b6ae167bc7a98a16120698f2f11452449118662dd3f1cc88e6ef7286465b45ca

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2025, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Videos/crypt154.exe
Size

728KB
MD5

ee91aeacff16d4ef5fe74b7252291665
SHA1

88adb2573e183e44babf88005298cab9a9901d2d
SHA256

ea585b7e84b67e8170b76f87115c0fc8423fe6d7184db32ba32b5bfc155e2b34
SHA512

d12cf47211a38fe595d855fe336f30946a0a76a4a559e0430e212f68601cd28cab63ffd4acd04c76f4f83950ad2261efb49dff6a2b03fd2aaa4617bc49b1b8a4
SSDEEP

12288:R/7tmBxTq87Rro7jx0/O2EbiJtzhCg3sph0lhSMXliuqJTJRg9J:RztmTqwRrSjx0/OpiDhdSh0lhSMXltqe

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\READ_NOTE.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">VGqXnw92/n+gwzXc6TSfWJkO/eTGlFLp4aMjMDTZpIeurAJ1wbDy6M4SfZgn5XThgG4lUBVJHqXUJCL7Td9qkMVb1RQdY2TaQY3naw1LerWPesq8gRZpzSdq8BS07KN/mzsYFCh3mesmgbpmrysX8Hxj9XJ4tLeJfQQa7j5yX+AG8w0gghTnjf8tP5ZPPEk6am+OCkReywL5BfIO858IIsNTqFZP5waUmp4g+t21GEhSLjf8obrNY1HrqJMneAhbjch5mLu4HTIE7Iuo+9qHEyWZkjDuTWDVbu5oYoCEjFbWrc8U8ZYLEHyoYgG3IhhcscunEW/W6LRC0xnGDIiFgQ==�</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4232 created 3400	4232	crypt154.exe	56

