Analysis

max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2025, 23:08

Static task: static1
Behavioral task: behavioral1
  Sample: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Resource: win10v2004-20241007-en
General

Target: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Size: 371KB
MD5: 76b0182e3dc2f368facd1446a78d2ae0
SHA1: 6e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA256: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512: e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
SSDEEP: 6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config

Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+gjvix.txt
Family: teslacrypt
URLs:
  http://yyre45dbvn2nhbefbmh.begumvelic.at/F97D7F90599446A
  http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F97D7F90599446A
  http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F97D7F90599446A
  http://xlowfznrg4wf7dli.ONION/F97D7F90599446A
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (438) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoC)
pid 2808  cmd.exe

Drops startup file (6 IoCs)
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+gjvix.png  shtjtucrlkrj.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+gjvix.txt  shtjtucrlkrj.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+gjvix.html  shtjtucrlkrj.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+gjvix.png  shtjtucrlkrj.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+gjvix.txt  shtjtucrlkrj.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+gjvix.html  shtjtucrlkrj.exe

Executes dropped EXE (2 IoCs)
pid 2764  shtjtucrlkrj.exe
pid 288  shtjtucrlkrj.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lofqkvmyajgj = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\shtjtucrlkrj.exe\""  shtjtucrlkrj.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of SetThreadContext (2 IoCs)
PID 1732 set thread context of 2776  (pid 1732, 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe, procid_target 31)
PID 2764 set thread context of 288  (pid 2764, shtjtucrlkrj.exe, procid_target 35)

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
File created  C:\Windows\shtjtucrlkrj.exe  3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
File opened for modification  C:\Windows\shtjtucrlkrj.exe  3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NOTEPAD.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  shtjtucrlkrj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  shtjtucrlkrj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer settings
Opens file in notepad (likely ransom note) (1 IoC)
pid 1220  NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid 1312  iexplore.exe
pid 1644  DllHost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid 1312  iexplore.exe
pid 1312  iexplore.exe
pid 1748  IEXPLORE.EXE
pid 1748  IEXPLORE.EXE
pid 1644  DllHost.exe
pid 1644  DllHost.exe

Suspicious use of WriteProcessMemory (52 IoCs)
System policy modification (1 TTP, 2 IoCs)
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  shtjtucrlkrj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  shtjtucrlkrj.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe  (level 1, PID 1732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe  (level 2, PID 2776)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\shtjtucrlkrj.exe  (level 3, PID 2764)
      Command line: C:\Windows\shtjtucrlkrj.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\shtjtucrlkrj.exe  (level 4, PID 288)
        Command line: C:\Windows\shtjtucrlkrj.exe
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\System32\wbem\WMIC.exe  (level 5, PID 1868)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\NOTEPAD.EXE  (level 5, PID 1220)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)

        C:\Program Files\Internet Explorer\iexplore.exe  (level 5, PID 1312)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 6, PID 1748)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

