teslacrypt | 56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_4e826024050255ddf739c2656f2d9a77.exe
Size

368KB
MD5

4e826024050255ddf739c2656f2d9a77
SHA1

856eca0fb51d6994d9d472dfe5358b4c9b5293d7
SHA256

56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab
SHA512

fb25c55a9710133214b97bbd9492f39df0f2f43ea9e056cf05f6f4943d9f26031e7832d77df5dd2f69f49c97de92b3d9fbb2d3477215d9f405dcf178488ea8ff
SSDEEP

6144:r/VDu6UsyDUOxfDiyQhbw4tRN7eD7Lct/jG2kOREwMunfHAbxwcLNT:hDu6UsibiPbNt370Lcta9OSCnfPuNT

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lotja.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/95E3EA678DAB33 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/95E3EA678DAB33 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/95E3EA678DAB33 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/95E3EA678DAB33 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/95E3EA678DAB33 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/95E3EA678DAB33 http://yyre45dbvn2nhbefbmh.begumvelic.at/95E3EA678DAB33 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/95E3EA678DAB33

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/95E3EA678DAB33

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/95E3EA678DAB33

http://yyre45dbvn2nhbefbmh.begumvelic.at/95E3EA678DAB33

http://xlowfznrg4wf7dli.ONION/95E3EA678DAB33

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (418) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2840 cmd.exe

pid	process
2840	cmd.exe

Drops startup file 3 IoCs

Processes:

fuwmoviexxcu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe

Executes dropped EXE 2 IoCs

Processes:

fuwmoviexxcu.exefuwmoviexxcu.exe

pid process

2920 fuwmoviexxcu.exe
2876 fuwmoviexxcu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2920	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fuwmoviexxcu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\qdshfuo = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\fuwmoviexxcu.exe"	fuwmoviexxcu.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_4e826024050255ddf739c2656f2d9a77.exefuwmoviexxcu.exe

description	pid	process	target process
PID 1340 set thread context of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 2920 set thread context of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe

Drops file in Program Files directory 64 IoCs

Processes:

fuwmoviexxcu.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseover.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\settings.css	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_ReCoVeRy_+lotja.html	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_ReCoVeRy_+lotja.txt	fuwmoviexxcu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_ReCoVeRy_+lotja.png	fuwmoviexxcu.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_4e826024050255ddf739c2656f2d9a77.exe

description	ioc	process
File created	C:\Windows\fuwmoviexxcu.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
File opened for modification	C:\Windows\fuwmoviexxcu.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F9A6EF51-271B-11EF-8004-DAAF2542C58D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000037a353c83c7dfcb753491b8b8cf1bb4216e26dbff1fa9de4e10fe395bb465cb5000000000e8000000002000020000000391438c248c43f5e9728cc412ffb64485cae6a8c015ceee04dd6c04fc5d3fca29000000047a25831ea7c717e9eae860928237f7db81be6983f659f5955049bdb4bf913ebb42885c4657a0b52138c7d25e3f8d2aa0410d5457880e09445a039366c44afd41f6ea03cb8483b9fef1dcdbbe575b0fc77af240e0b3ca6a2a1c1921a02046f3719e1cc5b16de76a4ec7afe142f416e6868f0b42884510038b620f56a4b71bd05777163aa3d9ec90b22db5190040cfb404000000016843957cbda162e11ce873602b7d4426207de850c2ccc0f09f60191a72b5d24be138e1d4eaae206af20344107a8417c06cf40b5c60c1d7670de3c8d54c76d76	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000074f1f37ccc3401d03b94547f58dab6d7bbb26127bd531f9b705174f1c06d9b72000000000e8000000002000020000000a07bbf40881b8e42b7617973d34cfe78eb64239d9255582eecfc85c81c4e942820000000bd998c8e12cf5625e74349c26d5ef117cd173f23fc6cfed49fda2cfa6dcaf71640000000dd983f1d509b084d42d47d3c7f41d9eb2813f7534557a473e54a627e11efdc23d4e76c5317a4dd4d1090a81a2eff69b3933ef7c2d1fac2a70bd090532441fa06	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40061cce28bbda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1924 NOTEPAD.EXE

