teslacrypt | 0e73a69cb50ed4cc7e45c5b5913b7ed3b0b2ecb5ac946e0be78f026622bde396

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_40550e4313decb096d6300d7bc0e006f.exe
Size

332KB
MD5

40550e4313decb096d6300d7bc0e006f
SHA1

2d7154c146ba334d7f6862df6df9cebd89863ff2
SHA256

0e73a69cb50ed4cc7e45c5b5913b7ed3b0b2ecb5ac946e0be78f026622bde396
SHA512

1a3a903d4949a19acb2ca9adb09ce83432f5c28d017655a4a9f30bce111f293c78a38c920e81272f26577999d3dc099d8bcbfc78fd0c0ee6cd80c6bb0913ce2e
SSDEEP

6144:7cMG0Cmis0NH8A3/1uz7uodnIm5KJHLqreJDckzrYk/:AMZas0NcAvAzyQnR5KJHWreJRrY

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+akrmf.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/895FC520A028F94 2. http://tes543berda73i48fsdfsd.keratadze.at/895FC520A028F94 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/895FC520A028F94 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/895FC520A028F94 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/895FC520A028F94 http://tes543berda73i48fsdfsd.keratadze.at/895FC520A028F94 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/895FC520A028F94 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/895FC520A028F94

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/895FC520A028F94

http://tes543berda73i48fsdfsd.keratadze.at/895FC520A028F94

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/895FC520A028F94

http://xlowfznrg4wf7dli.ONION/895FC520A028F94

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (430) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2376 cmd.exe

pid	process
2376	cmd.exe

Drops startup file 3 IoCs

Processes:

dmwmgoxfccsv.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe

Executes dropped EXE 2 IoCs

Processes:

dmwmgoxfccsv.exedmwmgoxfccsv.exe

pid process

2664 dmwmgoxfccsv.exe
2684 dmwmgoxfccsv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2664	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dmwmgoxfccsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljpctapuewgj = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dmwmgoxfccsv.exe\""	dmwmgoxfccsv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_40550e4313decb096d6300d7bc0e006f.exedmwmgoxfccsv.exe

description	pid	process	target process
PID 2016 set thread context of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2664 set thread context of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe

Drops file in Program Files directory 64 IoCs

Processes:

dmwmgoxfccsv.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\DisableConvertFrom.rar	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\main.css	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\DVD Maker\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_RECOVERY_+akrmf.html	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_RECOVERY_+akrmf.txt	dmwmgoxfccsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_RECOVERY_+akrmf.png	dmwmgoxfccsv.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_40550e4313decb096d6300d7bc0e006f.exe

description	ioc	process
File created	C:\Windows\dmwmgoxfccsv.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
File opened for modification	C:\Windows\dmwmgoxfccsv.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e4524428bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007a0e926db316734ebdd6a4e089e0a15d0000000002000000000010660000000100002000000008404fc6049617007f4093a2a9886f461c8c97aa14f9556ecc98f9d42a25b20b000000000e8000000002000020000000d3fbfce0d69035e63991d8d6421f115ee6d404ed17cb7f598c67bd79dd49732990000000e623aa7fa13e9d82efeaf0ab0f5dc4ab5136e721b20feb7cdfe7941c389db45f57c73065cf1f764ad9b7143497d0da285caa962ae4789db323d4b569ff44604f740c00869a68f597493daabd0488372c8c1ca0595ab8b46dec65b1b7c91cbf91b0c31b7b406c12b0db3b31a666ee1215f5d5859b8414c672582e47df71c6967efed468123071622a3cb37426382a057740000000d023a2262b3771d3b6b54fb20c04a6f99f20e6261e950750358450db28f2c19403c32eaf2b9ce42b8f5f73122b69bb8b7c30c86235f2a0680f8484e60bc59171	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6FDB6C11-271B-11EF-9907-E698D2733004} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007a0e926db316734ebdd6a4e089e0a15d0000000002000000000010660000000100002000000067ac648bc092382cce5a87c7630145193f6b93e62514c7a7a4825bc5c1c90796000000000e800000000200002000000052c4ba07ba399d0d86da62cba7dd28bc6f16637955422483ece33822385aeb27200000002acf1c620da28304961fe2b7edb58628b2cefaff9162fbca175c40fe9885678a400000009e88d854e472e9f65398200f795c90d9cf14cc8174e0b97e069a91e93fd85c71bd6b2f9141752e1319b20e10702006421b9c84ce1607f6f1a1177aa60680aa3c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2700 NOTEPAD.EXE