        C:\Windows\System32\wbem\WMIC.exe  (level 5, PID 1500)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe  (level 5, PID 752)
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SHTJTU~1.EXE
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (level 3, PID 2808)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE
      - Deletes itself
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe  (level 1, PID 2004)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe  (level 1, PID 1644)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize
9KB
MD52f35ec797f6345b3a1d8372d7fd1860d
SHA151b1ca7c6f4002a77013443b16b58fb95ad6ac9d
SHA2564d46dbfcf61de65aed9bfbc43a46bb801e7758bcf9abee46765c1b53e6db3204
SHA512eac71e4ed0fbc08d04618116aaea19f89bb55804f920e68687c35ed8825d08b1517e67f23ed88707639356be5b7caef51ec3d56fb78d5e8242587d7365b660e9
-
Filesize
63KB
MD5c3fae2129a3d48d937819bf4ac31237d
SHA1d7e780d0b5ff491215e78432eb85a8a783499762
SHA256d07cdddcb6870f1c2f466fb77f1bff7f340d8e267f99566c97eaf232be8c32c3
SHA51205eacffab8eb821267432e74db5d0d8f9e9e7d17dc966cba9b387dd5dfcbe45b855048b6dd848d3232c957aa4df1366ee87f3e58a14022008d6e23d18e2833de
-
Filesize 1KB
MD5 6cf443e8212057fa54289f7d6dcb65b5
SHA1 0d3db1460bad132b1220e52a252fbbd12487a4d1
SHA256 fc856dd24ddf4fbf459c6da49dc92ccdf56362fde9d6af3eb66e82d440200548
SHA512 6a590a95c21ab902a4f7b247885e6fc028b0eccc4e63524f3a44bcba38140ecbecc517325398bda43bc4ac0c5f744b02d8391d367628015d9fb33546046643de
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize 11KB
MD5 eb267c05ec37eb9025c40062ccaedc68
SHA1 5f3db4418dca30ae74d21bec49d4e7fe74add63b
SHA256 a87482eeda88919cf474ada9c45759de6a649cab6ab5ed0472fd587cbd181f45
SHA512 b5853a53c0073cd830eef6347cc7f2f1e65ec9252acf1b77a66db79349a7ac6f3eb848d63e8186bfbad7a8922feffb15d46d71b8763d53213490fb66ef8f61df
-
Filesize 109KB
MD5 78c60438ccaa47501435eca11eb29ba7
SHA1 1223c0692a042b5031a214d362a2f77dfdf240e4
SHA256 f9cb0b56d3c40dd9be0219142c88ffe90a0345fda23c4ed6d80f9a3d16cbf06f
SHA512 f8691f83e46e4fcaae44e07915858a240505f948e793ca1d281eb610696c63ef2a134e96077e1b656ba023b0e64de7fb2196daab37a7e0439bbc3b009a8422cb
-
Filesize 173KB
MD5 0ebae12b0dcb6db99c42a62bba07ceae
SHA1 8e86f841e7e1108e74eb52150e408f8ee65e597d
SHA256 894e65a590251cf3f193051a6c22e835491c851dda23630dc8b9a2232dcd9f5f
SHA512 ae332a3c11c642e9804502403030aba1bfc5a28f1504d2904de73433c52a0c56bfde7a31c9b213d34eb9a277c20da53e73cfd18f7520db61218059c8044c33c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e48087a2737ad065ef8c342b977d6c6f
SHA1 6c020f3ea9044d10de09d386daace92667a0fece
SHA256 cf37c85ea937c1a65178a88c7ea70687cb906d3a42592945e0f5b6c545d9ff5b
SHA512 8c589f80fca0cb689bdbc14abc229fa406330875694baad4658545df2a1e17b4d64779b698cbf81ada063f2d4b2b65280677ec7afa597c7a1e97833481863fb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2d64083a474ea0c4d169a0f2392c7a1b
SHA1 8fc8d326fd3465aab92df443c495ff889c06d983
SHA256 671068e25ec1cc91339e928ec11728ee0673befacdbebf304d262f7caf6a5da1
SHA512 805fcfc88dde8d90d5165763a60e5be5c841895090e907129b991b05587e672427af2158445c302d1dc151c8b05d6f48cb93d42765a098d919036ff7c00f0549
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e38a66e01b13c5568b1251846a36edd4
SHA1 34f0d671fa66ef8501218ec63bc557ceb13de281
SHA256 0b9e5a2a0342c4c8ec4eb41f24f501bb96088bdc1e23e5823dae4d27a1cdbfe9
SHA512 b1b152f11be7423092dfc7261fed11445423ee77ebdd6a2bc0b2e27e7692cdbcfbeab697372d5be4e54d1226f5bd2333889974434056051ccee51c1a09f3ade6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c79eb57967ba356719cc0fc56bb04a72
SHA1 c1db6698e45445c5b986cd87e10f8d6a538f1e19
SHA256 09e50321c99524c2e3120514e06316662234737ce63740d4d7d99d943d774d11
SHA512 6f8fb6657f7b5b267273edf21cc8740d53cf08daab722531534d2f0016acbe5c650e85d7fdf13aefb57964f955da19ee8cb6307f9a6d359f1cc8829b0134fc2f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 129e4f339d65f870eadac774a5a38b55
SHA1 52572f74e841d23376a0d91b11fb66a6b14b52e2
SHA256 5cb473bf1389b81a54a2ce921a9435441f4c52d1fea9ad9f3e01fe70f57f5c2b
SHA512 fc65c6c50483379113a5f559c2753b1ddd8f25ae0b9498b894566918e44fd8b8788efe9e24cad86d005e9be2e69f16adcd5b7c1f137875fd947b44f8b68b1bf6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 615577917b538f1e20f603a0232a0b40
SHA1 24f3f0927b949c9255f41bea2b6845d224f14869
SHA256 36d831172b8c8ee86d0afc3dc6c4579cbd7427c9b0d38662a119dd13252e8f00
SHA512 1628aa0d8e9388dcec01d0fc5c68a049ae4e91b6e6d0563f2fbbbd7ffde60f95b941f6fb24f2daa6aee762152fd88e7f3f8f120f81a70122975799531057e5f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 37cb0e44b0d3bc2e49565dabc378a73f
SHA1 095ea0d9434ab15d27d66949ca3699bbed92e34a
SHA256 571c02013b32f9c01e2c7865a1a54403aacf13ad481baafbc8e9feee3e0aed22
SHA512 f9918b639c7fed383b66e42b1fe7c67d8fa2c7664d7595872d2ac80ab56f6ccd56f27754e43921c43f1583d79e7b38938b2216885b877578a3549dfc949be6ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1fdd3f9338b0bf126a603fc790255b4d
SHA1 d82eaf84323f3d2ed699702c7ce0ab62e4eeaf62
SHA256 8579077c3f119866e00a5b05bd2efe5df0f3f58194b673e4809058d5a59b0b0f
SHA512 8f3a492c19b6e1d1beaf98a6ecbc5824128056804180ebc68375295746cacaa8d201c976deb369f42490db8879b61d501d0c13adffe1b2cf57cd380cffbeb79a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c0e8c2ceb172b48d3f4821b8cc7887a5
SHA1 bb69b1332806c34cc51c08d3497492496b090996
SHA256 e2d74bfd2c61b1dee14396e7077f7c8022befc1f584acb856b29ff73caf4eed9
SHA512 80734fc177405563a1949af62119cbd8184360bd91ce8ef5cc37f21db86c8750bcb6edb5d7a2710ba3b3e401701e3867dcc685a11582e1c039ef27a442983d68
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 371KB
MD5 76b0182e3dc2f368facd1446a78d2ae0
SHA1 6e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA256 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512 e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a