teslacrypt | a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
Size

352KB
MD5

820330e49a0f1aa4aca6fed989d07083
SHA1

a9a90a57252ae0ce4adf0a6d1b2a7de0cc4775d1
SHA256

a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526
SHA512

425229479c423bcd16502954d851cbad8199fa2ac4fe1e8b2a029470e589bfbff41aab6ae9bea2216f4cb3c3fa69f1cc54c8f1747cf44d1d82551c875640930c
SSDEEP

6144:pMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:pTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+sxkdi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/95481C9AC03AB8 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/95481C9AC03AB8 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/95481C9AC03AB8 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/95481C9AC03AB8 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/95481C9AC03AB8 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/95481C9AC03AB8 http://yyre45dbvn2nhbefbmh.begumvelic.at/95481C9AC03AB8 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/95481C9AC03AB8

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/95481C9AC03AB8

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/95481C9AC03AB8

http://yyre45dbvn2nhbefbmh.begumvelic.at/95481C9AC03AB8

http://xlowfznrg4wf7dli.ONION/95481C9AC03AB8

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2996 cmd.exe

pid	process
2996	cmd.exe

Drops startup file 3 IoCs

Processes:

ocaocsdtkfev.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe

Executes dropped EXE 1 IoCs

Processes:

ocaocsdtkfev.exe

pid process

1540 ocaocsdtkfev.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ocaocsdtkfev.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\hfdwdbu = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\ocaocsdtkfev.exe"	ocaocsdtkfev.exe

Drops file in Program Files directory 64 IoCs

Processes:

ocaocsdtkfev.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\ja-JP\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_ReCoVeRy_+sxkdi.txt	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_ReCoVeRy_+sxkdi.html	ocaocsdtkfev.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_ReCoVeRy_+sxkdi.png	ocaocsdtkfev.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_820330e49a0f1aa4aca6fed989d07083.exe

description	ioc	process
File created	C:\Windows\ocaocsdtkfev.exe	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
File opened for modification	C:\Windows\ocaocsdtkfev.exe	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab3667cdfe926e40911c7abe494d1b6900000000020000000000106600000001000020000000d5b8a6c68694d94214e1325bef351376199b57c38071b7ab479db7eab53b019d000000000e80000000020000200000004babd8cedc06780a6cf6bd582be3f289790d27fa5bbe7f70ee9a41744790069d90000000a158cbf54a68d8c8fed83689ab00f1b06ac5c63f5180cf5f35efc45f1ca143d668d1c4abc9417dbe9da308d8f66e58603faf183a7415ff001b4769c5affa07686aca820facd047d1cc136b4a9df1be9500ed87db9e4e8b10bdd00557a2612d5346830f3311dc55e9f5175bbfc7253211d48b0c83ef084cd4142bfd3ab0bcee727aa2740026d579c3f47f73b1a40022f040000000f18e47fa5e6cbe12d0a5410a9ed895e1c821765924a8a0fc6b55f8f65e6b6a7870c83b9472d56373537727aa3439b13c365e4304609a3c389aab2229c9143de4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{125652A1-271E-11EF-AF73-469E18234AA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0fed4e62abbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab3667cdfe926e40911c7abe494d1b69000000000200000000001066000000010000200000001b424736d1ee4f5f220716119afb4e7a27e2e8a944d13878bf0b5833ac5f9eac000000000e8000000002000020000000b2edd8dc2c87aaec8ebc6ed645f87118ec2a4b79356f9405cf27386873d1728b20000000215239796393921a843c32b237c60604bba16954bb39fbad15f5dc2e11766ebd4000000081af52159a1fc446a990aff3ceacb28d6d4e1d3ebe97a2c362fbfc3ce64ea891fac8f3828474eb3b24d42cabddc41366f9c61509be1ce61ea6592ce4050d2238	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424181425"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2016 NOTEPAD.EXE

pid	process
2016	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ocaocsdtkfev.exe

