teslacrypt | 4bcb995d10d907933ffddc84d50c36a57464cd1192384744b8d62f18084c0e86

Analysis

max time kernel
126s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe
Size

360KB
MD5

b702f4bdd3ddbb11baaed1c12cd69a8e
SHA1

fb7efeb7aecfe40e719177b0fe99e4ab5cddc837
SHA256

4bcb995d10d907933ffddc84d50c36a57464cd1192384744b8d62f18084c0e86
SHA512

88a8f76ca2a7c73e99944631345c159e6bd0b14ca6aada1c29a585287d4702200298dc4f78f7eb5dced5537f2081bd019aeff3f21ea124bc3c29457ead4d9157
SSDEEP

6144:lwWQWOQ2Gl8KgCNrvkAVShWOsyAm4Y+P/ggUDKmdZ0gwJF1qUiWBd3Rb77V3N:bQWx2Gl6yziyyeY+XgfHPVUiI3NPV9

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xokkd.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D5327317E538B66 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D5327317E538B66 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/D5327317E538B66 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/D5327317E538B66 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D5327317E538B66 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D5327317E538B66 http://yyre45dbvn2nhbefbmh.begumvelic.at/D5327317E538B66 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/D5327317E538B66

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D5327317E538B66

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D5327317E538B66

http://yyre45dbvn2nhbefbmh.begumvelic.at/D5327317E538B66

http://xlowfznrg4wf7dli.ONION/D5327317E538B66

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (394) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe

Executes dropped EXE 2 IoCs

pid	Process
2708	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuxripj = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\fsnahrfqlohq.exe"	fsnahrfqlohq.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2708 set thread context of 1868	2708	fsnahrfqlohq.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_ReCoVeRy_+xokkd.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\_ReCoVeRy_+xokkd.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_ReCoVeRy_+xokkd.html	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png	fsnahrfqlohq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	fsnahrfqlohq.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fsnahrfqlohq.exe	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe
File opened for modification	C:\Windows\fsnahrfqlohq.exe	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsnahrfqlohq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsnahrfqlohq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000003ba6ecbd7e8e64c8d7abfb9567fecc100000000020000000000106600000001000020000000041fd1a46c1bca9ee8a44c3fc5b7dddd3337e306e57ee8d6f3079cc1c09c1706000000000e80000000020000200000001009ef7a5e8ceb09ebbc559091985fbe11e2b5b332df7e3af1d4593e15369de2200000001b61402853686327d555e714c6f9377ef815fd7482e47ce2974e16918d63c591400000005cb85439f13c815906bfafd3e612ec5a6748f3bdc79dedc00a38d8449ea5da0ac0f7cbf425ce4a39a731b334f45f67cfe0a215a6cf6bbeee4f12bc026c2c0c39	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 803460ef7a44db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000003ba6ecbd7e8e64c8d7abfb9567fecc100000000020000000000106600000001000020000000b7cd4a701a63e30939f81514487e6cad51b2c109f7bc2c4e5796397205bab875000000000e80000000020000200000003c09bd4f9e5692926f7ce5a31b7ab53bf83c8a40943f857d090ac29f7185c44e90000000d0ddca208821955cdaeae7bcc2136c8127441fa6b1616fa84892c8b8a89d485e3b33ddbad8584ee79bdeced9719911a33ded038f5902e45d1df951a6e79f06a91da556ccb01b3cb3173b6111cfc4d010fe0bdc1f1da7a7d9334bd9aebc5c0736280643f6577ead470ea6b8da29e9de2fa176dacbeee6ae40e185827b969d7f1e59f0a6138e26b9ee6a765eb705c965aa400000009e48aa85b106e34b9adab9cd4f65c8285cbfe4e1b3bb5d15d9c27428a308c753a419d11bdda01a6b4ca2810da031a65ae9d9df67958ebfe4a9230b994ac2d65a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1ADF2711-B06E-11EF-9628-7EC7239491A4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3004	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe
1868	fsnahrfqlohq.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe
Token: SeDebugPrivilege	1868	fsnahrfqlohq.exe
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe
Token: SeLoadDriverPrivilege	588	WMIC.exe
Token: SeSystemProfilePrivilege	588	WMIC.exe
Token: SeSystemtimePrivilege	588	WMIC.exe
Token: SeProfSingleProcessPrivilege	588	WMIC.exe
Token: SeIncBasePriorityPrivilege	588	WMIC.exe
Token: SeCreatePagefilePrivilege	588	WMIC.exe
Token: SeBackupPrivilege	588	WMIC.exe
Token: SeRestorePrivilege	588	WMIC.exe
Token: SeShutdownPrivilege	588	WMIC.exe
Token: SeDebugPrivilege	588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	588	WMIC.exe
Token: SeRemoteShutdownPrivilege	588	WMIC.exe
Token: SeUndockPrivilege	588	WMIC.exe
Token: SeManageVolumePrivilege	588	WMIC.exe
Token: 33	588	WMIC.exe
Token: 34	588	WMIC.exe
Token: 35	588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe
Token: SeLoadDriverPrivilege	588	WMIC.exe
Token: SeSystemProfilePrivilege	588	WMIC.exe
Token: SeSystemtimePrivilege	588	WMIC.exe
Token: SeProfSingleProcessPrivilege	588	WMIC.exe
Token: SeIncBasePriorityPrivilege	588	WMIC.exe
Token: SeCreatePagefilePrivilege	588	WMIC.exe
Token: SeBackupPrivilege	588	WMIC.exe
Token: SeRestorePrivilege	588	WMIC.exe
Token: SeShutdownPrivilege	588	WMIC.exe
Token: SeDebugPrivilege	588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	588	WMIC.exe
Token: SeRemoteShutdownPrivilege	588	WMIC.exe
Token: SeUndockPrivilege	588	WMIC.exe
Token: SeManageVolumePrivilege	588	WMIC.exe
Token: 33	588	WMIC.exe
Token: 34	588	WMIC.exe
Token: 35	588	WMIC.exe
Token: SeBackupPrivilege	1952	vssvc.exe
Token: SeRestorePrivilege	1952	vssvc.exe
Token: SeAuditPrivilege	1952	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2380	WMIC.exe
Token: SeSecurityPrivilege	2380	WMIC.exe
Token: SeTakeOwnershipPrivilege	2380	WMIC.exe
Token: SeLoadDriverPrivilege	2380	WMIC.exe
Token: SeSystemProfilePrivilege	2380	WMIC.exe
Token: SeSystemtimePrivilege	2380	WMIC.exe
Token: SeProfSingleProcessPrivilege	2380	WMIC.exe
Token: SeIncBasePriorityPrivilege	2380	WMIC.exe
Token: SeCreatePagefilePrivilege	2380	WMIC.exe
Token: SeBackupPrivilege	2380	WMIC.exe
Token: SeRestorePrivilege	2380	WMIC.exe
Token: SeShutdownPrivilege	2380	WMIC.exe
Token: SeDebugPrivilege	2380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2380	WMIC.exe
Token: SeRemoteShutdownPrivilege	2380	WMIC.exe
Token: SeUndockPrivilege	2380	WMIC.exe
Token: SeManageVolumePrivilege	2380	WMIC.exe
Token: 33	2380	WMIC.exe
Token: 34	2380	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2888	iexplore.exe
2504	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2888	iexplore.exe
2888	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
2504	DllHost.exe
2504	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2672	2328	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2708	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2708	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2708	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2708	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2584	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	32
PID 2672 wrote to memory of 2584	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	32
PID 2672 wrote to memory of 2584	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	32
PID 2672 wrote to memory of 2584	2672	b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe	32
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 2708 wrote to memory of 1868	2708	fsnahrfqlohq.exe	34
PID 1868 wrote to memory of 588	1868	fsnahrfqlohq.exe	35
PID 1868 wrote to memory of 588	1868	fsnahrfqlohq.exe	35
PID 1868 wrote to memory of 588	1868	fsnahrfqlohq.exe	35
PID 1868 wrote to memory of 588	1868	fsnahrfqlohq.exe	35
PID 1868 wrote to memory of 3004	1868	fsnahrfqlohq.exe	43
PID 1868 wrote to memory of 3004	1868	fsnahrfqlohq.exe	43
PID 1868 wrote to memory of 3004	1868	fsnahrfqlohq.exe	43
PID 1868 wrote to memory of 3004	1868	fsnahrfqlohq.exe	43
PID 1868 wrote to memory of 2888	1868	fsnahrfqlohq.exe	44
PID 1868 wrote to memory of 2888	1868	fsnahrfqlohq.exe	44
PID 1868 wrote to memory of 2888	1868	fsnahrfqlohq.exe	44
PID 1868 wrote to memory of 2888	1868	fsnahrfqlohq.exe	44
PID 2888 wrote to memory of 1624	2888	iexplore.exe	46
PID 2888 wrote to memory of 1624	2888	iexplore.exe	46
PID 2888 wrote to memory of 1624	2888	iexplore.exe	46
PID 2888 wrote to memory of 1624	2888	iexplore.exe	46
PID 1868 wrote to memory of 2380	1868	fsnahrfqlohq.exe	47
PID 1868 wrote to memory of 2380	1868	fsnahrfqlohq.exe	47
PID 1868 wrote to memory of 2380	1868	fsnahrfqlohq.exe	47
PID 1868 wrote to memory of 2380	1868	fsnahrfqlohq.exe	47
PID 1868 wrote to memory of 820	1868	fsnahrfqlohq.exe	49
PID 1868 wrote to memory of 820	1868	fsnahrfqlohq.exe	49
PID 1868 wrote to memory of 820	1868	fsnahrfqlohq.exe	49
PID 1868 wrote to memory of 820	1868	fsnahrfqlohq.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fsnahrfqlohq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	fsnahrfqlohq.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\fsnahrfqlohq.exe
    C:\Windows\fsnahrfqlohq.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\fsnahrfqlohq.exe
      C:\Windows\fsnahrfqlohq.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1868
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:3004
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1624
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FSNAHR~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B702F4~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xokkd.html