pid	process
2700	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dmwmgoxfccsv.exe

pid	process
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe
2684	dmwmgoxfccsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_40550e4313decb096d6300d7bc0e006f.exedmwmgoxfccsv.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
Token: SeDebugPrivilege	2684	dmwmgoxfccsv.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: 33	1840	WMIC.exe
Token: 34	1840	WMIC.exe
Token: 35	1840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: 33	1840	WMIC.exe
Token: 34	1840	WMIC.exe
Token: 35	1840	WMIC.exe
Token: SeBackupPrivilege	1164	vssvc.exe
Token: SeRestorePrivilege	1164	vssvc.exe
Token: SeAuditPrivilege	1164	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1696 iexplore.exe
2832 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1696 iexplore.exe
1696 iexplore.exe
2336 IEXPLORE.EXE
2336 IEXPLORE.EXE

pid	process
1696	iexplore.exe
2832	DllHost.exe

pid	process
1696	iexplore.exe
1696	iexplore.exe
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

VirusShare_40550e4313decb096d6300d7bc0e006f.exeVirusShare_40550e4313decb096d6300d7bc0e006f.exedmwmgoxfccsv.exedmwmgoxfccsv.exeiexplore.exe

description	pid	process	target process
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2016 wrote to memory of 2560	2016	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	VirusShare_40550e4313decb096d6300d7bc0e006f.exe
PID 2560 wrote to memory of 2664	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	dmwmgoxfccsv.exe
PID 2560 wrote to memory of 2664	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	dmwmgoxfccsv.exe
PID 2560 wrote to memory of 2664	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	dmwmgoxfccsv.exe
PID 2560 wrote to memory of 2664	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	dmwmgoxfccsv.exe
PID 2560 wrote to memory of 2376	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	cmd.exe
PID 2560 wrote to memory of 2376	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	cmd.exe
PID 2560 wrote to memory of 2376	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	cmd.exe
PID 2560 wrote to memory of 2376	2560	VirusShare_40550e4313decb096d6300d7bc0e006f.exe	cmd.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2664 wrote to memory of 2684	2664	dmwmgoxfccsv.exe	dmwmgoxfccsv.exe
PID 2684 wrote to memory of 1840	2684	dmwmgoxfccsv.exe	WMIC.exe
PID 2684 wrote to memory of 1840	2684	dmwmgoxfccsv.exe	WMIC.exe
PID 2684 wrote to memory of 1840	2684	dmwmgoxfccsv.exe	WMIC.exe
PID 2684 wrote to memory of 1840	2684	dmwmgoxfccsv.exe	WMIC.exe
PID 2684 wrote to memory of 2700	2684	dmwmgoxfccsv.exe	NOTEPAD.EXE
PID 2684 wrote to memory of 2700	2684	dmwmgoxfccsv.exe	NOTEPAD.EXE
PID 2684 wrote to memory of 2700	2684	dmwmgoxfccsv.exe	NOTEPAD.EXE
PID 2684 wrote to memory of 2700	2684	dmwmgoxfccsv.exe	NOTEPAD.EXE
PID 2684 wrote to memory of 1696	2684	dmwmgoxfccsv.exe	iexplore.exe
PID 2684 wrote to memory of 1696	2684	dmwmgoxfccsv.exe	iexplore.exe
PID 2684 wrote to memory of 1696	2684	dmwmgoxfccsv.exe	iexplore.exe
PID 2684 wrote to memory of 1696	2684	dmwmgoxfccsv.exe	iexplore.exe
PID 1696 wrote to memory of 2336	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 2336	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 2336	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 2336	1696	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 1792	2684	dmwmgoxfccsv.exe	WMIC.exe
PID 2684 wrote to memory of 1792	2684	dmwmgoxfccsv.exe	WMIC.exe
PID 2684 wrote to memory of 1792	2684	dmwmgoxfccsv.exe	WMIC.exe
PID 2684 wrote to memory of 1792	2684	dmwmgoxfccsv.exe	WMIC.exe
PID 2684 wrote to memory of 608	2684	dmwmgoxfccsv.exe	cmd.exe
PID 2684 wrote to memory of 608	2684	dmwmgoxfccsv.exe	cmd.exe
PID 2684 wrote to memory of 608	2684	dmwmgoxfccsv.exe	cmd.exe
PID 2684 wrote to memory of 608	2684	dmwmgoxfccsv.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dmwmgoxfccsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dmwmgoxfccsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dmwmgoxfccsv.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_40550e4313decb096d6300d7bc0e006f.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_40550e4313decb096d6300d7bc0e006f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\VirusShare_40550e4313decb096d6300d7bc0e006f.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_40550e4313decb096d6300d7bc0e006f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\dmwmgoxfccsv.exe
    C:\Windows\dmwmgoxfccsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\dmwmgoxfccsv.exe
      C:\Windows\dmwmgoxfccsv.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2684
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2700
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2336
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DMWMGO~1.EXE
        5⤵
        