pid	process
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe
1540	ocaocsdtkfev.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_820330e49a0f1aa4aca6fed989d07083.exeocaocsdtkfev.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
Token: SeDebugPrivilege	1540	ocaocsdtkfev.exe
Token: SeIncreaseQuotaPrivilege	2716	WMIC.exe
Token: SeSecurityPrivilege	2716	WMIC.exe
Token: SeTakeOwnershipPrivilege	2716	WMIC.exe
Token: SeLoadDriverPrivilege	2716	WMIC.exe
Token: SeSystemProfilePrivilege	2716	WMIC.exe
Token: SeSystemtimePrivilege	2716	WMIC.exe
Token: SeProfSingleProcessPrivilege	2716	WMIC.exe
Token: SeIncBasePriorityPrivilege	2716	WMIC.exe
Token: SeCreatePagefilePrivilege	2716	WMIC.exe
Token: SeBackupPrivilege	2716	WMIC.exe
Token: SeRestorePrivilege	2716	WMIC.exe
Token: SeShutdownPrivilege	2716	WMIC.exe
Token: SeDebugPrivilege	2716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2716	WMIC.exe
Token: SeRemoteShutdownPrivilege	2716	WMIC.exe
Token: SeUndockPrivilege	2716	WMIC.exe
Token: SeManageVolumePrivilege	2716	WMIC.exe
Token: 33	2716	WMIC.exe
Token: 34	2716	WMIC.exe
Token: 35	2716	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2716	WMIC.exe
Token: SeSecurityPrivilege	2716	WMIC.exe
Token: SeTakeOwnershipPrivilege	2716	WMIC.exe
Token: SeLoadDriverPrivilege	2716	WMIC.exe
Token: SeSystemProfilePrivilege	2716	WMIC.exe
Token: SeSystemtimePrivilege	2716	WMIC.exe
Token: SeProfSingleProcessPrivilege	2716	WMIC.exe
Token: SeIncBasePriorityPrivilege	2716	WMIC.exe
Token: SeCreatePagefilePrivilege	2716	WMIC.exe
Token: SeBackupPrivilege	2716	WMIC.exe
Token: SeRestorePrivilege	2716	WMIC.exe
Token: SeShutdownPrivilege	2716	WMIC.exe
Token: SeDebugPrivilege	2716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2716	WMIC.exe
Token: SeRemoteShutdownPrivilege	2716	WMIC.exe
Token: SeUndockPrivilege	2716	WMIC.exe
Token: SeManageVolumePrivilege	2716	WMIC.exe
Token: 33	2716	WMIC.exe
Token: 34	2716	WMIC.exe
Token: 35	2716	WMIC.exe
Token: SeBackupPrivilege	2452	vssvc.exe
Token: SeRestorePrivilege	2452	vssvc.exe
Token: SeAuditPrivilege	2452	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2300	WMIC.exe
Token: SeSecurityPrivilege	2300	WMIC.exe
Token: SeTakeOwnershipPrivilege	2300	WMIC.exe
Token: SeLoadDriverPrivilege	2300	WMIC.exe
Token: SeSystemProfilePrivilege	2300	WMIC.exe
Token: SeSystemtimePrivilege	2300	WMIC.exe
Token: SeProfSingleProcessPrivilege	2300	WMIC.exe
Token: SeIncBasePriorityPrivilege	2300	WMIC.exe
Token: SeCreatePagefilePrivilege	2300	WMIC.exe
Token: SeBackupPrivilege	2300	WMIC.exe
Token: SeRestorePrivilege	2300	WMIC.exe
Token: SeShutdownPrivilege	2300	WMIC.exe
Token: SeDebugPrivilege	2300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2300	WMIC.exe
Token: SeRemoteShutdownPrivilege	2300	WMIC.exe
Token: SeUndockPrivilege	2300	WMIC.exe
Token: SeManageVolumePrivilege	2300	WMIC.exe
Token: 33	2300	WMIC.exe
Token: 34	2300	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2436 iexplore.exe
2296 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2436 iexplore.exe
2436 iexplore.exe
2244 IEXPLORE.EXE
2244 IEXPLORE.EXE

pid	process
2436	iexplore.exe
2296	DllHost.exe

pid	process
2436	iexplore.exe
2436	iexplore.exe
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