Filesize
12KB

MD5
e688b2d272e707f17bc0382fe833ae95

SHA1
07616d025ff0e58593bed9845348eb3cd2683196

SHA256
c5665355c8d9b5a3e63840ec839bf61bf7189a0e14bed879f9fb9f5638753ca2

SHA512
8eadd513898f386daf620101da302adfd9370e604f48bca462a312220dbe7aef78141e31a406e83b0d899cb913dfb9b93d5f81a30e4ca526bb2eeb684e672e30

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xokkd.png

Filesize
64KB

MD5
28a04c3db3e66fcbdb42047b40daca4a

SHA1
54d1d034e8cc2b88c26ab151390d86696de4dc96

SHA256
7682d013ca6986b0e4cc45f30ccab237307538493e2d956ae0ac511f389eb57e

SHA512
e1e56f3e5487fe1420a2b0b6017faf6ae9dbe6c01f88c9326357bf3d8e9254d67ab0ebbf7ec076b6aedfb2aa8257fd145c4c44222d89a2742e313b54a5189b16

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xokkd.txt

Filesize
1KB

MD5
aba898208f2bae1a56db4eb68c91c835

SHA1
74d649942a7bded2bedc544a92e97fb291ee85b9

SHA256
e6f60474ed5c73a91e339dafdc2b4412b19f0f3099ea72566a19bb2f26fdd9d9

SHA512
72fdb6ad8732fd1a4d8063aad07967bcd604b661a4493152bfca60c46805faf025b82b84b719af871d3632a253983e50b12389eb06d1f3077a5b83aeb39b5df9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
fe8a72d81771402209e63f8086bb07d8

SHA1
a678658e3e044d9feafb6224232ef302ee3d035a

SHA256
bb5f2f220826f953bba97a2780775c451e7d8afc0118f085e09a41ff44f82454

SHA512
d393c5624fb7a6954920d665b12ca13f20c131ffacdaad23d04f35f7111cabd36e961247c77eb0b525ee965896d7f754faf33c205c3cd7cb9da02fa403e7076a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
dfc8b660d795f97622af3c6b39124a79

SHA1
0e507fd6b7507be2a7ab978ddaf1d9fed529fad3

SHA256
17d02a9115773e876faee5021db8e544af5fc0bbd49ab6ce93063f3459f8ffa0

SHA512
4638a0ed4f1a20f2d8142454f98594c965149151b457e375985c0ab95bbf26694c27ea3750afa447ce17cee11fecdd7c735fd53dbaf4e3b80a02ec0ef69a908d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
81b6e6e13c76313381cc696ea26d4114

SHA1
fb39639804a77c7180b679b1a437c896c88554fa

SHA256
bee49c694184ecffe37277a36489c0e61a2caa44afd365eff853dac8c35a3413

SHA512
091324e9abae3de2c7ac15ef25527a36d1d38dc2e068abaf4ea14dfe8bc27a47040d261bb041c6a1683ab3cf84e2ba62f35709a6fc15fd01923f68ec14935a95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e82378240adbe7bff45f161337e0513b

SHA1
37dd082afe3910a0656f5e7399ca24a7b83f523e

SHA256
512b2ab5f46e2fadef9340d81763d6b10c78a2f9949fcf36ca8c9d726d64bbcb

SHA512
6b7b20c677eb5bddfe4c47ebe654eda06b004512fa4236a551ae9cc7cdf0240498b5444190b0b0819b2adf03faec92de055f115ae73652ece2dc7ea299f62a2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b731f473281739289c70ee73a8d0c6bb

