Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2025, 10:31
Static task: static1
Behavioral task: behavioral1
  Sample: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
  Resource: win10v2004-20241007-en
General
Target: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Size: 371KB
MD5: c192a273a786b569df2056914faf8327
SHA1: 87f24f470d678deae2cade1d3fd12255e796c091
SHA256: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
SHA512: 8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427
SSDEEP: 6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.txt
Family: teslacrypt
Payment-page URLs from the ransom note (three clearnet hosts plus one Tor hidden service; the identical 16-hex-digit path on all four is the per-victim identifier, so it is the value to pivot on, while the subdomain labels are throwaway):
http://yyre45dbvn2nhbefbmh.begumvelic.at/7D9EEAD73E82E178
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7D9EEAD73E82E178
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7D9EEAD73E82E178
http://xlowfznrg4wf7dli.ONION/7D9EEAD73E82E178
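As an added example (this is not code from the sandbox or the report), the following Python turns the extracted config above into indicators a responder can act on: it parses each note URL, extracts the 16-hex-digit victim ID from the path, checks that every URL carries the same ID, and separates Tor hosts from clearnet hosts. The four URLs are copied from the report; the registrable-domain derivation is a deliberate simplification (last two DNS labels, no public-suffix list) and is labelled as such in the code.

```python
"""Extract pivotable indicators from a TeslaCrypt note/config (added example).

The URLs below are copied from the sandbox report; nothing else here comes
from it. Registrable-domain derivation is a deliberate simplification (last
two DNS labels, no public-suffix list): right for these four hosts, wrong
for e.g. *.co.uk.
"""
import re
from urllib.parse import urlsplit

EXTRACTED_URLS = [
    "http://yyre45dbvn2nhbefbmh.begumvelic.at/7D9EEAD73E82E178",
    "http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7D9EEAD73E82E178",
    "http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7D9EEAD73E82E178",
    "http://xlowfznrg4wf7dli.ONION/7D9EEAD73E82E178",
]

# TeslaCrypt notes carry a 16-hex-digit victim identifier as the URL path.
VICTIM_ID_RE = re.compile(r"^/([0-9A-Fa-f]{16})/?$")


def parse_note_url(url):
    """Split one note URL into host, victim ID and Tor flag; None if the shape is wrong."""
    parts = urlsplit(url)
    m = VICTIM_ID_RE.match(parts.path)
    if parts.scheme not in ("http", "https") or not parts.hostname or not m:
        return None
    host = parts.hostname  # urlsplit lowercases this, so '.ONION' becomes '.onion'
    labels = host.split(".")
    return {
        "host": host,
        "victim_id": m.group(1).upper(),
        "tor": host.endswith(".onion"),
        # simplification: the last two labels stand in for the registrable domain
        "registrable": ".".join(labels[-2:]),
    }


def extract_indicators(urls):
    """Parse every URL, require one shared victim ID, and split hosts by network."""
    parsed = [p for p in (parse_note_url(u) for u in urls) if p]
    if len(parsed) != len(urls):
        raise ValueError("one or more URLs do not look like TeslaCrypt note URLs")
    ids = {p["victim_id"] for p in parsed}
    if len(ids) != 1:
        raise ValueError(f"victim ID differs between URLs: {sorted(ids)}")
    return {
        "victim_id": ids.pop(),
        "tor_hosts": sorted(p["host"] for p in parsed if p["tor"]),
        "clearnet_hosts": sorted(p["host"] for p in parsed if not p["tor"]),
        # block at the registrable level: the subdomain labels are disposable
        "block_domains": sorted({p["registrable"] for p in parsed if not p["tor"]}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_indicators(EXTRACTED_URLS), indent=2))
```

The ID check matters in practice: a note whose URLs disagree on the ID is either a different infection or a tampered note, and either way should not be merged into the same case record.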
Signatures

TeslaCrypt, AlphaCrypt
Ransomware family whose ransom notes imitated CryptoLocker. Its operators shut it down and published the master decryption key in 2016, which is why public decryptors exist for this family.

Teslacrypt family

Deletes shadow copies (3 TTPs)
Ransomware deletes Volume Shadow Copies and other backups to inhibit system recovery. Here it is done twice with "WMIC.exe shadowcopy delete /nointeractive" (PIDs 2484 and 2276), which is also why vssvc.exe shows up as a separate root process holding backup and restore privileges.

Renames multiple (407) files with added filename extension
Mass renaming with a new extension is the file-system footprint of an encryption run. Only the original names appear in the file-modification lists below; the renamed names are not shown in this report.

Deletes itself (1 IoC)
pid   process
2808  cmd.exe  ("/c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE", the 8.3 short name of the submitted sample)
Drops startup file (6 IoCs)
All six are copies of the ransom note (.png, .txt, .html) written by dakfjprvnatu.exe into the user's Startup folder, which is opened at every logon, and into Word's STARTUP folder. They are documents, not executables; persistence of the binary itself is the Run key below.
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.png  (dakfjprvnatu.exe)
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.txt  (dakfjprvnatu.exe)
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.html  (dakfjprvnatu.exe)
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.png  (dakfjprvnatu.exe)
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.txt  (dakfjprvnatu.exe)
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.html  (dakfjprvnatu.exe)
Executes dropped EXE (2 IoCs)
pid   process
3016  dakfjprvnatu.exe
2624  dakfjprvnatu.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often read stored browser data, which can include saved credentials. The report lists no file-level IoCs for this signature, so treat it as a behavioural hint rather than confirmed theft.

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\gihrktiqxohc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dakfjprvnatu.exe\""  (dakfjprvnatu.exe)
The value name is random and the binary is launched through cmd.exe /c start, so after a reboot the ransomware's parent is cmd.exe rather than explorer.exe. Hunt on the value data (a Run entry whose data is cmd.exe /c start pointing at a binary in the Windows root), not on the value name.

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by their intrusion activity. Here both the submitted sample and the dropped copy are removed with cmd.exe /c DEL (PIDs 2808 and 2036), each using the target's 8.3 short name.

Suspicious use of SetThreadContext (2 IoCs)
PID 2524 set thread context of 2852  e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe  (procid_target 31)
PID 3016 set thread context of 2624  dakfjprvnatu.exe  (procid_target 35)
In both cases the target is a freshly spawned copy of the caller's own image that the caller also wrote into (see WriteProcessMemory below). That is the standard process-hollowing sequence, and it is why almost all file-system and registry activity is attributed to the second instance of each image (2852 and 2624) rather than the first.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by dakfjprvnatu.exe; 64 is the report's per-signature display cap, not the true total. Entries named _RECoVERY_+iwxag.{txt,html,png} are ransom-note drops, one set per directory walked. The remaining entries are pre-existing files rewritten in place, which is the encryption step behind the "Renames multiple files" signature above.
C:\Program Files\Microsoft Games\Hearts\es-ES\_RECoVERY_+iwxag.html
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_RECoVERY_+iwxag.txt
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_RECoVERY_+iwxag.html
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js
C:\Program Files\Java\jre7\lib\cmm\_RECoVERY_+iwxag.txt
C:\Program Files\VideoLAN\VLC\locale\sr\_RECoVERY_+iwxag.html
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js
C:\Program Files\MSBuild\_RECoVERY_+iwxag.html
C:\Program Files\Java\jre7\bin\_RECoVERY_+iwxag.png
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_RECoVERY_+iwxag.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png
C:\Program Files\Windows Sidebar\es-ES\_RECoVERY_+iwxag.txt
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_RECoVERY_+iwxag.png
C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_RECoVERY_+iwxag.html
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png
C:\Program Files\Microsoft Games\Mahjong\_RECoVERY_+iwxag.txt
C:\Program Files\Common Files\System\msadc\fr-FR\_RECoVERY_+iwxag.png
C:\Program Files\Java\jdk1.7.0_80\db\bin\_RECoVERY_+iwxag.png
C:\Program Files\Windows Photo Viewer\it-IT\_RECoVERY_+iwxag.txt
C:\Program Files\7-Zip\Lang\de.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_RECoVERY_+iwxag.txt
C:\Program Files\VideoLAN\VLC\locale\cs\_RECoVERY_+iwxag.png
C:\Program Files\VideoLAN\VLC\locale\it\_RECoVERY_+iwxag.txt
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\_RECoVERY_+iwxag.png
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png
C:\Program Files\Microsoft Office\Office14\1033\_RECoVERY_+iwxag.png
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_RECoVERY_+iwxag.png
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_RECoVERY_+iwxag.html
C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\_RECoVERY_+iwxag.html
C:\Program Files\7-Zip\Lang\mn.txt
C:\Program Files\Common Files\Microsoft Shared\VSTO\_RECoVERY_+iwxag.html
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png
C:\Program Files\VideoLAN\VLC\locale\cy\_RECoVERY_+iwxag.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png
C:\Program Files\7-Zip\Lang\fr.txt
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_RECoVERY_+iwxag.png
C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_RECoVERY_+iwxag.png
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\_RECoVERY_+iwxag.png
C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png
C:\Program Files\Windows Defender\en-US\_RECoVERY_+iwxag.html
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_RECoVERY_+iwxag.html
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css
C:\Program Files\Reference Assemblies\Microsoft\_RECoVERY_+iwxag.html
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_RECoVERY_+iwxag.txt
C:\Program Files\Java\jre7\lib\cmm\_RECoVERY_+iwxag.html
C:\Program Files\VideoLAN\VLC\locale\en_GB\_RECoVERY_+iwxag.txt
C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_RECoVERY_+iwxag.html
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_RECoVERY_+iwxag.txt
C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_RECoVERY_+iwxag.txt
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css
C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+iwxag.html
C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_RECoVERY_+iwxag.png
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png
C:\Program Files\Windows Journal\_RECoVERY_+iwxag.png
C:\Program Files\Windows NT\Accessories\ja-JP\_RECoVERY_+iwxag.txt
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_RECoVERY_+iwxag.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt
C:\Program Files\VideoLAN\VLC\locale\es\_RECoVERY_+iwxag.html
Drops file in Windows directory (2 IoCs)
File created                  C:\Windows\dakfjprvnatu.exe  (e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe)
File opened for modification  C:\Windows\dakfjprvnatu.exe  (e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe)
A randomly named executable written directly into the Windows root (not System32) is itself a useful hunting condition: legitimate installers rarely do this.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage and optical drives; for ransomware this is the drive enumeration that precedes the file walk.

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather the system language of the victim in order to infer the geographical location of the host. All nine hits are opens of the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by:
dakfjprvnatu.exe (x2), e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe (x2), cmd.exe (x2), IEXPLORE.EXE, NOTEPAD.EXE, DllHost.exe
Ordinary Windows processes (Internet Explorer, Notepad, cmd.exe, DllHost) read this key too, so only the reads by the sample and its dropped copy carry any weight, and on its own this signature is not a detection.
Modifies Internet Explorer settings (iexplore.exe 960, IEXPLORE.EXE 612)
All keys below are under \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\ and are written by the browser itself. This is Internet Explorer's own first-run housekeeping, triggered because the ransomware opened the HTML ransom note (RECOVERY.HTM) in it; it is not a setting changed by the malware. The two long values are DPAPI-protected blobs.
Key created       Recovery\AdminActive  (iexplore.exe)
Set value (str)   Main\WindowsSearch\Version = "WS not running"  (IEXPLORE.EXE)
Set value (data)  TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067ce3b9ae31c06448aecca112942c74100000000020000000000106600000001000020000000c1398c9852ce5b2702acb833b176979bdd9e698d3e893dcc410cb76a98abc3e3000000000e8000000002000020000000c3958ddce38f5166673ba61a3be5555c8b064feda783875aaf32fc34264132449000000027ef45f4083614070f699da1cf26724c5cf33ba5a53a76481cbee1cf11ebf45d52185768897a4655ad37664ef9e08cfb7c10657ccec097f8418435afd8dff0a48b500bf7b39b1318ad952e6532a99223311aac09a890b0a34b289a735a8375983e365262bca72163b3155d894e3506b752b8e6ab51aae9eecdd247ac4038ee936a4dabfe39fab6c5b91f010daf8a96a240000000945e32998807ce97917c7fce273408cf2cf7a92d85e582bda893cd3fd494ed8b41a7daf1b9bf22f3501318ea3669d1f5fbed196a3a200364d8bc19fac7a83ef4  (iexplore.exe)
Set value (str)   Main\WindowsSearch\Version = "WS not running"  (iexplore.exe)
Key created       Main  (IEXPLORE.EXE)
Set value (int)   Recovery\PendingRecovery\AdminActive = "0"  (iexplore.exe)
Key created       TabbedBrowsing  (iexplore.exe)
Key created       TabbedBrowsing\NewTabPage  (iexplore.exe)
Key created       LowRegistry\DOMStorage  (iexplore.exe)
Key created       PageSetup  (iexplore.exe)
Key created       Main\WindowsSearch  (iexplore.exe)
Set value (str)   Main\FullScreen = "no"  (iexplore.exe)
Set value (int)   Recovery\PendingRecovery\AdminActive = "1"  (iexplore.exe)
Set value (int)   TabbedBrowsing\NTPFirstRun = "1"  (iexplore.exe)
Key created       IETld\LowMic  (iexplore.exe)
Key created       InternetRegistry  (iexplore.exe)
Key created       LowRegistry  (iexplore.exe)
Key created       Toolbar\WebBrowser  (iexplore.exe)
Key created       Zoom  (iexplore.exe)
Key created       Recovery\PendingRecovery  (iexplore.exe)
Key created       Main  (iexplore.exe)
Key created       LowRegistry\DontShowMeThisDialogAgain  (iexplore.exe)
Set value (int)   Recovery\AdminActive\{18C3A631-D7E3-11EF-BBD1-D686196AC2C0} = "0"  (iexplore.exe)
Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067ce3b9ae31c06448aecca112942c74100000000020000000000106600000001000020000000ac890e27908ca7f6900e03a13697bcaed096bc0d6e19581771b1b0140dedf527000000000e8000000002000020000000a0ac1fe336adc37f55db889cce2cc70242d417c4a4e9b179ad464dc12b19592f20000000bde36abe7964de1b2e6f2680a701cf3a9ffb2557d3dcaa0676cdf008a62f2cb4400000007fa569cfa189e0d363fbe02de0b64048eb5642e817600c142347819c1e247a8e27784ad50749713b0283a12d083bccc7a07e019f7ea28d03eaf0f51fbe7a6b1c  (iexplore.exe)
Key created       BrowserEmulation\LowMic  (iexplore.exe)
Key created       Main\WindowsSearch  (IEXPLORE.EXE)
Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = c0cc38edef6bdb01  (iexplore.exe)
Key created       IntelliForms  (iexplore.exe)
Key created       Toolbar  (iexplore.exe)
Set value (int)   SearchScopes\DownloadRetries = "2"  (iexplore.exe)
Key created       GPU  (iexplore.exe)
Set value (int)   Main\CompatibilityFlags = "0"  (iexplore.exe)
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  (iexplore.exe)
Key created       SearchScopes  (iexplore.exe)
Opens file in notepad (likely ransom note) (1 IoC)
pid   process
1968  NOTEPAD.EXE  (opened C:\Users\Admin\Desktop\RECOVERY.TXT, see the process tree)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process
2624  dakfjprvnatu.exe  (the same entry repeated 64 times; 64 is the report's per-signature cap, so the encrypting instance enumerated the process list at least that often)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege  2852  e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Token: SeDebugPrivilege  2624  dakfjprvnatu.exe
2484 WMIC.exe, two passes of the same 20 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
2940 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2276 WMIC.exe: the same sequence, cut off after 34 by the 64-entry cap
The numeric entries are privilege LUIDs the sandbox does not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege. WMIC enabling every privilege its token holds is its normal start-up behaviour, so the signal in this block is the two SeDebugPrivilege enables by the malware instances (needed for the hollowing/injection above) together with the shadowcopy delete command line, not the WMIC privilege list.
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   process
960   iexplore.exe
1868  DllHost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid   process
960   iexplore.exe  (x2)
612   IEXPLORE.EXE  (x2)
1868  DllHost.exe  (x2)
Both of these come from Internet Explorer and a DllHost.exe COM surrogate, not from the malware processes.

Suspicious use of WriteProcessMemory (52 IoCs)
Grouped as writer -> target (count, procid_target):
2524 e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe -> 2852 (same image)  (10, 31)
2852 e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe -> 3016 dakfjprvnatu.exe  (4, 32)
2852 e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe -> 2808 cmd.exe  (4, 33)
3016 dakfjprvnatu.exe -> 2624 (same image)  (10, 35)
2624 dakfjprvnatu.exe -> 2484 WMIC.exe  (4, 36)
2624 dakfjprvnatu.exe -> 1968 NOTEPAD.EXE  (4, 45)
2624 dakfjprvnatu.exe -> 960 iexplore.exe  (4, 46)
960 iexplore.exe -> 612 IEXPLORE.EXE  (4, 48)
2624 dakfjprvnatu.exe -> 2276 WMIC.exe  (4, 49)
2624 dakfjprvnatu.exe -> 2036 cmd.exe  (4, 51)
Four writes per child is what every ordinary process creation in this run produces (cmd.exe, WMIC.exe, Notepad, IE). The ten writes into a same-image child, paired with the SetThreadContext calls above, are the hollowing pattern and are the entries worth alerting on.
System policy modification (1 TTP, 2 IoCs)
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  (dakfjprvnatu.exe)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  (dakfjprvnatu.exe)
EnableLinkedConnections makes drive letters mapped under a user's standard token visible to processes running under the same user's elevated (UAC-split) token, and vice versa. Ransomware sets it so an elevated instance can reach mapped network shares that would otherwise be invisible to it. Outside deliberate admin-convenience configurations the value is seldom set, so a write of it by a non-installer process is a strong indicator on its own.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups and snapshots. Here it is driven through WMIC (the shadowcopy alias for Win32_ShadowCopy), and vssvc.exe is started on demand as a result.
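The file-event signatures above (Drops startup file, Drops file in Program Files directory, Drops file in Windows directory, and the 407 renames) are easiest to reason about when the raw rows are sorted into note drops, in-place rewrites and dropped binaries. The following Python is an added example, not sandbox code: FILE_EVENTS is a constructed subset of the report's rows in (operation, path, process) form, with the paths copied from the report; the note-name regex and the autostart-folder list are assumptions drawn from the names that appear on this page.

```python
"""Triage sandbox file events from a TeslaCrypt-style run (added example).

Not sandbox code. FILE_EVENTS is a constructed subset of the report's rows
in (operation, path, process) form; the paths are copied from the report.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = "e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
DROPPER = "dakfjprvnatu.exe"

FILE_EVENTS = [
    ("created", r"C:\Windows\dakfjprvnatu.exe", SAMPLE),
    ("modified", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+iwxag.txt", DROPPER),
    ("modified", r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+iwxag.html", DROPPER),
    ("modified", r"C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js", DROPPER),
    ("modified", r"C:\Program Files\Java\jre7\lib\cmm\_RECoVERY_+iwxag.txt", DROPPER),
    ("modified", r"C:\Program Files\7-Zip\Lang\de.txt", DROPPER),
    ("modified", r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak", DROPPER),
    ("modified", r"C:\Program Files\MSBuild\_RECoVERY_+iwxag.html", DROPPER),
    ("modified", r"C:\Program Files\Java\jre7\lib\cmm\_RECoVERY_+iwxag.html", DROPPER),
]

# Note name as seen in the report: fixed prefix, '+', five lowercase letters, three formats.
NOTE_RE = re.compile(r"^_RECoVERY_\+([a-z]{5})\.(txt|html|png)$")
# Folders Windows or Office act on at logon / application start (assumed list).
AUTOSTART_DIRS = (
    r"\microsoft\windows\start menu\programs\startup",
    r"\microsoft\word\startup",
)


def classify(operation, path):
    """Return (class, note_suffix) for one file event."""
    name = ntpath.basename(path)
    m = NOTE_RE.match(name)
    if m:
        in_autostart = any(d in ntpath.dirname(path).lower() for d in AUTOSTART_DIRS)
        return ("note_in_autostart" if in_autostart else "ransom_note", m.group(1))
    if operation == "created" and name.lower().endswith(".exe"):
        return ("dropped_binary", None)
    if operation == "modified":
        # A pre-existing non-note file rewritten by the malware: encrypted in
        # place, which is the activity behind 'Renames multiple files'.
        return ("encryption_candidate", None)
    return ("other", None)


def triage(events):
    """Bucket events and pull out the per-infection facts worth recording."""
    buckets = defaultdict(list)
    suffixes, note_dirs, writers = set(), set(), set()
    for operation, path, process in events:
        cls, suffix = classify(operation, path)
        buckets[cls].append(path)
        if suffix:
            suffixes.add(suffix)          # one value per infection; two means two runs
            note_dirs.add(ntpath.dirname(path))
            writers.add(process)          # which process actually wrote the notes
    return {
        "note_suffixes": suffixes,
        "note_count": len(buckets["ransom_note"]) + len(buckets["note_in_autostart"]),
        "note_dir_count": len(note_dirs),  # notes go into every directory walked
        "note_writers": writers,
        "autostart_notes": buckets["note_in_autostart"],
        "encryption_candidates": buckets["encryption_candidate"],
        "dropped_binaries": buckets["dropped_binary"],
    }


if __name__ == "__main__":
    for key, value in triage(FILE_EVENTS).items():
        print(f"{key}: {value}")
```

On a real host the same classification applied to the full file-event stream gives the directory coverage of the encryption run and a sweep glob (_RECoVERY_+<suffix>.*) for clean-up; the note_writers set also confirms that it is the dropped copy, not the submitted sample, that does the damage.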
Processes
Indentation shows parent/child depth. Where a command line names system32 but the image is in SysWOW64, the 32-bit malware asked for system32 and WOW64 file-system redirection substituted the 32-bit copy, consistent with the arch:x86 tag on the sample.

C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe  (PID 2524)
  command line: "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe  (PID 2852; target of 2524's SetThreadContext/WriteProcessMemory)
    command line: "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\dakfjprvnatu.exe  (PID 3016)
      command line: C:\Windows\dakfjprvnatu.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\dakfjprvnatu.exe  (PID 2624; target of 3016's SetThreadContext/WriteProcessMemory, and the instance that encrypts)
        command line: C:\Windows\dakfjprvnatu.exe
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\System32\wbem\WMIC.exe  (PID 2484)
          command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\NOTEPAD.EXE  (PID 1968)
          command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)

        C:\Program Files\Internet Explorer\iexplore.exe  (PID 960)
          command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 612; IE's normal 32-bit tab process)
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

        C:\Windows\System32\wbem\WMIC.exe  (PID 2276)
          command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe  (PID 2036)
          command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DAKFJP~1.EXE
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 2808)
      command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
      - Deletes itself
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe  (PID 2940; the VSS service, started on demand by the shadowcopy delete calls)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe  (PID 1868)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
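The process tree above is the part of this report that translates most directly into detection logic: two shadow-copy deletions, two self-deletions through 8.3 short names, two same-image children that were hollowed, two ransom-note viewers launched by the malware, a Run key written through cmd.exe /c start, and the EnableLinkedConnections write. The following Python is an added example (not sandbox code) that encodes those as rules over simplified Sysmon-style events. PROCESS_EVENTS and REGISTRY_EVENTS are constructed from the report (PIDs, images, command lines, key paths and values copied from it); the parent PID of the first process (1000) and the event schema are assumptions, and the 8.3 matcher only handles the common "first six characters plus ~N" form.

```python
"""Behavioural rules over the process tree and registry writes above (added example).

Not sandbox code. PROCESS_EVENTS and REGISTRY_EVENTS are constructed from the
report: PIDs, images, command lines, key paths and values are copied from it;
the simplified Sysmon-style tuple shape and the parent PID 1000 of the first
process are assumptions.
"""
import ntpath
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
DROPPED = r"C:\Windows\dakfjprvnatu.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SID = "S-1-5-21-312935884-697965778-3955649944-1000"

PROCESS_EVENTS = [  # (pid, ppid, image, command line)
    (2524, 1000, SAMPLE, f'"{SAMPLE}"'),
    (2852, 2524, SAMPLE, f'"{SAMPLE}"'),
    (3016, 2852, DROPPED, DROPPED),
    (2808, 2852, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE'),
    (2624, 3016, DROPPED, DROPPED),
    (2484, 2624, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    (1968, 2624, r"C:\Windows\SysWOW64\NOTEPAD.EXE", r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    (960, 2624, r"C:\Program Files\Internet Explorer\iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM'),
    (2276, 2624, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    (2036, 2624, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DAKFJP~1.EXE'),
]

REGISTRY_EVENTS = [  # (pid, key, value name, data)
    (2624, "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", "gihrktiqxohc",
     r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\dakfjprvnatu.exe"'),
    (2624, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLinkedConnections", "1"),
]

SHADOW_DELETE_RE = re.compile(r"\b(?:wmic(?:\.exe)?\b.*\bshadowcopy\s+delete|vssadmin(?:\.exe)?\b.*\bdelete\s+shadows)", re.I)
CMD_DEL_RE = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+del\s+(\S+)', re.I)  # unquoted paths only (8.3 names have no spaces)
RUN_VIA_START_RE = re.compile(r"\bcmd\.exe\s+/c\s+start\b", re.I)
NOTE_VIEWERS = {"notepad.exe", "iexplore.exe", "wordpad.exe"}
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def short_name_matches(short_path, long_path):
    """True if short_path names the same file as long_path, allowing a DOS 8.3
    alias such as DAKFJP~1.EXE for dakfjprvnatu.exe. Only the common
    '<first six chars>~N' form is handled; NTFS may hash the stem on
    collisions, which this deliberately ignores."""
    if ntpath.dirname(short_path).lower() != ntpath.dirname(long_path).lower():
        return False
    short, long_ = ntpath.basename(short_path).upper(), ntpath.basename(long_path).upper()
    if short == long_:
        return True
    m = re.match(r"^([^~.]{1,6})~\d+(\.[^.]{0,3})?$", short)
    return bool(m) and long_.startswith(m.group(1)) and long_.endswith(m.group(2) or "")


def detect(process_events, registry_events):
    """Return findings as (rule, pid, detail) tuples."""
    by_pid = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in process_events}
    findings = []
    for pid, ppid, image, cmdline in process_events:
        base = ntpath.basename(image).lower()
        parent = by_pid.get(ppid)
        parent_image = parent[1] if parent else ""
        parent_base = ntpath.basename(parent_image).lower()

        if SHADOW_DELETE_RE.search(cmdline):
            findings.append(("shadow_copy_deletion", pid, cmdline))

        m = CMD_DEL_RE.search(cmdline)
        if m and parent and short_name_matches(m.group(1), parent_image):
            findings.append(("self_deletion", pid, f"cmd child of {ppid} deletes its parent's image {m.group(1)}"))

        # A process spawning a second copy of its own image is how the report's
        # SetThreadContext/WriteProcessMemory pairs (2524->2852, 3016->2624) begin.
        # Browsers and updaters do this legitimately; weight it with those signals.
        if parent and parent_image.lower() == image.lower():
            findings.append(("same_image_child", pid, f"spawned by {ppid} with identical image"))

        # Ransom-note display: a document viewer launched by something that is not a user shell.
        if base in NOTE_VIEWERS and parent and parent_base not in SHELL_PARENTS:
            findings.append(("note_display", pid, f"{base} launched by {parent_base} ({ppid})"))

    for pid, key, name, data in registry_events:
        if key.lower().endswith(r"\currentversion\run") and RUN_VIA_START_RE.search(data):
            findings.append(("run_key_via_cmd_start", pid, f"{name} = {data}"))
        if name.lower() == "enablelinkedconnections" and str(data) == "1":
            findings.append(("linked_connections_enabled", pid, key))
    return findings


def summarize(findings):
    """Rule -> hit count, for scoring or for asserting on in tests."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for finding in detect(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(*finding)
```

Each rule on its own has benign hits (admins run vssadmin, browsers spawn same-image children, installers delete themselves); the value is in the combination on one process lineage, which is why the findings carry the PID so they can be joined back to the tree.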
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Files captured during the run. Entries that carry no path are listed by size and hash only, as in the report.

Filesize: 9KB
MD5: 6e98ff45af9debf65e650c57264b57dd
SHA1: 3683a07bfb4c8a6e22b6c48f34638df4689c39cc
SHA256: 7a40c5faa97ff9711bbc04f1a3e599feba2acd7463750cfc37672fabb977908c
SHA512: 119759b74cc0d5fcbf74098d5987526ace8cc17d6a2dc1200e64db8d52b0448be89282fa4c56b132fc93d25db208d994f7fd136f1a3d8069a36dec802f7c2d6b

Filesize: 63KB
MD5: 5507478787300d5792e4acc0c9109eb1
SHA1: 97bd372bd1f8541fa7c2d41ec09a941d5fb2e4bc
SHA256: 1a60ea2a52068d34c2b85f5c89c382d2707633a8489e194ca34c5e22cb703d2c
SHA512: 15cbe3a4a933cdb92904455486d4dd638f36f5a0068960b7c88f768d8fbfcd8fc171eae52a8d09ed98e6e9b7b5bd7c699e6ca7c2cbd97c3f048f72db92ba944e

Filesize: 1KB
MD5: 8cedab90a35f61beb9ed807d7beb3933
SHA1: d96b5dd1da396ad1c68a0089ae03486dd6f45549
SHA256: 628f79a04ecc08c8e5980fa18fa0bdd00b2e18bd21c6ee58a2d194747c38a4f2
SHA512: 56b6f5f710acc66c753a17c00e989031235b988c463c91d9792e99ab191b9d79caa89c78ed873b78de6bfe71d651c72f9d835c1ec78e96d21cc917e25690ec8a

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize: 11KB
MD5: 08b38ddfb697c96a1db6954227a8a071
SHA1: 4d6aa353f1c02317c0e6bdee72daf0ad5cfb4eff
SHA256: 8075f164169a0cc585509413ab5c572fa7ffb4fcb87d4be681136333a5fe8cf0
SHA512: c4749c85df8391bfaa6274436d1d6e108c4ca7914430d87226b94011636b9307d75edd7ea8631ca444ee58e1034c16523637333cefbf758d91f1411e8b1b1507

Filesize: 109KB
MD5: 26de235f316342e366b49325832bb4ff
SHA1: cb1d5836da5455bb5d9e1aa679773e93ad039250
SHA256: 634a4b7f056e13aab793e2c7b97bf207ec769bdcf86cd80c6e3a418565405083
SHA512: 50762ea167743e0a88eee8f320c05870bde779521a249ef7fcd8950cb57363f83c621916acc19e567fbd150291ee4a9365717b3e913c3e11fed30789a0402486

Filesize: 173KB
MD5: 55c7030e0c3e8b833d1856666ecc8f47
SHA1: 6451c3dd5534c055772d713e3583ccfb0a6899ea
SHA256: bfeac4a036d4026b22539102ced8fc90e58834110d43e43c6216ec328b1d4ff0
SHA512: 6d57fd415756a77fe5e0c137750adb6f71ea40ffacf2582330f7cce1eecb6385446ddb06a7799f5f39654efef10469265be8650954f93fdbadcf3c05e39e2e67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fe435f082a4419d0e289e1ddbcd2733d
SHA1: 2b47bba86440e8ef6f139285e05ca5e6f1cee2de
SHA256: de4ba4a8e4d6c4af20ea8da04c81ba9f566683cebcbb7143cd1f2f82dc5f7d3d
SHA512: 917a77440cff07e3e97f6eaa20756eb29adedb400d7fe63a390ea877e817ad5b3b50d447f98dafbd43a3d68c29ba4721be3f3c45f11fa8accdfae6fae700a1b8
CryptnetUrlCache is the CryptoAPI cache for certificate chain and revocation fetches; this entry is a side effect of Internet Explorer being launched to show the HTML note, not a malware artefact, and should not be added to IoC lists.
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d1ca8c59d324ccba7d577bee0a2c31b0
SHA164b9dd540926650a50f628f96883509643bb7fc1
SHA256da9289b38e518e97e1a43595f3bdcb216ad4fa3ad613bf662e88a7834e59b777
SHA51269c06a1835e233b8b1115cbd03b96946553d45503c10555d00c80e551b995f31ed7ee7046e5c4e69eccf6b6151b916eae29d603f7c2ab7c11912b7978b28c730
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a708888e6d6ef7dae59442628c1eb058
SHA15664d3e1ba29bfce199cd971c1eda6893f2f9ff5
SHA25655eefe3713f72c1a82874d6c8fb311bee4dccbf82f0f50d58da15fba1cd5eb75
SHA5127657ae1c3d587a79b6cf5401bca5dcb2b6514c9d245ea7a0cc8881efd54cd6c0a20c7bb5ce9fd4ce60ca6d1e48b92c9a5f2df59d4071a298c47909d430fa8533
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53c683d9d3d5be5cd8698d80a5f6dce48
SHA1c3623b1a4c3ad759b170743964ba8cb87601fe51
SHA256baa711998e653c53ee4bbfbcab91d98927f113c4647f20cd6c6660016a28142c
SHA512e28c0216718b85907178e02424913f770d353bf90ffff52b9bd1bf9901342f6fda94ac2fc34c4c6781b002526a4c4d6f5ed3bd0939eb6d79d4a8a90b29173f35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ff22968790aeb64a3eaba63f859e468c
SHA1cab1fea81419de44a22ebd299eb319470ea0048f
SHA256050675599a0c07b2036e550503bbf21d5f570d3b6732a0e995db47a8ddfd53ab
SHA51250f740c65f4deb346c392f9c72daeaa6411bcccc021d9ab574f26588786824e5fadfc9fce652911730d391d110307a9747ca1a92db1b634b0b942c09b66c7372
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51925c14efedf21a4ab81cf38facda4d1
SHA1f245045410e823f3f413c388dd89491ec871efc2
SHA256e1f73bc87f8bf05099b1408c3b9c230d58add1d5790ac7b4ab85fe7dd7a16199
SHA5123f0e491be742cc5963fa6c7f2ba90400bf889d55e235a25cb48a2803a00d8af2d0ce4cac5390d2bd2247e47e968165c5893f75634dcad67453a2890b8e5549cd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD538eb8cafb48b37771efe15f871eda110
SHA1612b56cbef014deae5a96098350b4a72d00cf7fb
SHA256d8f447594ce722412057031149c3f1f0b920f13daa5e01251661809063a85f1b
SHA5127e4bb3846ad308f7efcc09cdc41b9e39c741aedb537fa3337f7f66e88dad9e3a682c7bfc4c675228eb5eac9a9418c5562db9d4fb501e9785419169d881a5ee44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD560f8851c6feef5698cfe6b41d424a0be
SHA11d25e5f5d7599398174353e335d46dd396ba0cd6
SHA256dcc2c2ca81a45ee891b14b53e65c46016b69e0ef6c401f1b57467a88d20156bb
SHA512ec0e83fa31efab6746b2ff2da3ff79b9de0622eac6e0f304698120194caf393c94f7421f1d9588f7d7582c6ef056575a2de23bbd125882f424dc91247d662bec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a9458d1cc26cd9fd9628b986918f947d
SHA1d26c44e91741042ce43243a60dc1410f1663f922
SHA25634624ea4414dce88fb05f565395ba4fdc38e1e7c6efb1f4ffc79c0bbb866ffae
SHA5125361553bbfd9881dee0adc27101d48988eb3df4188809e670640ab35a08e0719583740b8a81ddc15c7f8a9be60f73460dd3610284cf81810f9a7d7889605e489
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
371KB
MD5c192a273a786b569df2056914faf8327
SHA187f24f470d678deae2cade1d3fd12255e796c091
SHA256e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
SHA5128e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427