VirusShare_820330e49a0f1aa4aca6fed989d07083.exeocaocsdtkfev.exeiexplore.exe

description	pid	process	target process
PID 2740 wrote to memory of 1540	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	ocaocsdtkfev.exe
PID 2740 wrote to memory of 1540	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	ocaocsdtkfev.exe
PID 2740 wrote to memory of 1540	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	ocaocsdtkfev.exe
PID 2740 wrote to memory of 1540	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	ocaocsdtkfev.exe
PID 2740 wrote to memory of 2996	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	cmd.exe
PID 2740 wrote to memory of 2996	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	cmd.exe
PID 2740 wrote to memory of 2996	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	cmd.exe
PID 2740 wrote to memory of 2996	2740	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	cmd.exe
PID 1540 wrote to memory of 2716	1540	ocaocsdtkfev.exe	WMIC.exe
PID 1540 wrote to memory of 2716	1540	ocaocsdtkfev.exe	WMIC.exe
PID 1540 wrote to memory of 2716	1540	ocaocsdtkfev.exe	WMIC.exe
PID 1540 wrote to memory of 2716	1540	ocaocsdtkfev.exe	WMIC.exe
PID 1540 wrote to memory of 2016	1540	ocaocsdtkfev.exe	NOTEPAD.EXE
PID 1540 wrote to memory of 2016	1540	ocaocsdtkfev.exe	NOTEPAD.EXE
PID 1540 wrote to memory of 2016	1540	ocaocsdtkfev.exe	NOTEPAD.EXE
PID 1540 wrote to memory of 2016	1540	ocaocsdtkfev.exe	NOTEPAD.EXE
PID 1540 wrote to memory of 2436	1540	ocaocsdtkfev.exe	iexplore.exe
PID 1540 wrote to memory of 2436	1540	ocaocsdtkfev.exe	iexplore.exe
PID 1540 wrote to memory of 2436	1540	ocaocsdtkfev.exe	iexplore.exe
PID 1540 wrote to memory of 2436	1540	ocaocsdtkfev.exe	iexplore.exe
PID 2436 wrote to memory of 2244	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2244	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2244	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2244	2436	iexplore.exe	IEXPLORE.EXE
PID 1540 wrote to memory of 2300	1540	ocaocsdtkfev.exe	WMIC.exe
PID 1540 wrote to memory of 2300	1540	ocaocsdtkfev.exe	WMIC.exe
PID 1540 wrote to memory of 2300	1540	ocaocsdtkfev.exe	WMIC.exe
PID 1540 wrote to memory of 2300	1540	ocaocsdtkfev.exe	WMIC.exe
PID 1540 wrote to memory of 1792	1540	ocaocsdtkfev.exe	cmd.exe
PID 1540 wrote to memory of 1792	1540	ocaocsdtkfev.exe	cmd.exe
PID 1540 wrote to memory of 1792	1540	ocaocsdtkfev.exe	cmd.exe
PID 1540 wrote to memory of 1792	1540	ocaocsdtkfev.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ocaocsdtkfev.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ocaocsdtkfev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ocaocsdtkfev.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_820330e49a0f1aa4aca6fed989d07083.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\ocaocsdtkfev.exe
  C:\Windows\ocaocsdtkfev.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1540
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2016
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2244
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OCAOCS~1.EXE
    3⤵
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  - Deletes itself
  PID:2996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+sxkdi.html

Filesize
12KB

MD5
9df2c475c08c004e4e5c484a439d82ff

SHA1
ac4ca30c752d2cd7fba29d50489c79be603f050f

SHA256
d531f4c4cf1b3230404724064f72455f6352f98dbca452a474432a687f7ca20e

SHA512
b6358e1fd56eab949aa24ccd374527d7f645dda460da188d288ddfd4bf7885ee167336ec6fbf19a755790c7e08d3ea5dc9e06a9dbceb8d464dc86b19546b0eae

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+sxkdi.png

Filesize
64KB

MD5
4e172e6b23ef1929779972d9e026d6f8

SHA1
ed864ffeb50b252d0808a5921134e53d82abf227

SHA256
b4adfbb5f8e26cc3cca8b944b1de2ca8d6ca56416a837b389cba0a9c342a5a61

SHA512
0d938fc12f8e574d9b6721192b57a21ee2d65fb88527b7a913c594d1f14842fac7aafcb6ef38f0f18a3c7ceb0e7270b42fb93f2f15b6f30d384160925025afe7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+sxkdi.txt

