teslacrypt | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Size

371KB
MD5

c192a273a786b569df2056914faf8327
SHA1

87f24f470d678deae2cade1d3fd12255e796c091
SHA256

e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
SHA512

8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427
SSDEEP

6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/7D9EEAD73E82E178 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7D9EEAD73E82E178 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7D9EEAD73E82E178 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/7D9EEAD73E82E178 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/7D9EEAD73E82E178 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7D9EEAD73E82E178 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7D9EEAD73E82E178 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/7D9EEAD73E82E178

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/7D9EEAD73E82E178

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7D9EEAD73E82E178

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7D9EEAD73E82E178

http://xlowfznrg4wf7dli.ONION/7D9EEAD73E82E178

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (407) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.html	dakfjprvnatu.exe

Executes dropped EXE 2 IoCs

pid	Process
3016	dakfjprvnatu.exe
2624	dakfjprvnatu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\gihrktiqxohc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dakfjprvnatu.exe\""	dakfjprvnatu.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 3016 set thread context of 2624	3016	dakfjprvnatu.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js	dakfjprvnatu.exe
File opened for modification	C:\Program Files\MSBuild\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jre7\bin\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+iwxag.html	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Journal\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\_RECoVERY_+iwxag.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_RECoVERY_+iwxag.png	dakfjprvnatu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	dakfjprvnatu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_RECoVERY_+iwxag.html	dakfjprvnatu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dakfjprvnatu.exe	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
File opened for modification	C:\Windows\dakfjprvnatu.exe	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dakfjprvnatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dakfjprvnatu.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067ce3b9ae31c06448aecca112942c74100000000020000000000106600000001000020000000c1398c9852ce5b2702acb833b176979bdd9e698d3e893dcc410cb76a98abc3e3000000000e8000000002000020000000c3958ddce38f5166673ba61a3be5555c8b064feda783875aaf32fc34264132449000000027ef45f4083614070f699da1cf26724c5cf33ba5a53a76481cbee1cf11ebf45d52185768897a4655ad37664ef9e08cfb7c10657ccec097f8418435afd8dff0a48b500bf7b39b1318ad952e6532a99223311aac09a890b0a34b289a735a8375983e365262bca72163b3155d894e3506b752b8e6ab51aae9eecdd247ac4038ee936a4dabfe39fab6c5b91f010daf8a96a240000000945e32998807ce97917c7fce273408cf2cf7a92d85e582bda893cd3fd494ed8b41a7daf1b9bf22f3501318ea3669d1f5fbed196a3a200364d8bc19fac7a83ef4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18C3A631-D7E3-11EF-BBD1-D686196AC2C0} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067ce3b9ae31c06448aecca112942c74100000000020000000000106600000001000020000000ac890e27908ca7f6900e03a13697bcaed096bc0d6e19581771b1b0140dedf527000000000e8000000002000020000000a0ac1fe336adc37f55db889cce2cc70242d417c4a4e9b179ad464dc12b19592f20000000bde36abe7964de1b2e6f2680a701cf3a9ffb2557d3dcaa0676cdf008a62f2cb4400000007fa569cfa189e0d363fbe02de0b64048eb5642e817600c142347819c1e247a8e27784ad50749713b0283a12d083bccc7a07e019f7ea28d03eaf0f51fbe7a6b1c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0cc38edef6bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1968	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe
2624	dakfjprvnatu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Token: SeDebugPrivilege	2624	dakfjprvnatu.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeBackupPrivilege	2940	vssvc.exe
Token: SeRestorePrivilege	2940	vssvc.exe
Token: SeAuditPrivilege	2940	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemProfilePrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeProfSingleProcessPrivilege	2276	WMIC.exe
Token: SeIncBasePriorityPrivilege	2276	WMIC.exe
Token: SeCreatePagefilePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeDebugPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeRemoteShutdownPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe
Token: 33	2276	WMIC.exe
Token: 34	2276	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
960	iexplore.exe
1868	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
960	iexplore.exe
960	iexplore.exe
612	IEXPLORE.EXE
612	IEXPLORE.EXE
1868	DllHost.exe
1868	DllHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2524 wrote to memory of 2852	2524	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	31
PID 2852 wrote to memory of 3016	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	32
PID 2852 wrote to memory of 3016	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	32
PID 2852 wrote to memory of 3016	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	32
PID 2852 wrote to memory of 3016	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	32
PID 2852 wrote to memory of 2808	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	33
PID 2852 wrote to memory of 2808	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	33
PID 2852 wrote to memory of 2808	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	33
PID 2852 wrote to memory of 2808	2852	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	33
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 3016 wrote to memory of 2624	3016	dakfjprvnatu.exe	35
PID 2624 wrote to memory of 2484	2624	dakfjprvnatu.exe	36
PID 2624 wrote to memory of 2484	2624	dakfjprvnatu.exe	36
PID 2624 wrote to memory of 2484	2624	dakfjprvnatu.exe	36
PID 2624 wrote to memory of 2484	2624	dakfjprvnatu.exe	36
PID 2624 wrote to memory of 1968	2624	dakfjprvnatu.exe	45
PID 2624 wrote to memory of 1968	2624	dakfjprvnatu.exe	45
PID 2624 wrote to memory of 1968	2624	dakfjprvnatu.exe	45
PID 2624 wrote to memory of 1968	2624	dakfjprvnatu.exe	45
PID 2624 wrote to memory of 960	2624	dakfjprvnatu.exe	46
PID 2624 wrote to memory of 960	2624	dakfjprvnatu.exe	46
PID 2624 wrote to memory of 960	2624	dakfjprvnatu.exe	46
PID 2624 wrote to memory of 960	2624	dakfjprvnatu.exe	46
PID 960 wrote to memory of 612	960	iexplore.exe	48
PID 960 wrote to memory of 612	960	iexplore.exe	48
PID 960 wrote to memory of 612	960	iexplore.exe	48
PID 960 wrote to memory of 612	960	iexplore.exe	48
PID 2624 wrote to memory of 2276	2624	dakfjprvnatu.exe	49
PID 2624 wrote to memory of 2276	2624	dakfjprvnatu.exe	49
PID 2624 wrote to memory of 2276	2624	dakfjprvnatu.exe	49
PID 2624 wrote to memory of 2276	2624	dakfjprvnatu.exe	49
PID 2624 wrote to memory of 2036	2624	dakfjprvnatu.exe	51
PID 2624 wrote to memory of 2036	2624	dakfjprvnatu.exe	51
PID 2624 wrote to memory of 2036	2624	dakfjprvnatu.exe	51
PID 2624 wrote to memory of 2036	2624	dakfjprvnatu.exe	51

