Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2024, 11:43
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
- Size: 316KB
- MD5: 1f9d9c8b17bc4e6ab42217e4ca879273
- SHA1: ebbaefabffef6eac50f8c52c84a51cb7442ecaea
- SHA256: c2f389b2ee29d7b7d23ba7f1d248b0e9fc9d8c8a60e77cd75b6bd8dd2b38db00
- SHA512: 9ff77d473a0cbaee33d576aea49cfde04946353c2334d18587ee732c90eb656eef35485996934385b32f94729999c6f2bf83ae572541f4adb56f4659cc9c848e
- SSDEEP: 3072:sP36v0ABWbDFp7yz5dwjtYjt+XOCGNjYQMhLwZil6hdZrz5ZbJnCgo5QTRpALo3:IhKjjtxVYQuwFhdZrz5ZC5aXALo
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+ssyav.txt
Family: teslacrypt
URLs:
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/17B5879A629D7C
- http://tes543berda73i48fsdfsd.keratadze.at/17B5879A629D7C
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/17B5879A629D7C
- http://xlowfznrg4wf7dli.ONION/17B5879A629D7C
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Teslacrypt family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (411) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  PID 3040: cmd.exe
- Drops startup file (3 IoCs)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+ssyav.png (mnvdacbqdlyj.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+ssyav.txt (mnvdacbqdlyj.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+ssyav.html (mnvdacbqdlyj.exe)
- Executes dropped EXE (1 IoC)
  PID 2880: mnvdacbqdlyj.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\uoagttewqukh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\mnvdacbqdlyj.exe\"" (mnvdacbqdlyj.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs)
  File created C:\Windows\mnvdacbqdlyj.exe (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe)
  File opened for modification C:\Windows\mnvdacbqdlyj.exe (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by mnvdacbqdlyj.exe, NOTEPAD.EXE, DllHost.exe, IEXPLORE.EXE, cmd.exe, 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe and cmd.exe (7 entries)
- Modifies Internet Explorer settings
- Opens file in notepad (likely ransom note) (1 IoC)
  PID 1804: NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2880: mnvdacbqdlyj.exe (all 64 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, PID 2284 (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe)
  Token: SeDebugPrivilege, PID 2880 (mnvdacbqdlyj.exe)
  PID 2716 (WMIC.exe), the following sequence twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 2664 (vssvc.exe): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 2076 (WMIC.exe): the same sequence as PID 2716, from SeIncreaseQuotaPrivilege through 34 (list cut off at the 64-entry limit)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2996: iexplore.exe; PID 1080: DllHost.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2996: iexplore.exe (2 entries); PID 2660: IEXPLORE.EXE (2 entries); PID 1080: DllHost.exe (2 entries)
- Suspicious use of WriteProcessMemory (32 IoCs)
  Each parent/child pair below appears 4 times; procid_target in parentheses at the end.
  PID 2284 (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe) wrote to memory of PID 2880 (28)
  PID 2284 (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe) wrote to memory of PID 3040 (29)
  PID 2880 (mnvdacbqdlyj.exe) wrote to memory of PID 2716 (31)
  PID 2880 (mnvdacbqdlyj.exe) wrote to memory of PID 1804 (38)
  PID 2880 (mnvdacbqdlyj.exe) wrote to memory of PID 2996 (39)
  PID 2996 (iexplore.exe) wrote to memory of PID 2660 (41)
  PID 2880 (mnvdacbqdlyj.exe) wrote to memory of PID 2076 (42)
  PID 2880 (mnvdacbqdlyj.exe) wrote to memory of PID 1720 (46)
- System policy modification (1 TTP, 2 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (mnvdacbqdlyj.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (mnvdacbqdlyj.exe)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe (PID 2284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe"
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\mnvdacbqdlyj.exe (PID 2880)
    Command line: C:\Windows\mnvdacbqdlyj.exe
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\System32\wbem\WMIC.exe (PID 2716)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 1804)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      Signatures: System Location Discovery: System Language Discovery; Opens file in notepad (likely ransom note)