Filesize
1KB

MD5
31993a39bbdea763da0312c3e7c36ff1

SHA1
acbfcc629f59da6d6b3927ee05836b5123aab6a2

SHA256
1595fa94daba26bd8d0ff4fa9d0a2d92ac042d7217c054a7a02afbc28385ea59

SHA512
6fc001f6ff5cf62db89c2967a2bf2ec5e0188eb2973af9cf35fada969ef682ec9cfe523cde18c3ed5b05a5c5c31964b18bb0c296487b81c208737949bbcc0411

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
ffd3204538519d126220291e2c65f663

SHA1
c7dcd0e5501692a81af0c677568a8ce2a769523e

SHA256
e57cc1c3f081047c178ab09ac5c788b418ae7826b283897b26d97af1268fb1b4

SHA512
5b472ec3f8ee93554750ec9687b80444e4abf43be26d0ea9e72e3a03b44a75fd5b12a7f3af7494841370c21a0045519cd4755a919f9e00a7b205b491abfca97f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
96bfedd1de71783bd32537cc9331d119

SHA1
c91834f637d795dff30d1604e630c0d83905049a

SHA256
6a5f89ed6043d9882af68c41718bf922a518eab37db4ef39ad4fe069be06d9ee

SHA512
9e46e717b47e088683253d6338b1282229cf1f476f1a4c5fab9d73a792327e9ecbbc70a412160ee1521c2d01c25b0c8875c7fb2849d49d9b616bac042d26ed2c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
3018b3a19300a1179282aa58f4b09177

SHA1
e3619411e6d818806184deefbecfbd2a511adf60

SHA256
c6198c463f23bd89d61294550186a5432823429a5d0186511d86553307b0c637

SHA512
0536b0c34b40dda1d3d5abfb5c5bbcd6ccde8715ff70424e94b2aa2957206c65411eab9b7a50943fcf2d83f62c4a7ca9ea8b6b02c037e7f962b29074f5d0dc75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02cde3bfc3a18af2294aedec4d3952bf

SHA1
d10f0f6c7f974c6102037108adac3c985188e22e

SHA256
01ed425ca64a0072c9a02f3af4f90544fefc905d95f30ee489eb76994520400b

SHA512
8630daefc4e8cca0dc6cbb30e799cf032a7cb7bbdd5916c54e7e41615bce5fffd7464cc11a4c31dfe862a8ec92017a77153d0870def46e08e2b2b0d4ecf26402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1be924b80ee02a05e6685e9d72a45cec

SHA1
44a7eaeeeaaeba16cbf13944912a4b4c7991703b

SHA256
b06cdc51a6a4d8bdfe4da2f15d2100e1b3cb77d3154a1222442fe707a5f1e070

SHA512
a7cd4bed5c1daf69d988adb196d17f064b12e8e43b4d2aad7523434620c609b6b30425dd0d80f2def3c1a014eb0ff66b8ebb1ea7ea39ad8cfedeafcb167da99e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
937f7e7b6b56fdd4eb8a7af6561133c9

SHA1
99cc5f942172ec578e80a1eda1b85a2993b69e33

SHA256
dcd35015553176def963433e2620218f853dc431310ad5cf50f08ad0ff7f4c6d

SHA512
71faa8c7d5cadf13e894cda8d69c301fc7d335b93ed8bef591998834b5e6af2df0ce4ccea540368be6725d1e8106b50a01365776d8a01c1ac4901929a5463bd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf0d2d07c1ba630d83ca8fc29c24449b

SHA1
5dd7e83843ce40ff139926da917b321c2f93df1e

SHA256
e85452775a8e81bb9741d3ad6536e9acc2f642e66cd22e534a65ee18c490e21a

SHA512
77b61750cae9cbddf967dbba7d20699c2b22095d60015817f225fef21e22fa6547f0e1536b3abcf8b6e87b925dd2e9717921c3544c2ed431e582c12b7e3a9233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69fa28304ab11123fc6476bb6e108dda

