcd5f32fe05562ae9afdefaa20

SHA256
433a1aee0e57bbe29419ab5d76052a315374f6d000d7ddbee61567ad7f022d32

SHA512
b087978aed41b376a4672115544758261328f01368b7a9b8adb54adbe9e75f7ca375cab66b85ec8188f8b82661f5e6d0e7b95cdcba938be22245916c8c6398e5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ctqgj.txt

Filesize
1KB

MD5
699cbb81cc85b10d922425e2bbff1810

SHA1
803f2202b6f52d566760587e48c1b68bc97d1acd

SHA256
98c198cfbfebae44dcbd943dc80e68f36d09f59f2ac067e6da0b75b73d92ce69

SHA512
157f5893051c7443f94f8566dfca8c6640c2079b19249ce2d93e6050d9463461bc879ad2a5f5e7286e6e64c0669de3031719ab78a8f0b52eb2c13597b21c1779

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
4465b6fd44e998ca9c7d57290d783ab4

SHA1
0f1c8556d846fbfb44e972285eb3e563dd0e49a0

SHA256
e58164914232846b72d32ff5126903f5ab10c3570c7b1faa7359427609dc75cb

SHA512
97a93b2d58e986ddd17a1b4fe5cb026437efcbf58e5255791cf0a02092316f199b9cf8be6cb98277591287dea320356b018b6e9fc9ab81fb9e9d48e81435d6e2

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
99dac0aa9e1886a3b67653ab54543c5d

SHA1
71eba52114f5270f94c2d1fcacad402ca4fe7b51

SHA256
61ec4336958c59c4c3a1894d8ac75eef3071903b50e9031380a2cd0d2df2f805

SHA512
ed0fc09f3ec5adaa910f8aef66761ae4313fcdf710a25ebd2590ca2d011b466a0459ea59eb7ed35952047eb51c5b7150d40512aec0f774c221d63f0da9290b0d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
fd063ce307a38fe865517181973e23fb

SHA1
f8d0d5e68f56c76d257b0c5e4589ca89432c8c15

SHA256
45bfc46c25931802667c52054f2301c5cac2cbc01ae97f9aa3af81690fef9d01

SHA512
cf9c9ba5fd9ed5a95c744fbe52a8c6b3da5294dfb6d66e510886f2fb1d64fd35c8b0314460bc750217d10b2f289548e88142dda52852a1278a865efcd3a40498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bac662f9ffbcdec3ba9a6b895c4330a

SHA1
b19d3f32fd5bb55f4a7fdf4598a5ae0954659d31

SHA256
95abc9f89525d9d26a54a40d7dcbf8acd928cc2694ae9d369d391608c431a6bb

SHA512
91ea7a1e7f24caeb10cd24926cc817824d8fa3599761ef97267040720504f82fd69bfb779171c6dcaca2de4648a167bd4c8662a86cdd93e6e68a16f8bc46aae8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c9b772f5246fb78d1483099ae4b135f

SHA1
c7acf1bf16ef13b1b79fb0b8a1bddf2644a7125d

SHA256
4ee6505f6361445258744c2302eeb47090df655075ce65bc00a2f3a718b8d71f

SHA512
0ad59be771ae9fdb155b816f30f5c77c908ab97bc2a00df044511850ac111c43d3ac7ff76de18187726137af5613c5e9e04582d87c07322b7dde06d9b40c7861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
322f4677ccb1ac37280fc94854d83e09

SHA1
009a16641028747578d7e84ea3462d5ab09cabde

SHA256
c236f9fef10d64c1b958f480e651afbf5c94f8730e7903cda92d6babef73406a

SHA512
2b0906908686aab8b8564684d511e3f4ff9137a36b554bdba0472235aede4e4355c0e3a17aafd778afb4bff002758039c2b2a37194078a58a9b76f76ec31383a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7210f1691a1259c89dc964d3ad4cf7d8

