Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 17:10

Static task: static1
Behavioral task: behavioral1
  Sample: cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe
  Resource: win10v2004-20241007-en
(The results below are from the behavioral1 run on win7-20240903-en, as the platform field shows.)

General
Target: cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe
Size: 612KB
MD5: d21f6b4bcb3c52061dd42d7830823940
SHA1: 5474cd41a7eca331c1fce96cb0acacc5161a1dd7
SHA256: cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281
SHA512: abac923025aa36a6cff948eafea91f048fe1441be98f4375ab8ab7583c6011c428d1c76209505ba30281c1271240d6e64b166c0070654c0d4de2355ea35b1968
SSDEEP: 12288:+dXmAPpb7y6MeBG7QvsHdZ6MgQ5luq2G:ULy6Mek73TllLF
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+edalr.txt
Family: teslacrypt
URLs (all four carry the same path component, B26C99A7E8F1A4C; the three clearnet hosts act as gateways to the .onion address):
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/B26C99A7E8F1A4C
- http://tes543berda73i48fsdfsd.keratadze.at/B26C99A7E8F1A4C
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B26C99A7E8F1A4C
- http://xlowfznrg4wf7dli.ONION/B26C99A7E8F1A4C
Signatures

TeslaCrypt, AlphaCrypt
  Ransomware that presented itself as a CryptoLocker variant. The developers shut it down in 2016 and released the master decryption key.

Teslacrypt family

Deletes shadow copies (3 TTPs)
  Ransomware deletes backups and snapshots to inhibit system recovery. Here the dropped copy runs "WMIC.exe shadowcopy delete /nointeractive" twice (PIDs 2192 and 2772), serviced by vssvc.exe (PID 2580); see the process tree.

Renames multiple (438) files with added filename extension
  This is the encryption pass: each encrypted file is renamed with an appended extension. The "Drops file in Program Files directory" list below shows the files as opened under their original names; the appended extension itself is not visible in that list.
Deletes itself (1 IoC)
Processes:
- 3028 cmd.exe
Drops startup file (6 IoCs)
Processes (all bjiwpcuutejk.exe, File opened for modification):
- C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+edalr.html
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+edalr.png
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+edalr.txt
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+edalr.html
- C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+edalr.png
- C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+edalr.txt
  (These are the ransom-note triplet landing in two autostart folders during the directory walk, not an executable payload; the persistence mechanism is the Run key below.)
Executes dropped EXE (1 IoC)
Processes:
- 2016 bjiwpcuutejk.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No IoCs are attached to this signature in the report; a ransomware directory walk that opens files under the browser profile directories matches the same heuristic, so on its own this is not evidence of credential theft.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- bjiwpcuutejk.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tpinyhoxevbs = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\bjiwpcuutejk.exe\""
  (The value launches the copy in C:\Windows through cmd.exe /c start rather than naming it directly; both the value name and the dropped filename appear randomly generated.)
Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by their intrusion activity. Here both the original sample (CF2B87~1.EXE in the user's Temp directory) and the dropped copy (C:\Windows\BJIWPC~1.EXE) are removed with cmd.exe /c DEL; see the process tree.
Drops file in Program Files directory (64 IoCs)
Processes (all bjiwpcuutejk.exe, File opened for modification):
- C:\Program Files\Google\Chrome\Application\_RECOVERY_+edalr.txt
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_RECOVERY_+edalr.txt
- C:\Program Files\VideoLAN\VLC\locale\ps\_RECOVERY_+edalr.html
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_RECOVERY_+edalr.html
- C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png
- C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\_RECOVERY_+edalr.html
- C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png
- C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg
- C:\Program Files\Windows NT\Accessories\_RECOVERY_+edalr.txt
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_RECOVERY_+edalr.png
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_RECOVERY_+edalr.html
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_RECOVERY_+edalr.txt
- C:\Program Files\Java\jre7\lib\jfr\_RECOVERY_+edalr.png
- C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt
- C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css
- C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_RECOVERY_+edalr.txt
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_RECOVERY_+edalr.html
- C:\Program Files\Windows Media Player\it-IT\_RECOVERY_+edalr.png
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png
- C:\Program Files\7-Zip\Lang\mk.txt
- C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\_RECOVERY_+edalr.png
- C:\Program Files\Microsoft Games\Solitaire\fr-FR\_RECOVERY_+edalr.txt
- C:\Program Files\Windows Defender\en-US\_RECOVERY_+edalr.png
- C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png
- C:\Program Files\Common Files\Microsoft Shared\VSTO\_RECOVERY_+edalr.html
- C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\library.js
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css
- C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\_RECOVERY_+edalr.html
- C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\_RECOVERY_+edalr.png
- C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png
- C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_RECOVERY_+edalr.txt
- C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png
- C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_RECOVERY_+edalr.txt
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png
- C:\Program Files\Java\jdk1.7.0_80\_RECOVERY_+edalr.txt
- C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_RECOVERY_+edalr.html
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_RECOVERY_+edalr.txt
- C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css
- C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_RECOVERY_+edalr.txt
- C:\Program Files\Microsoft Games\Mahjong\it-IT\_RECOVERY_+edalr.png
- C:\Program Files\Microsoft Games\Minesweeper\_RECOVERY_+edalr.txt
- C:\Program Files\VideoLAN\VLC\locale\ja\_RECOVERY_+edalr.png
- C:\Program Files\VideoLAN\VLC\locale\or_IN\_RECOVERY_+edalr.html
- C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_RECOVERY_+edalr.png
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png
- C:\Program Files\7-Zip\Lang\kaa.txt
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\localizedSettings.css
- C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_RECOVERY_+edalr.png
- C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_RECOVERY_+edalr.png
- C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png
- C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js
- C:\Program Files\Windows Mail\ja-JP\_RECOVERY_+edalr.html
- C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\_RECOVERY_+edalr.png
- C:\Program Files\Common Files\System\it-IT\_RECOVERY_+edalr.png
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_RECOVERY_+edalr.png
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_RECOVERY_+edalr.png
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_RECOVERY_+edalr.html
(The list mixes two kinds of entry: the _RECOVERY_+edalr.{txt,html,png} note triplet written into each directory the encryptor walks, and pre-existing files opened for encryption. The 64-entry limit is the report's display cap.)
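The file list above is a flattened run of "File opened for modification <path> <process>" entries in which ransom-note drops and opens of pre-existing files are interleaved. The following parser, an example added here rather than code from the sandbox or from the malware, splits such a run and separates the two kinds of entry, counting the directories that received the note triplet and the extensions of the files touched. The input is a constructed six-entry excerpt modelled on the entries above; the note-name pattern (_RECOVERY_+<token>.{txt,html,png}) is the one this report shows.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed excerpt in the report's "File opened for modification <path> <process>"
# format, modelled on the entries above; sample input for this example, not the
# sandbox's own output.
SAMPLE = " ".join([
    r"File opened for modification C:\Program Files\Google\Chrome\Application\_RECOVERY_+edalr.txt bjiwpcuutejk.exe",
    r"File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png bjiwpcuutejk.exe",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\locale\ps\_RECOVERY_+edalr.html bjiwpcuutejk.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt bjiwpcuutejk.exe",
    r"File opened for modification C:\Program Files\7-Zip\Lang\mk.txt bjiwpcuutejk.exe",
    r"File opened for modification C:\Program Files\Java\jre7\lib\jfr\_RECOVERY_+edalr.png bjiwpcuutejk.exe",
])

OP = "File opened for modification "
# Ransom-note family seen in this report: _RECOVERY_+<token>.{txt,html,png}
NOTE_RE = re.compile(r"^_RECOVERY_\+[A-Za-z0-9]+\.(?:txt|html|png)$")


class FileOp(NamedTuple):
    path: str
    process: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def parse_file_ops(text: str) -> list[FileOp]:
    """Split a flattened run of 'File opened for modification <path> <process>'.

    Paths may contain spaces, so each chunk is split at its last space: the
    tail is the process name, everything before it is the path.
    """
    ops = []
    for chunk in text.split(OP):
        chunk = chunk.strip()
        if chunk:
            path, _, process = chunk.rpartition(" ")
            ops.append(FileOp(path, process))
    return ops


def is_ransom_note(path: str) -> bool:
    return NOTE_RE.match(basename(path)) is not None


def triage(text: str) -> dict:
    """Separate ransom-note drops from opens of pre-existing files and summarise."""
    ops = parse_file_ops(text)
    notes = [op for op in ops if is_ransom_note(op.path)]
    victims = [op for op in ops if not is_ransom_note(op.path)]
    return {
        "entries": len(ops),
        "processes": sorted({op.process for op in ops}),
        "ransom_notes": len(notes),
        "note_names": {basename(op.path) for op in notes},
        # the note triplet is written once per directory the encryptor walks
        "note_dirs": len({dirname(op.path) for op in notes}),
        "victim_files": len(victims),
        "victim_ext": dict(Counter(basename(op.path).rsplit(".", 1)[-1].lower()
                                   for op in victims)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Splitting at the last space rather than on whitespace is what keeps paths such as "Mso Example Setup File A.txt" intact; the process name is the only token guaranteed to contain no spaces.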
Drops file in Windows directory (2 IoCs)
Processes:
- cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe: File opened for modification C:\Windows\bjiwpcuutejk.exe
- cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe: File created C:\Windows\bjiwpcuutejk.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drives.
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location. The key is also read by many legitimate processes during normal startup, as the list below (notepad, Internet Explorer, DllHost) shows, so it is a weak signal on its own.
Processes (Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
- IEXPLORE.EXE
- cmd.exe
- cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe
- bjiwpcuutejk.exe
- cmd.exe (second instance)
- NOTEPAD.EXE
- DllHost.exe
Modifies Internet Explorer settings
  All entries are written by iexplore.exe / IEXPLORE.EXE during first-run initialisation after the dropped copy opened RECOVERY.HTM; none are written by the sample itself.
Processes (IE\ abbreviates \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer; writing process in parentheses):
- Key created IE\Main (iexplore.exe)
- Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int) IE\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created IE\Zoom (iexplore.exe)
- Key created IE\Recovery\AdminActive (iexplore.exe)
- Set value (str) IE\Main\FullScreen = "no" (iexplore.exe)
- Set value (data) IE\TabbedBrowsing\NewTabPage\LastProcessed = 30797715ca27db01 (iexplore.exe)
- Key created IE\InternetRegistry (iexplore.exe)
- Key created IE\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created IE\PageSetup (iexplore.exe)
- Set value (int) IE\SearchScopes\DownloadRetries = "2" (iexplore.exe)
- Set value (int) IE\DomainSuggestion\NextUpdateDate = "436124519" (iexplore.exe)
- Set value (int) IE\Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int) IE\Recovery\AdminActive\{40DC5411-93BD-11EF-8C8D-7E918DD97D05} = "0" (iexplore.exe)
- Key created IE\Recovery\PendingRecovery (iexplore.exe)
- Key created IE\LowRegistry\DOMStorage (iexplore.exe)
- Key created IE\SearchScopes (iexplore.exe)
- Set value (data) IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (int) IE\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Key created IE\TabbedBrowsing\NewTabPage (iexplore.exe)
- Key created IE\DomainSuggestion (iexplore.exe)
- Key created IE\BrowserEmulation\LowMic (iexplore.exe)
- Key created IE\Toolbar (iexplore.exe)
- Key created IE\Toolbar\WebBrowser (iexplore.exe)
- Key created IE\Main\WindowsSearch (iexplore.exe)
- Key created IE\TabbedBrowsing (iexplore.exe)
- Key created IE\GPU (iexplore.exe)
- Key created IE\IETld\LowMic (iexplore.exe)
- Key created IE\LowRegistry (iexplore.exe)
- Key created IE\Main\WindowsSearch (IEXPLORE.EXE)
- Set value (int) IE\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data) IE\TabbedBrowsing\NewTabPage\MFV = (value not captured) (iexplore.exe)
- Set value (data) IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000e1ba4300eea68d9dda10fc6098cd084b267f6598500436e5e79e99b00ae8b004000000000e8000000002000020000000b9a489fc0dd48c865fb20ea2cac4cfdf41e51c5876506f8d026fc25f256780c020000000b1711e88725aa2ff598bb6268c48955ebf17e37cfb409534c6edba2aaa6da40840000000460bd94fde07b03bc150d4280ea486a75bc2b8a502df1f70c455bb2c83bb7065397f1e9c7fc2b1abb5336731eacdd8e958f54f8785f5bf99c9c49972a4e6de66 (iexplore.exe)
- Key created IE\IntelliForms (iexplore.exe)
- Key created IE\Main (IEXPLORE.EXE)
- Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
Opens file in notepad (likely ransom note) (1 IoC)
Processes:
- 2596 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- 2016 bjiwpcuutejk.exe (listed 64 times; the count is the report's display cap)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (privileges enabled, in order):
- 2480 cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe: SeDebugPrivilege
- 2016 bjiwpcuutejk.exe: SeDebugPrivilege
- 2192 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the whole sequence appears twice)
- 2580 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 2772 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 (listing cut off by the 64-IoC cap)
  (The long privilege lists belong to WMIC.exe and vssvc.exe themselves, which enable the privileges present in their tokens on startup; the sample-specific signal is the SeDebugPrivilege enable by the original and by its dropped copy, and the fact that WMIC was launched at all.)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- 3068 iexplore.exe
- 588 DllHost.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
- 3068 iexplore.exe (2)
- 1056 IEXPLORE.EXE (2)
- 588 DllHost.exe (2)
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (writer PID/image, target PID/image, number of writes):
- 2480 cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe wrote to 2016 bjiwpcuutejk.exe (4)
- 2480 cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe wrote to 3028 cmd.exe (4)
- 2016 bjiwpcuutejk.exe wrote to 2192 WMIC.exe (4)
- 2016 bjiwpcuutejk.exe wrote to 2596 NOTEPAD.EXE (4)
- 2016 bjiwpcuutejk.exe wrote to 3068 iexplore.exe (4)
- 3068 iexplore.exe wrote to 1056 IEXPLORE.EXE (4)
- 2016 bjiwpcuutejk.exe wrote to 2772 WMIC.exe (4)
- 2016 bjiwpcuutejk.exe wrote to 2056 cmd.exe (4)
  (Every target is a direct child of the writer, matching the process tree below, so these are the writes that accompany process creation rather than injection into an unrelated process.)
System policy modification (1 TTP, 2 IoCs)
Processes:
- bjiwpcuutejk.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
- bjiwpcuutejk.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  (With UAC enabled, EnableLinkedConnections makes drive letters mapped in the user's standard token visible to the elevated token as well, so an elevated encryptor can reach mapped network shares. Setting it is a TeslaCrypt hallmark and a useful detection point, since ordinary software has little reason to write it.)
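The Run-key and policy entries above are given in the report's flattened "description ioc process" form, with the value data quoted and backslash-escaped. The parser below is an example added here, not code from the sandbox or from the malware: it turns such lines into structured events, normalises the \REGISTRY\USER and \REGISTRY\MACHINE prefixes to HKU and HKLM, unwraps a Run value that launches its target through cmd.exe /c start "" "<target>", and checks for the EnableLinkedConnections=1 write. The input lines are constructed copies of the two entries this report shows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lines in the report's own "description ioc process" format,
# modelled on the Run-key and Policies\System entries above; sample input for
# this example, not copied from the sandbox.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tpinyhoxevbs = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\bjiwpcuutejk.exe\"" bjiwpcuutejk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" bjiwpcuutejk.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bjiwpcuutejk.exe',
]

LINE_RE = re.compile(
    r"^(?P<op>Set value \((?P<type>\w+)\)|Key created) "
    r"(?P<key>\S+)"
    r'(?: = (?P<data>"(?:[^"\\]|\\.)*"))?'   # quoted data with \" and \\ escapes
    r" (?P<process>\S+)$"
)
HIVES = (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\"))
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
CMD_START_RE = re.compile(r'cmd\.exe\s+/c\s+start\s+""\s+"(?P<target>[^"]+)"', re.I)
POLICY_TAIL = "\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelinkedconnections"


@dataclass(frozen=True)
class RegEvent:
    op: str                    # "Set value" or "Key created"
    value_type: Optional[str]  # str / int / data, None for key creation
    key: str                   # normalised to HKU\... or HKLM\...
    data: Optional[str]        # unescaped value data, None for key creation
    process: str


def unescape(quoted: str) -> str:
    """Drop the surrounding quotes and undo the report's backslash escaping."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_line(line: str) -> RegEvent:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised registry line: {line!r}")
    key = m["key"]
    for prefix, hive in HIVES:
        if key.upper().startswith(prefix):
            key = hive + key[len(prefix):]
            break
    op = "Key created" if m["op"] == "Key created" else "Set value"
    data = unescape(m["data"]) if m["data"] else None
    return RegEvent(op, m["type"], key, data, m["process"])


def run_key_entries(events: list[RegEvent]) -> list[dict]:
    """Run-key values that were set, with the real target unwrapped when the
    value launches it through a cmd.exe /c start wrapper."""
    found = []
    for ev in events:
        m = RUN_KEY_RE.search(ev.key)
        if ev.op != "Set value" or m is None:
            continue
        wrapped = CMD_START_RE.search(ev.data or "")
        found.append({
            "hive": ev.key.split("\\", 1)[0],
            "name": m["name"],
            "target": wrapped["target"] if wrapped else ev.data,
            "wrapped_in_cmd": wrapped is not None,
            "process": ev.process,
        })
    return found


def linked_connections_enabled(events: list[RegEvent]) -> bool:
    """True when EnableLinkedConnections=1 was written under HKLM Policies\\System.

    With UAC on, that setting makes drive letters mapped in the user's standard
    token visible to the elevated token too, so an elevated encryptor reaches
    mapped network shares as well as local disks.
    """
    return any(ev.op == "Set value" and ev.key.lower().startswith("hklm\\")
               and ev.key.lower().endswith(POLICY_TAIL) and ev.data == "1"
               for ev in events)


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LINES]
    for entry in run_key_entries(events):
        print("Run key:", entry)
    print("EnableLinkedConnections set:", linked_connections_enabled(events))
```

Unwrapping the cmd.exe /c start indirection matters for matching: an allow-list or signature keyed on the Run value data would see cmd.exe, while the file that actually persists is the copy in C:\Windows.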
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe (PID 2480, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\bjiwpcuutejk.exe (PID 2016, depth 2, child of 2480)
    Command line: C:\Windows\bjiwpcuutejk.exe
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\wbem\WMIC.exe (PID 2192, depth 3, child of 2016)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2596, depth 3, child of 2016)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)

    C:\Program Files\Internet Explorer\iexplore.exe (PID 3068, depth 3, child of 2016)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1056, depth 4, child of 3068)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3068 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

    C:\Windows\System32\wbem\WMIC.exe (PID 2772, depth 3, child of 2016)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 2056, depth 3, child of 2016)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BJIWPC~1.EXE
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 3028, depth 2, child of 2480)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\CF2B87~1.EXE
    - Deletes itself
    - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 2580, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe (PID 588, depth 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

Reading the tree: the original drops a copy to C:\Windows, launches it, and deletes itself through cmd.exe; the copy deletes shadow copies twice via WMIC, displays the ransom note in both notepad and Internet Explorer, and finally deletes its own image. The children's image paths are under SysWOW64 while their command lines say system32, which is WOW64 file-system redirection: the sample and its copy run as 32-bit processes on this x64 guest. vssvc.exe is the Volume Shadow Copy service, started on demand to service the two deletion requests; DllHost.exe /Processid:{...} is a COM surrogate started by the system, not a child of the sample.
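The detection value of the tree above lies in the parent/child relationships more than in any one image name: WMIC deleting shadow copies is suspicious because of who launched it, and cmd.exe /c DEL is self-deletion only when the 8.3 short name in its command line resolves to its parent's own image. The code below is an example added here, not part of the sandbox or the malware; it runs three such checks over constructed process-creation events that reuse the PIDs and command lines of the tree, and resolves the short names (BJIWPC~1.EXE, CF2B87~1.EXE) against the parent image path with a six-character-stem heuristic.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for processes whose parent was not captured
    image: str
    cmdline: str


SAMPLE = "cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

# Constructed process-creation events with the PIDs and command lines of the
# tree above; sample input for this example, not the sandbox's event log.
EVENTS = [
    Proc(2480, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    Proc(2016, 2480, r"C:\Windows\bjiwpcuutejk.exe", r"C:\Windows\bjiwpcuutejk.exe"),
    Proc(2192, 2016, WMIC, '"' + WMIC + '" shadowcopy delete /nointeractive'),
    Proc(2596, 2016, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    Proc(3068, 2016, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM'),
    Proc(2772, 2016, WMIC, '"' + WMIC + '" shadowcopy delete /nointeractive'),
    Proc(2056, 2016, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BJIWPC~1.EXE'),
    Proc(3028, 2480, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\CF2B87~1.EXE'),
]

SHADOW_RE = re.compile(r"\b(?:shadowcopy\s+delete|delete\s+shadows)\b", re.I)
DEL_RE = re.compile(r"/c\s+DEL\s+(\S+)", re.I)
NOTE_RE = re.compile(r"\\Desktop\\RECOVERY\.(?:TXT|HTM|HTML|PNG)\b", re.I)
SHORT_RE = re.compile(r"^([^~.]{1,6})~\d+(\.[^.]*)?$")


def _split(path: str) -> tuple[str, str]:
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name


def short_name_matches(long_path: str, short_path: str) ->  bool:
    """Heuristic 8.3 match: BJIWPC~1.EXE in a directory refers to bjiwpcuutejk.exe there.

    Real short names may be ~2, ~3, ... and drop characters such as spaces;
    comparing the first six characters of the stem plus the extension is
    enough for triage.
    """
    ldir, lname = _split(long_path)
    sdir, sname = _split(short_path)
    if ldir != sdir:
        return False
    m = SHORT_RE.match(sname)
    if not m:
        return lname.lower() == sname.lower()
    stem, ext = m.group(1), m.group(2) or ""
    lstem, lext = os.path.splitext(lname)
    return lstem.upper()[:6] == stem.upper() and lext.upper()[:4] == ext.upper()


def find_shadow_copy_deletion(events: list[Proc]) -> list[tuple[int, Optional[str]]]:
    """(pid, parent image) for every shadow-copy deletion via WMIC or vssadmin."""
    by_pid = {e.pid: e for e in events}
    return [(e.pid, by_pid[e.ppid].image if e.ppid in by_pid else None)
            for e in events if SHADOW_RE.search(e.cmdline)]


def find_self_deletion(events: list[Proc]) -> list[tuple[int, str]]:
    """(pid, deleted image) where cmd.exe /c DEL removes its own parent's image,
    resolving the 8.3 short name in the command line against the parent path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(parent.image, m.group(1)):
            hits.append((e.pid, parent.image))
    return hits


def find_ransom_note_display(events: list[Proc]) -> list[tuple[int, Optional[int]]]:
    """(pid, ppid) for viewers launched on a RECOVERY.* note from the desktop."""
    return [(e.pid, e.ppid) for e in events if NOTE_RE.search(e.cmdline)]


if __name__ == "__main__":
    print("shadow copy deletion:", find_shadow_copy_deletion(EVENTS))
    print("self deletion:", find_self_deletion(EVENTS))
    print("ransom note display:", find_ransom_note_display(EVENTS))
```

The same three checks map directly onto Sysmon event ID 1 or Windows Security event 4688 with command-line logging enabled, since both carry the parent process; without the parent field, the self-deletion check cannot be made.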
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize
11KB
MD53d0a85f0d3b5c9339a173c2a653f183f
SHA1c6d29587f4af794fae1400fcbb43e2538ace862e
SHA2564fe66322ab394ebe096b106a6b92ced602aba211c354dcf7e1f5a554633eaf66
SHA5126ea8f67b503242fbff94aa5931cba4e127d9ece6cf7c31ad4ef26c052edee6b2df12dc86e9ce5534172b433c36167c1cfd36a7e5fdee4254eb3bbcb8ecd10c72
-
Filesize
62KB
MD52363eb9d457cd6b41947d3708e374a0b
SHA10f34471e178749292b6b4b2b4187905316135174
SHA2567c5be91675f0a4cf6f7241c9c6e0dd4b369af05d57a4b1e84ec542653db7bb47
SHA512548f3ff1e5f9b23f198a9289fcf1ae34beb9305ff778b92997f6398500187af2634898164bc4d1d29a3b0849df451b5b7d888d505297190735ce69410f76b52d
-
Filesize
1KB
MD5989c2bb6bb0a59e6528022dd73241325
SHA1b5661ffe4be2daa25549fa3e3dff002a2bbf9520
SHA256f5168c73993a7f3d22e38a87d7b856ed994e4386215dcc00a0c2dc6cd37749ef
SHA5122624112cca25b8bc0034fe63d198b7e6179598c6a5886031ccbf690b599ccc7b73129ddcf44ba71f6aa255495dc2ae00da864befea19e3339fb2d0ffa29c423c
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD5f4df8eb932e95e0db963b1bb4fe5dcbb
SHA1ac9bdcac60ba2f40135f9047414a767aaabddb8a
SHA25688a561171dad0dc29ef4d4ab9d91dc75e40dca1a3b6ecebd529e927eae256f8a
SHA5128e6e1ab44c6bf8e659e70aa5ad9ff35eddb78fa0a1932eee8243aa284b39c3bea805d00203abcd4e45ddcdd5ed33f275987d054a6fc4f56731da240038c3381b
-
Filesize
109KB
MD5024e6072e20fd9a7f4c73c17ee96af83
SHA1b0e08f7b494cfc43402b5bb966407e3e40dffe75
SHA2562bf73168e9afcaa9cde45e0aba4c5a6fbbc3ae63694bc0be39e4114c46ada197
SHA512c97e00868cb5c962a0d6ae0e704cd1e8597901ba00c9a3dfc41d38575486e8a91499c5c39f2f8c98fd8c03213028b8285bfd401106bf2d3d9c3de811bc0605bb
-
Filesize
173KB
MD59e6c38adec4e65e966d35e3358b78518
SHA14d5b490b137288c72a84a881e2613972d8f77ae8
SHA25676a2ae45ab4c2c1fb1c19c2eb70ad8b0c63ac8730df933dc3262e905fa03ffb7
SHA512834434cf105567580e3431686e946628d2e6dc41d314eaf01df5eb4c105411b12037e6fdd09574a497b80a5341ea29b6fc374fc6680966784fe9f7871896160c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
d07e35e9c813817ac3cbeb021e28dfa9
SHA1
796eaa4035854c17c88d9daf72f115816fc7761e
SHA256
bd377463802aebe149a9d2b85e8ac3c64a942a4ad0dae4f045f0c31e4eb47593
SHA512
2ccfe43abcbdc4deffb322950d7c9cebbd8ad41d95868f8aa2a2313073740e97abf56f6de4ca1c965640964bc0809bb169307eff493a1cae7cfaa43a0b22f84b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
cb44a951d70b0528d985b61b2abe4458
SHA1
c7356e614bec3d897e3a2a73f327ca804deed2e1
SHA256
d30419ea377df3e0440dea102d62e48788945abe721ff37862bebc3ff199eecf
SHA512
909c6ca968b7860f046fb6a743a04dd7842c64c7bc5eb5d7c233852cb6b574cdc6282c18ddd0deb4daaf2aad53094a7f5f34e00adb02eae87eae2ca9c7e49edb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
31ba116f581bd5852127e6f4a114b02d
SHA1
cd167f004d6ad91bc7d787d1eab8fd3ac9affa6f
SHA256
f27e612a337e5ed1fb31e0f347bc9b281d0ce28fe1abe3b5895bc0c827df1b65
SHA512
5599aa085bec6abda613c78fa61a6987ea451785844a0c30f72a7ced502f531a580cc0d76377157f099ff68e665a90b5ff890e104d5277916b94b244890da2b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
0caac6e9158d421a9688aa7266cbd487
SHA1
02a3705bad059aeb70203dfed7541b7092b62ed3
SHA256
23cc7cb61b3f153f82f7594da4705d7958d437aba607b7c51e35e9eaef83ed00
SHA512
0df041466f02557fc6c40f38ea9db05b0909e96ec63aa3a666406cd389b8ec9e2a8c46aea6f904edd01b01a9aac0d515591138b6b8c4a13ec15da89aeb808e86
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
627d489f88fa7ce43140d17a21092821
SHA1
da7772e4fdd3999b6bf5cae2d63d8ad60114123d
SHA256
4c378657ba1b9b3a20cb7ca591a6d2caf41423a89174b14b93975d4d51dffad0
SHA512
10e975ffb451f73609c16290f18546fbe7f2592419d107da255b3d9c269cd72df307359c360a690fc50beaa6602bfb083e3d1ec560a91c09d1fb4794d01be8b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
1500b5838c6b38f080e56d7f205917a8
SHA1
c5c1a72c6b966935fb0c20c8e23e3b0f3438ae72
SHA256
75dcc1809db4b7dcf7b18a171e5960d952e4881c4019bbb8d26f9c24346376c7
SHA512
a359e37783948208b9db45df97163d308bf7417680404bebc828cead1100ac0b48df03672afd37fd3f31fa8ce4b0e7bf8ea95b2bccb7ea92e776e72a95e69938
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
d7a9b26908a338a333955f0387b580dd
SHA1
f471f7e359e730a189070a9cc8a02457cc304fad
SHA256
1b4514cf41bb9b6ab177fb58365cb30116b682490bc958ce9f3b2d2355a78cc4
SHA512
3f18f603f4cc3956b3bebe12a6766d6963ba4e28842c0339fe5ccbbcb2d556886657c7b3d8ce3dc86ee90b9b613030451f8eb3e1e9afc980a1e3a1e3dcd4181d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
5ba10699a23bce4a779f24d3bb148feb
SHA1
a9d9eb9837db858f8e9c47b45ef0b937356c3452
SHA256
f480437776e71307a00c9bc5bfdde1016bf1e9b8989f1bd9eef16a1ea1a1b28c
SHA512
9b2ab9a30f6637ef0dccb5f77e5a3363a53b18e2dbf3ae1e77206e3078a7843964f757b9a9bcb34fb48a42cbd7ca7950888557ac776ee98283c5af76ff077399
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
76406d721179e8e4c42166d0a7ec5699
SHA1
03ca483e57dedcb0e016e2d2b2af82e843ff0c26
SHA256
e2f9aa74d7cfe3f7f75225461636051219abeccad497c1c40894f49249d8aed7
SHA512
fee8b98136b319c39d7ccbe217ef01b15be5c5d461b14726c2ee10c257f88fea1e639f87e12d8d8f0520f416da1a134978a4d3df49bc9353d87da8717c65db2f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
a811c265bf2bc5779b7399268f79fd4c
SHA1
478c443df99570a91b9c047e7b790721b73b21e1
SHA256
e71c62f891062e589198564dc5fd37ea41778b43e409dd2a347db0c0c1fca594
SHA512
bcd0670b0975dd1b92be1b0ac6ac4ebe71d16aa2524fb898ec388e19829acb05549c04e44b2b4a1b4df585521fbe6a778444abae49d480598d63e46fe631dd49
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
21ff7825ce0fa12bde03fb989c0232f2
SHA1
0595c027c68889dab0a31262a93df0df8a9319c2
SHA256
494a2cf2280ab773670ee7ae3001279128346917a39b8b491144d470d302a26c
SHA512
642212d851e0a77dd31edbc2fc907138b6f84426b0b43c1b22717c1526c0c3906904cd2cf554ebd55e01f5efe580f9fabfac97b7f4ed04e2c6616339e9f29922
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
6621e71994dbd9d3cd8c2999fb84d316
SHA1
9f1178d9976cdb7200e9afa1208fdd1d622148e7
SHA256
0733c034617193793141f9a4de8604193815c3543b01957a7728e0b76ca0e53b
SHA512
e4326f422d716c78dc6ae607b0f145d87981a030a2c2868a3f1ebe025d14dc3847123c8bc49d87327bf438c291048cdec1b4b8ec7b705c357ce9a7968670290f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
cedfb196d86d3af2b40d66e4b3fff4d2
SHA1
63a3ab41ef12af7cf27e35910069023d7aacb483
SHA256
3a93736c847f4ef4f8775cf591ad860e369802c4f6a3e73ef1d7347355a57714
SHA512
4be03ed6e926e790f39abac87cf764eac3a8925595be4499019d952b8534818fcbf93c4319250e2b4cd6dc1d274e4002519ef4ef89e3596b47800291d75195c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
ba117a326786659f3df4e31936914612
SHA1
cd36e878ccfaff02587b39c8c0d4cb256963ab9f
SHA256
9c729cc3dc88f6bbdb6b5dfd6fa2bfb662bdd89c6eacec026513cf873b3e52b9
SHA512
0170a0877e96261b8740d4eecaba50a2cc5e7226758dafe540f49a302aa6a49b83f03c04adcd68c3bfef412e28e90aaa30bf6b81a92f80a48acf030d0fe1e7a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
088829863b53aba7887065aa536b34af
SHA1
e21a18571dffd7d85ca475e3346bad3c609ec7f4
SHA256
03cfb9a41af07f4258861e969289f3fbd7e8582bedfbdb8bf1d3c86a3a0ef82f
SHA512
ede701ac7b308c0000167a832dad37a488d3411e52afa772a10be6b2df0567a738cfa5721bad409cab64b987cd16413a845177dbee13ea5ff252d9b9447d2325
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
87098303bdb736285b9ce6a9be3eb2ff
SHA1
18cf94ea4a7a1a2b6efcb7b20c5587b946929898
SHA256
9bbef767acc11ec4728f04068dde70e6c9a53d6362cf317dbe3180e3bae732f4
SHA512
d187407d412de40c47836b59ead6e7b910137605160fbb5a1cb12c8f16274c9fb2e1dcb3d09d7365ff42b15ceb7c14c261e0499713dfab217195e85cba6e8d39
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
fe3c016597e838a48a4b15f23404e31d
SHA1
91610cf2cb63dd61bddd1796d22f6e08114eb9fb
SHA256
ff89caa05c941fdb114f446b2d6d4cbb089389a2f62af5a331deaa7d7be18635
SHA512
1250e380a78a9362536ad5fbc323673cf458fa9d8bd6796604cf682da26bed4baa3203b1475613c421e64cd2ed182483a00b6039f8d7c0a735091a65b45809d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
cb7c3ed0482ae735ccabf6504d2e658c
SHA1
4bb11f617719d2aa4707f8a911cab2a92df8499f
SHA256
776d43d4a0bd4c817e637ff31a567e46c927895a7fefe820ff25e756def767f9
SHA512
6ec1ff28e23bdd8252b54c878d294b936436e5e5491b129817ede462b526303b48298a5e3db4e3eb5e2193cb234ca6e261e48b839241cc232fdf9fac67e8ce2a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
0d527a7b03a43ee22984d8cd3afb2ed5
SHA1
df9f6ded42a2908ee44488c64e6daa1af5ab334a
SHA256
e0dbcf6fb728e5e4e2175f78e8d4fc3504424ad40a176739e103923a82e5b537
SHA512
cd58cbb5da05fefa59bbbcf081968a3b6cc2cca5435cc8e04264fa88de3ec4b4543dadfcb2f7f41f0d109b60060bcf2cd95aff540a11c80e1f2ecf55af45387d
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
612KB
MD5
d21f6b4bcb3c52061dd42d7830823940
SHA1
5474cd41a7eca331c1fce96cb0acacc5161a1dd7
SHA256
cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281
SHA512
abac923025aa36a6cff948eafea91f048fe1441be98f4375ab8ab7583c6011c428d1c76209505ba30281c1271240d6e64b166c0070654c0d4de2355ea35b1968
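Two things in this dropped-file list are worth pulling out mechanically rather than by eye: the final entry carries exactly the MD5/SHA-1/SHA-256/SHA-512 of the submitted sample, i.e. the ransomware wrote a byte-identical copy of itself to disk, and the CryptnetUrlCache\MetaData path appears many times with different hashes, so a single path is not a usable key and the digests are. The script below is an added example, not part of the sandbox report or of any tooling the report's author uses. It parses records in the extract's own layout (labels either on their own line or fused with the value, records separated by a lone "-"), validates digest lengths, builds a hash-keyed IOC index, hashes a blob with all four algorithms so a hit is found whichever digest a feed carries, and flags dropped files whose SHA-256 equals the sample's. SAMPLE_REPORT is a constructed excerpt containing two entries copied from this page; DroppedFile and the function names are this example's own.

```python
"""Parse dropped-file hash records from a sandbox report extract and use
them as an IOC set. Added example; not part of the report."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt: two entries copied from this page, in the fused
# "LabelValue" form the extract uses. The first is the submitted sample's
# own hashes (it appears in the dropped-file list as a self-copy).
SAMPLE_REPORT = r"""
Filesize
612KB
MD5d21f6b4bcb3c52061dd42d7830823940
SHA15474cd41a7eca331c1fce96cb0acacc5161a1dd7
SHA256cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281
SHA512abac923025aa36a6cff948eafea91f048fe1441be98f4375ab8ab7583c6011c428d1c76209505ba30281c1271240d6e64b166c0070654c0d4de2355ea35b1968
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d07e35e9c813817ac3cbeb021e28dfa9
SHA1796eaa4035854c17c88d9daf72f115816fc7761e
SHA256bd377463802aebe149a9d2b85e8ac3c64a942a4ad0dae4f045f0c31e4eb47593
SHA5122ccfe43abcbdc4deffb322950d7c9cebbd8ad41d95868f8aa2a2313073740e97abf56f6de4ca1c965640964bc0809bb169307eff493a1cae7cfaa43a0b22f84b
"""

# Expected hex-digest length per algorithm; used to reject truncated hashes.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest labels first so "SHA512..." is never read as "SHA1" + "512...".
LABEL_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)(.*)$")


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None           # kept as reported, e.g. "342B"
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> List[DroppedFile]:
    """Split the extract on lone '-' lines and read one record per block.
    Accepts both the 'Label' / 'value' two-line form and the fused form."""
    records: List[DroppedFile] = []
    for block in re.split(r"^-\s*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        rec = DroppedFile()
        i = 0
        while i < len(lines):
            m = LABEL_RE.match(lines[i])
            if m:
                label, value = m.group(1), m.group(2).strip()
                if not value and i + 1 < len(lines):   # two-line form
                    i += 1
                    value = lines[i]
                if label == "Filesize":
                    rec.size = value
                else:
                    algo = label.lower()
                    if re.fullmatch(r"[0-9a-fA-F]{%d}" % DIGEST_LEN[algo], value):
                        rec.hashes[algo] = value.lower()
            elif "\\" in lines[i]:                     # Windows path line
                rec.path = lines[i]
            i += 1
        if rec.hashes:
            records.append(rec)
    return records


def build_index(records: List[DroppedFile]) -> Dict[str, DroppedFile]:
    """Map every known digest, under any algorithm, to its record."""
    return {h: rec for rec in records for h in rec.hashes.values()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digest a blob with all four algorithms the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def match_bytes(index: Dict[str, DroppedFile], data: bytes) -> Optional[DroppedFile]:
    """Return the record a blob matches, or None. All algorithms are tried so
    a hit is found whichever digest the consuming feed happens to carry."""
    for digest in hash_bytes(data).values():
        if digest in index:
            return index[digest]
    return None


def self_copies(records: List[DroppedFile], sample_sha256: str) -> List[DroppedFile]:
    """Dropped files whose SHA-256 equals the submitted sample: the payload
    writing a byte-identical copy of itself to disk."""
    return [r for r in records if r.hashes.get("sha256") == sample_sha256.lower()]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(f"parsed {len(recs)} records")
    for r in self_copies(recs, "cf2b8758dec69d650d88fea72b8ffcb34ade8f6b7f9b66401ce23a2160c53281"):
        print("self-copy of the sample:", r.size, r.path or "(path not listed)")
```

To use it against a real extract, paste the whole dropped-files section into the string passed to parse_report and feed build_index's result to match_bytes with the contents of a suspect file; the length check in the parser drops any digest that lost characters in extraction rather than silently indexing a wrong value.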