teslacrypt | b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
Size

356KB
MD5

5ef1fdd422951c153db8c39b87e84e5d
SHA1

a89966004343653b2d20c06b373b1390ed0450d3
SHA256

b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
SHA512

94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871
SSDEEP

6144:nOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:nFeq0F+PzcOLyWRsHA93/oswe

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ovqqg.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/B48242B6AACE1235 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/B48242B6AACE1235 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/B48242B6AACE1235 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/B48242B6AACE1235 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/B48242B6AACE1235 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/B48242B6AACE1235 http://yyre45dbvn2nhbefbmh.begumvelic.at/B48242B6AACE1235 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/B48242B6AACE1235

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/B48242B6AACE1235

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/B48242B6AACE1235

http://yyre45dbvn2nhbefbmh.begumvelic.at/B48242B6AACE1235

http://xlowfznrg4wf7dli.ONION/B48242B6AACE1235

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (434) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2536 cmd.exe

pid	process
2536	cmd.exe

Drops startup file 3 IoCs

Processes:

ejblvonofdil.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe

Executes dropped EXE 2 IoCs

Processes:

ejblvonofdil.exeejblvonofdil.exe

pid process

2452 ejblvonofdil.exe
2680 ejblvonofdil.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2452	ejblvonofdil.exe
2680	ejblvonofdil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ejblvonofdil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcnfuwn = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\ejblvonofdil.exe"	ejblvonofdil.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeejblvonofdil.exe

description	pid	process	target process
PID 2192 set thread context of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2452 set thread context of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe

Drops file in Program Files directory 64 IoCs

Processes:

ejblvonofdil.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css	ejblvonofdil.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Common Files\System\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\UninstallClose.jpeg	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	ejblvonofdil.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_ReCoVeRy_+ovqqg.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_ReCoVeRy_+ovqqg.txt	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png	ejblvonofdil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_ReCoVeRy_+ovqqg.html	ejblvonofdil.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css	ejblvonofdil.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe

description	ioc	process
File created	C:\Windows\ejblvonofdil.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
File opened for modification	C:\Windows\ejblvonofdil.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000763437ee184e464bab83e900cde350b20000000002000000000010660000000100002000000082eed3176e9a4b34cd15a080b01d3d6d11131743653a3009f0ba26ba2c48a3fa000000000e80000000020000200000002440675eea6bbd184ea020bfbbb12346c1ee7e588ee5779b71d1a41cf9fa5f8c20000000adc71756a7b6cd1f22a89ff14119fb7ede76007f30b3ddd564e4e4d17e5a314240000000cbf92597caa3047447a621d0f655d158e0062a0a8f292ac47328541e29c9c8b681a7bb42567498fde2f098192b42122c4375864db9bd9a056ab294eaaeca6250	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 300561ed2abbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000763437ee184e464bab83e900cde350b2000000000200000000001066000000010000200000002070e54f48620633346d3e49f2bc75f262fa9b5e76266e3a70db0c250b0ea9ed000000000e8000000002000020000000e3be09b971e78ff0fedbd535d64f7e7e91dbae3df35d9bcf73225c53a77aa85890000000ddf9c68fd290b4d884e0e32c9f18948267a7ff052cbdd7457c92a8c00b5349c763db359f4b1a24361fdb263586fbf85b687a22057f9547b14ae0c6082ad6ecb313fb31a093b1d82b0ea2f238c46015565072d843a726c8af1fab8edc62321e6ab3fafeb1aba5614e8a25dde4e1d673ce9b43cd65a961a3bf4b84ed75b239942f0f7a268207f472bebc8eea8de5a7d7e7400000003c525d7f68288f8978e1453b4b50050922c8e0e75db4e71f8dadb6946f52d837e80e2a7a1024191895ebecb4e7b29dac12bcae1137a028ae501a6dbab66d2c3a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18D8EB11-271E-11EF-9D76-F65846C0010F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2464 NOTEPAD.EXE

pid	process
2464	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ejblvonofdil.exe

