Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 03:36
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2 (the run reported on this page)
  Sample: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
Size: 92KB
MD5: 5b3f40d956be53a1e5acbb36124ed577
SHA1: bd077f5467d840e3e782841b687c61512b96bc47
SHA256: e2636c32991e3e8b061d88daf3e769a6263d9a02ee27eae9a2e78ccf3ef1fec5
SHA512: b6ab8ccbc8fdbef4dff66f1062e4ea37da1f76421e306b4cf7a43f58fe9e520bd8ba29363e8897b55a98facf42a52215386506aeebf8e93551e00c96edee3e78
SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4Ab6FDs1AtY4cvCPu5KLp+f87:Qw+asqN5aW/hL96FDs1ADPiipc87
Malware Config

Extracted from C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (the dropped ransom note):
  contact e-mail: cobson@hwabag.us
  URL: https://soyjak.party/raid/
Signatures

Dharma
Dharma (also tracked as CrySIS) is a ransomware family; some of its distribution campaigns bundle the payload with a legitimate security-software installer so that the installer's activity masks the encryption. The behaviour below is the family's standard pattern: an appended extension of the form .id-<victim id>.[<e-mail>].<campaign suffix>, an Info.hta ransom note launched through mshta.exe, copies of the binary registered in Run keys and the Startup folder, and shadow-copy deletion through cmd.exe and vssadmin.exe.
Deletes shadow copies (2 TTPs)
Ransomware deletes Volume Shadow Copies so that Previous Versions and System Restore cannot be used to recover files. On this run the evidence is the two vssadmin.exe processes (pids 4588 and 4924), each started through its own cmd.exe by the sample; see "Interacts with shadow copies" and the WriteProcessMemory process tree below.

Renames multiple (496) files with added filename extension
Consistent with ransomware encrypting files across the system. The suffix appended here is .id-0C99FD02.[cobson@hwabag.us].HWABAG: 0C99FD02 is the per-victim ID, the bracketed address is the contact e-mail from the ransom note, and HWABAG is this campaign's extension. Only 64 of the 496 renamed files appear in the IoC lists below.
Blocklisted process makes network request (8 IoCs)
mshta.exe is the Windows HTML Application host; the two instances here were started by the sample (see the WriteProcessMemory tree) and are presumably displaying the dropped Info.hta ransom note, which pulls in remote content. Flows 37 and 38 are the raw.githubusercontent.com connections listed under "Legitimate hosting services abused".
Processes: mshta.exe (pid 6556), mshta.exe (pid 5692)
  flow 34  pid 6556  mshta.exe
  flow 35  pid 5692  mshta.exe
  flow 37  pid 6556  mshta.exe
  flow 38  pid 5692  mshta.exe
  flow 39  pid 6556  mshta.exe
  flow 40  pid 5692  mshta.exe
  flow 41  pid 6556  mshta.exe
  flow 42  pid 5692  mshta.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, which malware uses to geofence its execution. Treat this as weak on its own: the same value is read by ordinary locale initialisation (for example through GetUserGeoID), and nothing else on this page shows the sample acting on the result.
Processes: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation
Drops startup file (5 IoCs)
Two autostart artefacts land in the per-user Startup folder (a copy of the binary and the Info.hta ransom note), so both run again at the next logon even if the Run keys below are removed. The folder's own desktop.ini was encrypted in passing, which shows the encryptor does not exclude hidden system files in directories it walks.
Processes: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0C99FD02.[cobson@hwabag.us].HWABAG
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0C99FD02.[cobson@hwabag.us].HWABAG
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data, which can include saved credentials. In a ransomware run this signature commonly fires because the encryptor opens browser profile files in order to encrypt them, not because anything is exfiltrated; no browser-data IoCs are listed for this sample, so read it as part of the file sweep unless network evidence says otherwise.
Adds Run key to start application (2 TTPs, 3 IoCs)
All three values are written under HKLM, so the sample ran with administrative rights in this sandbox. One value relaunches the copy dropped into System32; the other two relaunch the ransom note through mshta.exe at every logon and use the full path of the .hta as the value name, an unusual shape that is easy to hunt for.
Processes: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe = "C:\\Windows\\System32\\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
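The persistence entries above (the Run keys here and the Startup-folder and System32 drops listed on this page) can be checked mechanically. The script below is an added example written for this page, not sandbox or malware code: it parses registry-write and file-event lines in the flattened shape the report prints, unescapes the string values, and raises three kinds of finding: a Run value that launches a script host such as mshta.exe, a Run value whose image or first argument is a file the sample itself created during the run, and an executable or script dropped into a Startup folder. The set of script hosts and autostart extensions are the author's own heuristic lists, and the sample input is constructed from entries on this page.

```python
import re
from pathlib import PureWindowsPath

SAMPLE_EXE = "2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe"

# Constructed sample input: the Run-key writes and the Startup/System32 file events
# from this report, copied in the flattened form the page prints them.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe = "C:\\Windows\\System32\\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""',
]
FILE_EVENTS = [
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{SAMPLE_EXE} {SAMPLE_EXE}",
    rf"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini {SAMPLE_EXE}",
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0C99FD02.[cobson@hwabag.us].HWABAG {SAMPLE_EXE}",
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta {SAMPLE_EXE}",
    rf"File created C:\Windows\System32\{SAMPLE_EXE} {SAMPLE_EXE}",
    rf"File created C:\Windows\System32\Info.hta {SAMPLE_EXE}",
]

# Shapes of the two record types as the report flattens them (assumed from this page).
RUN_WRITE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?\\Run(?:Once)?)\\(?P<name>.+?) = "(?P<data>.*)"$'
)
FILE_EVENT = re.compile(
    r"^File (?P<action>created|opened for modification) (?P<path>.+?) (?P<process>\S+\.exe)$"
)

# Heuristic lists chosen for this example (not from the report).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
AUTOSTART_EXT = {".exe", ".hta", ".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd",
                 ".ps1", ".scr", ".dll", ".lnk"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def unescape(data):
    """Undo the backslash escaping the report applies to string values."""
    return re.sub(r"\\(.)", r"\1", data)


def split_command(cmdline):
    """Split a Windows command line into (first token, remainder), honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, rest = cmdline.partition(" ")
    return head, rest.strip()


def referenced_files(data):
    """The image and its first argument: the files an autorun value will run or load at logon."""
    image, rest = split_command(data)
    refs = [image]
    if rest:
        refs.append(split_command(rest)[0])
    return refs


def audit_persistence(registry_lines, file_lines):
    """Correlate Run-key writes with files created in the same run and flag autostart drops."""
    findings, created, startup_drops = [], set(), []
    for line in file_lines:
        m = FILE_EVENT.match(line.strip())
        if not m or m["action"] != "created":
            continue
        path = m["path"]
        created.add(path.lower())
        if STARTUP_DIR in path.lower() and PureWindowsPath(path).suffix.lower() in AUTOSTART_EXT:
            startup_drops.append(path)
    for line in registry_lines:
        m = RUN_WRITE.match(line.strip())
        if not m:
            continue
        name, data = m["name"], unescape(m["data"])
        refs = referenced_files(data)
        if PureWindowsPath(refs[0]).name.lower() in SCRIPT_HOSTS:
            findings.append({"kind": "run: script host", "name": name, "target": data})
        for ref in refs:
            if ref.lower() in created:  # autorun points at something the sample just dropped
                findings.append({"kind": "run: points at dropped file", "name": name, "target": ref})
    for path in startup_drops:
        findings.append({"kind": "startup: dropped autostart file",
                         "name": PureWindowsPath(path).name, "target": path})
    return findings


if __name__ == "__main__":
    for f in audit_persistence(REGISTRY_EVENTS, FILE_EVENTS):
        print(f"{f['kind']:32} {f['name']} -> {f['target']}")
```

On the events above the audit yields six findings: two script-host autoruns, two Run values pointing at files created during the run (the System32 copy of the binary and the System32 Info.hta), and two Startup-folder drops. The Roaming\Info.hta autorun is not matched to a drop because no creation event for that path appears on this page, which is exactly the kind of gap the correlation makes visible.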
Drops desktop.ini file(s) (64 IoCs)
desktop.ini is the hidden folder-customisation file Explorer keeps in these directories; the encryptor opens it in every folder it walks, so the list doubles as a map of the directory sweep: user profiles, Default and Public profiles, ProgramData Start Menu folders, Program Files, OneDrive, and the Recycle Bin on C: and on a second volume F:. All 64 events are "File opened for modification" by 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe.
Processes: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Public\Libraries\desktop.ini
  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Public\AccountPictures\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Public\Music\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini
  C:\Program Files\desktop.ini
  C:\Users\Admin\3D Objects\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Three connections to raw.githubusercontent.com; flows 37 and 38 belong to the mshta.exe instances listed under "Blocklisted process makes network request", so this is content fetched while the ransom note is rendered rather than command-and-control. Fetching from GitHub is not malicious in itself; use it as context, not as a standalone indicator.
  flow 36  raw.githubusercontent.com
  flow 37  raw.githubusercontent.com
  flow 38  raw.githubusercontent.com
Drops file in System32 directory (2 IoCs)
Writing into C:\Windows\System32 requires elevation, consistent with the HKLM Run keys above; both files are the targets those Run values point at.
Processes: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  File created: C:\Windows\System32\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  File created: C:\Windows\System32\Info.hta
Drops file in Program Files directory (64 IoCs)
Two event types are mixed here: "created" entries are the encrypted output files carrying the .id-0C99FD02.[cobson@hwabag.us].HWABAG suffix, and "modified" entries are files opened for modification, either originals being overwritten or already-renamed files being revisited. Every entry is by 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe.
Processes: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png
  modified  C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  modified  C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psm1
  modified  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\ui-strings.js
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\THMBNAIL.PNG.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png
  modified  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-400.png
  created   C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\xmlrw.dll
  modified  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll
  modified  C:\Program Files\Java\jdk-1.8\bin\klist.exe.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md
  modified  C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui
  modified  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png
  created   C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_mr.dll.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-400.png
  modified  C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\Example1.Diagnostics.Tests.ps1
  created   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC
  created   C:\Program Files\Microsoft Office\root\Office16\Resources.pri.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml
  created   C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White@2x.png.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de.gif.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql2000.xsl.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-125.png
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\Microsoft Office\root\Office16\ODBCTRAC.DLL
  modified  C:\Program Files\Java\jdk-1.8\jre\Welcome.html.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll
  created   C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\WindowsFormsIntegration.resources.dll.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-250.png
  created   C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_da.dll
  modified  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBeNullOrEmpty.snippets.ps1xml
  modified  C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.WebSockets.Client.dll
  modified  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-16_contrast-white.png
  created   C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Base.dll.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
  created   C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_es-419.dll.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Pipes.dll.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\desktop_acrobat_logo.png.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL.id-0C99FD02.[cobson@hwabag.us].HWABAG
  modified  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Tasks.Parallel.dll
  created   C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_pl.dll.id-0C99FD02.[cobson@hwabag.us].HWABAG
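The file IoCs in the two sections above (the Startup-folder drops and the Program Files list) all follow the Dharma naming scheme described under "Renames multiple files", and an incident responder usually wants them reduced to a recovery inventory: which originals were encrypted, under which victim ID, which contact address, and which campaign extension. The script below is an added example for this page, not sandbox or malware code. It parses the flattened "File <action> <path> <process>" lines, recognises the appended suffix with a regular expression, and de-duplicates by original path so that a file that was both created and re-opened counts once. The regex for the suffix and the record shape are assumptions based on what this page shows, and the sample input is constructed from entries above.

```python
import re
from collections import Counter

SAMPLE_EXE = "2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe"

# Dharma/CrySIS renames each encrypted file to
#   <original name>.id-<8 hex victim id>.[<contact e-mail>].<campaign extension>
# which on this run is ".id-0C99FD02.[cobson@hwabag.us].HWABAG". Regex assumed from that shape.
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# One flattened file IoC as the report prints it: "File <action> <path> <process>".
FILE_EVENT = re.compile(
    r"^File (?P<action>created|opened for modification) (?P<path>.+?) (?P<process>\S+\.exe)$"
)

# Constructed sample: a few entries from the file IoC sections above, including one file
# that appears twice (created, then opened again) and two paths still carrying their name.
SAMPLE_LINES = [
    rf"File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.id-0C99FD02.[cobson@hwabag.us].HWABAG {SAMPLE_EXE}",
    rf"File opened for modification C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.id-0C99FD02.[cobson@hwabag.us].HWABAG {SAMPLE_EXE}",
    rf"File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe {SAMPLE_EXE}",
    rf"File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe.id-0C99FD02.[cobson@hwabag.us].HWABAG {SAMPLE_EXE}",
    rf"File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_mr.dll.id-0C99FD02.[cobson@hwabag.us].HWABAG {SAMPLE_EXE}",
    rf"File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml {SAMPLE_EXE}",
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0C99FD02.[cobson@hwabag.us].HWABAG {SAMPLE_EXE}",
    rf"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0C99FD02.[cobson@hwabag.us].HWABAG {SAMPLE_EXE}",
]


def parse_encrypted_name(path):
    """Return (original_path, victim_id, email, ext), or None if the name carries no Dharma suffix."""
    m = DHARMA_SUFFIX.match(path)
    if not m:
        return None
    return m["original"], m["victim_id"].upper(), m["email"].lower(), m["ext"]


def parse_events(lines):
    """Turn flattened report lines into dicts with action, path and process."""
    events = []
    for line in lines:
        m = FILE_EVENT.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(lines):
    """Reduce a run's file events to an inventory keyed by original path."""
    encrypted = {}        # original path -> (victim_id, email, ext); one entry per file
    plain_named = []      # paths still carrying their original name
    by_process = Counter()
    for ev in parse_events(lines):
        by_process[ev["process"]] += 1
        parsed = parse_encrypted_name(ev["path"])
        if parsed:
            original, victim_id, email, ext = parsed
            encrypted[original] = (victim_id, email, ext)
        else:
            plain_named.append(ev["path"])
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({v[0] for v in encrypted.values()}),
        "emails": sorted({v[1] for v in encrypted.values()}),
        "extensions": sorted({v[2] for v in encrypted.values()}),
        "originals": sorted(encrypted),
        "plain_named": plain_named,
        "events_by_process": dict(by_process),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    print(f"{summary['encrypted_count']} files encrypted, ids={summary['victim_ids']}, "
          f"contacts={summary['emails']}, extensions={summary['extensions']}")
    for original in summary["originals"]:
        print("  ", original)
```

Run over the full IoC lists instead of the sample, the same function gives the victim ID and contact address to match against the ransom note, and the list of originals is what a restore job has to cover. A victim ID or e-mail set with more than one member would mean either a second sample or a mis-parsed line, and is worth checking by hand.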
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage and optical drives. The desktop.ini list above includes F:\$RECYCLE.BIN\..., so at least one volume other than C: was found and walked by the encryptor; expect mapped and removable drives to be hit as well.
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are targeted by ransomware to inhibit system recovery. Both vssadmin.exe instances were launched through a cmd.exe spawned by the sample (see the WriteProcessMemory tree below).
Processes: vssadmin.exe (pid 4588), vssadmin.exe (pid 4924)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 entries are the same process, pid 2840 (2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe), enumerating running processes repeatedly; the report lists each enumeration event separately, so the raw table is 64 identical rows rather than 64 different processes.
Processes: 2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe (pid 2840), 64 events
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- vssvc.exe (pid 776): Token: SeBackupPrivilege
- vssvc.exe (pid 776): Token: SeRestorePrivilege
- vssvc.exe (pid 776): Token: SeAuditPrivilege
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
Parent process wrote to memory of target process (each entry is recorded twice in the raw list, giving 16 IoCs):
- PID 2840 (2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe) wrote to memory of PID 232 (cmd.exe)
- PID 232 (cmd.exe) wrote to memory of PID 1076 (mode.com)
- PID 232 (cmd.exe) wrote to memory of PID 4588 (vssadmin.exe)
- PID 2840 (2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe) wrote to memory of PID 1912 (cmd.exe)
- PID 1912 (cmd.exe) wrote to memory of PID 6096 (mode.com)
- PID 1912 (cmd.exe) wrote to memory of PID 4924 (vssadmin.exe)
- PID 2840 (2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe) wrote to memory of PID 6556 (mshta.exe)
- PID 2840 (2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe) wrote to memory of PID 5692 (mshta.exe)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Blocklisted process makes network request
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Blocklisted process makes network request
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-0C99FD02.[cobson@hwabag.us].HWABAG (filesize 2.9MB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA (filesize 1KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 (filesize 724B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 (filesize 471B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA (filesize 410B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 (filesize 392B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 (filesize 412B)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (filesize 4KB)