Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2025, 22:57
Static task: static1
Behavioral task: behavioral1
  Sample: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Resource: win10v2004-20241007-en
General
Target: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Size: 371KB
MD5: 76b0182e3dc2f368facd1446a78d2ae0
SHA1: 6e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA256: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512: e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
SSDEEP: 6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.txt
Family: teslacrypt
URLs (all four carry the same path token, 8113B4449D559D60; the last one is a Tor hidden service reachable only through a Tor gateway or client):
  http://yyre45dbvn2nhbefbmh.begumvelic.at/8113B4449D559D60
  http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/8113B4449D559D60
  http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8113B4449D559D60
  http://xlowfznrg4wf7dli.ONION/8113B4449D559D60
Signatures
TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
Teslacrypt family
Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Renames multiple (407) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
Deletes itself (1 IoC)
  pid | Process
  3000 | cmd.exe
Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.png | dakfjprvnatu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.txt | dakfjprvnatu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.html | dakfjprvnatu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.png | dakfjprvnatu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.txt | dakfjprvnatu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.html | dakfjprvnatu.exe
  The six files are the ransom note in its three formats, placed in the user's Startup folder and in Word's STARTUP folder so that the note reappears at every logon and every Word launch.
Executes dropped EXE (2 IoCs)
  pid | Process
  2784 | dakfjprvnatu.exe
  752 | dakfjprvnatu.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\gihrktiqxohc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dakfjprvnatu.exe\"" | dakfjprvnatu.exe
  The value name is random and the data is a cmd.exe /c start wrapper, so a Run-key monitor that only looks at the first token sees cmd.exe; the executable that actually persists is C:\Windows\dakfjprvnatu.exe.
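The Run value above launches the dropped executable through a cmd.exe /c start wrapper, so the thing that actually persists is C:\Windows\dakfjprvnatu.exe, not cmd.exe. The Python below is an added example, not part of the tria.ge report: it parses IoC rows in the shape this report prints (the Run-key row and the six startup-folder rows, copied in as constructed input), undoes the report's string escaping, resolves the real autostart target through the wrapper, and checks whether that target sits directly in C:\Windows. Names such as analyze, Finding and launched_target are the example's own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Row shapes as they appear in this report's IoC tables.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*)" (\S+)$')
FILE_ROW_RE = re.compile(r'^File (?:opened for modification|created) (.+?) (\S+)$')
# cmd.exe /c start "<title>" "<target>"  ->  <target>
START_TARGET_RE = re.compile(r'\bstart\s+(?:"[^"]*"\s+)?"([^"]+)"', re.I)
# Per-user and per-application autostart folders seen in the report (lower-case).
STARTUP_DIRS = (
    '\\microsoft\\windows\\start menu\\programs\\startup\\',
    '\\microsoft\\word\\startup\\',
)

# Constructed input: the Run-key row and the six startup-folder rows from the
# signatures above, in the report's own row format.
SID = r'\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000'
STARTUP = r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
WORD_STARTUP = r'C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP'
SAMPLE_ROWS = [
    r'Set value (str) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Run\gihrktiqxohc'
    r' = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dakfjprvnatu.exe\"" dakfjprvnatu.exe',
] + [
    'File opened for modification %s\\_RECoVERY_+iwxag.%s dakfjprvnatu.exe' % (d, ext)
    for d in (STARTUP, WORD_STARTUP) for ext in ('png', 'txt', 'html')
]


@dataclass
class Finding:
    technique: str         # signature name used by the report
    process: str           # process that wrote the artefact
    location: str          # registry value path or file path
    target: Optional[str]  # executable run at logon, when it can be resolved


def unescape_reg_string(s: str) -> str:
    # The report prints REG_SZ data with backslashes and quotes escaped; undo that.
    return s.replace('\\"', '"').replace('\\\\', '\\')


def launched_target(command: str) -> str:
    # Executable a Run value really starts, seen through cmd.exe /c start "" "<exe>".
    if 'cmd.exe' in command.lower():
        m = START_TARGET_RE.search(command)
        if m:
            return m.group(1)
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]


def is_startup_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in STARTUP_DIRS)


def dropped_in_windows_root(target: str) -> bool:
    # True when the autostart target sits directly in C:\Windows, where the report
    # shows the first stage writing dakfjprvnatu.exe; ntpath so this works off-Windows.
    return ntpath.dirname(target).lower() == r'c:\windows'


def analyze(rows: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for row in rows:
        m = SET_VALUE_RE.match(row)
        if m:
            vtype, key, data, proc = m.groups()
            if vtype == 'str' and '\\currentversion\\run\\' in key.lower():
                findings.append(Finding('Adds Run key to start application', proc, key,
                                        launched_target(unescape_reg_string(data))))
            continue
        m = FILE_ROW_RE.match(row)
        if m and is_startup_dir(m.group(1)):
            findings.append(Finding('Drops startup file', m.group(2), m.group(1), None))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_ROWS):
        flag = ' [target dropped in C:\\Windows]' if f.target and dropped_in_windows_root(f.target) else ''
        print(f.technique, '|', f.process, '|', f.target or f.location, flag)
```

The same parser will accept any "Set value (str)" or "File opened for modification" row copied from a tria.ge signature table; only the two constants STARTUP and WORD_STARTUP and the SID are specific to this run.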
Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2384 set thread context of 1296 | 2384 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 31
  PID 2784 set thread context of 752 | 2784 | dakfjprvnatu.exe | 35
  In both rows the parent rewrites the thread context of a child it started from its own image (see the WriteProcessMemory table and the process tree below), which is consistent with process hollowing: the first instance is a loader, the second instance runs the unpacked payload.
Drops file in Program Files directory (64 IoCs)
  Every row is "File opened for modification" by dakfjprvnatu.exe. The list mixes ransom-note drops (_RECoVERY_+iwxag.txt/.png/.html written into each directory it visits) with opens of existing data files (.png, .js, .css, .pak, .wmv, .txt), the latter being the encryption pass itself.
  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_RECoVERY_+iwxag.png
  C:\Program Files\VideoLAN\VLC\locale\pt_BR\_RECoVERY_+iwxag.png
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_RECoVERY_+iwxag.html
  C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\_RECoVERY_+iwxag.html
  C:\Program Files\Common Files\System\ado\de-DE\_RECoVERY_+iwxag.html
  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_RECoVERY_+iwxag.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\en-US\_RECoVERY_+iwxag.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png
  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_RECoVERY_+iwxag.html
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak
  C:\Program Files\Windows Sidebar\es-ES\_RECoVERY_+iwxag.html
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js
  C:\Program Files\Java\jre7\_RECoVERY_+iwxag.html
  C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_RECoVERY_+iwxag.html
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_RECoVERY_+iwxag.png
  C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_RECoVERY_+iwxag.png
  C:\Program Files\Windows Sidebar\de-DE\_RECoVERY_+iwxag.txt
  C:\Program Files\Microsoft Games\Chess\en-US\_RECoVERY_+iwxag.html
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_RECoVERY_+iwxag.png
  C:\Program Files\Internet Explorer\ja-JP\_RECoVERY_+iwxag.html
  C:\Program Files\Microsoft Games\Solitaire\de-DE\_RECoVERY_+iwxag.png
  C:\Program Files\Mozilla Firefox\_RECoVERY_+iwxag.txt
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js
  C:\Program Files\Common Files\Microsoft Shared\Triedit\_RECoVERY_+iwxag.html
  C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_RECoVERY_+iwxag.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_RECoVERY_+iwxag.txt
  C:\Program Files\Microsoft Office\Office14\1033\_RECoVERY_+iwxag.png
  C:\Program Files\Windows Media Player\Visualizations\_RECoVERY_+iwxag.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\_RECoVERY_+iwxag.png
  C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\_RECoVERY_+iwxag.png
  C:\Program Files\Common Files\System\ado\fr-FR\_RECoVERY_+iwxag.png
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_RECoVERY_+iwxag.html
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_RECoVERY_+iwxag.html
  C:\Program Files\Java\jdk1.7.0_80\db\_RECoVERY_+iwxag.png
  C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_RECoVERY_+iwxag.html
  C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_RECoVERY_+iwxag.txt
  C:\Program Files\7-Zip\Lang\nb.txt
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js
  C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_RECoVERY_+iwxag.txt
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_RECoVERY_+iwxag.html
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_RECoVERY_+iwxag.html
  C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\_RECoVERY_+iwxag.txt
  C:\Program Files\Microsoft Games\More Games\fr-FR\_RECoVERY_+iwxag.html
  C:\Program Files\Microsoft Games\Purble Place\ja-JP\_RECoVERY_+iwxag.png
  C:\Program Files\Microsoft Games\Chess\ja-JP\_RECoVERY_+iwxag.txt
  C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_RECoVERY_+iwxag.html
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_RECoVERY_+iwxag.png
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png
  C:\Program Files\7-Zip\Lang\mk.txt
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\dakfjprvnatu.exe | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  File opened for modification | C:\Windows\dakfjprvnatu.exe | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  All nine rows are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by: NOTEPAD.EXE, cmd.exe (x2), dakfjprvnatu.exe (x2), DllHost.exe, IEXPLORE.EXE, 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe (x2).
  NOTEPAD.EXE, IEXPLORE.EXE and DllHost.exe read the same key in this run, so on its own this is a weak signal; it only matters in combination with the encryption and shadow-copy behaviour above.
Modifies Internet Explorer settings (34 IoCs listed)
  Every key below is relative to \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer. These are the ordinary first-run writes Internet Explorer makes when it is launched, here by dakfjprvnatu.exe to display RECOVERY.HTM (see the process tree); they are a side effect of showing the ransom note, not a configuration change made by the malware.
  description | ioc | Process
  Key created | LowRegistry | iexplore.exe
  Key created | TabbedBrowsing | iexplore.exe
  Key created | TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | BrowserEmulation\LowMic | iexplore.exe
  Key created | GPU | iexplore.exe
  Key created | IETld\LowMic | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | Main | IEXPLORE.EXE
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | IntelliForms | iexplore.exe
  Key created | PageSetup | iexplore.exe
  Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | Recovery\AdminActive | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | Main\WindowsSearch | IEXPLORE.EXE
  Key created | SearchScopes | iexplore.exe
  Key created | InternetRegistry | iexplore.exe
  Key created | Main\WindowsSearch | iexplore.exe
  Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | Toolbar\WebBrowser | iexplore.exe
  Key created | Recovery\PendingRecovery | iexplore.exe
  Set value (int) | Recovery\AdminActive\{CDFEF181-D5EF-11EF-BBD1-D686196AC2C0} = "0" | iexplore.exe
  Set value (str) | Main\FullScreen = "no" | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\MFV = (value elided) | iexplore.exe
  Key created | LowRegistry\DOMStorage | iexplore.exe
  Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | Zoom | iexplore.exe
  Key created | Toolbar | iexplore.exe
  Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 804d6fa2fc69db01 | iexplore.exe
  Key created | Main | iexplore.exe
  Set value (int) | SearchScopes\DownloadRetries = "2" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4595d1ebc4c754893cc672fc1b4219d000000000200000000001066000000010000200000006d26595dc8ea9548a132335ac8ada630444372ad2afffc9596c24df7471730e4000000000e80000000020000200000000b72413b79c93b7f848a9ad5cf5855aa0b12984ca3f913469055667d55cf288c200000004e6441b56e16764d673b4bffc28056b7e8df784d5cc53fd5313c8da2292b873f4000000045188912e1ea5682a86036ab476f1042db8e306162670af4259f5c6c55d3ea8b45d0687cb486a02d40ff686c3bf1e3a65d9140c11410f15f4783afd6e106f4ad (a DPAPI-protected blob; the 01000000d08c9ddf0115d1118c7a00c04fc297eb prefix is the DPAPI header) | iexplore.exe
Opens file in notepad (likely ransom note) (1 IoC)
  pid | Process
  1216 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  752 | dakfjprvnatu.exe (64 identical rows)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Rows grouped by process; the report lists each privilege the process enabled, in order.
  1296 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | SeDebugPrivilege
  752 | dakfjprvnatu.exe | SeDebugPrivilege
  772 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence appears twice)
  2764 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2480 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
  The table stops at 64 rows, so the second WMIC.exe's list is cut off after privilege 34. The long WMIC.exe sequences are the standard set WMIC enables on start-up; the rows that matter are SeDebugPrivilege in the two payload instances and SeBackup/SeRestore in vssvc.exe, which is the shadow-copy service being driven by the WMIC "shadowcopy delete" calls.
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1236 | iexplore.exe
  1968 | DllHost.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  1236 | iexplore.exe (x2)
  700 | IEXPLORE.EXE (x2)
  1968 | DllHost.exe (x2)
Suspicious use of WriteProcessMemory (52 IoCs)
  Identical rows are collapsed; the last column is how many times the row appears.
  description | pid | Process | procid_target | rows
  PID 2384 wrote to memory of 1296 | 2384 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 31 | 10
  PID 1296 wrote to memory of 2784 | 1296 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 32 | 4
  PID 1296 wrote to memory of 3000 | 1296 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 33 | 4
  PID 2784 wrote to memory of 752 | 2784 | dakfjprvnatu.exe | 35 | 10
  PID 752 wrote to memory of 772 | 752 | dakfjprvnatu.exe | 36 | 4
  PID 752 wrote to memory of 1216 | 752 | dakfjprvnatu.exe | 45 | 4
  PID 752 wrote to memory of 1236 | 752 | dakfjprvnatu.exe | 46 | 4
  PID 1236 wrote to memory of 700 | 1236 | iexplore.exe | 48 | 4
  PID 752 wrote to memory of 2480 | 752 | dakfjprvnatu.exe | 49 | 4
  PID 752 wrote to memory of 2792 | 752 | dakfjprvnatu.exe | 51 | 4
  The two pairs that also appear under SetThreadContext (2384 -> 1296 and 2784 -> 752) are the only ones with 10 writes; every ordinary child spawn in this tree shows 4. That difference, plus the child being a copy of the parent's own image, is what separates the hollowing step from normal process creation.
System policy modification (1 TTP, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | dakfjprvnatu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | dakfjprvnatu.exe
  EnableLinkedConnections=1 makes drive letters mapped under the user's standard token visible to processes running under the elevated (linked) token as well, so an elevated encryptor can reach mapped network shares it would otherwise not see. A write of this value by anything other than an administrator's deliberate policy change is worth alerting on by itself.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(n) is the depth in the tree as tria.ge shows it; each process is indented under its parent.
(1) C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe  PID 2384
    cmd: "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    (2) C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe  PID 1296
        cmd: "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\dakfjprvnatu.exe  PID 2784
            cmd: C:\Windows\dakfjprvnatu.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            (4) C:\Windows\dakfjprvnatu.exe  PID 752
                cmd: C:\Windows\dakfjprvnatu.exe
                - Drops startup file
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                (5) C:\Windows\System32\wbem\WMIC.exe  PID 772
                    cmd: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                    - Suspicious use of AdjustPrivilegeToken
                (5) C:\Windows\SysWOW64\NOTEPAD.EXE  PID 1216
                    cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
                    - System Location Discovery: System Language Discovery
                    - Opens file in notepad (likely ransom note)
                (5) C:\Program Files\Internet Explorer\iexplore.exe  PID 1236
                    cmd: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
                    - Modifies Internet Explorer settings
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    (6) C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  PID 700
                        cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2
                        - System Location Discovery: System Language Discovery
                        - Modifies Internet Explorer settings
                        - Suspicious use of SetWindowsHookEx
                (5) C:\Windows\System32\wbem\WMIC.exe  PID 2480
                    cmd: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                    - Suspicious use of AdjustPrivilegeToken
                (5) C:\Windows\SysWOW64\cmd.exe  PID 2792
                    cmd: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DAKFJP~1.EXE
                    - System Location Discovery: System Language Discovery
        (3) C:\Windows\SysWOW64\cmd.exe  PID 3000
            cmd: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE
            - Deletes itself
            - System Location Discovery: System Language Discovery
(1) C:\Windows\system32\vssvc.exe  PID 2764
    cmd: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
(1) C:\Windows\SysWOW64\DllHost.exe  PID 1968
    cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
Notes on the tree: the 32-bit sample and its children resolve C:\Windows\system32 to SysWOW64 (WoW64 redirection), which is why cmd.exe and NOTEPAD.EXE show a SysWOW64 image path with a system32 command line. vssvc.exe is a root process because it is the Volume Shadow Copy service, started on demand by the two WMIC "shadowcopy del
ete" calls rather than spawned by the malware. Both stages remove their own executable via cmd /c DEL using 8.3 short names (DAKFJP~1.EXE for dakfjprvnatu.exe, 3AA3EE~1.EXE for the sample), so a detection that compares the deleted path literally against the parent's image path will miss it.
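The tree above carries three things worth pulling out mechanically: the sample and the dropped copy each spawn a second instance of their own image and set its thread context after writing to it (the unpack-and-hollow pattern), the payload runs "wmic shadowcopy delete" twice, and both stages delete their own executable through cmd /c DEL using 8.3 short names (DAKFJP~1.EXE, 3AA3EE~1.EXE). The Python below is an added example, not tria.ge code: its process records and the SetThreadContext/WriteProcessMemory pairs are constructed from this report's tables, the vssadmin pattern is added as the other common spelling of shadow-copy deletion, and the 8.3 matching is a simplified heuristic, as the code notes.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = (r'C:\Users\Admin\AppData\Local\Temp'
          r'\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe')
DROPPED = r'C:\Windows\dakfjprvnatu.exe'
WMIC = r'C:\Windows\System32\wbem\WMIC.exe'
CMD = r'C:\Windows\SysWOW64\cmd.exe'


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None marks a root of the tree
    image: str
    cmdline: str


# Constructed from the "Processes" tree above: same PIDs, images and command lines.
PROCS: List[Proc] = [
    Proc(2384, None, SAMPLE, '"%s"' % SAMPLE),
    Proc(1296, 2384, SAMPLE, '"%s"' % SAMPLE),
    Proc(2784, 1296, DROPPED, DROPPED),
    Proc(752, 2784, DROPPED, DROPPED),
    Proc(772, 752, WMIC, '"%s" shadowcopy delete /nointeractive' % WMIC),
    Proc(1216, 752, r'C:\Windows\SysWOW64\NOTEPAD.EXE', r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    Proc(1236, 752, r'C:\Program Files\Internet Explorer\iexplore.exe', r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM'),
    Proc(700, 1236, r'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE', r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2'),
    Proc(2480, 752, WMIC, '"%s" shadowcopy delete /nointeractive' % WMIC),
    Proc(2792, 752, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DAKFJP~1.EXE'),
    Proc(3000, 1296, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE'),
    Proc(2764, None, r'C:\Windows\system32\vssvc.exe', r'C:\Windows\system32\vssvc.exe'),
    Proc(1968, None, r'C:\Windows\SysWOW64\DllHost.exe', r'C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}'),
]
# (source pid, target pid) from the SetThreadContext and WriteProcessMemory tables above.
SET_THREAD_CONTEXT = {(2384, 1296), (2784, 752)}
WROTE_MEMORY = {(2384, 1296), (1296, 2784), (1296, 3000), (2784, 752), (752, 772),
                (752, 1216), (752, 1236), (1236, 700), (752, 2480), (752, 2792)}

# wmic shadowcopy delete is what this sample runs; vssadmin delete shadows is the
# other common spelling of the same action, so it is matched as well.
VSS_DELETE_RE = re.compile(
    r'(wmic(?:\.exe)?"?\s+shadowcopy\s+delete|vssadmin(?:\.exe)?"?\s+delete\s+shadows)', re.I)
# cmd /c DEL [/switches] <path>; the sample passes unquoted, space-free paths.
DEL_RE = re.compile(r'\bDEL\b\s+(?:/\w\s+)*"?([^"\s]+)"?', re.I)


def ancestors(procs: List[Proc], pid: int) -> List[Proc]:
    """Parent, grandparent, ... up to the root, nearest first."""
    index, out = {p.pid: p for p in procs}, []
    cur = index.get(pid)
    while cur is not None and cur.ppid is not None:
        cur = index.get(cur.ppid)
        if cur is not None:
            out.append(cur)
    return out


def hollowing_candidates(procs, thread_ctx, writes) -> List[Tuple[int, int]]:
    """Parent spawns a child from its *own* image, writes into it, then resets its
    thread context: the first instance is the loader, the second runs the payload."""
    index, out = {p.pid: p for p in procs}, []
    for src, dst in sorted(thread_ctx):
        s, d = index.get(src), index.get(dst)
        if (s and d and d.ppid == src and (src, dst) in writes
                and s.image.lower() == d.image.lower()):
            out.append((src, dst))
    return out


def shadow_copy_deletions(procs: List[Proc]) -> List[int]:
    return [p.pid for p in procs if VSS_DELETE_RE.search(p.cmdline)]


def could_be_short_name(short: str, long: str) -> bool:
    # True if `short` (C:\Windows\DAKFJP~1.EXE) can be the 8.3 alias of `long`
    # (C:\Windows\dakfjprvnatu.exe): same directory and extension, and the part
    # before '~' is a prefix of the long stem. NTFS also strips spaces/dots and may
    # hash the stem, so this is a heuristic, not the real algorithm.
    sdir, sbase = ntpath.split(short)
    ldir, lbase = ntpath.split(long)
    sstem, sext = ntpath.splitext(sbase)
    lstem, lext = ntpath.splitext(lbase)
    if sdir.lower() != ldir.lower() or sext.lower() != lext.lower():
        return False
    if '~' not in sstem:
        return sstem.lower() == lstem.lower()
    return lstem.lower().startswith(sstem.split('~', 1)[0].lower())


def self_deletions(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(cmd.exe pid, ancestor pid) where `cmd /c DEL` names an ancestor's own
    image, i.e. a process arranging to remove its executable after it exits."""
    out = []
    for p in procs:
        m = DEL_RE.search(p.cmdline) if ntpath.basename(p.image).lower() == 'cmd.exe' else None
        if not m:
            continue
        for anc in ancestors(procs, p.pid):
            if could_be_short_name(m.group(1), anc.image):
                out.append((p.pid, anc.pid))
                break
    return out
```

Run against the constructed tree this yields the two hollowing pairs (2384 into 1296, 2784 into 752), the two WMIC shadow-copy deletions (772, 2480) and the two self-deletions (2792 removing 752's image, 3000 removing 1296's). The ancestor walk matters for the last check: the cmd.exe that deletes the sample is a grandchild of the loader instance, not a child, so comparing only against the direct parent would miss it.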
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize
9KB
MD5347ab51eb34f8c68d813ffb4489b3aba
SHA15b14b5904ce0b6346d4b68038f45db618c8ebce5
SHA25676283b752b08a3b081494f6a9993748e8c68f4b26817c7a94d5a0b5554474a85
SHA512751852e41fe519e5011c1f8df6d58fe48b0878d1854fcde3fdbda97f0c6dde1a7d1f062483747f03267666f32227b2db989cc4e338a314a9d19794e510b8183b
-
Filesize
63KB
MD575eee0569e25e9ae9f452ef29ef0d08e
SHA129fc0f471596fe2c0cd9cbfa83ebd60f2ba0d9dc
SHA25698f1e93cb96d95013c3d837f568b17c76ac4b7ad99d55bb70777cd305fa21051
SHA51271e62ab4245e08709858763804130884a7aa4edc4de4bd23fc1f6f3f42471e059e5699be8451645b83fc13d1df0c1b13fce13bf88dd1db9128753a07790dd05e
-
Filesize
1KB
MD5de745cf681a6d79663d1a122cd2a8e56
SHA1eb28f46e53c30246a2c7513d38e717e506816a11
SHA25673d7ce7b5e4da05cc56e4a6199cd9b5254c9d415bde40111209fad5892353bc2
SHA51291f8465b1965ff0de69cb153e42f0e5345641e0e6f2fed6cbaef94f80d03e6807817d5040073176792b0956a1e91d79ba72a18b49308ac7c142a4474092f5754
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize
11KB
MD5
2ed304b9347d3f41c4ccc6542e3c2461
SHA1
306742e1b8628df74f3f226e2b07fb89747b9674
SHA256
3ecb17e7a85c8e92d8dc7348c4cff032aef746b3ba3ec0a823eb94374e6a51ce
SHA512
b85c56bef0ec8184c97dce42b7a13478f048f082475105f98290849d3b211d536105ad2d33c0cc4db49e75734fa3ca3144e532bbde80671a6945e7c7db1f90b3
-
Filesize
109KB
MD5
d9960cad9463342570a870740e49ae89
SHA1
a5e41c3662b8ced534d74b2993f060b35b937875
SHA256
1f8c5994dd63eadd802bdd9b191e0e457e42f68d78edd27414cb9f001dbf32d0
SHA512
cce443884ad552724ecd179955dfe3d30bd6670933c36509d4ab25b0e8fe50a0334c8364107f9045ebc3df5417b4e092d30e85b58c99beeaf866b4547626ecfc
-
Filesize
173KB
MD5
85700501b4b9adb4eabbf7968085fbc8
SHA1
e102152df4c3cbd3204c8393f2bcb8b777555239
SHA256
de88c50036f8443a4b829f7d43c01a4af29b8e53f4f684174d827de9edd4bb2c
SHA512
4da822de7edeb78b9993908b7f3fec4e28c420ea2ea27fdfa0f21c246ee2e78ebd4c27467684c45ef0eca65823a2904507344c414fcf020d8e01ffed26ba58c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
3b2d6281fdea7dbd078ddb77b6260a7a
SHA1
1a2fde30593cdb59d158854625d2c255c2af29de
SHA256
d32aed0b40b292a7c3d4b1f68466b3d1afe8d37cc4ebdd9d83927591aff7009d
SHA512
a9a23e0e24f41c5195646e84e5f4608b24ba365ff6344cec0add84f28bac3909a32ecfddd0fbe0d78cdde6d1c940b4c19d4dc085a19a9c0c97a977052528b841
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
90fa67d36864c25a3e6b4132d064240e
SHA1
d3dd8a757eb161a461d1529fed58d39c0445c6e2
SHA256
9d47cdab46524d5871983a28dbf1241f6a7dc7e887c94f77b11d02d4e045da8b
SHA512
0bd9ee52185f08827dcea291a12f145e6318404e49bab910b373d7177842840c9802e491de039b7c2f59a0f7f325b5c9ba5a9e47a4898cc039ffb39650adc95f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
c32e964daa07f70624181205b53b2c0d
SHA1
ccd82d9631adba2a1060210f5a1bed27b1ac0a45
SHA256
f3dcecd31d5eedb15894cc5e539331e94830206baf634b8ca5f0e257e2c9eea5
SHA512
98148fd4d666e0c7b7911ced82f82df13c794720f27e80c510097b170a9fdbc169c5a8eb3bc4f452fafb430a3d7e2a59e83487dbbbee25380f60956d85e6fac5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
5f43033b87140b0faba2252c29ebd98a
SHA1
96481ebab856993aa9a885b6d74f04ed2f997ad9
SHA256
54565f5f656be7e9db66894ec98de03cd980f77af7bb5c5dc5002188884af2fb
SHA512
a34b9f1883ff16bd3122363839176853ab1e32aaa22ce812c8e1c2b3a70be15de91b0daacd4780a54a344b7fb6b1ba0f439201fb301cc335b65d216c5474896b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
b7ecf78338fd0b503709287af1e9c4de
SHA1
1507ba155360fe4ac59b2f49697b3acec90bd215
SHA256
bed0be7c3328c4a242438ff9f682bb8b9ac6b9155e1387d8b4a94f9f7a012f3f
SHA512
211bb7213c74f0b212ef4b8690ec2798459fe4d32ef1bfdaba9111ad679be75ac674ce2875e660d3ddec7395353477ccf1b6ba2373f7dd55ec589f7833613570
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
091cc3b2208570ad28e93e836325d62e
SHA1
3a3da77f14747f5d486aa924e9802afb06d2897e
SHA256
649428e555f253aa92af7bcb4285ea197483bcd738a31ad87ec3617a91b7ee19
SHA512
dba0658e4c5ecb97771758bc390af455b383fb5ab5c2642404b94f362f1732fed36e4426c0bba3fc9e7f6ed70efcce362c775a4ea23038be0e1d33dda3e186fc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
46c9525f92fe3d3b28e8e467157a4318
SHA1
b65c4742f03b3d875a92a6e62f4377ba860c4e2f
SHA256
9fdee33d38a4156441206fd91b6fc2a24a5c8ec13ddb2223628a097713be98ea
SHA512
47b0ab0431e005f952e82b95adfd62089fb567cc83b2f5efb0670f79d00fd055421ab4be35a72cbb13528379be519523dffbcd799db8bf81022e89194791dc99
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
1b4cc935f67631453d9aec838ceed3e5
SHA1
f4b8b6a9125a71b0f5d02f76f7811ebbe3447394
SHA256
7e1386a51a61b2bd4cd77a26f6af89a56078d878a89f1f5af3b910e7b5a53558
SHA512
d53f7be6600df58498ed33be2349efa3d952823dc603171d46045b552045e1c159fe64c3abfa57d81c42f12c88c9175189680d7b48a5e0ac59668a9eb67d4c5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
b8833f2fd4eb1a409ce845f3c6f476f4
SHA1
fdc5873dfec46b5d84b088ce40135eb6e555c1b6
SHA256
b33ce8c02dceb67d083c91785812f4a15aedfad2548aff5223776d6a59af0e35
SHA512
ed559fb7844bd7dcc32b6906e73bd30028e54c5edc3f0c3fb8f36244dca0f17f897fea18415f47d60120be9278d8b48e2ba78255813e17926f4e28b39787ecd5
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
371KB
MD5
76b0182e3dc2f368facd1446a78d2ae0
SHA1
6e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA256
3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512
e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a