teslacrypt | 342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0

Analysis

max time kernel
128s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
Size

384KB
MD5

88716ed91614ba43691f1204a8e1936c
SHA1

d8b3411ae843a5f1d4b506eccec26077fd2f29f2
SHA256

342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0
SHA512

e64af6563e672408ebefc089a02dc6c99082c7a1d4b0a67258c50da88add8bf8c58045041968e22d1a9924f95d62cf2245ed253ac41473c1d28c8d8c62f88bad
SSDEEP

6144:zBeJdbHCHcRlJUdarnrIM+PbeEnvutw2cVMuXrvEnODd0cpMLnJV6Xlxq+:zBCdG4l2rM+PFgYM+rcOd0l/elxz

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+nfuwn.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/17AC1A8991D1E10 2. http://tes543berda73i48fsdfsd.keratadze.at/17AC1A8991D1E10 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/17AC1A8991D1E10 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/17AC1A8991D1E10 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/17AC1A8991D1E10 http://tes543berda73i48fsdfsd.keratadze.at/17AC1A8991D1E10 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/17AC1A8991D1E10 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/17AC1A8991D1E10

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/17AC1A8991D1E10

http://tes543berda73i48fsdfsd.keratadze.at/17AC1A8991D1E10

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/17AC1A8991D1E10

http://xlowfznrg4wf7dli.ONION/17AC1A8991D1E10

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2372 cmd.exe

pid	process
2372	cmd.exe

Drops startup file 3 IoCs

Processes:

jtoweqsyjejb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe

Executes dropped EXE 2 IoCs

Processes:

jtoweqsyjejb.exejtoweqsyjejb.exe

pid process

2644 jtoweqsyjejb.exe
2728 jtoweqsyjejb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2644	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jtoweqsyjejb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\utvajryajdjw = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jtoweqsyjejb.exe\""	jtoweqsyjejb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exejtoweqsyjejb.exe

description	pid	process	target process
PID 2100 set thread context of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2644 set thread context of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe

Drops file in Program Files directory 64 IoCs

Processes:

jtoweqsyjejb.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Media Player\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\en-US\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\localizedSettings.css	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\Services\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Defender\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\_RECOVERY_+nfuwn.txt	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_RECOVERY_+nfuwn.html	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\_RECOVERY_+nfuwn.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	jtoweqsyjejb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	jtoweqsyjejb.exe

Drops file in Windows directory 2 IoCs

Processes:

342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe

description	ioc	process
File created	C:\Windows\jtoweqsyjejb.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
File opened for modification	C:\Windows\jtoweqsyjejb.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A82AE3D1-0249-11EF-9371-CAFA5A0A62FD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000026f11ae2d96bf9fdda1147f54af9124ff9e08d46edc3ab2e4ae0369afd556f1c000000000e800000000200002000000070c9bf9bc62c8c4170010fcee08ea11ba442ab7915600df3b31c2208533b1ead2000000072a7a53c443ffbe4b84a5a1b969aedce5e0e2fa354bfb0a5985cb43f4d75ee3d40000000b996794f2c858c1a43d520742bbfe346c801511eb460fcc050841b27ddb28db1017b83ab4a5a15a191e1fe004d31d67c479d839486e13b238c5012aa1fe78cfb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000017d0468c2d1b2261817d31ecffc1fd1dc3a3ce3c8ceb28f09148a85ff17a38ba000000000e80000000020000200000004b35b0645748f3b6401645076162fba7034bdf0e26fe8ea3275ef5766237dbf490000000795678c02e139b425caf932c013393b6d2c151632a9635bea03875d7b1bca32706d424ced9272d7bc700dc7f56c429a8cf69ceddc630396c79da3dc7555c1a7ee6bf9605b838ef1a60a2cb45b92ce526014dfd34e4af53ee8d7e356946041f783bd2e40b3d0a52f0a0a23674630d700f8609789f7e1a9a59d3f82d2dafa5f7e34c8da6e488dedf63a7f37be71293cd4c40000000988cb4624048ccea465f87e50d4475dba317545c74198bddd09dcf924168cdaebe3d6653b5673a3d949d21a6c9da78740052dda67e64aaea4f6c14f6548617b9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0043ae7c5696da01	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