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 2996)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2660)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2
        Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - C:\Windows\System32\wbem\WMIC.exe (PID 2076)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1720)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MNVDAC~1.EXE
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3040)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2664)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe (PID 1080)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
Filesize342B
MD5fdd4daac10350c4e0e87f647356dfa28
SHA1048ab6cf5b7bc47d25df7c03959213219054e2c5
SHA256ed401c277c3e94dec621199d2bfa9e19328ab99c174f78d1706faf67c32cb307
SHA512a0cf96e424217e0d90608a750a9518dfa9fd41f333c1ab5136efa266941ac5aaf69816c269119d4849345e7e848bc4bbe425eed6110336266adc42cd19128f4b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5db26d051405ec6964d0a37e0d4a69e05
SHA18415cdf093418d6654d709986af41a836b5a6dcf
SHA2565a88ab23d8c035d37084e9ba6247f9d4b625a1097aa82c6909f94faee4f74674
SHA512e92ff2783c4e688c3db1dbafe0af641377d6a0b42848b2d593c83aa050571a1561831c10eb6183bd46f805ad434dc523074d0c09efbc174fb005bcd94398c24b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54f6ddc66fcaabd1ffab84002a4294b91
SHA19f8f072e1f6a41e38317da99189dbd052f87e5cd
SHA2563f53383206e187d603484b5b8aab00c0863be3a535d1e4e791beea2f859e65d7
SHA512d4221af1f641920510487f8e925fdc2bec1348201135b811e26e52be49e330e20ee8fe865b19afebceba7c7c34a660c893f6c29ca5cffd5ea401daa11f517d1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5755e851718346299b101c927f21dd12d
SHA103d07814f7090ac7f668d98fd4338f4a1229e879
SHA256488aef01f20f71f562d7b8e74113c507aaeec8859681812c2a2165d56deb893b
SHA5120196df710a3094a9c95552f81eab00ebd551211e8bcac29182290e874a4be84f5b596dcf40ac377915d10dcdc161989b6e3207428aaafe561bd10fd0f5c48f3d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52ea1c6cf686939e9cd4f30966e4d7561
SHA18337984aef17f9ef96135f432ca9223005769fe5
SHA256df60e59d5d2392098e8004e2a5b08d346b8315647f9b1ca17cccf3cce2e40e68
SHA5129eefccd4a9113f5e487268050f0fb73d9573c21abf32e8bc00fc766221a2c767c238156e4eac116cf849f031cd887a3e624aad76ba27d97c2cd08090786aeb3f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56071498834ba1a77d87af15595cef5fc
SHA17a033c4ec907bedbce043adf705c093909e6a84d
SHA256970b9508dc4b0275984c3506def3705811137d6198eda97654cfda74fe84b0bf
SHA512bb04a4e8ec60da2b2039098d7066caf3dd85d36464106e2ced2396e7eec07562a62d89657e3d3f097cffce5d411f21016b4a485ece031f381ae74f7ecc3c8625
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c68614bb09dd99f5515efb474a0eebc7
SHA11a251596ac4f6a7a23a957df2eb7aaa7c1f9e626
SHA256d92101e6191c1d019699e298dd7a6abe96ab1ac01372b9b223cc6e0a9287e6cc
SHA51210f1995a0e9593383838fb9e8cb44c20e14a707abb8ec2813d92e68f36cd7a2d466e5f8fd1fbfe843482af184edf9651d5c3ccc6221d1cd819c0ee79a808f7d9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD587ff2314b315e8a83d22ebce9b834835
SHA1f83600180d9b56f7c19fb1d4e1c706cbb99c2ca1
SHA256a96c4f486f8f02f3075df56d8e10b04e2d98678343e27da95384943433f191b7
SHA5120674f211035ef3b09b05a9902d1f9978e0e9f9b90f634beae639317cfbc16110d35d4b1e899fb185b33bf343c17b14643f325f55993b9a89f30649fde398507b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50e2f89fe525aa54a4460214bdaabb771
SHA1211867dfce2e780414207c2544db664236a68210
SHA256758e30316030ca89a653a0129e925d1ff0cf0a8188cd813374b904fe2ab21fbf
SHA5128cf0b41289bbf8a4bdbf3d02fb278729754ad5e798a6193f855942c2bc16d39966c37806867de5498fe575ddb686a713e943180bf846b0a5d3e58ce16a805a70
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD596835ed382c8bb1c3cadf83d8b86154c
SHA1fe5d5840a82fa746851385348a59873dce13ae74
SHA256caabad2ac53d00fc0f5eac3dab42f56f79fc13e5c2ee85bb152a9ecc20340b56
SHA51212bddb729ae9eda54540ef211917faaa275c0a53515b5808ad492d5fb10c30b754a32fd2699301efe33d716a21e3abfdc4127d8314946cae20d21745c69214e9
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
316KB
MD51f9d9c8b17bc4e6ab42217e4ca879273
SHA1ebbaefabffef6eac50f8c52c84a51cb7442ecaea
SHA256c2f389b2ee29d7b7d23ba7f1d248b0e9fc9d8c8a60e77cd75b6bd8dd2b38db00
SHA5129ff77d473a0cbaee33d576aea49cfde04946353c2334d18587ee732c90eb656eef35485996934385b32f94729999c6f2bf83ae572541f4adb56f4659cc9c848e