teslacrypt | ce70e4c500aa39d8d43b1fc93909894c87b68843420b359f4017bec77292fa7d

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe
Size

376KB
MD5

b4c370efce46e7abfec0b147f3118b6e
SHA1

d08babb7e379e05f24270b005efd42c57834d6f1
SHA256

ce70e4c500aa39d8d43b1fc93909894c87b68843420b359f4017bec77292fa7d
SHA512

61573d888601dec15e2eae0777df7a15a5205f3af28c44349aa76f29d712f32d287dedb1187ca1121262b1f7715244bb4c31cc3e878728d77a28619a9207b30f
SSDEEP

6144:ie3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:iY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ssbju.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F017C87C33958B9 2. http://kkd47eh4hdjshb5t.angortra.at/F017C87C33958B9 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/F017C87C33958B9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/F017C87C33958B9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F017C87C33958B9 http://kkd47eh4hdjshb5t.angortra.at/F017C87C33958B9 http://ytrest84y5i456hghadefdsd.pontogrot.com/F017C87C33958B9 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/F017C87C33958B9

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F017C87C33958B9

http://kkd47eh4hdjshb5t.angortra.at/F017C87C33958B9

http://ytrest84y5i456hghadefdsd.pontogrot.com/F017C87C33958B9

http://xlowfznrg4wf7dli.ONION/F017C87C33958B9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (434) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2556	cmd.exe

Drops startup file 6 IoCs

Processes:

xjiodgtqkcvb.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ssbju.html	xjiodgtqkcvb.exe

Executes dropped EXE 2 IoCs

Processes:

xjiodgtqkcvb.exexjiodgtqkcvb.exe

pid	Process
2780	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xjiodgtqkcvb.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\vsenolfgmyyh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\xjiodgtqkcvb.exe\""	xjiodgtqkcvb.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exexjiodgtqkcvb.exe

description	pid	Process	procid_target
PID 2976 set thread context of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2780 set thread context of 2600	2780	xjiodgtqkcvb.exe	35

Drops file in Program Files directory 64 IoCs

Processes:

xjiodgtqkcvb.exe

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Common Files\System\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Media Player\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\Recovery+ssbju.html	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\Recovery+ssbju.txt	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\Recovery+ssbju.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png	xjiodgtqkcvb.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\Recovery+ssbju.html	xjiodgtqkcvb.exe

Drops file in Windows directory 2 IoCs

Processes:

b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\xjiodgtqkcvb.exe	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe
File opened for modification	C:\Windows\xjiodgtqkcvb.exe	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exeb4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exexjiodgtqkcvb.execmd.execmd.exexjiodgtqkcvb.exeNOTEPAD.EXEDllHost.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xjiodgtqkcvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xjiodgtqkcvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2BF14F71-AED3-11EF-82CE-E62D5E492327} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000d2dccfd7511630e1955976fb358fb493cabaeb183bd623112859c29e44c8b3d9000000000e8000000002000020000000fa89c21eae80b9a7d1dc12b95afe1dcadb74e137f8c767037314d57ec0e609479000000059dad3b381c42a501212fd678af6d646967792f44d5d305898226ae2a8de0f324e1c39063dfee83f47b3417c2a618c23f9622524b228d0ed2117120f30570a0507ffe0eb7f5b88b4b29e9ab2f6b7edda1377ea5f66d10f50122fb980ee35c4a90d4a1bf53db5cfb9d869f958fbd41abaec6b56f2d4ee27b213f05d96aee492a1dc1a6a5e044f86fc1755e3cb844fc3d640000000f90da53b0907e412ac03afd60b066032196949dde547e25e49b9b12ae26d60af9148eacac106cb4a1fc469528be899fe43e5a29633ae2115eaa87a0a8709e9bf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000e8d69afddb745f3b2190318a4c0d055c695e331d95446a71c4b7752b1090153c000000000e8000000002000020000000f805857a0392f62a022986fdde093eb59edc40ff31af6c5f1ff9b9c3df761be620000000282050b5e49886bf25c6208e8d3cc943b70c946229e59300b0f0d68c630f172940000000734184b7e905a24f8563d4ef23346e23b2888f6cafc12bc7bd7d2f0148d3d764fb5772bdd6b742d07eda1f5c90af3ebcc7a85113d570752a20de55ff6d333617	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60666600e042db01	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2580	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xjiodgtqkcvb.exe