216 NOTEPAD.EXE

pid	process
216	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jtoweqsyjejb.exe

pid	process
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe
2728	jtoweqsyjejb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exejtoweqsyjejb.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
Token: SeDebugPrivilege	2728	jtoweqsyjejb.exe
Token: SeIncreaseQuotaPrivilege	1932	WMIC.exe
Token: SeSecurityPrivilege	1932	WMIC.exe
Token: SeTakeOwnershipPrivilege	1932	WMIC.exe
Token: SeLoadDriverPrivilege	1932	WMIC.exe
Token: SeSystemProfilePrivilege	1932	WMIC.exe
Token: SeSystemtimePrivilege	1932	WMIC.exe
Token: SeProfSingleProcessPrivilege	1932	WMIC.exe
Token: SeIncBasePriorityPrivilege	1932	WMIC.exe
Token: SeCreatePagefilePrivilege	1932	WMIC.exe
Token: SeBackupPrivilege	1932	WMIC.exe
Token: SeRestorePrivilege	1932	WMIC.exe
Token: SeShutdownPrivilege	1932	WMIC.exe
Token: SeDebugPrivilege	1932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1932	WMIC.exe
Token: SeRemoteShutdownPrivilege	1932	WMIC.exe
Token: SeUndockPrivilege	1932	WMIC.exe
Token: SeManageVolumePrivilege	1932	WMIC.exe
Token: 33	1932	WMIC.exe
Token: 34	1932	WMIC.exe
Token: 35	1932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1932	WMIC.exe
Token: SeSecurityPrivilege	1932	WMIC.exe
Token: SeTakeOwnershipPrivilege	1932	WMIC.exe
Token: SeLoadDriverPrivilege	1932	WMIC.exe
Token: SeSystemProfilePrivilege	1932	WMIC.exe
Token: SeSystemtimePrivilege	1932	WMIC.exe
Token: SeProfSingleProcessPrivilege	1932	WMIC.exe
Token: SeIncBasePriorityPrivilege	1932	WMIC.exe
Token: SeCreatePagefilePrivilege	1932	WMIC.exe
Token: SeBackupPrivilege	1932	WMIC.exe
Token: SeRestorePrivilege	1932	WMIC.exe
Token: SeShutdownPrivilege	1932	WMIC.exe
Token: SeDebugPrivilege	1932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1932	WMIC.exe
Token: SeRemoteShutdownPrivilege	1932	WMIC.exe
Token: SeUndockPrivilege	1932	WMIC.exe
Token: SeManageVolumePrivilege	1932	WMIC.exe
Token: 33	1932	WMIC.exe
Token: 34	1932	WMIC.exe
Token: 35	1932	WMIC.exe
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe
Token: SeSystemProfilePrivilege	988	WMIC.exe
Token: SeSystemtimePrivilege	988	WMIC.exe
Token: SeProfSingleProcessPrivilege	988	WMIC.exe
Token: SeIncBasePriorityPrivilege	988	WMIC.exe
Token: SeCreatePagefilePrivilege	988	WMIC.exe
Token: SeBackupPrivilege	988	WMIC.exe
Token: SeRestorePrivilege	988	WMIC.exe
Token: SeShutdownPrivilege	988	WMIC.exe
Token: SeDebugPrivilege	988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	988	WMIC.exe
Token: SeRemoteShutdownPrivilege	988	WMIC.exe
Token: SeUndockPrivilege	988	WMIC.exe
Token: SeManageVolumePrivilege	988	WMIC.exe
Token: 33	988	WMIC.exe
Token: 34	988	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

