teslacrypt | d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb

Analysis

max time kernel
124s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
Size

356KB
MD5

7bc8e9eb9f3d874764d2658b546abb61
SHA1

40b7e79add5449ac8b11b20ddeb338437a0d17bb
SHA256

d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb
SHA512

2f633cfd7194a11aaa68b7d42a31e95700d908a5af4c40616427d78afd5bebf56f0a9233bcde1cd500540bf5d553e5320aed1876a42dc934d74e1de3f7a7439d
SSDEEP

6144:NOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:NFeq0F+PzcOLyWRsHA93/oswe

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+fusib.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A243AEC46842D4 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A243AEC46842D4 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/A243AEC46842D4 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/A243AEC46842D4 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A243AEC46842D4 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A243AEC46842D4 http://yyre45dbvn2nhbefbmh.begumvelic.at/A243AEC46842D4 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/A243AEC46842D4

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A243AEC46842D4

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A243AEC46842D4

http://yyre45dbvn2nhbefbmh.begumvelic.at/A243AEC46842D4

http://xlowfznrg4wf7dli.ONION/A243AEC46842D4

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (432) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	crlkrjuaskum.exe
2140	crlkrjuaskum.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpihfxu = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\crlkrjuaskum.exe"	crlkrjuaskum.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1852 set thread context of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 2812 set thread context of 2140	2812	crlkrjuaskum.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\clock.css	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_ReCoVeRy_+fusib.html	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\settings.css	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_ReCoVeRy_+fusib.png	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_ReCoVeRy_+fusib.txt	crlkrjuaskum.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\crlkrjuaskum.exe	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
File opened for modification	C:\Windows\crlkrjuaskum.exe	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crlkrjuaskum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crlkrjuaskum.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DDABE971-95AE-11EF-9E7F-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000009f8496f2d2dadc18dee3fbd00d322f1aadcc54fd71afba41904279751c5af135000000000e80000000020000200000001b14264e7019f44871f67bc257d2dcc8340efb0d59b402417703ea504266608620000000709b9581b1ce4c991c0fa874d9d87d881f7ecbc9322ef5ce9fcf3b4bd7d13cde40000000f7cf5bc1d8a3464d00ad4c54cb825e6e6959d5b3ad19d224bfcbe830371ae643b72a5f826f91a41b14a95e3f33e8029a9084c595f381c2749587abd70a25fd49	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906923b2bb29db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f0000000002000000000010660000000100002000000068e2152a6e2aadf832d0815c44b5fd54c622ca475979418240fe2e4fd48d340e000000000e80000000020000200000000d1959e9d6720e73e43cc4be993091e91184ba8785ca59bdcdc399bf1f7fb2e590000000be8e8a17eb776f58364125556ef1961eb464479f19e23e802b5a19e7d18c39e5e36b2a8f92008aeaf0092b5044a9b00bfb0c251e846be6ef96db9196fb59967d6941cf57ce7979d719fe063511d6c3239c6142a8c0236fef6316398a68a1bd0592456b72ba0c83b7a1af18dbd9b8e6a0f3a010e56635a315d0b4bda3c9f0d788d201ea00136af77d9ccaa0a46db24c0140000000fca85161d37330a17d9aaad43dad57a8e9ae135c3689f344726cf673fab00a2a57a0c77703df4ceed0bc3f393f1c28c5aaeb6f2a4e6d08c81d06e95211677422	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2232	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe
2140	crlkrjuaskum.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
Token: SeDebugPrivilege	2140	crlkrjuaskum.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2116	iexplore.exe
352	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2116	iexplore.exe
2116	iexplore.exe
1016	IEXPLORE.EXE
1016	IEXPLORE.EXE
352	DllHost.exe
352	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2652	1852	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2812	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2812	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2812	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2812	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2720	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	33
PID 2652 wrote to memory of 2720	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	33
PID 2652 wrote to memory of 2720	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	33
PID 2652 wrote to memory of 2720	2652	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	33
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2812 wrote to memory of 2140	2812	crlkrjuaskum.exe	35
PID 2140 wrote to memory of 320	2140	crlkrjuaskum.exe	36
PID 2140 wrote to memory of 320	2140	crlkrjuaskum.exe	36
PID 2140 wrote to memory of 320	2140	crlkrjuaskum.exe	36
PID 2140 wrote to memory of 320	2140	crlkrjuaskum.exe	36
PID 2140 wrote to memory of 2232	2140	crlkrjuaskum.exe	45
PID 2140 wrote to memory of 2232	2140	crlkrjuaskum.exe	45
PID 2140 wrote to memory of 2232	2140	crlkrjuaskum.exe	45
PID 2140 wrote to memory of 2232	2140	crlkrjuaskum.exe	45
PID 2140 wrote to memory of 2116	2140	crlkrjuaskum.exe	46
PID 2140 wrote to memory of 2116	2140	crlkrjuaskum.exe	46
PID 2140 wrote to memory of 2116	2140	crlkrjuaskum.exe	46
PID 2140 wrote to memory of 2116	2140	crlkrjuaskum.exe	46
PID 2116 wrote to memory of 1016	2116	iexplore.exe	48
PID 2116 wrote to memory of 1016	2116	iexplore.exe	48
PID 2116 wrote to memory of 1016	2116	iexplore.exe	48
PID 2116 wrote to memory of 1016	2116	iexplore.exe	48
PID 2140 wrote to memory of 1648	2140	crlkrjuaskum.exe	49
PID 2140 wrote to memory of 1648	2140	crlkrjuaskum.exe	49
PID 2140 wrote to memory of 1648	2140	crlkrjuaskum.exe	49
PID 2140 wrote to memory of 1648	2140	crlkrjuaskum.exe	49
PID 2140 wrote to memory of 2956	2140	crlkrjuaskum.exe	52
PID 2140 wrote to memory of 2956	2140	crlkrjuaskum.exe	52
PID 2140 wrote to memory of 2956	2140	crlkrjuaskum.exe	52
PID 2140 wrote to memory of 2956	2140	crlkrjuaskum.exe	52