SHA1
5e952aef67dafe15fd5694185e1d5850a29b401f

SHA256
ee8e2204b6e6c55704535f2e73d5f9c30a4c4e0715ca8f264d1dd1bf92d1021c

SHA512
6dd81d1c90cda37df2d769feaaf2a61dc983f6ed20b0e5ff32d20aa3723231947a42eae490bf38c74eabb6eabb3cdc0ed53ff0d2d97385528cf1f6a3bd702998

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a84f8604290762eac85a619523f4998

SHA1
bfa36434be6fe0ed8110ff0e8d8cb0098b5264ee

SHA256
6c25543536d3a872d8eb531db3e07c0a26e187ba2ae313f208ee395487ebf3b2

SHA512
56cc5aefa7186f4764bd29af7a5395fe4ddd49959bd9ea19414177dea50aee13f6eb10aef682f772db7d3b7da7ea4fd5a265c76ad7a627b6c12858ee7b2df6ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffb138bcd0471db98d8279c92a728f28

SHA1
5d56630795e98e4b1dc7cb1b88cb9cd0107ac1a0

SHA256
72a4d3ffac7db332cb2c8206eeec413c901cd3d1bb590a7cf15714fbafac5d85

SHA512
6d289ca06fc863e003185d6ca1beef22092e29fc348e1c1636a95c2856413b7b045fb55e0d848af85bcac1c8b0cbc15baaee095836b5ea10691d9ea0f5fac1d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c80361ba85c7418e64f9cc05232ac6df

SHA1
4b50c53d36d6b80516e816427289ffeec7a10029

SHA256
c2e90423dcad530b830094841c3061cd131ae19eb861b22ab276e49005bb5ea7

SHA512
d01f6862a05b1f0fb171ef8283df996eb1d71e016bf6d348a9082544664875f4a85523e62f7585d4383752d062250367afff3c8487d2807b640437211bbc73f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ae9bda91f6bd422180f647b198c1030

SHA1
9875846bbce85b106892211f4b30096faaeff770

SHA256
09c2b4b5ec1abbe25c6693dbcb5171cad9ecf101717180a1108a54f3f94889b9

SHA512
b7f52cdff5fc568afa4fe8cd293d1bf3ebf073f3444239e3700d7d04ff35e91e4dd6bad5e1040376927bad3cc85b9f8ba5d86eedf9b084f9730568f463ca7e20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9314eb889f0bfa9405c6ab16f0f2868c

SHA1
f7a6d038744632290d4df6ab416a517e3f0ab137

SHA256
a4c4f5aba9b0db085b036c236ec2a2cca40f38d6dfaccb41091761dd2ab89796

SHA512
eb2a8ab85dbaeaf57bc97ac12c9188f8fbb56642d4453763f61bbc26e5be66a0a08aafc08f104bbe4eeba7cba5936879c5b10890a4a51633f1f06763bc0a5658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93349877afc1ba75618036d3eb0fd251

SHA1
b6d29c8caf55d877e171062bc1e821f054010293

SHA256
f33d7e841a1ddfdd1dd5da0f7721c4d4f01d1be0dc73dd28274d6fc82f56956c

SHA512
2fbef2f06ee95aad8262e5e44748628983ec0d97261ec6afc93d0308edf7d69f1fd4bd86bb1fea72cfcc6ebf69eab19ac75a263216cdd202b629bd3abcd70e43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ffad7b4849ce4b96888ed85407f1daa

SHA1
03aadc80c15e3472b46a9ea5fb67c8b61a12b27f

SHA256
068f7582d60d5e9e848492ddd20a44e728a279038142ff38134dfd131b57af18

SHA512
12d747f68584c13e754b00b56c261495dad2209a81fe2efa1977b82ec4a67410e176ab76b7de5ffd931f520569cace485b3ead8a864700e6bc13f7e339e2d08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB444.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB4C5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\fsnahrfqlohq.exe

Filesize
360KB

MD5
b702f4bdd3ddbb11baaed1c12cd69a8e

SHA1
fb7efeb7aecfe40e719177b0fe99e4ab5cddc837

SHA256
4bcb995d10d907933ffddc84d50c36a57464cd1192384744b8d62f18084c0e86

SHA512
88a8f76ca2a7c73e99944631345c159e6bd0b14ca6aada1c29a585287d4702200298dc4f78f7eb5dced5537f2081bd019aeff3f21ea124bc3c29457ead4d9157

Download Submit
memory/1868-6050-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-6036-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-759-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-932-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-6051-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-6046-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-3608-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-6035-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1868-6042-0x00000000040A0000-0x00000000040A2000-memory.dmp

Filesize
8KB

Download
memory/2328-0-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2328-17-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2328-1-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2504-6043-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2672-31-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-28-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download