832 iexplore.exe
2344 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

832 iexplore.exe
832 iexplore.exe
3064 IEXPLORE.EXE
3064 IEXPLORE.EXE

pid	process
832	iexplore.exe
2344	DllHost.exe

pid	process
832	iexplore.exe
832	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exejtoweqsyjejb.exejtoweqsyjejb.exeiexplore.exe

description	pid	process	target process
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2100 wrote to memory of 2840	2100	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
PID 2840 wrote to memory of 2644	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	jtoweqsyjejb.exe
PID 2840 wrote to memory of 2644	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	jtoweqsyjejb.exe
PID 2840 wrote to memory of 2644	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	jtoweqsyjejb.exe
PID 2840 wrote to memory of 2644	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	jtoweqsyjejb.exe
PID 2840 wrote to memory of 2372	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	cmd.exe
PID 2840 wrote to memory of 2372	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	cmd.exe
PID 2840 wrote to memory of 2372	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	cmd.exe
PID 2840 wrote to memory of 2372	2840	342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe	cmd.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2644 wrote to memory of 2728	2644	jtoweqsyjejb.exe	jtoweqsyjejb.exe
PID 2728 wrote to memory of 1932	2728	jtoweqsyjejb.exe	WMIC.exe
PID 2728 wrote to memory of 1932	2728	jtoweqsyjejb.exe	WMIC.exe
PID 2728 wrote to memory of 1932	2728	jtoweqsyjejb.exe	WMIC.exe
PID 2728 wrote to memory of 1932	2728	jtoweqsyjejb.exe	WMIC.exe
PID 2728 wrote to memory of 216	2728	jtoweqsyjejb.exe	NOTEPAD.EXE
PID 2728 wrote to memory of 216	2728	jtoweqsyjejb.exe	NOTEPAD.EXE
PID 2728 wrote to memory of 216	2728	jtoweqsyjejb.exe	NOTEPAD.EXE
PID 2728 wrote to memory of 216	2728	jtoweqsyjejb.exe	NOTEPAD.EXE
PID 2728 wrote to memory of 832	2728	jtoweqsyjejb.exe	iexplore.exe
PID 2728 wrote to memory of 832	2728	jtoweqsyjejb.exe	iexplore.exe
PID 2728 wrote to memory of 832	2728	jtoweqsyjejb.exe	iexplore.exe
PID 2728 wrote to memory of 832	2728	jtoweqsyjejb.exe	iexplore.exe
PID 832 wrote to memory of 3064	832	iexplore.exe	IEXPLORE.EXE
PID 832 wrote to memory of 3064	832	iexplore.exe	IEXPLORE.EXE
PID 832 wrote to memory of 3064	832	iexplore.exe	IEXPLORE.EXE
PID 832 wrote to memory of 3064	832	iexplore.exe	IEXPLORE.EXE
PID 2728 wrote to memory of 988	2728	jtoweqsyjejb.exe	WMIC.exe
PID 2728 wrote to memory of 988	2728	jtoweqsyjejb.exe	WMIC.exe
PID 2728 wrote to memory of 988	2728	jtoweqsyjejb.exe	WMIC.exe
PID 2728 wrote to memory of 988	2728	jtoweqsyjejb.exe	WMIC.exe
PID 2728 wrote to memory of 1876	2728	jtoweqsyjejb.exe	cmd.exe
PID 2728 wrote to memory of 1876	2728	jtoweqsyjejb.exe	cmd.exe
PID 2728 wrote to memory of 1876	2728	jtoweqsyjejb.exe	cmd.exe
PID 2728 wrote to memory of 1876	2728	jtoweqsyjejb.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

jtoweqsyjejb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jtoweqsyjejb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jtoweqsyjejb.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
"C:\Users\Admin\AppData\Local\Temp\342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe
  "C:\Users\Admin\AppData\Local\Temp\342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\jtoweqsyjejb.exe
    C:\Windows\jtoweqsyjejb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\jtoweqsyjejb.exe
      C:\Windows\jtoweqsyjejb.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2728
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:216
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3064
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JTOWEQ~1.EXE
        5⤵
        
        PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\342A08~1.EXE
    3⤵
    - Deletes itself
    PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+nfuwn.html

Filesize
11KB

MD5
f0dd1cfae884b5d71393af95e3f378af

SHA1
06a4271a422df5fee314cbeb710d2df0f3453c9f

SHA256
262a812563130ac14ce048b5d9af485638983174dd7b801811cfa729effbb726

SHA512
dc3cb216cb3ca6911dbca208f2c5ad3f1f04d4603fe6917889c2dd1080a38030e2a448ff8fee70504679ae91b08b8fc094be44108d485943b07e148c6e3d133b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+nfuwn.png

Filesize
62KB

MD5
00845e283c109113304820ff5033843f

SHA1
2c739798b63ba6dcc09516c9b313070d4e075d37

SHA256
118ca694d2bad231b14de154e4c6a13a1651a41b4be8b9fd10dec4c0cc1dc052

SHA512
62d5cc6d12237b0247822b0536148fa71c407a2a9b2d6daa6d68acb56518ad1bdc2487aab55bd2491318040f4b53bd4d3b85ca7dd281f00e8bf5f4999cf43df5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+nfuwn.txt

Filesize
1KB

MD5
04d0fa47736f32bd264c42559a70b31c

SHA1
37890a29dea4dd2682f000a673701308c9fba41b

SHA256
07f273424d9671e76924797d66d5ce347684a21d1544af002e4b5592a79bc4d2

SHA512
8eca46efb88470c0bd33edf8e823f699da74b8f1d6a5f3648804a16acb1c7a3de31abaf4063ab0f93cc77f46a32620d7d390af6fc4ec9ca6bd82d955370f441a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
b2bb92771fe588b85ab11773fa57e2f0

SHA1
60644877ffd1cc1b904e87ce1bcc1f2c0ed2ca78

SHA256
45cc6180da58fb81e028aadb026fd5d14282b7904dabd5dcc813a370096f2452

SHA512
d23969bdd46e3de9060c2643096d277f6954fd1324b0203c523d371d83dd9fc439732b77bcf0d764e61166ea22e41086679f40028d3d0b7df4583b15b48f968a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
b23f8fe1e5f5116d37518494da41034f

SHA1
3b982a0366cf3dac3955c1b39f27711d46c0b720

SHA256
31438ae8705ca6859c5dae73b62ba1f2e2ad110f0876a215f7db287978b98d3e

SHA512
12a0772b7846cf56511cd357c18775d3d4120f128c844aa1530beedd8bcd2e5f11391f38b455d504c432df5c691522ca71a40135afdae223bf0da6d3f7c961e9

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
1b8428569870ba40c955e2e3aad11656

SHA1
443bd1df9f3a46192f5aa60e25d75b8a41a1d8d9

SHA256
30462f4daf22fe12a7cba9a8394a4fd7c78463a18f5ba0d9d504f5257dec1969

SHA512
6f341e31975fb45be1f9162309153537b2c3f54c84a9068146d3c57459e4a0a94053affb4996c2559fc1a86689685d39a6284e389ee1b53d23a9d918dc9120b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38d432672d022b24833cf95440a2c5e2

SHA1
56dd665069f529bae9a457ec67bc8a9d4485d0ab

SHA256
3173f1c238ce49b821194156115f83e037da236fd652779e6d5a8638fbe45dbe

SHA512
a21dbfbf5f3071524c55c69c1fc5f7d45dd594b58aaca5afeed2c9b7bb98ef7b12443ce150e499c612499648ea2d31f883bea9c0bcdf0ee03108413acfcf7508

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c985d2a2d9b347105b037065c30788b0

SHA1
74ca731d3cae661f0ba8275207be35456f3d18f5

SHA256
5c9cc47621bd2800d6528684d49ba2def4955992f12dbc9aebf191c2887ea6a4

SHA512
efbfadd189919a1687087fbcd78400df742f917fd6a4337ac22b683fded2e86980299c754e4024246cca413c4cd8ef039ad5e133a6dd7ab86f519e9bf78b9f3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41925ea041e59ac381f5886355dc3f98