pid	Process
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe
2600	xjiodgtqkcvb.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exexjiodgtqkcvb.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe
Token: SeDebugPrivilege	2600	xjiodgtqkcvb.exe
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemProfilePrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeProfSingleProcessPrivilege	1892	WMIC.exe
Token: SeIncBasePriorityPrivilege	1892	WMIC.exe
Token: SeCreatePagefilePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeDebugPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeRemoteShutdownPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: 33	1892	WMIC.exe
Token: 34	1892	WMIC.exe
Token: 35	1892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1032	WMIC.exe
Token: SeSecurityPrivilege	1032	WMIC.exe
Token: SeTakeOwnershipPrivilege	1032	WMIC.exe
Token: SeLoadDriverPrivilege	1032	WMIC.exe
Token: SeSystemProfilePrivilege	1032	WMIC.exe
Token: SeSystemtimePrivilege	1032	WMIC.exe
Token: SeProfSingleProcessPrivilege	1032	WMIC.exe
Token: SeIncBasePriorityPrivilege	1032	WMIC.exe
Token: SeCreatePagefilePrivilege	1032	WMIC.exe
Token: SeBackupPrivilege	1032	WMIC.exe
Token: SeRestorePrivilege	1032	WMIC.exe
Token: SeShutdownPrivilege	1032	WMIC.exe
Token: SeDebugPrivilege	1032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1032	WMIC.exe
Token: SeRemoteShutdownPrivilege	1032	WMIC.exe
Token: SeUndockPrivilege	1032	WMIC.exe
Token: SeManageVolumePrivilege	1032	WMIC.exe
Token: 33	1032	WMIC.exe
Token: 34	1032	WMIC.exe
Token: 35	1032	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
2952	iexplore.exe
2956	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid	Process
2952	iexplore.exe
2952	iexplore.exe
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE
2956	DllHost.exe
2956	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exeb4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exexjiodgtqkcvb.exexjiodgtqkcvb.exeiexplore.exe

description	pid	Process	procid_target
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2752	2976	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2780	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2780	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2780	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2780	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2556	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	33
PID 2752 wrote to memory of 2556	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	33
PID 2752 wrote to memory of 2556	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	33
PID 2752 wrote to memory of 2556	2752	b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe	33
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2780 wrote to memory of 2600	2780	xjiodgtqkcvb.exe	35
PID 2600 wrote to memory of 1892	2600	xjiodgtqkcvb.exe	36
PID 2600 wrote to memory of 1892	2600	xjiodgtqkcvb.exe	36
PID 2600 wrote to memory of 1892	2600	xjiodgtqkcvb.exe	36
PID 2600 wrote to memory of 1892	2600	xjiodgtqkcvb.exe	36
PID 2600 wrote to memory of 2580	2600	xjiodgtqkcvb.exe	40
PID 2600 wrote to memory of 2580	2600	xjiodgtqkcvb.exe	40
PID 2600 wrote to memory of 2580	2600	xjiodgtqkcvb.exe	40
PID 2600 wrote to memory of 2580	2600	xjiodgtqkcvb.exe	40
PID 2600 wrote to memory of 2952	2600	xjiodgtqkcvb.exe	41
PID 2600 wrote to memory of 2952	2600	xjiodgtqkcvb.exe	41
PID 2600 wrote to memory of 2952	2600	xjiodgtqkcvb.exe	41
PID 2600 wrote to memory of 2952	2600	xjiodgtqkcvb.exe	41
PID 2952 wrote to memory of 1892	2952	iexplore.exe	43
PID 2952 wrote to memory of 1892	2952	iexplore.exe	43
PID 2952 wrote to memory of 1892	2952	iexplore.exe	43
PID 2952 wrote to memory of 1892	2952	iexplore.exe	43
PID 2600 wrote to memory of 1032	2600	xjiodgtqkcvb.exe	44
PID 2600 wrote to memory of 1032	2600	xjiodgtqkcvb.exe	44
PID 2600 wrote to memory of 1032	2600	xjiodgtqkcvb.exe	44
PID 2600 wrote to memory of 1032	2600	xjiodgtqkcvb.exe	44
PID 2600 wrote to memory of 776	2600	xjiodgtqkcvb.exe	46
PID 2600 wrote to memory of 776	2600	xjiodgtqkcvb.exe	46
PID 2600 wrote to memory of 776	2600	xjiodgtqkcvb.exe	46
PID 2600 wrote to memory of 776	2600	xjiodgtqkcvb.exe	46