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
512	bcdedit.exe

Renames multiple (4572) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3436	wbadmin.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
39	2084	Process not Found
69	1924	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Videos\\crypt154.exe\""	crypt154.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	crypt154.exe
File opened (read-only)	\??\P:	crypt154.exe
File opened (read-only)	\??\R:	crypt154.exe
File opened (read-only)	\??\W:	crypt154.exe
File opened (read-only)	\??\B:	crypt154.exe
File opened (read-only)	\??\E:	crypt154.exe
File opened (read-only)	\??\N:	crypt154.exe
File opened (read-only)	\??\Z:	crypt154.exe
File opened (read-only)	\??\Z:	crypt154.exe
File opened (read-only)	\??\I:	crypt154.exe
File opened (read-only)	\??\K:	crypt154.exe
File opened (read-only)	\??\E:	crypt154.exe
File opened (read-only)	\??\I:	crypt154.exe
File opened (read-only)	\??\O:	crypt154.exe
File opened (read-only)	\??\X:	crypt154.exe
File opened (read-only)	\??\Y:	crypt154.exe
File opened (read-only)	\??\R:	crypt154.exe
File opened (read-only)	\??\V:	crypt154.exe
File opened (read-only)	\??\U:	crypt154.exe
File opened (read-only)	\??\H:	crypt154.exe
File opened (read-only)	\??\M:	crypt154.exe
File opened (read-only)	\??\M:	crypt154.exe
File opened (read-only)	\??\O:	crypt154.exe
File opened (read-only)	\??\T:	crypt154.exe
File opened (read-only)	\??\F:	crypt154.exe
File opened (read-only)	\??\A:	crypt154.exe
File opened (read-only)	\??\X:	crypt154.exe
File opened (read-only)	\??\Y:	crypt154.exe
File opened (read-only)	\??\B:	crypt154.exe
File opened (read-only)	\??\H:	crypt154.exe
File opened (read-only)	\??\J:	crypt154.exe
File opened (read-only)	\??\Q:	crypt154.exe
File opened (read-only)	\??\P:	crypt154.exe
File opened (read-only)	\??\W:	crypt154.exe
File opened (read-only)	\??\S:	crypt154.exe
File opened (read-only)	\??\G:	crypt154.exe
File opened (read-only)	\??\G:	crypt154.exe
File opened (read-only)	\??\U:	crypt154.exe
File opened (read-only)	\??\S:	crypt154.exe
File opened (read-only)	\??\K:	crypt154.exe
File opened (read-only)	\??\L:	crypt154.exe
File opened (read-only)	\??\N:	crypt154.exe
File opened (read-only)	\??\T:	crypt154.exe
File opened (read-only)	\??\V:	crypt154.exe
File opened (read-only)	\??\L:	crypt154.exe
File opened (read-only)	\??\Q:	crypt154.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org
25	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\Desktop\Wallpaper = "\\\\?\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Videos\\output.bmp"	crypt154.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-250.png	crypt154.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\READ_NOTE.html	crypt154.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-white.png	crypt154.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\READ_NOTE.html	crypt154.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Canary.msix	crypt154.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.en-us.msi.16.en-us.vreg.dat	crypt154.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl	crypt154.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	crypt154.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\READ_NOTE.html	crypt154.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js	crypt154.exe
File created	C:\Program Files (x86)\Common Files\System\ja-JP\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	crypt154.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\3DViewerProductDescription-universal.xml	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png	crypt154.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\FeatureStaging-SnipAndSketch.xml	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\resources.pri	crypt154.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_duplicate_18.svg	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main-selector.css	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_listview_18.svg	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\playstore.png	crypt154.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nl.pak	crypt154.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\PREVIEW.GIF	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\3DViewerProductDescription-universal.xml	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-150.png	crypt154.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\READ_NOTE.html	crypt154.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\READ_NOTE.html	crypt154.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\ui-strings.js	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\upsell-2x.png	crypt154.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf	crypt154.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-black.png	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\ui-strings.js	crypt154.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar310x150.png	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-200_contrast-white.png	crypt154.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js	crypt154.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	crypt154.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\ui-strings.js	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	crypt154.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-150.png	crypt154.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML	crypt154.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-150.png	crypt154.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\ui-strings.js	crypt154.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.Tests.ps1	crypt154.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WMSysPr9.prx	crypt154.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\READ_NOTE.html	crypt154.exe
File opened for modification	C:\Windows\bootstat.dat	crypt154.exe
File opened for modification	C:\Windows\mib.bin	crypt154.exe
File opened for modification	C:\Windows\Professional.xml	crypt154.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
432	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	crypt154.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	crypt154.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	crypt154.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	crypt154.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3868	vssadmin.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1318997816-2171176372-1451785247-1000\{9EAE348C-AD7E-4EEC-9364-CD3F53D85129}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe
4232	crypt154.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: 36	1204	WMIC.exe
Token: SeBackupPrivilege	3236	vssvc.exe
Token: SeRestorePrivilege	3236	vssvc.exe
Token: SeAuditPrivilege	3236	vssvc.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe
Token: SeShutdownPrivilege	1456	explorer.exe
Token: SeCreatePagefilePrivilege	1456	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2168	4232	crypt154.exe	89
PID 4232 wrote to memory of 2168	4232	crypt154.exe	89
PID 4232 wrote to memory of 2168	4232	crypt154.exe	89
PID 4232 wrote to memory of 4940	4232	crypt154.exe	90
PID 4232 wrote to memory of 4940	4232	crypt154.exe	90
PID 4232 wrote to memory of 4940	4232	crypt154.exe	90
PID 4232 wrote to memory of 4608	4232	crypt154.exe	91
PID 4232 wrote to memory of 4608	4232	crypt154.exe	91
PID 4232 wrote to memory of 4608	4232	crypt154.exe	91
PID 4232 wrote to memory of 3392	4232	crypt154.exe	92
PID 4232 wrote to memory of 3392	4232	crypt154.exe	92
PID 4232 wrote to memory of 3392	4232	crypt154.exe	92
PID 2168 wrote to memory of 3924	2168	cmd.exe	93
PID 2168 wrote to memory of 3924	2168	cmd.exe	93
PID 4608 wrote to memory of 1412	4608	cmd.exe	94
PID 4608 wrote to memory of 1412	4608	cmd.exe	94
PID 4940 wrote to memory of 4760	4940	cmd.exe	97
PID 4940 wrote to memory of 4760	4940	cmd.exe	97
PID 3392 wrote to memory of 4900	3392	cmd.exe	98
PID 3392 wrote to memory of 4900	3392	cmd.exe	98
PID 4760 wrote to memory of 3436	4760	cmd.exe	99
PID 4760 wrote to memory of 3436	4760	cmd.exe	99
PID 3924 wrote to memory of 3868	3924	cmd.exe	100
PID 3924 wrote to memory of 3868	3924	cmd.exe	100
PID 1412 wrote to memory of 1204	1412	cmd.exe	101
PID 1412 wrote to memory of 1204	1412	cmd.exe	101
PID 4900 wrote to memory of 512	4900	cmd.exe	102
PID 4900 wrote to memory of 512	4900	cmd.exe	102
PID 4232 wrote to memory of 3112	4232	crypt154.exe	107
PID 4232 wrote to memory of 3112	4232	crypt154.exe	107
PID 3112 wrote to memory of 1768	3112	crypt154.exe	110
PID 3112 wrote to memory of 1768	3112	crypt154.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe
  "C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:512
- C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe -network -skip_misc
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0RCNEIyOUYtRjJDMC00NzA3LUI3RDQtNDVFQ0Y3NTAwRjZFfSIgdXNlcmlkPSJ7MTNGNjMyNDctMDZDMy00NkI0LThEOUUtODU0REZBNzc5MzdEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDM2Mzc3MkEtNTRCOS00MDQyLUI2RTYtQ0RGMzNBOUNDNEJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzk4NTAxNjkwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:432