SHA1
443b0f61e4aa17e0e365611240b9e50779afd34c

SHA256
b68a00898ccb6afcbb9db7885492a7c7cd08065a20db642889553b3fb3f58b33

SHA512
06fa584d1767fe0e951a5a9f9399d096b3b268ac1176a1cf3f42b2b3a58e85749dbed2653bdd2ed9ec1bf68722568ea5b116105b6e7f1c28020f174e728328a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86293e671b2f0e00edecab2859240193

SHA1
0b302db44eb7c8ea2b921d55b468ac03f2632ac4

SHA256
daabd2de1547d01b080dbffe298e8ca6895f0a6eaed69f5168479097955a30c9

SHA512
0df195811d9b5361e1f11c832b6217f1536d38ac1ded5050595caa846e7f6144fa4b792139844e392f564cd4df189c1605e248568e017539a7b93b8780c7a72b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a332e5905efa167ef483aa8ea195ef9d

SHA1
d7dac7ad045487563539a8ade58cc62cde9a2ff8

SHA256
83bdf7efbd06fa6d65c945f9c8cf5a1b11b4b5d59c154f63ab27958b28bacc8f

SHA512
af86445086302af5844e9ce1b74bb83580997b53fed3b59515864ab1b1f6e4dfbfbc4ac0e8463782ad507e6ffb4b5d30ed0a034d68fcc18eb1a4af749fd28e9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0acef6ff641c32e15e0c734289d72f94

SHA1
81ea2afb7541030e619e50e35ad5d6b4d11e87cf

SHA256
4f0a2db07185214d0ea56d906f52d06011a82a7fe603543ff4fdfd639302fc73

SHA512
393bd18e8e9837177a842a78faf6cc0fa9c8e397493ad5e683502c2445d5895b0a2397a155b7b70190911ec4344cd3051ea3f6f472afbb0b221c7b6a37471eb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11a8c090945628d641e385104af302bc

SHA1
932f16b48f64a766591a0ee0de78989a3df47a94

SHA256
5e2a1574baf4620dcaed55371c451a50e113edf532323cdf15f643a4c332ff84

SHA512
274e2184d612d5d9e471060baa4b94930de554c303112f7a96ed4775a0aa5cd6a22d5b34c34431730f4dd523d3f388a5fcfe8335818eb60c1a97d7137aaf5599

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab847C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar85BD.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\jtoweqsyjejb.exe

Filesize
384KB

MD5
88716ed91614ba43691f1204a8e1936c

SHA1
d8b3411ae843a5f1d4b506eccec26077fd2f29f2

SHA256
342a08c1e2c325f96fcc2361f66c4f8e00e35e6613143bda7aab679ce52d6dd0

SHA512
e64af6563e672408ebefc089a02dc6c99082c7a1d4b0a67258c50da88add8bf8c58045041968e22d1a9924f95d62cf2245ed253ac41473c1d28c8d8c62f88bad

Download Submit
memory/2100-2-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2100-8-0x0000000002020000-0x000000000231D000-memory.dmp

Filesize
3.0MB

Download
memory/2100-0-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2100-1-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/2100-18-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/2344-6019-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2344-6018-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2344-6511-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2644-30-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2728-54-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-6011-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-6520-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-6510-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-6508-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-2381-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-5371-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-6519-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-6017-0x00000000048F0000-0x00000000048F2000-memory.dmp

Filesize
8KB

Download
memory/2728-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-52-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-6509-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2728-49-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-28-0x0000000002800000-0x0000000002AFD000-memory.dmp

Filesize
3.0MB

Download
memory/2840-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-29-0x0000000002800000-0x0000000002AFD000-memory.dmp

Filesize
3.0MB

Download
memory/2840-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-31-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2840-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download