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

xjiodgtqkcvb.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xjiodgtqkcvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xjiodgtqkcvb.exe

C:\Users\Admin\AppData\Local\Temp\b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\xjiodgtqkcvb.exe
    C:\Windows\xjiodgtqkcvb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\xjiodgtqkcvb.exe
      C:\Windows\xjiodgtqkcvb.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2600
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2580
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1892
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XJIODG~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B4C370~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2556

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ssbju.html

Filesize
7KB

MD5
ed2e706c630a7def3771e3cf8287a935

SHA1
3c54253ca0e6ee373a0edf540f5347bc7064a192

SHA256
b9117813a66545eb2c20805deb913baf369e8fd6170058f379010c07bdd751a5

SHA512
873fa6e6a8b4cec0dbd6ccb0b5aafd0215ca8d46e1ff87e43d50cf502a21f7ef311d443519b07dffa496f422a9ac8ef0074b806d6156fe853c9d110a3b55a9c0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ssbju.png

Filesize
63KB

MD5
797f8ca408086bd3ef05c55c2a887d6f

SHA1
198fb11b556bc1654f1018aae2abe68b3919f0db

SHA256
9fbceda23ec0008b52164ce419791668fe4dd216cb7b911eed85848402ca8e34

SHA512
4d3b2f65152e508bf3e94b5005fcd1d35576fe4e63003551172f9f7149dc24b6478cfde7f0dc6fbb8af2e27644ab91c682a01faeb96e285a7cb0ae4f7db1b359

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ssbju.txt

Filesize
1KB

MD5
81fd107f67d00ac05486ce7721da2a01

SHA1
0bd63cbbc0fa30c9337d0eae74cc341730d83cf8

SHA256
4654bf2e250d46ac16df8eeb0e9f850e44a039786cfa3adb62513d6703886faa

SHA512
b58a09cc34a777774c348a50920468a36f3352864c9a22181c06f79d35d4b911f623b094baf4fb0ed8a96252d18322a51733dfc805f47341f376901cb0300861

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
c581aa8dcf2fb39d34cf05b98f15b15f

SHA1
a65320c964015234ff71792534f9aea5855ae752

SHA256
6dfe98ac05a7395c52137737cc473d84ece27d21f317f7632b3d75bb1afc7467

SHA512
5e7b108aef73249b7c4d76fb169571bb9784df1e8bbfc63232e8d69c577d3fcbaaf71a93fe8bc2645ed9236314ad3ae68c4968bdb444834827e1354918711111

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
7fccd4e1f01d2c3b9ba0951a4a53f078

SHA1
41bd7f97e9dabff40ee6d6d6b5bec316fcf69870

SHA256
9db5e64029a0f85bc014523e3900e93b4dca4a29f24e19f151959d2f4d67ee87

SHA512
096405acfbfbc77a2db2abac4ea9e2c4276c3599ae1d40d1dfa36fa359ac0bf1224b519c6ba927d45e1b5e96c4c0a19163764b7d4b24a61fb653d1c8718a14dd

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
cac4c4908e5a10750932763d379fa516

SHA1
398f7fb728e665149d80dde1ce7964f373b8a921

SHA256
595329f9f1690f490f94a0fe696cbf7c17eb88a5e6ac925eba770a4c643f3995

SHA512
e2a40874270eca0863e0b88afefc8a744692c95bbf104e32afe8be9da5720e3edd5052f37c1c38bdcedcc233c4248fac346e0a8ceb1d638c4e1165d2ce6f50cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c61e241d3cc7015ed12cd12672b82a20

SHA1
5113c1e87d430b706999d50b89665f391f4e7505

SHA256
d7f141832e6741f1d26c9027d17a247f10f2a5762bbb94e696df8be5cd875113

SHA512
81cd47d74140e4bc6996d240096eaa164eb0808f4a055d54588fb32a85a12affeb07ecc74e3d900c0099701d504bb9850336386e8ca4e4fcd5cc615822938b6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1bdcd5c9114e2fa90327960dd5e348b

SHA1
9c6c96cd07808386d56cdb00552d3150901780d1

SHA256
4a56b03caa1f8a2b2a25db341ffe726edb2748914d10298c88fabe3d54240746

SHA512
cc445184a2a7324dbe502abfc2e7bb1d584eb5d17c51bae8029614f48584870919ee523c3cf969e353bb8efc831c2f35a492ff966bc163f58f6b61cb182ce5a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a6dffdde9b17f4a917255d136ce4af8