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dakfjprvnatu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dakfjprvnatu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
"C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
  "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\dakfjprvnatu.exe
    C:\Windows\dakfjprvnatu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\dakfjprvnatu.exe
      C:\Windows\dakfjprvnatu.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2624
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1968
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:612
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DAKFJP~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.html

Filesize
9KB

MD5
6e98ff45af9debf65e650c57264b57dd

SHA1
3683a07bfb4c8a6e22b6c48f34638df4689c39cc

SHA256
7a40c5faa97ff9711bbc04f1a3e599feba2acd7463750cfc37672fabb977908c

SHA512
119759b74cc0d5fcbf74098d5987526ace8cc17d6a2dc1200e64db8d52b0448be89282fa4c56b132fc93d25db208d994f7fd136f1a3d8069a36dec802f7c2d6b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.png

Filesize
63KB

MD5
5507478787300d5792e4acc0c9109eb1

SHA1
97bd372bd1f8541fa7c2d41ec09a941d5fb2e4bc

SHA256
1a60ea2a52068d34c2b85f5c89c382d2707633a8489e194ca34c5e22cb703d2c

SHA512
15cbe3a4a933cdb92904455486d4dd638f36f5a0068960b7c88f768d8fbfcd8fc171eae52a8d09ed98e6e9b7b5bd7c699e6ca7c2cbd97c3f048f72db92ba944e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.txt

Filesize
1KB

MD5
8cedab90a35f61beb9ed807d7beb3933

SHA1
d96b5dd1da396ad1c68a0089ae03486dd6f45549

SHA256
628f79a04ecc08c8e5980fa18fa0bdd00b2e18bd21c6ee58a2d194747c38a4f2

SHA512
56b6f5f710acc66c753a17c00e989031235b988c463c91d9792e99ab191b9d79caa89c78ed873b78de6bfe71d651c72f9d835c1ec78e96d21cc917e25690ec8a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
08b38ddfb697c96a1db6954227a8a071

SHA1
4d6aa353f1c02317c0e6bdee72daf0ad5cfb4eff

SHA256
8075f164169a0cc585509413ab5c572fa7ffb4fcb87d4be681136333a5fe8cf0

SHA512
c4749c85df8391bfaa6274436d1d6e108c4ca7914430d87226b94011636b9307d75edd7ea8631ca444ee58e1034c16523637333cefbf758d91f1411e8b1b1507

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
26de235f316342e366b49325832bb4ff

SHA1
cb1d5836da5455bb5d9e1aa679773e93ad039250

SHA256
634a4b7f056e13aab793e2c7b97bf207ec769bdcf86cd80c6e3a418565405083

SHA512
50762ea167743e0a88eee8f320c05870bde779521a249ef7fcd8950cb57363f83c621916acc19e567fbd150291ee4a9365717b3e913c3e11fed30789a0402486

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
55c7030e0c3e8b833d1856666ecc8f47

SHA1
6451c3dd5534c055772d713e3583ccfb0a6899ea

SHA256
bfeac4a036d4026b22539102ced8fc90e58834110d43e43c6216ec328b1d4ff0

SHA512
6d57fd415756a77fe5e0c137750adb6f71ea40ffacf2582330f7cce1eecb6385446ddb06a7799f5f39654efef10469265be8650954f93fdbadcf3c05e39e2e67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe435f082a4419d0e289e1ddbcd2733d