        PID:608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+akrmf.html

Filesize
11KB

MD5
6e11e2d92e559455f9ae67343af5a28e

SHA1
9d6cb88e2eac9e670fd3a79eeb4c4492d29ecaa0

SHA256
6954de1cdc53304c9231e21666c461bd28955438cdd65bf01187537d1cc4a432

SHA512
882f5d4a860554f1b7137ba66aa2f988d29e0b0aeb9fdcad47cd78b83abd346b6d65d7b234cc93d2e66cb7c5df800746d408b3e73768119253c18857740e146a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+akrmf.png

Filesize
62KB

MD5
b5c65f28a4c3d6ec6e8cfdc712fd0542

SHA1
aee0792a7ffd77087819392ff5aa38afff2e3bcf

SHA256
0c98d0a4ea8aca4e45e13d2748b24274f52a40aac245c6839f0c3f4b1f9c36fe

SHA512
a94b07910e5c49642b0c696087e7e2f63aa5c638b07bd7b5b2d7235655509e117385b79c53d35e74f86d0904dea0ef78395f1fd325a31dfc13e91c68ae6b3470

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+akrmf.txt

Filesize
1KB

MD5
53b065a8cfec163e97a792f3efa93be8

SHA1
fa51d5855488fe076f7f7c5c2f103abf0bed0871

SHA256
51b926716eeaec66a4b4ce73d1fdea69ae589ccd2e95a6ac31455ab6d6ea1b65

SHA512
827ca94b605991065e669018ee9fcff1ef2ace70eebffdf09f8f5351e03d257390292597616946b50b6dd521cde2c5d2b259c8e2810b07f2c7e66c9818182511

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
7b08530de29aa7bd60a5fe6cc867eb4a

SHA1
78db2b864151d375957e061d97dec098ccab61d4

SHA256
5c89d835a059e647c514f6518542e1f942d94f73f43655b21ca85640bf80ea38

SHA512
46fc62fd173e282c848af08c0bfbd207106b3edf443b86ed302af02b327793a4b72f22ac674b6299229a56dfa929ec0e72a5f269ce3a5b51dd39f40bb09636a8

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
4674f3e7cc2b7a28c651d0d5dd0c2c94

SHA1
e758e209147c3f656c54940f436892888cf9adf2

SHA256
55482482aec5c250ec6008af73d4aec68b64bb5722f79b528144b9a32a1d20a5

SHA512
76984d15edda2eceb2bc971864b66b93614ef3540d0aff895df2a1c3e8df9c7d1452e060e786185d2f39de3d74dfffb49bdb2a61b89badb03067083406b04312

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
dba8ae23d2d2dcbe5affbb01c3129875

SHA1
3049c503731accc95f69fc8dac3e5a3d78812d78

SHA256
3e9486013d2215847a4972281aabfbb5122bbfd484004179bf2fcd49ad6e400f

SHA512
227cac28a5ff7ad23c4407c7e01995eed2162e4c117e509be5143cc1203ec82ca7bda33282e1c96afaf075893956191f055bf4e90211b69693137734be2660ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c13b18f4985d360fc1eb156503c65f31

SHA1
e34b6052c14a8e390787e62ccf5fa587be6f3c08

SHA256
db613293d8596374257d7af239a3c36bbf1ee63be23e14806cc04949802f3b79

SHA512
6da7d1b78aca27a38a11807ed188a446c17abbdf99c90b869e78538ba068d5b2c83363e9d6085979f4666b7626459101d2aa485f5f2a10836c1480990027f656