pid	process
1924	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fuwmoviexxcu.exe

pid	process
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe
2876	fuwmoviexxcu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_4e826024050255ddf739c2656f2d9a77.exefuwmoviexxcu.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
Token: SeDebugPrivilege	2876	fuwmoviexxcu.exe
Token: SeIncreaseQuotaPrivilege	1200	WMIC.exe
Token: SeSecurityPrivilege	1200	WMIC.exe
Token: SeTakeOwnershipPrivilege	1200	WMIC.exe
Token: SeLoadDriverPrivilege	1200	WMIC.exe
Token: SeSystemProfilePrivilege	1200	WMIC.exe
Token: SeSystemtimePrivilege	1200	WMIC.exe
Token: SeProfSingleProcessPrivilege	1200	WMIC.exe
Token: SeIncBasePriorityPrivilege	1200	WMIC.exe
Token: SeCreatePagefilePrivilege	1200	WMIC.exe
Token: SeBackupPrivilege	1200	WMIC.exe
Token: SeRestorePrivilege	1200	WMIC.exe
Token: SeShutdownPrivilege	1200	WMIC.exe
Token: SeDebugPrivilege	1200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1200	WMIC.exe
Token: SeRemoteShutdownPrivilege	1200	WMIC.exe
Token: SeUndockPrivilege	1200	WMIC.exe
Token: SeManageVolumePrivilege	1200	WMIC.exe
Token: 33	1200	WMIC.exe
Token: 34	1200	WMIC.exe
Token: 35	1200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1200	WMIC.exe
Token: SeSecurityPrivilege	1200	WMIC.exe
Token: SeTakeOwnershipPrivilege	1200	WMIC.exe
Token: SeLoadDriverPrivilege	1200	WMIC.exe
Token: SeSystemProfilePrivilege	1200	WMIC.exe
Token: SeSystemtimePrivilege	1200	WMIC.exe
Token: SeProfSingleProcessPrivilege	1200	WMIC.exe
Token: SeIncBasePriorityPrivilege	1200	WMIC.exe
Token: SeCreatePagefilePrivilege	1200	WMIC.exe
Token: SeBackupPrivilege	1200	WMIC.exe
Token: SeRestorePrivilege	1200	WMIC.exe
Token: SeShutdownPrivilege	1200	WMIC.exe
Token: SeDebugPrivilege	1200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1200	WMIC.exe
Token: SeRemoteShutdownPrivilege	1200	WMIC.exe
Token: SeUndockPrivilege	1200	WMIC.exe
Token: SeManageVolumePrivilege	1200	WMIC.exe
Token: 33	1200	WMIC.exe
Token: 34	1200	WMIC.exe
Token: 35	1200	WMIC.exe
Token: SeBackupPrivilege	1640	vssvc.exe
Token: SeRestorePrivilege	1640	vssvc.exe
Token: SeAuditPrivilege	1640	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2680	WMIC.exe
Token: SeSecurityPrivilege	2680	WMIC.exe
Token: SeTakeOwnershipPrivilege	2680	WMIC.exe
Token: SeLoadDriverPrivilege	2680	WMIC.exe
Token: SeSystemProfilePrivilege	2680	WMIC.exe
Token: SeSystemtimePrivilege	2680	WMIC.exe
Token: SeProfSingleProcessPrivilege	2680	WMIC.exe
Token: SeIncBasePriorityPrivilege	2680	WMIC.exe
Token: SeCreatePagefilePrivilege	2680	WMIC.exe
Token: SeBackupPrivilege	2680	WMIC.exe
Token: SeRestorePrivilege	2680	WMIC.exe
Token: SeShutdownPrivilege	2680	WMIC.exe
Token: SeDebugPrivilege	2680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2680	WMIC.exe
Token: SeRemoteShutdownPrivilege	2680	WMIC.exe
Token: SeUndockPrivilege	2680	WMIC.exe
Token: SeManageVolumePrivilege	2680	WMIC.exe
Token: 33	2680	WMIC.exe
Token: 34	2680	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1584 iexplore.exe
2764 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1584 iexplore.exe
1584 iexplore.exe
848 IEXPLORE.EXE
848 IEXPLORE.EXE

pid	process
1584	iexplore.exe
2764	DllHost.exe

pid	process
1584	iexplore.exe
1584	iexplore.exe
848	IEXPLORE.EXE
848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