SHA1
022df1af188f2dbc91d3f6e5a852904ea123e47e

SHA256
32d1244b7bbc6262a70f6a57917388f07b00551c36056439f921ff49eee79639

SHA512
fbbe8bcf5caf35ddad5fddf87b6eb223ff503968c0eb0764f7807c56408d27faaf85405fd1fdaaf1e5f226335fc3a44937d377adf6e2cd681d6e28cfaa4bb85a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e748e651318ee1a9b3b3096177734a

SHA1
d4f53201ef5ea5b45a3422406d7b6db89c4ca0ae

SHA256
39a45d50bbd36d2de3ebfe92e9e12ef78100b45cc2d1410184cc90169b1aa301

SHA512
92ad962f543789cedc4c822323a61790ee301da968f2ff3815914614c910dda7cc883acb8a057c0f94b3ff04c9a9cb3c3213be8a2e76479765b344bea4b7d719

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5a0b485d176f20e2e0406eb531aa7ab

SHA1
a338b64347998869bebb40e392d11e32d2374643

SHA256
202cee1f04eb2c9471c95f73c33fc5d87624984e999dcb9a4b86d2b35445aa6d

SHA512
511f0d43561b34907f986856bb09fdc6034eded4f4a05b4cf8dd15d2e5c71b2ccbce4f7a250c7be262bbe9dee9191bbf015438d248e3839b72486ef962f06e19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2b5b903d3d79e7425f66253716fc74a

SHA1
1d78d01161f3b19dd28771dd12f302773885d236

SHA256
e6914893b28d086d3759956325b7be1fd5925f0af2624e0463ada413e3c1186d

SHA512
1459c6ee4cf0e62c05eaf3e2cd346871a5a10ff4d923fedfbb8440c69d5fdfcf7322ce294b2b39ff89d94886b08bf5216bafd7126ccebe9aff8a81ffd0e40196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25e06029cfbbf0287df71fc1be2cfec2

SHA1
2c619a653fe20282c83278d14886ad40bb9ef1f8

SHA256
bf6e780c26cadadad688ee6699d14a008c9733d6e060b2d6f7037d2aa7c6198a

SHA512
cf1fc4b0b2e5406dd5b868f1fabcbd4f914bfc9d9b059fedaeaa8c1f04c837f0a50a4414d46b7d210fe68edc4716568dd6b81e0db6031c1d41cc9843cbc56089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da5b1cc6968f763e680d031f5ed2e9a8

SHA1
6533ac9d9d3d2b6f73a842825a17696308a899b6

SHA256
0537e1fdb639e3131d17d7564ff2fed3fc0de373d00598ee57c635e58e8bb9cb

SHA512
1179ca49e357c24bd97178c36aa63dc0ddb53cf139393a7537912ee1cfa9d7f142e7bd618f7cf83ef6da4ec365a32439e2e624ff20e7cfea984f45d25404e2fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5f89c04e522e826e4f74ce6feaa4946

SHA1
0b248b29b5ca809119b6d3631bee10409ffeccd6

SHA256
c214525517b028ce81bedea721dc4a40425c895780ada6628f4219a833457f6f

SHA512
f996f329bc5934333c96dbdcf6a1200f0dcc8cc7fd5af5b922014e6b8f9ac3918c942a4cb00075f2736daaace5dbb0aaccd80a568ba766f793e6386f067d2862

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC41C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC47D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ajehskmxcjvy.exe

Filesize
368KB

MD5
627ec4f42d9649bc8309d87f03d1c288

SHA1
6cd845e8de2c2197cbab48f94eea823f88b0efd9

SHA256
3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066

SHA512
62899ac229fbfff6cd6ace9610b6d6dc027cc32ffe5b7b2c08fb3445815e134caec32047e0a5129118675f22b32aed516fc877b33c90da98261eb44f119a74bd

Download Submit
memory/1632-6114-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1904-6121-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-6117-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-761-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-6124-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-1841-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-1844-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-5381-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-6107-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1904-6113-0x0000000004330000-0x0000000004332000-memory.dmp

Filesize
8KB

Download
memory/1904-6116-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2184-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2184-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2572-31-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2636-19-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2636-0-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2636-1-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download