pid	process
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe
2680	ejblvonofdil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeejblvonofdil.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
Token: SeDebugPrivilege	2680	ejblvonofdil.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: SeBackupPrivilege	1984	vssvc.exe
Token: SeRestorePrivilege	1984	vssvc.exe
Token: SeAuditPrivilege	1984	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3000	WMIC.exe
Token: SeSecurityPrivilege	3000	WMIC.exe
Token: SeTakeOwnershipPrivilege	3000	WMIC.exe
Token: SeLoadDriverPrivilege	3000	WMIC.exe
Token: SeSystemProfilePrivilege	3000	WMIC.exe
Token: SeSystemtimePrivilege	3000	WMIC.exe
Token: SeProfSingleProcessPrivilege	3000	WMIC.exe
Token: SeIncBasePriorityPrivilege	3000	WMIC.exe
Token: SeCreatePagefilePrivilege	3000	WMIC.exe
Token: SeBackupPrivilege	3000	WMIC.exe
Token: SeRestorePrivilege	3000	WMIC.exe
Token: SeShutdownPrivilege	3000	WMIC.exe
Token: SeDebugPrivilege	3000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3000	WMIC.exe
Token: SeRemoteShutdownPrivilege	3000	WMIC.exe
Token: SeUndockPrivilege	3000	WMIC.exe
Token: SeManageVolumePrivilege	3000	WMIC.exe
Token: 33	3000	WMIC.exe
Token: 34	3000	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2460 iexplore.exe
1940 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2460 iexplore.exe
2460 iexplore.exe
2536 IEXPLORE.EXE
2536 IEXPLORE.EXE

pid	process
2460	iexplore.exe
1940	DllHost.exe

pid	process
2460	iexplore.exe
2460	iexplore.exe
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeVirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeejblvonofdil.exeejblvonofdil.exeiexplore.exe

description	pid	process	target process
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2192 wrote to memory of 2576	2192	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
PID 2576 wrote to memory of 2452	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	ejblvonofdil.exe
PID 2576 wrote to memory of 2452	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	ejblvonofdil.exe
PID 2576 wrote to memory of 2452	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	ejblvonofdil.exe
PID 2576 wrote to memory of 2452	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	ejblvonofdil.exe
PID 2576 wrote to memory of 2536	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	cmd.exe
PID 2576 wrote to memory of 2536	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	cmd.exe
PID 2576 wrote to memory of 2536	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	cmd.exe
PID 2576 wrote to memory of 2536	2576	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	cmd.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2452 wrote to memory of 2680	2452	ejblvonofdil.exe	ejblvonofdil.exe
PID 2680 wrote to memory of 2144	2680	ejblvonofdil.exe	WMIC.exe
PID 2680 wrote to memory of 2144	2680	ejblvonofdil.exe	WMIC.exe
PID 2680 wrote to memory of 2144	2680	ejblvonofdil.exe	WMIC.exe
PID 2680 wrote to memory of 2144	2680	ejblvonofdil.exe	WMIC.exe
PID 2680 wrote to memory of 2464	2680	ejblvonofdil.exe	NOTEPAD.EXE
PID 2680 wrote to memory of 2464	2680	ejblvonofdil.exe	NOTEPAD.EXE
PID 2680 wrote to memory of 2464	2680	ejblvonofdil.exe	NOTEPAD.EXE
PID 2680 wrote to memory of 2464	2680	ejblvonofdil.exe	NOTEPAD.EXE
PID 2680 wrote to memory of 2460	2680	ejblvonofdil.exe	iexplore.exe
PID 2680 wrote to memory of 2460	2680	ejblvonofdil.exe	iexplore.exe
PID 2680 wrote to memory of 2460	2680	ejblvonofdil.exe	iexplore.exe
PID 2680 wrote to memory of 2460	2680	ejblvonofdil.exe	iexplore.exe
PID 2460 wrote to memory of 2536	2460	iexplore.exe	IEXPLORE.EXE
PID 2460 wrote to memory of 2536	2460	iexplore.exe	IEXPLORE.EXE
PID 2460 wrote to memory of 2536	2460	iexplore.exe	IEXPLORE.EXE
PID 2460 wrote to memory of 2536	2460	iexplore.exe	IEXPLORE.EXE
PID 2680 wrote to memory of 3000	2680	ejblvonofdil.exe	WMIC.exe
PID 2680 wrote to memory of 3000	2680	ejblvonofdil.exe	WMIC.exe
PID 2680 wrote to memory of 3000	2680	ejblvonofdil.exe	WMIC.exe
PID 2680 wrote to memory of 3000	2680	ejblvonofdil.exe	WMIC.exe
PID 2680 wrote to memory of 580	2680	ejblvonofdil.exe	cmd.exe
PID 2680 wrote to memory of 580	2680	ejblvonofdil.exe	cmd.exe
PID 2680 wrote to memory of 580	2680	ejblvonofdil.exe	cmd.exe
PID 2680 wrote to memory of 580	2680	ejblvonofdil.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ejblvonofdil.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ejblvonofdil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ejblvonofdil.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\ejblvonofdil.exe
    C:\Windows\ejblvonofdil.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\ejblvonofdil.exe
      C:\Windows\ejblvonofdil.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2680
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2464
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2536
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\EJBLVO~1.EXE
        5⤵
        