VirusShare_4e826024050255ddf739c2656f2d9a77.exeVirusShare_4e826024050255ddf739c2656f2d9a77.exefuwmoviexxcu.exefuwmoviexxcu.exeiexplore.exe

description	pid	process	target process
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 1340 wrote to memory of 2676	1340	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
PID 2676 wrote to memory of 2920	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	fuwmoviexxcu.exe
PID 2676 wrote to memory of 2920	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	fuwmoviexxcu.exe
PID 2676 wrote to memory of 2920	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	fuwmoviexxcu.exe
PID 2676 wrote to memory of 2920	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	fuwmoviexxcu.exe
PID 2676 wrote to memory of 2840	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	cmd.exe
PID 2676 wrote to memory of 2840	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	cmd.exe
PID 2676 wrote to memory of 2840	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	cmd.exe
PID 2676 wrote to memory of 2840	2676	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	cmd.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2920 wrote to memory of 2876	2920	fuwmoviexxcu.exe	fuwmoviexxcu.exe
PID 2876 wrote to memory of 1200	2876	fuwmoviexxcu.exe	WMIC.exe
PID 2876 wrote to memory of 1200	2876	fuwmoviexxcu.exe	WMIC.exe
PID 2876 wrote to memory of 1200	2876	fuwmoviexxcu.exe	WMIC.exe
PID 2876 wrote to memory of 1200	2876	fuwmoviexxcu.exe	WMIC.exe
PID 2876 wrote to memory of 1924	2876	fuwmoviexxcu.exe	NOTEPAD.EXE
PID 2876 wrote to memory of 1924	2876	fuwmoviexxcu.exe	NOTEPAD.EXE
PID 2876 wrote to memory of 1924	2876	fuwmoviexxcu.exe	NOTEPAD.EXE
PID 2876 wrote to memory of 1924	2876	fuwmoviexxcu.exe	NOTEPAD.EXE
PID 2876 wrote to memory of 1584	2876	fuwmoviexxcu.exe	iexplore.exe
PID 2876 wrote to memory of 1584	2876	fuwmoviexxcu.exe	iexplore.exe
PID 2876 wrote to memory of 1584	2876	fuwmoviexxcu.exe	iexplore.exe
PID 2876 wrote to memory of 1584	2876	fuwmoviexxcu.exe	iexplore.exe
PID 1584 wrote to memory of 848	1584	iexplore.exe	IEXPLORE.EXE
PID 1584 wrote to memory of 848	1584	iexplore.exe	IEXPLORE.EXE
PID 1584 wrote to memory of 848	1584	iexplore.exe	IEXPLORE.EXE
PID 1584 wrote to memory of 848	1584	iexplore.exe	IEXPLORE.EXE
PID 2876 wrote to memory of 2680	2876	fuwmoviexxcu.exe	WMIC.exe
PID 2876 wrote to memory of 2680	2876	fuwmoviexxcu.exe	WMIC.exe
PID 2876 wrote to memory of 2680	2876	fuwmoviexxcu.exe	WMIC.exe
PID 2876 wrote to memory of 2680	2876	fuwmoviexxcu.exe	WMIC.exe
PID 2876 wrote to memory of 2776	2876	fuwmoviexxcu.exe	cmd.exe
PID 2876 wrote to memory of 2776	2876	fuwmoviexxcu.exe	cmd.exe
PID 2876 wrote to memory of 2776	2876	fuwmoviexxcu.exe	cmd.exe
PID 2876 wrote to memory of 2776	2876	fuwmoviexxcu.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

fuwmoviexxcu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fuwmoviexxcu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	fuwmoviexxcu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_4e826024050255ddf739c2656f2d9a77.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_4e826024050255ddf739c2656f2d9a77.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\VirusShare_4e826024050255ddf739c2656f2d9a77.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4e826024050255ddf739c2656f2d9a77.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\fuwmoviexxcu.exe
    C:\Windows\fuwmoviexxcu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\fuwmoviexxcu.exe
      C:\Windows\fuwmoviexxcu.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2876
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1924
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:848
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FUWMOV~1.EXE
        5⤵
        
        PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lotja.html

Filesize
12KB

MD5
2640aad7798870cdd44f549c01520df6

SHA1
37d9317c756d98b745e467f094c12b1cad0770a0

SHA256
f004161aaa13891dbf1f3fdab971bf3b15052927fc91a2ceca447366803f89e2

SHA512
638579c3cb1056556bc7784f511e0d8cb13d4411482b9a3115c71726d05b24f1193757377874f93871c9b28371429768537951264a1f9f6218e12b52903a84af

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lotja.png

Filesize
64KB

MD5
c940ec4f7c411095ad55291a31457867

SHA1
0ec105e88116c0a6e156fd866ccc287f6f5ee50d

SHA256
10b1b6fb014538db97c5aef0e6327e95418140b18a3f4b84596ee8542db4fdf2

SHA512
df2e50fa283ac4a7cfbe464a9069ec062a94d4483a37665c48f09be827ef7ff01fdf02def0a93e1b5c6eea40edbc1076291500c709345b0f9e1f2ba26ef8d6b2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lotja.txt

Filesize
1KB

MD5
fd6b53f050ac649e5e0d593b7883684d

SHA1
eda598d9434b39b974333daf7f3438c40c0aa408

SHA256
e50f76c0dcf04717129017d8e768cdcde2ea09f0a20b19f911e62667e9e8d5ea

SHA512
3bdc0fa7f79ee11410c098d09b296e7011b21258b87fdcf547701c1d6a97e557499914724ef6cb0ed5f3a4a6817d70101dc6f4fef53c692a3ec25f0b299a5d5b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
29a3a787443eebbbe19e446fd066e31f

SHA1
7a603dd5f5dcea52f8e1453482b8466aece77034

SHA256
dc261f069f7d788fa8db9daea48fdfb728e50124b4b9643d6555e709a89d6b26

SHA512
dc08e5ec48ece7d99b9b002ded30f2a4cf02124f9f975607590b2d7b704dbb815c0251acffa50291a2fda4eb98e4d920d488a2039cf84d96c8b1a08f6cefeb64

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
1d0f8fb096ded7e9768ff31e7fffb900

SHA1
b1b5ce9a1bee6e1c4b32a7c3af5d288e3152ff19

SHA256
e48a053b590ac11e4c7c091fcc0262caad56d0ca4e5998e2f347efb5b5f1ee95

SHA512
f87bee9993086ec064daaafef94cd8b0d82b6f32c07463303d09a65a9214f66562722d12de8bbe3154f1a703b2a4733973374e69d95cfada6466ee099dd8db0f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
cf90ea76173b6592032a031c2905e7ae

SHA1
81848aea29b1e8f7abfe7cda2f4d21918192618b

SHA256
89a0d2b42882f68095b604adc04b3fa54e10b947adb449384acc4baea768c01a

SHA512
d6a722d3be27bdfa1a6105db3b925a3acac8dc3f6ba0cdd492ad0708fc6e26ca4db7cd49e3879d544501412900404c020357bd9cb4369baaaddcaa27bb4a165c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3e4e3e66f2807420c96efa51df1c64c

SHA1
4d224891fd8a335666865399592f5d6ea6398b6a

SHA256
f8e7f690bd6d66ad8c4479d136abc25d432968a049411cb6b699a3c6e9bc4f41

SHA512
d20adaadb24803109a80a046cbd480efd59480355cddb1c5982e9702ab46d4f24985a59e88a61ae920224d0e4dce70a8647539bf927cfbec5ea738413d044667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e284d2a82e074e0b1c532b6f62afd381

SHA1
35c6df4c434b6097f3291b61dbcfc3b20355ff90

SHA256
6bc7b80e37e16928585b3316686de35342237caa798cc5ec3015c8806dca8797

SHA512
5269fa4a9a408872ca03f94acde07ab5cc82e163db0a9506b44fa4a2d867f391c1db8de566def2ebc836a805e5029b21715fa25590cc1d4b5a9d773cc364a972

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
581da62ae1d243c28dd021fcc10072fc