SHA1
2b47bba86440e8ef6f139285e05ca5e6f1cee2de

SHA256
de4ba4a8e4d6c4af20ea8da04c81ba9f566683cebcbb7143cd1f2f82dc5f7d3d

SHA512
917a77440cff07e3e97f6eaa20756eb29adedb400d7fe63a390ea877e817ad5b3b50d447f98dafbd43a3d68c29ba4721be3f3c45f11fa8accdfae6fae700a1b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1ca8c59d324ccba7d577bee0a2c31b0

SHA1
64b9dd540926650a50f628f96883509643bb7fc1

SHA256
da9289b38e518e97e1a43595f3bdcb216ad4fa3ad613bf662e88a7834e59b777

SHA512
69c06a1835e233b8b1115cbd03b96946553d45503c10555d00c80e551b995f31ed7ee7046e5c4e69eccf6b6151b916eae29d603f7c2ab7c11912b7978b28c730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a708888e6d6ef7dae59442628c1eb058

SHA1
5664d3e1ba29bfce199cd971c1eda6893f2f9ff5

SHA256
55eefe3713f72c1a82874d6c8fb311bee4dccbf82f0f50d58da15fba1cd5eb75

SHA512
7657ae1c3d587a79b6cf5401bca5dcb2b6514c9d245ea7a0cc8881efd54cd6c0a20c7bb5ce9fd4ce60ca6d1e48b92c9a5f2df59d4071a298c47909d430fa8533

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c683d9d3d5be5cd8698d80a5f6dce48

SHA1
c3623b1a4c3ad759b170743964ba8cb87601fe51

SHA256
baa711998e653c53ee4bbfbcab91d98927f113c4647f20cd6c6660016a28142c

SHA512
e28c0216718b85907178e02424913f770d353bf90ffff52b9bd1bf9901342f6fda94ac2fc34c4c6781b002526a4c4d6f5ed3bd0939eb6d79d4a8a90b29173f35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff22968790aeb64a3eaba63f859e468c

SHA1
cab1fea81419de44a22ebd299eb319470ea0048f

SHA256
050675599a0c07b2036e550503bbf21d5f570d3b6732a0e995db47a8ddfd53ab

SHA512
50f740c65f4deb346c392f9c72daeaa6411bcccc021d9ab574f26588786824e5fadfc9fce652911730d391d110307a9747ca1a92db1b634b0b942c09b66c7372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1925c14efedf21a4ab81cf38facda4d1

SHA1
f245045410e823f3f413c388dd89491ec871efc2

SHA256
e1f73bc87f8bf05099b1408c3b9c230d58add1d5790ac7b4ab85fe7dd7a16199

SHA512
3f0e491be742cc5963fa6c7f2ba90400bf889d55e235a25cb48a2803a00d8af2d0ce4cac5390d2bd2247e47e968165c5893f75634dcad67453a2890b8e5549cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38eb8cafb48b37771efe15f871eda110

SHA1
612b56cbef014deae5a96098350b4a72d00cf7fb

SHA256
d8f447594ce722412057031149c3f1f0b920f13daa5e01251661809063a85f1b

SHA512
7e4bb3846ad308f7efcc09cdc41b9e39c741aedb537fa3337f7f66e88dad9e3a682c7bfc4c675228eb5eac9a9418c5562db9d4fb501e9785419169d881a5ee44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60f8851c6feef5698cfe6b41d424a0be

SHA1
1d25e5f5d7599398174353e335d46dd396ba0cd6

SHA256
dcc2c2ca81a45ee891b14b53e65c46016b69e0ef6c401f1b57467a88d20156bb

SHA512
ec0e83fa31efab6746b2ff2da3ff79b9de0622eac6e0f304698120194caf393c94f7421f1d9588f7d7582c6ef056575a2de23bbd125882f424dc91247d662bec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9458d1cc26cd9fd9628b986918f947d

SHA1
d26c44e91741042ce43243a60dc1410f1663f922

SHA256
34624ea4414dce88fb05f565395ba4fdc38e1e7c6efb1f4ffc79c0bbb866ffae

SHA512
5361553bbfd9881dee0adc27101d48988eb3df4188809e670640ab35a08e0719583740b8a81ddc15c7f8a9be60f73460dd3610284cf81810f9a7d7889605e489

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3851.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3910.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\dakfjprvnatu.exe

Filesize
371KB

MD5
c192a273a786b569df2056914faf8327

SHA1
87f24f470d678deae2cade1d3fd12255e796c091

SHA256
e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced

SHA512
8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427

Download Submit
memory/1868-6079-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2524-14-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/2524-0-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/2624-1940-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-5388-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-1500-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-1944-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-6072-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-6078-0x0000000003DA0000-0x0000000003DA2000-memory.dmp

Filesize
8KB

Download
memory/2624-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-6081-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-6082-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-6089-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2624-6086-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-27-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3016-28-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download