SHA1
37663533de6efc7e67941f876ca754a013b3cf08

SHA256
dbf1e480c449975de284975514ccdd1405f16a737ec1b0bcade8c6349a458126

SHA512
856f4727d3c507c5efc42efc835a79d2a3047f2f1dce021ba317e5ec588ed12fc5dd97ffca67a7342999a0ee8b412fc7412e6c128fd4daeb5291676e1bb7bb0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d68c513058b2f0de81addf52e2d59a67

SHA1
5e58f0fab4e16bb66637353a5cdd587b4c867a94

SHA256
4256984b05d0a932d99660a1fb9aa893e3400cf9b5793707dc60b78b54186e43

SHA512
2d443140354b2309d66648c08d465f925ab89ed2ef525fb6a1c9c55701e69734fc0f67d2ccecea4d5af73b008fc1f789ddf673a314efffd63acc4d8cb9e05302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ce655a0ec684b8ae6c7d3c431e5376e

SHA1
1c6396f9477a10f6240088306f59840e4eb53cda

SHA256
8a2e5da3f37e04420f1d5d73e1db0c01939d279e7a983765c72da1f129746039

SHA512
6f59b347cf2cf00e561a2ae90e872bae151310a58d95ad2bab9a58db01e01c8819dde4a952e789a8b9be129cd1cb6dfb144fb4b5a88c86693937348316ac7ff6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
672b54af07512eb76dd14b7ddd7c1809

SHA1
68a7ebd1a98d56f6e5bfdee661f349480728b17b

SHA256
1476d50ef040b38934e65a71a55fc7c6b9fb1aab9d137b9232ad29963a0d30cf

SHA512
07388a75907ace751850ffc6dbef0c35dc6c9b491dae71e44f208936590515d3421e06328752c8c811dbc3112d4b71ce91088c3af48efaef3e5fc46a33e0ad3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b923623364c9913ca6c0a67b8431cad0

SHA1
65fde94ea901cfbfe282e454644cbd9faec429f2

SHA256
ed800770a48e9538dd9dc4174ab17a31b1b15228849a2c96a0dde967cd181def

SHA512
7d89953c0c18df2eb1e2cb622d18b342261875a084bc15c27450dbf261f7540648fec534f1f464659eef2181cf5ecedabcda8def5b559a3c5a6d2b37000ccc24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7beac92efafa3743c6f258a7b06f7626

SHA1
94ff1e8c027cc5d8108299f97cfe29b9b5fd1212

SHA256
64ff04e621c5422d8aed9f420d14f1c0bb4226c93be73f2d3f02ca830db4e880

SHA512
d3a53159058198707290064beb70c7abfe47d6ee0d2cdbb906f8c0bad91caa6e3eca1d3d2caded4364673317bf76b1886d61d47b44c824846c01eda5d3eb998c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f4ffa97cf4592f46118d4ab33af870f

SHA1
90417bd45ebf9f321e736734a0a0a378b8a4a4f5

SHA256
0d8a38ad48bfcbf485d4aed52bcd30b78f8fd36ab70cc6817563bc609859b8c9

SHA512
0e62c35efc2ce0e9509cae94d9b82b5430f7cd5301ddc43a28acc7ac5e39d563d60907d57529553c94969f763ba35b1d657ca9c4cd1db2e50c19dbfc9cf5c289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd6b4dba8d0627c132044db2fea50fe4

SHA1
ff41c4c11d665fac0d377e1b569993f4a6e07472

SHA256
18060c501d84cf2b91d06b02bb5846c24eebfc6d2c0cb2a171861d3cd60f2374

SHA512
ea876f0ba1336c4a594612dae08f909d2f0151ea669c59def3553a51723ede55c9fb3f57f7b6405856ebf69496f296b4e278a2968638d56dc5424febe0df3896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8118fad2d4df51d3657f90242715de17

SHA1
bd092a4b59894f057c3f08ab9ed2174dbe324352

SHA256
4d44415672342d2b514c477cb8ab223f8dc3aa93ebea6567195bf9dc7158d42b

SHA512
7b8370753f559997ee506e70ba66606410abb599d9523eef180e93e0efa802d182deab6a33c06110388b8c575d4951b3bcfc6decc854363757f195a45eaf03f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f92b01ef352cb2e8c16dcaf61abf6d4a