SHA1
e2c6c1fd5487c8877b7c50af5b9f4514a458e600

SHA256
a82901e0e3059fb3c952ee473eab4c1810bf21506d40d8b3d92ac9d2ec97d5ae

SHA512
3208296d9b5930e7f671adaf39f9c251d80e2eba4eda6296855eb0d43f5bbc34acb6b8e3c7c98366887391cdaa8ae0abbed43cdd39f4c86805165b75f6488041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ef4f199dbe6c9754524b9a17684001d

SHA1
bcf1cd5e096d0809fab6fa89b6dc9dc2c9eb698e

SHA256
dac000242ef11b6a50dbe0b2c15a22c8b38a88600f942553f53797a2c9823432

SHA512
1158f2bbdcb1e047882e2f78f7692c8f1047fe519ec6090c1e9ba7fcd8a9de6b8d869764fbac56f8ad4c11f0aae558be63b0dc9cf79cf7f2e591413d195ed8f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5678a378b9f42b7e4605a972da37ae9c

SHA1
ef5d465e2844680458306cc66beccf06ea39ea0e

SHA256
3bae1af67b94fa20e607dbd86c1562162b34c95d9ee7a56167adf4bf22f16b9b

SHA512
7a9a674db6e6cd8ffba1501139a80e27fdd67e918267ecb5576d0ab4615b3518da7c03c7e5af54317341002885e0568e198e616c9bc5f41ad983828c67bac957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19b15ba9daff66b2153190b992f9da40

SHA1
c5a3b689f2f9342edcba256c5e7b0b15da43006a

SHA256
d9518905f10f8433955689e00b11fb6295f26ccdb40abfebc66fe5f4cc6a0762

SHA512
8bea4d149b0b7bc9106562064713c04e99b71c1e95bba7d835f011d0e6c363994373aa06c730f89f846f67d2f0f6ce7ca0c377e04abdb9d4529908338fa8ad9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e095c00257af0a36eea908f289a5813b

SHA1
3c6ca98ba63c456cefb7e9aecdde305bfa115d9a

SHA256
e40f3fc32dae17af094d3f2ea890de55114fc17c96816f85774045421a98d67a

SHA512
5d630690dbda050f268030620eafdafd3f1a5b69064dcb747f42f63c8d856a6cb26965f8e2b8099a2e934e03761057316ad0c82f86226d5166ac835b91f1f3e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ed876426042fb5c37170665db60b249

SHA1
be348dcedf1832593ef1385ae5259c8a8a9bd146

SHA256
c1e5fe29f58df3e693b8d7dcb0ef622f9acb79432d44664e8251f37aa8efd4c8

SHA512
a4bbaf297c74367463a798d31b9c8dcabae8451ca3d8ee9a8da0f00cfe4f0d36a6a144045dfc9f0147c71240f0f075db3c4adba5b13bc546c8bce2c0ac141786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41d1711b89d273c13d79c9e582d89634

SHA1
995509c4aa43c74905484ed281e1a649b9edc39a

SHA256
681d99e5607ade1ce9f8dd98a165c469c6757731caa7768b4fe206d709b8a618

SHA512
cd37b9f16cc1fab53ab0f0eef894871a9e79cb89a5a3a07116c04d86a3af2bd51f03941c3479907ff50c962db0a2e808e28273de4ea21c80e59b8b9630d9a737

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7B0A.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7BD1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\fuwmoviexxcu.exe

Filesize
368KB

MD5
4e826024050255ddf739c2656f2d9a77

SHA1
856eca0fb51d6994d9d472dfe5358b4c9b5293d7

SHA256
56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab

SHA512
fb25c55a9710133214b97bbd9492f39df0f2f43ea9e056cf05f6f4943d9f26031e7832d77df5dd2f69f49c97de92b3d9fbb2d3477215d9f405dcf178488ea8ff

Download Submit
memory/1340-0-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1340-17-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1340-1-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2676-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-29-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2764-6066-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/2876-5585-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-6069-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-6558-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-6068-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-6065-0x0000000002C40000-0x0000000002C42000-memory.dmp

Filesize
8KB

Download
memory/2876-6058-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-49-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-2541-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2876-589-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2920-28-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download