SHA1
691db58ce2ac61c7018d6903d98e9e14987cc038

SHA256
5b6a34de17dc7b68c6d446a4d3b395dc4851c8a4da7c6f3ab507cb50ea47ce90

SHA512
219e2fa9b3e010a92ba126fb80705a9dfe811468cbb19ee99996abd868fab2a3b8ff2946918a68b60dbd0f924e272812e5a3e4808069a24e6b31b8cac987544d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f6cdb58321e5b1f090d3dea87f05a17

SHA1
9970ffd51c9e143473c022b96befc299dc9a043e

SHA256
2bfc49665eeef1a9b93b20b8510d12e2bc443a3061d94b0470b70e61e2f45839

SHA512
a995c377ab08016769236ae65fe87c9f7819001b7d8cfbe618d38014e64808e3cf6cd2fe7e09dd4119bd1beac78880eef41c0db141a0496d44b41af38a474c6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d0794e5f5a7037aa31a8c84bcad48dc

SHA1
8809808880bfc28c0eec0cd08157b73296dcfbd9

SHA256
629ec60e6e3ddb3c606fc23df6c9c0d2efb34fe6fa87432dabea3f1cdd1695cb

SHA512
a999857021ee0310651066ba5562f2b6855b80ec86efa86b104e2bf4ba0a8851db06ed4267bb9d5b59ccd570af670d4c7cc1126011d82e1ec9d6b0961e7c7b38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48ff4a2d2616825d2918ec2ee200260e

SHA1
b63dc12a0090935beb2c2629ce28e9d14b0f1935

SHA256
8ada96f3ff32b35bf8e5c2e841960b3a35340427c3598e1ead5b794daed62c50

SHA512
9af7d2d3d869cf814d8a30054981d5152e87141c937696ea447a7fd9164fb463faafb725698c1a17602a5ede88960b07e05f133c16fb51d67207ea4bd5d23d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c130ee12243c1aa7262041a5fe39752

SHA1
68d752c52203e55968a7e36906eea429a631ed5b

SHA256
8f44e367b71a8820706e626a53e81c2c479484acc30f7bda92f49f09d631c682

SHA512
2045abf0f48a7eaba1ed0700e0b6ad9e47b513b4c8b50408e674e383c005b8970eb5224dd90be8c5de54e648c8d5958e4e4393640be2f063a05df730ef921c6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1173a1ee58e3c63d5ae7c9f7c50adaf2

SHA1
0e1335b3081f9d4b446a38c9a94519eff31f1353

SHA256
e2f2952c965470cf39e695fa14c3275dd65dc19ff52a388c5d8cddd9f91a4ac1

SHA512
f4f54d0e04e9850fd1dd14ccfd20defe11dc970654e08c416115134cb639f9fabf974f80b9aae0f7d20290debd15e1d7fefa2cd37f39edc0979216a3ab258fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c2572ccff36da96b3920aa35518d518

SHA1
6428bdda9bcc605d01028e9137943c49e75aa8ac

SHA256
b2518bc51138d508736345735ce618e805941e9f7a2b790c5b658ad9cad5993a

SHA512
1c3f5c91e6efa29b461e1af07fca50c9995a5002a246753715924be4e33b3767a6a7c81a3ea8b423c01a00777ccc8408ec83355f9dd6fe3272f6df66f7844354

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab28C8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2977.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\xjiodgtqkcvb.exe

Filesize
376KB

MD5
b4c370efce46e7abfec0b147f3118b6e

SHA1
d08babb7e379e05f24270b005efd42c57834d6f1

SHA256
ce70e4c500aa39d8d43b1fc93909894c87b68843420b359f4017bec77292fa7d

SHA512
61573d888601dec15e2eae0777df7a15a5205f3af28c44349aa76f29d712f32d287dedb1187ca1121262b1f7715244bb4c31cc3e878728d77a28619a9207b30f

Download Submit
memory/2600-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-57-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-6237-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-6238-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-52-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-6133-0x0000000002A50000-0x0000000002A52000-memory.dmp

Filesize
8KB

Download
memory/2600-54-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-6137-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-1742-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-1743-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-1747-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-4585-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-6127-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-6136-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-31-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-8-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-28-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2956-6134-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2976-19-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2976-0-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2976-1-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download