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5546ec3240a759dc236ff0ae06e750fd

SHA1
dccdf832650720070795204b02918ceb883f9fc6

SHA256
4bbd219f75a905ea0aa3ba53d2af402abd3e167ca58b780178277871f133d825

SHA512
ceaaede5c6a7211ba17cf9dbf35d1b1864e9e82471ff7217e99c47f0fba84f855aa3dcd76e625c713afe97b0f1d0151ac56db0ed43ef3d11ed3c125749ac0195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce7e6e88a6c334d3e702dd685737767a

SHA1
e51f39eff6a1d2c6d44dc238425135d670aafa01

SHA256
53b9b7b1c036ad6c969b086f6f5d2c2bcacb07f1ad93020df3cc87864b358727

SHA512
49ce2a5f37b33d9e2ef755457b01e198cacdb5daab74546903a98127c464625e0f579a5bb412613a41a964797f00863e99620773bb019bbdd9282c49467ec687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1efd00720441b00593e987eec666c1f

SHA1
a38a728edb13dfb641a06deed8bd27a4dfbc1d7f

SHA256
92416d31468afa51dcd36b17545304171f002a000ca67a8f89ec0d85e986862d

SHA512
85ca491f1ff033b78e30c97ab434115d02a6753acf301f1b32a58b41695fd1159a992847b498e634c91834bfc3e93460b72ccbb1945ceb30a12412d0131ef5e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a67b56acecbc61a9e715d0fe7a6cd7a

SHA1
e5eb5f7c3d6b27a91667761f4924a81ad5c95c7d

SHA256
9a9d549462c8b91fac40484c8db202c38f9e7e301ac9e0ec09561776ec822fbe

SHA512
97a82fca6c42e2165d78da33a14a460e3924d8fb918aaec842e03087fb747fa56134e38b7d5485cbbf9f6377e66a35f8d211759f10a6c76492a88d85e7c83596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4331fb523eb7392defc7765ebbfd4ce3

SHA1
8b313d7dcf9c997f3d2472e62b5b742a01070391

SHA256
2d5b2d355bd763a59d8b4ca00bf1320c77fac786f0645f9338d726394e20b631

SHA512
45d61747cf5158271fb36b1ea6b7c9916ce868385cfd3d88dea42c88632cf0ab8d9ec1109a808af1c106e896e554573df7dbbc2e45a2ee3738e3052fcfd55e6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
284e5dae31e08bb0ea94d2878ac989ce

SHA1
fbf1a77cc5348c19898d799b0434ad55cf8ba734

SHA256
6129da2535a3829cad81eeac151c8d2849a01062ccf3db253eda6b160cab1d25

SHA512
4343b8f7adae7f45b8ae8739659c04de72cf5145ffa996db6186a84a845dbc7e6400025b40749c7f0f80c8cc6003e60e3bc7bab0cb9d6c0cb0a4e8e7b800ddb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14b1db428127301a23c5e8db83bb5e3a

SHA1
ab96f3e690ddad743ab507a8c8fe0bd2d988da35

SHA256
705db3d4b9bca1955f45332b33db9ad990623d526837a184bd27104d36f84423

SHA512
4bbbd3936425713de9e752cb898d2d467c52b2ffe6d42597e3d10aff7dfdbed60f146523c67b60b19262c021c349380ab2848e4a6251da3a522ceb21a919af6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab86B0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar87B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\dmwmgoxfccsv.exe

Filesize
332KB

MD5
40550e4313decb096d6300d7bc0e006f

SHA1
2d7154c146ba334d7f6862df6df9cebd89863ff2

SHA256
0e73a69cb50ed4cc7e45c5b5913b7ed3b0b2ecb5ac946e0be78f026622bde396

SHA512
1a3a903d4949a19acb2ca9adb09ce83432f5c28d017655a4a9f30bce111f293c78a38c920e81272f26577999d3dc099d8bcbfc78fd0c0ee6cd80c6bb0913ce2e

Download Submit
memory/2016-0-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2016-15-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2560-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-27-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2664-28-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/2684-609-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-6030-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-6044-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-6047-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-6039-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-6036-0x0000000003100000-0x0000000003102000-memory.dmp

Filesize
8KB

Download
memory/2684-6040-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-5617-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-2482-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2684-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-6037-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download