Analysis
- max time kernel: 126s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 13:07
Static task
static1
Behavioral task
behavioral1
Sample
09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
Resource
win10v2004-20240419-en
General
-
Target
09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
-
Size
131KB
-
MD5
5dd451691d249335fe3918b9865814d5
-
SHA1
da0b239b102c5266c1c2cb15b7c42b0a54b1ca23
-
SHA256
aff75f4ea273d6ab7a9cb9023c37ab723c827ca2a630342dd0054d9c4f0c1227
-
SHA512
c1d0a729ca243a192df7753c382a6ed503002b310ab7648f4fcc4618a8647366356aebb01a1e707fb9a1a75396d2a43436028b1099e35d96deef170fc917e8e6
-
SSDEEP
1536:EAzqL19QneOJQObmI/yPJJHAE4qJvbfxsIzAaVVlo/ba5CabNF+FsBDIQlfJ2hMM:PqtOJRf/yxJAmlRVHFb5J2yos2T
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt
cerber
http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B
http://cerberhhyed5frqa.gkfit9.win/7EC5-54FB-5552-006F-577B
http://cerberhhyed5frqa.305iot.win/7EC5-54FB-5552-006F-577B
http://cerberhhyed5frqa.dkrti5.win/7EC5-54FB-5552-006F-577B
http://cerberhhyed5frqa.cneo59.win/7EC5-54FB-5552-006F-577B
http://cerberhhyed5frqa.onion/7EC5-54FB-5552-006F-577B
Extracted
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- 2060 bcdedit.exe
- 1040 bcdedit.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\instnm.exe\"" (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\instnm.exe\"" (process: instnm.exe)
Deletes itself 1 IoCs
Processes:
- 3064 cmd.exe
Drops startup file 2 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\instnm.lnk (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\instnm.lnk (process: instnm.exe)
Executes dropped EXE 1 IoCs
Processes:
- 2200 instnm.exe
Loads dropped DLL 3 IoCs
Processes:
- 2188 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
- 2188 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
- 2200 instnm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\instnm = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\instnm.exe\"" (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\instnm = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\instnm.exe\"" (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\instnm = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\instnm.exe\"" (process: instnm.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\instnm = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\instnm.exe\"" (process: instnm.exe)
Checks whether UAC is enabled 1 IoCs
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: instnm.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 3: ipinfo.io
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1C38.bmp" (process: instnm.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- 2472 vssadmin.exe
Kills process with taskkill 2 IoCs
Processes:
- 2628 taskkill.exe
- 1064 taskkill.exe
Modifies Control Panel 4 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\instnm.exe\"" (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop (process: instnm.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\instnm.exe\"" (process: instnm.exe)
Modifies Internet Explorer settings
Processes (all keys below are relative to \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer):
- Key created: Main (IEXPLORE.EXE)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Set value (int): Recovery\AdminActive\{196745A1-0D3C-11EF-A34E-5E73522EB9B5} = "0" (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Key created: InternetRegistry (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: IETld\LowMic (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Key created: GPU (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: GPU (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000008e3b145ab508c923143938b59393ee3a060eed3346a16a31bc680156ef11ee44000000000e8000000002000020000000ffa6ddca9b1a4a5ef7abf913d4aa8f46b76ffbdf8b9e33886044140ebe059c0120000000d7513689cd4c6edd19a6dc03d9847a0b3bc5db58a7106796960dab5e7b597dc940000000db2b6b75039c2908141299aaa964db0b013f9c2ee4d9079edfd277ffa47c505c2b1d01500df08870e62987426cd7f2b8c43cfc27cc4eaa6cc3baf1552f7f2384 (iexplore.exe)
- Key created: Main (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Key created: Main (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = 207c2adc48a1da01 (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int): Recovery\AdminActive\{195DC021-0D3C-11EF-A34E-5E73522EB9B5} = "0" (iexplore.exe)
- Key created: InternetRegistry (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: SearchScopes (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\MFV = [value not present in the report] (iexplore.exe)
- Key created: Main\WindowsSearch (IEXPLORE.EXE)
- Set value (int): SearchScopes\DownloadRetries = "3" (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Key created: IETld\LowMic (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Key created: TabbedBrowsing (iexplore.exe)
- Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
- 2200 instnm.exe (the same entry is listed 24 times)
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
- Token: SeDebugPrivilege (pid 2188, 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Token: SeDebugPrivilege (pid 2628, taskkill.exe)
- Token: SeDebugPrivilege (pid 2200, instnm.exe)
- Token: SeBackupPrivilege (pid 2468, vssvc.exe)
- Token: SeRestorePrivilege (pid 2468, vssvc.exe)
- Token: SeAuditPrivilege (pid 2468, vssvc.exe)
- Tokens adjusted by pid 2932, wmic.exe (the following sequence of 20 privileges is listed twice, 40 entries in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Token: SeDebugPrivilege (pid 1064, taskkill.exe)
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
- 1680 iexplore.exe
- 1604 iexplore.exe
- 1680 iexplore.exe
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
- 1680 iexplore.exe
- 1680 iexplore.exe
- 1604 iexplore.exe
- 1604 iexplore.exe
- 1680 iexplore.exe
- 1680 iexplore.exe
- 1928 IEXPLORE.EXE
- 1928 IEXPLORE.EXE
- 2624 IEXPLORE.EXE
- 2624 IEXPLORE.EXE
- 2752 IEXPLORE.EXE
- 2752 IEXPLORE.EXE
- 2624 IEXPLORE.EXE
- 2624 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid and process, target pid and process, number of times the event is listed):
- PID 2188 (09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe) wrote to memory of 2200 (instnm.exe), 4 times
- PID 2188 (09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe) wrote to memory of 3064 (cmd.exe), 4 times
- PID 3064 (cmd.exe) wrote to memory of 2628 (taskkill.exe), 4 times
- PID 3064 (cmd.exe) wrote to memory of 2452 (PING.EXE), 4 times
- PID 2200 (instnm.exe) wrote to memory of 2472 (vssadmin.exe), 4 times
- PID 2200 (instnm.exe) wrote to memory of 2932 (wmic.exe), 4 times
- PID 2200 (instnm.exe) wrote to memory of 2060 (bcdedit.exe), 4 times
- PID 2200 (instnm.exe) wrote to memory of 1040 (bcdedit.exe), 4 times
- PID 2200 (instnm.exe) wrote to memory of 1680 (iexplore.exe), 4 times
- PID 2200 (instnm.exe) wrote to memory of 2392 (NOTEPAD.EXE), 4 times
- PID 1680 (iexplore.exe) wrote to memory of 1928 (IEXPLORE.EXE), 4 times
- PID 1604 (iexplore.exe) wrote to memory of 2752 (IEXPLORE.EXE), 4 times
- PID 1680 (iexplore.exe) wrote to memory of 2624 (IEXPLORE.EXE), 4 times
- PID 2200 (instnm.exe) wrote to memory of 2924 (WScript.exe), 4 times
- PID 2200 (instnm.exe) wrote to memory of 1540 (cmd.exe), 4 times
- PID 1540 (cmd.exe) wrote to memory of 1064 (taskkill.exe), 3 times
- PID 1540 (cmd.exe) wrote to memory of 784 (PING.EXE), 1 time
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe"
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exe
Command line: "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exe"
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\system32\vssadmin.exe
Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
-
Level 3: C:\Windows\system32\wbem\wmic.exe
Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\bcdedit.exe
Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
Level 3: C:\Windows\System32\bcdedit.exe
Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
Level 3: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Level 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:668673 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Level 3: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
-
Level 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
-
Level 3: C:\Windows\system32\cmd.exe
Command line: /d /c taskkill /t /f /im "instnm.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exe" > NUL
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\system32\taskkill.exe
Command line: taskkill /t /f /im "instnm.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\system32\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: /d /c taskkill /t /f /im "09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe" > NUL
- Deletes itself
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /t /f /im "09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
Level 1: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Level 1: C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
Filesize: 85B
MD5: 855016e88e8681057fa255efcc1945d0
SHA1: 5432fc2bd00c82e8fb617ee05554fab9b5c2b2de
SHA256: 3ceb8a8daf46f5f80037b7a71ce94dd4af9025ff2dcbe58471fce3f2acb62b4d
SHA512: dfbe659001aa06da882c072aeaab38aa7459e5f473e8efb632c7260663c87e2523a7251e5889546527358759bb897748973a14fe1639dc74a817e7883a47bfc2
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html
Filesize: 12KB
MD5: 3373f94d4c0763e14b720aadef093dd8
SHA1: 79a709b9891819f55ab87c8f2b5a410472e80a60
SHA256: 8ec094ce6442dd8ae156dee4b2da3780c5900de8139690a98b462cc96c11ada5
SHA512: 10e7c4c647537973844c35e685b7f216cede38d35d72dc69e8b9bf8c9f2c49d5c6fa1d8173445b820f7ee338a942f1ec86cb3024c5780a391a1c2ceb27b763e9
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: 816a10203afbc3e12fc5bd71ae62caa6
SHA1: 2c50075ca3aa2d8e9da6f1393be2430213e7c005
SHA256: 63e6913f67a7deb8f3e9475a4930b013d6088a2b841cb33783541067b9574b49
SHA512: 94dbd05bf7f8ed135c03ab49657284836f747ca1a83cfd1e74e41c9600d6486ba3ec3802493cc05fdea2dae5b0c713fab63eba2f234a7a1fb6c30e3da195f314
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.vbs
Filesize: 219B
MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ef965220c9f641d209ca78bc21b404d3
SHA1: 7c05f7fad0e94ef59b1a6bf5270ba629ffd18404
SHA256: 8b5aa70f51347456c1b3ae7c62b8964188fc0e7828a99a582ad37f5bb578a00e
SHA512: 5d0bc3d7a031af0ad3cd01d39a138a96d31bd5b169c3f8e381f3053541d980f0dd1de47b1c6bd6103368740823ac76287fbd12d7b9f3425e7b79b4a1e5dc5f97
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ed0598fe0a7942052f8ae0ff43817274
SHA1: f0b842726ec2c3d11b17706732b79d4c2e235a2e
SHA256: 8503f2be60f0bc822903b2e4a36fde469323add266bfc681fd9b133902ca5154
SHA512: 34abe69398ca598c9ecb88bbc8e45b280006af81f2fc3e6e39d5cca5c24cc475f6b1d02c9920277e6c82a35ce2c7bb00fb9ced003bcf52f50c30c72856530dd9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 4d099b3ce4ddaa31396d421f077b2d75
SHA1: c6681266cbb7965dcb00a4a1123ddab3975192ad
SHA256: 0e11eaea34cf9f7b2b991b7477801bb5f3c0ce1edfc0639c8152feab04dd16ee
SHA512: 393ed9bcf97da1144008173c475288a04b4f879d9c9df62d5f11fd5aa49e3a7e53ec521c5cf628fd4e6d21beb267eb2f7675b782486666119b3e7e7b6fc4f720
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56352141c85362b6bd89a148187b93303
SHA18484a6a1f6f5efe6b46cc58fdb3bc09b408d149f
SHA2568b8e0369f8761f3ff05c9f1ff4419476085bf23a4f7ee56e630c353d0cf5f74a
SHA5120c5fd03c8c9827268536df4aa61fdfafaf83522e278a819910bad0f2e990f96ba5f163873fbdbf7f9c942eba8154bc6ce0915f80fff6edd736efa8dfd8600d69
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5db1cce741bdcd12357d6bff10c78e58e
SHA13f73fb67e2078d7c630db2bace55782d653c1138
SHA25695db272d28bf77805d595b322c2b3a0c78d605e77aa950242463f6f687b05c77
SHA5125b2150f1700955a74a64f18239ea13f13b8d01f8f08fc768535bd1dc04008c468b0549039044b2b62efb0c2d8c3b0f1bc805d66cf4425bc1acb3c2793f3f1f2b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD58673cc76a973a19ff397089fa62addb4
SHA12c025cb92d562709449566a3e786075de12ef590
SHA256491360acc2083ddfb431ced87421983bd4de2bfc44f4582904267079e0caefbd
SHA512d5e40e25debb421e917cf34bc0c7b949ad57911bf3a178f521db6b476486c843a39c9b45b6d7fe627eefb3742b2383fb972eae5db9c18aab8fdcf161a309b9e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a9fcdd3ef939cfded7404ad0226ea27c
SHA1961c6ffc9e4b0f93f9a95e26db292bd139a82866
SHA2569d3890a1001ae009ef434a2ac1eaf608093f7f5f2f938f815d55d86bc7813f60
SHA512558bdf4d4c836f0342189620129e666d1659ce6c76c34824daea0f6348e670baa278ae459aabfde59e0105aa81e12c035543250a77644868519a8a308aae7747
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD51fe27bf3f2cd8cc33f9721a756ee5d99
SHA1dc21f0cde38aa047576eb8667ae8248f2bd13179
SHA25650878f428003e81753017062ac341a818eea21a06d6f70aa2459b13626805a55
SHA51292f1aa475155f43fc7efb7b77fc4b69d817f4d5b99dfb4db3837fa8b5c10b1c08947ca25cea684ebacb3cfd36087d1899eb716953ec840ff7144ff17cf90cfed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52f944227cebc10ededb983a87589cf68
SHA1eceb10723ee361e87ab752241e20755cd0f02b0b
SHA25630ba3cea49e9d51762939926cc8b10023d2a20277b4fabdf8469adc570bcde60
SHA512e68ea7ce79098b01c8f26c8fcad6e1f15a63cfa5b65d680eca44788087d74b338a5145de6d827ee133ec2ecab20c471bcd5011b1486cb33b7e642aaea38cd1d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5dc16ae247d0836b45e6502428181c035
SHA1e8763af8b2f61a934c7ddcba95b539da1cdd320f
SHA2564b0c94bfe352dfd5d334bc586a076341c87fa140480581d721ea3b1183693625
SHA5122d95a3bd7c9c371e00afc312232ccf4e9bb7b2c0dfcdfdabfc5907803e343bcb5b134a7e8dc15a5cb1101c757ff309c389ee8ebbbb16be7a8dd71068de527df5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD59bb3ea7fa18d7d042c002e8e64c8f6b6
SHA1568c6e1a2ec2136c9b97c7aa6295fd9cd81f8490
SHA25616dda0a317a1eb2eaee5b8f6d9e24141b819cdf29c623dd052d484eea41cc03d
SHA512c8ab69477ab8bacfa62ae8dfcb1e90955466e26f51952dd78c99df5358f60efd3dcdb0e3742da25181c8ee027f8325baa670474e72e5dd4716432d93a5224f7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53872190de9cfa5e8f7d9cee891cb463e
SHA101492986eb923d4ade99d7e6d79a9808550c845e
SHA2565bb068cd69cbb683a4c1f6b85da16bcedbdfbf13a9fc8de39ab42b7b56f1c0b7
SHA5121c39a0e2cd5e24eee10e9cacbbcbec68746042728cc96d6b38b7de1d5a682457b672ee638f38d49de1b6b49e56867c8ee17a4bffb74fdf72f48f29e5aeb1ac2a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d7091a202eb2717edb825b316893581d
SHA16753f532d2a55feeca91ec7f68eb971d7bb797c3
SHA256973033a13ca7b2b5ca76536d1dc5f4223d67fa5b849849b0ae527b6bfc52391b
SHA512e65a1033bd5f030d49146310407d6d428a56cfde486ffebdd5cbd0c2baea7c73317d2aeb15501a8867eabfbb588c2a60d2bfef1353e448c9a3d9cd6f80cb2b21
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5b5ad7d4a9ffcff6f4c5bee96e6b6619a
SHA1573de82d319f0611c4f013c9416aec38abfd528d
SHA256a4e15b1ebf232e6f453e91a4f0b4e981ebf682b40679ce9c197d8ca388f67596
SHA5128dc68cf51396403de5ef8032ef43a5c26f99d2fb4d8c6df4b0b387272afeb26763a9abd11c694b3a19ae15f2710f7a8959ca42b396819b745ef1b360bc8651ba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD568d7755b8ae2454c509950ba18cc223a
SHA1ad3aeaba00d854d56b8c52979dc3b143b96e4dda
SHA2566957629ae9f0a4d9c484702b5a57bb2a98eac5b97c783f812d05b34a815977f6
SHA5122d2ebf27e4f7ab49fe1bc30a40dc7e0ea430b7e9a2cdc76f7ec979949c715db9702fc0742dffdc67d1ec4ee8174a537552653431e4e639242d902c03643828bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e1aa283d091c941cfde3d822dd0ceb3a
SHA1fe75599bb30866f5ca3695d3bda153671199da1e
SHA2560b65c8b486ce2fff09094b6a1445fb6baf6753ddbc88e1e4a9346a2061d9da93
SHA512027fc6a2ffeaf2c0c2a160ff063155304f951f0e241660d0f464e03367cf03e664f121da5d8c4761469d7c19dda43d8595782a0175c89a78463cea419110ece4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD59ec4a9c24cb56e63ac87bbef85060c14
SHA17647e786a046b785807eca44823c948f1db3e3ce
SHA2563a7360a23cf1b860d6c593f7d55958d1ae93c75756453bc1ccb2ecca08009860
SHA5122a313d2534fb66eb380efbda218694760efcf2727196256b0eb5087cdcc90f0a985bb44011d1cf87bf6014fbfa1fd63bc9e56dd4633b115b06376ecc9a11c8f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50cc7f67a4087a07fd8cd270b1314898f
SHA1593e40900bb65099ac98d5c764709a44540a0b70
SHA2565fafd53d32b47b2ca88fefcdc30dc0987f607dd5e2ddc221a70ae92998d7ccd8
SHA512028ec760035f8ad41825b9af7fd62f3e4e8d5dbfcc014190483b71779f65bfe0e675c655998fe90112145913be6b5612501e46b7c57ab834f20527b4943c0960
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD535711466d88d38ce2eb974ede607b3a4
SHA170057107a4e7a76e577f4ef9acce645d95fe6728
SHA256394158808390e785e21dd44ee421f5938c579e590026e619cb1e689be9b0b056
SHA5127de5ce1be4ff438b82907df0c6d02dc8408bb88fc7921041b5670069756d0fcb5cff588c4dcfe333ff50fbda39444b038ad77bb30bde6653bdec02a0e955072e
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{195DC021-0D3C-11EF-A34E-5E73522EB9B5}.datFilesize
5KB
MD5c1ea0bf6af53dece17aba93547ea6ff9
SHA14cd965b3c57eeb3e07ebae35e9ecd9129cd0d91c
SHA256487ded9b391b35d8536c5f5d28928639cb326128787a172cf8cce7dc5254bede
SHA512f51b610841b5a48214323be2d5e2d48089d03ff6ffdfb11ae8b67b2db238a004c2b53811cb69a87d4f614e0697ad1d4aa26f5fb751342968aa2b19e335cbdd7b
-
C:\Users\Admin\AppData\Local\Temp\Cab3314.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar33E4.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\instnm.lnkFilesize
1KB
MD5253b3ea6762c53592913e6746b2e0f00
SHA16b54d01472f102fb4f61dbb9fa79a761e2af8a3a
SHA25690bb08b510feb79a138690c81f83b6dd1d3d7d0bc9d52179e1e767a4b72ddbc2
SHA512b21ae2024ae5b3943b09c43e229b68919b7c7abbae887feee2aa9a74f562d7921c1faf9c8894f8a0f8810dcca6e53ea0d848e5d31b1f8f7a30a201457ff2505e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exeFilesize
131KB
MD55dd451691d249335fe3918b9865814d5
SHA1da0b239b102c5266c1c2cb15b7c42b0a54b1ca23
SHA256aff75f4ea273d6ab7a9cb9023c37ab723c827ca2a630342dd0054d9c4f0c1227
SHA512c1d0a729ca243a192df7753c382a6ed503002b310ab7648f4fcc4618a8647366356aebb01a1e707fb9a1a75396d2a43436028b1099e35d96deef170fc917e8e6
-
memory/2188-13-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2188-0-0x0000000000020000-0x0000000000036000-memory.dmpFilesize
88KB
-
memory/2188-1-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2200-21-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2200-22-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2200-483-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2200-19-0x0000000002610000-0x0000000002611000-memory.dmpFilesize
4KB
-
memory/2200-16-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2200-14-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2200-24-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2200-471-0x0000000003A20000-0x0000000003A22000-memory.dmpFilesize
8KB
-
memory/2200-960-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
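Added example, not part of the sandbox report or of any tool the report comes from: a small Python script that parses a dropped-files listing like the one above (it accepts both the fused text form the page extracts to, "MD5<hash>" and "<path>Filesize", and the separated "MD5: <hash>" form) and groups the records by what an analyst would pull out first. The rules it applies are this example's own assumptions: a path containing the ransom-note name, a .lnk under the Start Menu StartUp folder, an executable under a GUID-named Roaming directory, a record whose digests are those of zero-length content (the \??\PIPE\samr entry: a named pipe has no file body, so its MD5, SHA1, SHA256 and SHA512 are the empty-input digests), and a path that recurs with different hashes (the same file rewritten, as the CryptnetUrlCache MetaData entry is). The embedded input is a subset copied from the listing above; the sandbox itself offers no such classification.

```python
import hashlib
import re
from collections import defaultdict

# Constructed input: records copied from the dropped-files listing above, kept
# in the fused text form the report extracts to ("<path>Filesize", "MD5<hash>").
SAMPLE = r"""
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.vbsFilesize
219B
MD535a3e3b45dcfc1e6c4fd4a160873a0d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ef965220c9f641d209ca78bc21b404d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ed0598fe0a7942052f8ae0ff43817274
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\instnm.lnkFilesize
1KB
MD5253b3ea6762c53592913e6746b2e0f00
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
-
\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exeFilesize
131KB
MD55dd451691d249335fe3918b9865814d5
-
memory/2188-13-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
"""

LABEL = r"Filesize|MD5|SHA512|SHA256|SHA1"
PATH_RE = re.compile(rf"^(?P<path>.+?)\s*(?P<label>{LABEL})?\s*:?\s*$")
FIELD_RE = re.compile(rf"^(?P<label>{LABEL})\s*:?\s*(?P<value>.*)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes: a record carrying any of these has no file content.
EMPTY_DIGESTS = {k: getattr(hashlib, k.lower())(b"").hexdigest() for k in HASH_LEN}
# Classification rules are this example's own assumptions, not the sandbox's.
RANSOM_NOTE = "# DECRYPT MY FILES #"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
GUID_EXE_RE = re.compile(r"\\AppData\\Roaming\\\{[0-9A-Fa-f-]{36}\}\\[^\\]+\.exe$", re.I)


def parse_listing(text):
    """Parse the listing into dicts like {'path': ..., 'Filesize': ..., 'MD5': ...}."""
    records, cur, pending = [], None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line == "-":                       # record separator
            if cur:
                records.append(cur)
            cur, pending = None, None
        elif cur is None:                     # first line: path, maybe with a fused label
            m = PATH_RE.match(line)
            cur, pending = {"path": m.group("path")}, m.group("label")
        elif pending:                         # value of the label fused to the line above
            cur[pending], pending = line, None
        else:
            m = FIELD_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {line!r}")
            if m.group("value"):
                cur[m.group("label")] = m.group("value")
            else:                             # bare label, value on the next line
                pending = m.group("label")
    if cur:
        records.append(cur)
    return records


def validate_hashes(record):
    """Report digests whose length or alphabet does not fit their algorithm."""
    return [f"{k}: expected {n} hex chars, got {record[k]!r}"
            for k, n in HASH_LEN.items()
            if k in record and not re.fullmatch(rf"[0-9a-f]{{{n}}}", record[k])]


def triage(records):
    """Group the records by what an analyst would act on first."""
    findings, digests_by_path = defaultdict(list), defaultdict(set)
    for r in records:
        p = r["path"]
        if p.startswith("memory/"):
            findings["memory_dump"].append(p)
            continue
        if RANSOM_NOTE in p:
            findings["ransom_note"].append(p)
        if STARTUP_DIR in p.lower():
            findings["startup_persistence"].append(p)
        if GUID_EXE_RE.search(p):
            findings["appdata_guid_exe"].append(p)
        if any(r.get(k) == v for k, v in EMPTY_DIGESTS.items()):
            findings["empty_content"].append(p)
        if "MD5" in r:
            digests_by_path[p].add(r["MD5"])
    # One path listed repeatedly with different digests: the file was rewritten.
    for p, digests in digests_by_path.items():
        if len(digests) > 1:
            findings["rewritten"].append((p, len(digests)))
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(parse_listing(SAMPLE)).items():
        print(category, *items, sep="\n    ")
```

Running the script on the embedded subset prints one group per rule; pasting the full listing into SAMPLE reports the MetaData path as rewritten eighteen times. The empty-digest values are computed from hashlib rather than hard-coded, so the check also works for reports that list only one of the four algorithms.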