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\READ_NOTE.html

Filesize
3KB

MD5
977a5ee3a4717d28b01a94745fad558c

SHA1
abe0ae00a91f378ffb765a20cff240c98ab05ca0

SHA256
1cf2deec24c2111ce217e83f884e13942651096bd23e0745e257cf1fcaa8305a

SHA512
729b66f59e678d9b95c983199cd43a43c67ff4a4e48641561c130a108c9931e7b8391a1ba11504ce6a2b1af74db55497dbdcffae4474a54c006cea19e38cc42a

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\Mu\Content.DATA.crypt154

Filesize
8KB

MD5
8f2592bd1d6801ba0517877488e41891

SHA1
dca994ce5581679e7af0cc155b710030fc524820

SHA256
6f32e9a44f8ec560d9087e1856e7454fae3ec2751e1b6c7e4643ce735e299d42

SHA512
4cec9af5a583f47dc4e179f9806a6aa3f47ce4445195e71d888276703a89a5656107b8feffddbbe866d54abae0c459ef46d2e6186030fc9c3abec6585f0c48a9

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\Mu\Cryptomining.DATA.crypt154

Filesize
2KB

MD5
c5f41bdb83bdfb5c31c95af78548b3ae

SHA1
4bf62102d8c79af12ea75948474696578fbc12b1

SHA256
c983c8b9481d1dc7dd4e3402a09b6d4e24f87e441b450e85bb17c636d6c84099

SHA512
a661d41f32a44a95582f01f6329bae118261289d8de617acd2130f71bbbcd92f46c26e0e890713e15f9017f7b7a3da722f369682c27c39859db52b8f97d652bd

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Trust Protection Lists\Mu\Entities

Filesize
70KB

MD5
6afc498bc0ec11d3fb9bbd332346c2d2

SHA1
3fb39623db9ca4049da0003f2f5b42b269f7a34a

SHA256
ab7b508c9f7fb251d9b7c7cd3e4858525895852f2f7adf502dd6e19321ebf4e8

SHA512
476ed2a28ab1b26bd4a50d32784a42d9874976d60ca8c8a6b84308419159c693495794a6e36f335e95691f3a4dd886a89ecb4cf16181e5c75597f4d19f38d425

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\resources.pak

Filesize
26.1MB

MD5
fed251628270b412903b1d7908115689

SHA1
2147fd179093316221a0ac9c01244840d7c29e04

SHA256
f8f2f09d6fd338e8d524948a308cb015233c293456d09a9139a575646007698b

SHA512
6cb634b4ec695f7f29b7ba0a8075abbe6df8c0cd9a791d6d24c383be2473beeeb51887d4b2c564db13f32c36e5e68410826c2627a9923ba86adf93e282ea532a

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.crypt154

Filesize
624KB

MD5
a7ad90287564ee8a274cdf39c3124337

SHA1
a35fb1572fd61e863bac643e792574a9cedcd705

SHA256
add6c0371f4489d5d41c52c22d1df2028c0cb947199ceb2c36dfae065e029d32

SHA512
15a8c523b6259e374a0c01a23f9761e7c2fd00e59347f4d188122a6e37a5b3209f28157410183760a73afee8f7de8acf7329606801a67e2532f158901430df9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
2023ff94e6d1619d343023163a606a51

SHA1
e7b0503f4f7342046d49234fda9a945fd9376739

SHA256
67f8de69d413f4b1cfb263028f95402eed5c966fce6cfe6a4ff613c36dd48e3c

SHA512
75706743acd9c6e3fcca8b06d9cd6404753ea665ae2542c67a94a50d135642fd582ad631a114909c63dec50b68d8f625d5c393039082473e4e675186c5b1e75b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
1ebe339a6f772e3562c92135659b255a

SHA1
6995ab0f87e56a2ca362a5bcf6b521b7b09cb2f9

SHA256
30a31184728eb6778aa1483daac8dc4e1e4c40d2fd0cff4b495e7b9cffbb7fcd

SHA512
5071434f78c9776dfd65322ccd5092b349b5621e76c754a78dbe149dbe5f48eacb5b351972007a2a62fff76aefdf17f6180403a3dc496263b4f89e3ef2731db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Videos\external_ip.crypt154

Filesize
14B

MD5
e3eb2b4cff0d56624daa49116976aeb4

SHA1
234db53081db6fc733d22a896f6dac5068eb066a

SHA256
3b9efd080931e6b2d3b89e8dcd2655792329a41c4699ffade4b48288bfdb0ffd

SHA512
ab0ce3a7301fe64594408380f5d55c8ebf24b0c94527fd2b29ff83bb2a10ab57be5a9de4ef56f532b0002e921c74cae14db0cc0f86d79e49d9d14f073d65d12d

Download Submit