        PID:580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ovqqg.html

Filesize
12KB

MD5
f806104f32ec390c23fbf3ce53dc88f8

SHA1
817087513203df1a34726278014e66d2bf56b521

SHA256
82286cdbf12f26e3676292d232b24cc1e53c0711c596e753ad0f6fdcf359d683

SHA512
ba3c4fe26dee096f6fbdc301c40458f9fa724a3817fb31fbb262fbeca8e7a4ca628e4baf7e4d5290f09107aafd4f759922a96536390f4a89021dea670989147c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ovqqg.png

Filesize
65KB

MD5
883e59c5a65ab74d3fbc78b64a09af06

SHA1
c1b98e30d75f0837a2f3f03be7a0da8b3e195f82

SHA256
7fbecf3ee7c29dec03c83ce6f6fd0080b62e441854c9f62981c2cbcfac75ef1b

SHA512
0d0ec219108b9fa910c7c3d598b31b5137813f2b1f26ad2d97990a1de306d4f2a49f3eb068b5692a45c3de20b3f28c475b4ac083b5b28d89a22de12f9911f70d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ovqqg.txt

Filesize
1KB

MD5
a7278445f71dd0fab0e77eab54b33a9f

SHA1
d4aa122611360f19aac37e01f2df6a9524159bbb

SHA256
cc6f8450a39a676c01588890b5456c620a7f37f01dd00ae580b90fdea7f8a022

SHA512
db002f4494d2d892e1f51a4ca6f5839d3edc19f1ccd912e0abcf2aab0106af8cc36168bc8506681ec3c2084b1b86a0b2a48729a020673a9dc93818b9d74d0593

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.mp3

Filesize
11KB

MD5
86792bab8dfb72dfa9eb6e585d4bdfb3

SHA1
30ef8dc82d95a1713d5f73ee29e66f5c2d9a882d

SHA256
f57ae6d857a58f538d88ffdff0467c9a5a9e05dae32f5ef235c2c94357beccd1

SHA512
f02125d1d82e9710ffd5f1e1617215b4c07a01bf44ba06f0552e61de60ab84ea7e754d1a2e0a66ed252ef6115e7c67d9745258a427761d56dc98be5b16ece11c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
fe5c2904fffa2e9780016c3ad6c97b1d

SHA1
bd2f5c64c3fa5ad30131736e45c2623aae0f9487

SHA256
6c3f484571e27712fafa03d468d0a41c0661970f06abedfb4f46fdc38351d9b3

SHA512
a1867bfed8e436b165fa37207a5fe9fd46dce1d89e7459003f23f0542984030c976ba26d41840bc28a8038a4005ef625561df6f9d38bd92792f970c710afb715

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
e4c4f8fd68065e2b0e603ed6fce3df46

SHA1
d8382ad92776cafe5b471c0dfa02bf8ea28c24f9

SHA256
d610e8c708e6222ca36065dc160dfe3b55f284c0cb9b03cd2cc9e19d04cdb720

SHA512
fc52c778366f52b7352e6ae4c4ab145e98d0c5f6a7b76f8d6387a3982de4ecc76767e6a68d5a770d0cb4d668d862c1a05eaf10b9e39cacadf590b5e07b588d1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76c63a9681415e9930061b53997a5893

SHA1
e8a5ed535055d6fd4f42cf39757a6a6a1bd4b30d

SHA256
eaffc78e997d15b685ac2686f9c159cddc9b5f82cd998c60a0d7906266f0311c

SHA512
64062105e2527de2e1df1e16971c5dbeaf52a47948b1964fc26b54373bd755a26131b0fd272f10f2e427f2b2a927eb59c079085f25c7e2c649e8add0b5563e6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92d79134b0fe07a861914dc93ac588e6