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	crlkrjuaskum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	crlkrjuaskum.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\crlkrjuaskum.exe
    C:\Windows\crlkrjuaskum.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\crlkrjuaskum.exe
      C:\Windows\crlkrjuaskum.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2140
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2232
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1016
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CRLKRJ~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\7BC8E9~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+fusib.html

Filesize
12KB

MD5
ab1d90e35f6d3cc1943887bfe3703a15

SHA1
fe7fecdc2974d7e87b38388d76640c6914fd6655

SHA256
4ce801ce492bc2227d5fd3af7fcc46bfd4d79a04b969f6a1664aec507d49eb0d

SHA512
e22b50aa8665d3f86d4fac7f07c4b321786ab7ec46e604fd07539341cf899e9fbfc92ad8ba1a0f34005364c83bddd52cb7a8d6d0c6dea501c039a245fdb4e234

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+fusib.png

Filesize
64KB

MD5
a41b32bffef1e204528595c4635e78e1

SHA1
47ddc5d5db21a5968edb32afa6c548ffc45df70b

SHA256
59336198db5697ac429ff744018995d772740848e1511b80b2bf97c5d881498d

SHA512
0e68c5efed5c0fba211c53c365848c7f9df2f51a91ec06aaed5cc65f61e1dc5cf7a33f86d20471b0036047d4ae201c381ef61eb3ce3e638edf1f72ea3e29d412

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+fusib.txt

Filesize
1KB

MD5
e0cbac9be64396fb397d9256c263f743

SHA1
e1f1912f8c88444eeb26a2e0edb946e142e246ca

SHA256
d687cc0ff5258bbab98e974dfc948567e3f158e649f8fb074f60d938ff92c9f2

SHA512
2e11fdf5fe82a56535efcacc94b49bae95e816d9fd195c4a0a3c6948fdf6ea183dce5c4ce29ae28de2bbfadf2bc7cd3e582ce979694f5e8fc3f46ca5fa1dbd80

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
914df54c2bcc11e752e68bc4dba81920

SHA1
ec71cfd7669129be0f7002693939776b5bc85206

SHA256
4589d7fcdd5d5b7b0b610bcba7c9d1fa7aebdb3c3e5402bd4e2791f77bca1d9f

SHA512
81bdd6ecec3fc92dd314a781925ee57985200ad52d887ae0ece1d1d55954cbe2cd26394e9841abd8054309b33f6c0efd8f08f31558588b8fd17eeee4ce3e0d36

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
0364fc6a9de07af8e8021e8500be2ec2

SHA1
b203e83dc23d8d82f48194377faa7eda5f6cfc3e

SHA256
1a83420062c89161327c37b9ed4d601a8a664e405414821824946abc3d5f3568

SHA512
322f5140c7f34447c5e8377a6959c45d56498b92a11a055f8099ebfca9b3c2ba749dc5f8d2f1151fb60fdb0038e01f7fd715c0043cdfcc934f5d844ab6628f5c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
dcd7c905b1a0d612657684fb32cdec57

SHA1
b4e24be36d0d30082d536f4e2363e722adbb158e

SHA256
734af69933d46165efa2db81ac7fdabec56cb66ec058bbd0e79363ebf3af17c6

SHA512
01eff9989dd2e9dc8f6c990cc81d8c658e9fd58d5e5895c94f824091a4cae9cb956253d9d73a79cf5a27ffa93e0a4eac0983e275f2d136f1d876e07a3aa4f083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c668e04b85b75955d3347c68b860de84

