Analysis
max time kernel: 91s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 02-10-2022 05:00
Static task: static1
Behavioral task: behavioral1
Sample: 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c.exe
Resource: win10v2004-20220812-en
General
Target: 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c.exe
Size: 1.1MB
MD5: 732642d91b8fcb116b053152accadf6f
SHA1: 17871feee8f967a7d1d9a43dea3bec8f83f38de3
SHA256: 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c
SHA512: d3bb7a3f23663fa2065bd79b31af946966aa2559691099fe5383232f0a5857a1625df2f0ad876a86048f6e1c407ca5f715229e96029858ce9487c6474ed69832
SSDEEP: 24576:LiM5uIshBc6ReEJwdQx5L9MFy75C7HMIPga:xuj06wdU9MZMQ
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid | Process
4856 | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe
4820 | WaterMark.exe

resource | yara_rule
behavioral2/memory/4856-138-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4856-139-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4856-143-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4856-144-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4856-150-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4820-153-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4820-154-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4820-155-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4820-159-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4820-160-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4820-161-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4820-162-0x0000000000400000-0x0000000000421000-memory.dmp | upx

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\pxC345.tmp | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1940 | 3276 | WerFault.exe | 83
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe
4820 | WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4820 | WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1824 | iexplore.exe
4424 | iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
1824 | iexplore.exe
1824 | iexplore.exe
4424 | iexplore.exe
4424 | iexplore.exe
3768 | IEXPLORE.EXE
3768 | IEXPLORE.EXE
5056 | IEXPLORE.EXE
5056 | IEXPLORE.EXE
3768 | IEXPLORE.EXE
3768 | IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs
pid | Process
4856 | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe
4820 | WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 4960 wrote to memory of 4856 | 4960 | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c.exe | 81
PID 4960 wrote to memory of 4856 | 4960 | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c.exe | 81
PID 4960 wrote to memory of 4856 | 4960 | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c.exe | 81
PID 4856 wrote to memory of 4820 | 4856 | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe | 82
PID 4856 wrote to memory of 4820 | 4856 | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe | 82
PID 4856 wrote to memory of 4820 | 4856 | 06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe | 82
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 3276 | 4820 | WaterMark.exe | 83
PID 4820 wrote to memory of 4424 | 4820 | WaterMark.exe | 87
PID 4820 wrote to memory of 4424 | 4820 | WaterMark.exe | 87
PID 4820 wrote to memory of 1824 | 4820 | WaterMark.exe | 88
PID 4820 wrote to memory of 1824 | 4820 | WaterMark.exe | 88
PID 1824 wrote to memory of 5056 | 1824 | iexplore.exe | 89
PID 1824 wrote to memory of 5056 | 1824 | iexplore.exe | 89
PID 1824 wrote to memory of 5056 | 1824 | iexplore.exe | 89
PID 4424 wrote to memory of 3768 | 4424 | iexplore.exe | 90
PID 4424 wrote to memory of 3768 | 4424 | iexplore.exe | 90
PID 4424 wrote to memory of 3768 | 4424 | iexplore.exe | 90
Processes
PID 4960  C:\Users\Admin\AppData\Local\Temp\06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780c.exe"
  - Suspicious use of WriteProcessMemory
    PID 4856  C:\Users\Admin\AppData\Local\Temp\06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe
      command line: C:\Users\Admin\AppData\Local\Temp\06f5a82e39012ff2b5862fb7037df8178b734c462d74e036ed1beb3951ea780cmgr.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
        PID 4820  C:\Program Files (x86)\Microsoft\WaterMark.exe
          command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
            PID 3276  C:\Windows\SysWOW64\svchost.exe
              command line: C:\Windows\system32\svchost.exe
                PID 1940  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 204
                  - Program crash
            PID 4424  C:\Program Files\Internet Explorer\iexplore.exe
              command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                PID 3768  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
            PID 1824  C:\Program Files\Internet Explorer\iexplore.exe
              command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                PID 5056  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:17410 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
PID 4248  C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3276 -ip 3276
Network
MITRE ATT&CK Enterprise v6
Downloads