SHA1
a4ff2b43888c5befaab42911eaa8004b1f047e01

SHA256
4f8b1bf23e908ab220ebae3923e7fca967bf0b4f3bdee3934de5a2f593f863dd

SHA512
cc14356d9681d2b634b7d0fcc2e315fee5bf9500419ad0e3a793c54aa3c2dc6a714fe62eac2281a799c6c1349fdd8d5ee6d452c01649597c3a84b0f2e7fa13e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6c042dcb1bfc22e6c47ab037a4ebd07

SHA1
5a8b9ea414bb94ff1d3b81c5cc4a6d28fc198fad

SHA256
ae3899fd7cafa2cebd59ac7dce26907183e274dedeb3cd7dd883a657dc4e9794

SHA512
1b9b7163df7c36dfb93b2e4a2095ae58239102585dae55b5e432d0ba1e6083610da1ed3c06ea903d772c3eaee9712df95065e70ffc8951966c6fe0d623fcfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76074917bec9edaa2d7b028c416d9f6c

SHA1
0e6f785e437d3876ee719d4598495868bd3398a3

SHA256
924aa05db4c2db11c38caf7009c917ef0902cc0f07d87e471a9333775a4eaca2

SHA512
14873d681edf6ee987dec8f5432fe2b6f876a51384abdc684fa228305b3ff295912f941382774ddd3f0c93b9197f89399fd4b9f62376dbbf014d7ac74dc93a21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1423c6be00ddcb3ef878f94bf24a9cc9

SHA1
d0deed9a369b40eaa408d23ca46e29e6c13b1497

SHA256
1dba170819d1873ea48554207948501a0f21cce04960bd6d76cf827d26b10b88

SHA512
d1265bc4b91a80e5b5bc743ca3e5a355d352b8c481d08c031ad56d90d94fd8409b4bbb680e2a32243cf581fbff8dd48173814830be8f94e97b96b9250dd445b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b823b5739d6b089e7ded4564bcc1c983

SHA1
ecacfda07fadca6fb0d3e61754ec3acb19a7eec5

SHA256
c1383417db9cf30e9c0ad9a45644c0d4af745265663e870fc7e288106513d1dd

SHA512
b2440795f00204e86fd6ff9fb41e1ee4131d1726c3a930ceece11fbe49e515f9f29a8b775e500b79fe9045c09065c10632e5f6d05b17b02942e6b349dba0065a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2950f26787f7c8a6418c98d2cde05ee

SHA1
9e18ae32de0cb2a6b3d5567ebf5ce67399f3b9ef

SHA256
63c9ead02680054b049c1755f5939c06aaf80abb6b387dd87cda47ab0511e41f

SHA512
c8ef57784159b8ba3e5db992eea190444cabd4b788fcecc6efb90fda2b3d2f08e6d679d3103cfe9d9110af59ee0ddfc3b142b8e29f6062e8e4a7e99c3417f1d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41bf19b3e600d7ed42b9627c75f30dbe

SHA1
41c966a801786d6a13d6ca71598a90a1959da5ce

SHA256
b02e350b69fe2237a77551dc5d2bd7241bfeca26b03eaf94ab4229056ddd45db

SHA512
daf53cf1946bc0333004b2e15ebaddd1bf886b027e547b7a40692dbf3f433286117c922c56ce7a19819b7d9dd799feeb5da77bf97fa308ae98388e9290d29741

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80046986a845b27ed993d416f0dfdf9b

SHA1
34daa4773ac64221fc6e5f11704241ba83f33391

SHA256
2d64d00a309fe5dbb45eb29c437cdca923c0cf9930b077bbec910cafb322ffbc

SHA512
ec1afbc251d0b4726ad1889ab4f8c06f8aa7341bf985b92ea29b893750bc45dee4efc0fc310408b639d1f54d297c38d66ada5e1f16f2ffafc1c3e4dee6c25dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8B80.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C62.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ejblvonofdil.exe

Filesize
356KB

MD5
5ef1fdd422951c153db8c39b87e84e5d

SHA1
a89966004343653b2d20c06b373b1390ed0450d3

SHA256
b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

SHA512
94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871

Download Submit
memory/1940-6050-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2192-0-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2192-17-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2192-1-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2452-28-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2576-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-31-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-6043-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-6061-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-6054-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-6052-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-6049-0x0000000002CD0000-0x0000000002CD2000-memory.dmp

Filesize
8KB

Download
memory/2680-763-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-4910-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-2027-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2680-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download