SHA1
7143708fd48d61f79170efa9c8bbe8a3e660b004

SHA256
908b3e5c9788b03325bb75ec4907c6f29bbd111bc07fbd7fb4ba5814263ff2d0

SHA512
e57240c8220ad9bca54739ed46878cdcaf9d44982c7e92e2b90cd0e472810b56d1ab9144ce08e7bcf7801baf9cef8db9aebbe77301862afd814cdc7ba25db713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
565911e5bc0c74d695c5e15a59867a7a

SHA1
44b88cdca267cda1859b88014d32bcc50bacd450

SHA256
feebe50535ced9604840a7a7cd34a0886a64257057455dbd3ddb5f52bf2fe0a0

SHA512
dc2adfc88f884379871c7ab634ccd5bbe7662310d12b84a0b6935d734938be953d0ca2c1fd7b72a8c27451c6031821f9973ceea724f4bfec804f0bd082c29a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89d2061bbb007042c0a16c5ef7055a0f

SHA1
b32cf1e2f2069281ad18c0e57929276df76a5b76

SHA256
809720a1c7fe9ef677219e05fcd5c4cc5edc178722dd85217dc6126b8dbbf0d9

SHA512
1de34f7c45a8dfb9e38dcaf15c3c61ffbe0b558a2c914d2ad774f7000dd979f0164f13de19882c2e939afd506cca53f175919c48d3abe05bf4909a31001359c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e4ba46a73b34ec2b486dcfbcf9ed9e9

SHA1
fc7db4813f28cf7c54c7964a17e96f3a2feb62db

SHA256
31952cec4c15d02e9d5bd233bd68eb8aeb25d7538bd5d2075c7c7408c3d6a4ad

SHA512
192f8bf2e54e1ba93fae171cf0d0156ace05a89657c2275741ba954e32a3ea8672fb36f6a6d0432a37f16b3539243c09979e753e911a3ce93a81d50b54524215

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d55c3ccb703484d83b241cdca0128933

SHA1
c239e379ae43c1b5d91e98089f29fe8f845ecc6b

SHA256
952f5d2b3d91769e11781d449e4b26680e3e3fe951d33134b5436213a3c27ad6

SHA512
f966d072d14d0f54cd7fdd335912fb6f16491009d8432be03e0031e51a46aa58bd895ac9501296964319742fcf56bcce8b892ad64f267c36f77c5b4cb2252b5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc904d5d9ad228a31e822d8b706195e1

SHA1
82fec2677940ba44672c808969e11d66913b08e8

SHA256
42736be8aa41725345ac75b6a4c459fdf47614e52693455927a61908154f48e0

SHA512
a8de71fcdd66d811854876a71e5831a0d442c5ae7f612691e5bf3a2b16c14b045e907f2223fcf1fb876b662eba4989f210439b635470e894c79587a2602c2034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3796d9a47f2467698e089ffb485274d0

SHA1
3d25d0f0c0f37fbfda62e9d719c9c013e90fa8aa

SHA256
31c54ec8117a83df7500a5952f25693c987d44106692efc52d5a4672699905a4

SHA512
eb6181ce43105cc1d00b1ac451d51320678d5165a297ff82422893646026b487349b63de3d5fcb4c3243917b087222d6b2a3795c40681193cdce4e64153def07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd72dcea0e4b48aa7d5e31838c151a31

SHA1
90940c058018c897126a748761e410502e5253c9

SHA256
751d664adcfa83741752f2ed3167a1ef52d0be13c725f6109dc488fec5adde45

SHA512
ab1876409e625917238c59e9219cede60b3831f03afb611121ae810ebd01313560c31af6593d43f2f0a5acdb639372792d5d156f3fe9ceb88428f0616b22e4d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aea4a6d84dcc236382ce9b14bb54455a

SHA1
cc94dc4682d92b37db5f9bda80213315eec3bcec

SHA256
c22076cef22c02772bdd3960f43bff37c03e61942b659be42131e5adca44b894

SHA512
39811eac796e7a64fadf0c5e87f9563acba455bef26cafd6ff9fef74674c1ea3299c42cba7d987b92a639f1a63fbe329d1fd03b43c35bb052978578e0033d0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab650B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar65BB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\crlkrjuaskum.exe

Filesize
356KB

MD5
7bc8e9eb9f3d874764d2658b546abb61

SHA1
40b7e79add5449ac8b11b20ddeb338437a0d17bb

SHA256
d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb

SHA512
2f633cfd7194a11aaa68b7d42a31e95700d908a5af4c40616427d78afd5bebf56f0a9233bcde1cd500540bf5d553e5320aed1876a42dc934d74e1de3f7a7439d

Download Submit
memory/352-6135-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1852-0-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/1852-17-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/1852-1-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/2140-6146-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-6139-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-1131-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-1539-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-1538-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-4237-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-6128-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-6134-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/2140-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-6137-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2140-6143-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-31-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2812-29-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download