SHA1
a84fced79f40594f97652fa7e8b78e689bbe9c3b

SHA256
e377c7c1ce3dece2fdac23e1afc496f26a8673c2f4d6186b74b52224b059a374

SHA512
47c74bd4f54ccfe6ce44ae5e6adc95d80973224339ebb94a01bd46f908d123f711bd3a0c471b14e16c8627a7b3816433b3657de3fa0eed674295fcc58170470c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cd97dcd40dbf62fec1f97864b59e74c

SHA1
0e57ffb9dd1f3945bdafe9d775bb8af593295d92

SHA256
69add3b1d0ed01ab0fa1ff22b2bb6c25581f140aed4f2ac2c351701b0873be9d

SHA512
62c1a682734daba833ef2b8d92b6da4ab67298b521852c5006b47dcb999193d84356f02e19457cf1d4fea3af5e18f2c11020092f9cc21dce63ef683bc2214a07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84a99d5d88ce7e52e970b4616f4dc85c

SHA1
713c29db3e56c77f8a303659cd30b2bbab3fe182

SHA256
0c2067203c1a137193841a6368bbb988cbcf2ac4268038bbed94a28d07b348c0

SHA512
831793a900b708c0047600b145879ab8eea06fa752034d8b66a1be0115be3a22bc2d7c96cd4c1bc22fb8293aaa21c1f3c682be2769e7d3eb3ebd8f1d3dde437a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a4670f717939a7a24e640b3a9512f88

SHA1
07e88cf3eb4563d78f64388d418827cdf1651f43

SHA256
de525e8a2e42c4b3ebddfd80e20e24cde6b0e59712738c930b02f0526cbe686a

SHA512
5fe6e23d071699788a85ece140e62b399c43b78031837a527d53eea1bd3434cff360a7c6edacfc3caf1a033a0738de147a0bf474c9729e2ef3dbf94010f5280f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08df44460f49b70436f36f6d68b07c75

SHA1
21aa925d9d209ae9c28a4186944b878e8ed1909a

SHA256
3b077ac5104d3c5dd4a1db72c4e13f762ef3a0fabeec8728b3279ade4af0b9c4

SHA512
a488b6f9b29aab783c93e064f4956cefce0914b0f42859c1e65aab9830d7d03c74dea0ca5165fabe27b1c04cc768e3e0a2784d6caa892f377b6011246a33f50d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48b74e669785c71c67c761ea08220499

SHA1
6d95ba870a8a2289d956559ed1e30a55a0e8a6f7

SHA256
3b95dbe6f591f90a7e470d1d669564e9959b2ab523484e3077efdf45001767de

SHA512
3a1350a8bd2e755a4e7d210e736e88222d722260bc828bd393c79abc55ff955d67ef9244131cdc8e8ca530bccd550be5d6a51a9079593174b9c54935a7011930

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA352.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA445.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ocaocsdtkfev.exe

Filesize
352KB

MD5
820330e49a0f1aa4aca6fed989d07083

SHA1
a9a90a57252ae0ce4adf0a6d1b2a7de0cc4775d1

SHA256
a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526

SHA512
425229479c423bcd16502954d851cbad8199fa2ac4fe1e8b2a029470e589bfbff41aab6ae9bea2216f4cb3c3fa69f1cc54c8f1747cf44d1d82551c875640930c

Download Submit
memory/1540-13-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1540-6022-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1540-6513-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1540-6018-0x0000000002C50000-0x0000000002C52000-memory.dmp

Filesize
8KB

Download
memory/1540-4292-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1540-1775-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1540-16-0x0000000000310000-0x0000000000396000-memory.dmp

Filesize
536KB

Download
memory/2296-6019-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2740-12-0x0000000000280000-0x0000000000306000-memory.dmp

Filesize
536KB

Download
memory/2740-11-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2740-0-0x0000000000280000-0x0000000000306000-memory.dmp

Filesize
536KB

Download
memory/2740-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download