Analysis
max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
10/01/2025, 08:28
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
Resource
win10v2004-20241007-en
General
Target
2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
Size
316KB
MD5
1f9d9c8b17bc4e6ab42217e4ca879273
SHA1
ebbaefabffef6eac50f8c52c84a51cb7442ecaea
SHA256
c2f389b2ee29d7b7d23ba7f1d248b0e9fc9d8c8a60e77cd75b6bd8dd2b38db00
SHA512
9ff77d473a0cbaee33d576aea49cfde04946353c2334d18587ee732c90eb656eef35485996934385b32f94729999c6f2bf83ae572541f4adb56f4659cc9c848e
SSDEEP
3072:sP36v0ABWbDFp7yz5dwjtYjt+XOCGNjYQMhLwZil6hdZrz5ZbJnCgo5QTRpALo3:IhKjjtxVYQuwFhdZrz5ZC5aXALo
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+jlcio.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/5E2EF1A96E826026
http://tes543berda73i48fsdfsd.keratadze.at/5E2EF1A96E826026
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5E2EF1A96E826026
http://xlowfznrg4wf7dli.ONION/5E2EF1A96E826026
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (404) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Deletes itself 1 IoCs
pid | Process
1812 | cmd.exe

Drops startup file 6 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe

Executes dropped EXE 1 IoCs
pid | Process
2352 | atljtvuwpbif.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\penfxtcyogkl = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\atljtvuwpbif.exe\"" | atljtvuwpbif.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\keystore\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Microsoft Games\Chess\fr-FR\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\en-US\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kk\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jre7\bin\dtplugin\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\7-Zip\Lang\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\or_IN\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\fr-FR\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mk\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\my\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\fr-FR\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nb\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\logger\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\en-US\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jre7\lib\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nn\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jre7\lib\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_RECOVERY_+jlcio.html | atljtvuwpbif.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\te\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_RECOVERY_+jlcio.txt | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_RECOVERY_+jlcio.png | atljtvuwpbif.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt | atljtvuwpbif.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\atljtvuwpbif.exe | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
File opened for modification | C:\Windows\atljtvuwpbif.exe | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atljtvuwpbif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d8f2b758eca7842ba7c25fe617c0980000000000200000000001066000000010000200000005bd4271a6cbcdcf7be45b83d2fdf07d5fae93e7265afe8fe40ae9bec9df387dd000000000e80000000020000200000006556de65d6cc2a37d4c3355d336c7de694b0df7ec06acb909f855fbd14d238182000000013ecbd192b4cf777fb23cd34675edd788f23e2b101532c21c91f4121c1e4c77a40000000dcea29f8126ab31527f7575878fa15c6dbf5251d55b9d6e8df9a991cceba7bdd4b475d27a1625b69fe636c787dce79f77317ec393376ba1a2f61e3ecd9ca8953 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442664660" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102d54894563db01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4C74861-CF38-11EF-A7C1-EA7747D117E6} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1640 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2352 | atljtvuwpbif.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
Token: SeDebugPrivilege | 2352 | atljtvuwpbif.exe
Token: SeIncreaseQuotaPrivilege | 2728 | WMIC.exe
Token: SeSecurityPrivilege | 2728 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2728 | WMIC.exe
Token: SeLoadDriverPrivilege | 2728 | WMIC.exe
Token: SeSystemProfilePrivilege | 2728 | WMIC.exe
Token: SeSystemtimePrivilege | 2728 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2728 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2728 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2728 | WMIC.exe
Token: SeBackupPrivilege | 2728 | WMIC.exe
Token: SeRestorePrivilege | 2728 | WMIC.exe
Token: SeShutdownPrivilege | 2728 | WMIC.exe
Token: SeDebugPrivilege | 2728 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2728 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2728 | WMIC.exe
Token: SeUndockPrivilege | 2728 | WMIC.exe
Token: SeManageVolumePrivilege | 2728 | WMIC.exe
Token: 33 | 2728 | WMIC.exe
Token: 34 | 2728 | WMIC.exe
Token: 35 | 2728 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2728 | WMIC.exe
Token: SeSecurityPrivilege | 2728 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2728 | WMIC.exe
Token: SeLoadDriverPrivilege | 2728 | WMIC.exe
Token: SeSystemProfilePrivilege | 2728 | WMIC.exe
Token: SeSystemtimePrivilege | 2728 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2728 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2728 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2728 | WMIC.exe
Token: SeBackupPrivilege | 2728 | WMIC.exe
Token: SeRestorePrivilege | 2728 | WMIC.exe
Token: SeShutdownPrivilege | 2728 | WMIC.exe
Token: SeDebugPrivilege | 2728 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2728 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2728 | WMIC.exe
Token: SeUndockPrivilege | 2728 | WMIC.exe
Token: SeManageVolumePrivilege | 2728 | WMIC.exe
Token: 33 | 2728 | WMIC.exe
Token: 34 | 2728 | WMIC.exe
Token: 35 | 2728 | WMIC.exe
Token: SeBackupPrivilege | 2988 | vssvc.exe
Token: SeRestorePrivilege | 2988 | vssvc.exe
Token: SeAuditPrivilege | 2988 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 2868 | WMIC.exe
Token: SeSecurityPrivilege | 2868 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2868 | WMIC.exe
Token: SeLoadDriverPrivilege | 2868 | WMIC.exe
Token: SeSystemProfilePrivilege | 2868 | WMIC.exe
Token: SeSystemtimePrivilege | 2868 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2868 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2868 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2868 | WMIC.exe
Token: SeBackupPrivilege | 2868 | WMIC.exe
Token: SeRestorePrivilege | 2868 | WMIC.exe
Token: SeShutdownPrivilege | 2868 | WMIC.exe
Token: SeDebugPrivilege | 2868 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2868 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2868 | WMIC.exe
Token: SeUndockPrivilege | 2868 | WMIC.exe
Token: SeManageVolumePrivilege | 2868 | WMIC.exe
Token: 33 | 2868 | WMIC.exe
Token: 34 | 2868 | WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1540 | iexplore.exe
2276 | DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1540 | iexplore.exe
1540 | iexplore.exe
768 | IEXPLORE.EXE
768 | IEXPLORE.EXE
2276 | DllHost.exe
2276 | DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 2536 wrote to memory of 2352 | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe | 30
PID 2536 wrote to memory of 2352 | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe | 30
PID 2536 wrote to memory of 2352 | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe | 30
PID 2536 wrote to memory of 2352 | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe | 30
PID 2536 wrote to memory of 1812 | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe | 31
PID 2536 wrote to memory of 1812 | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe | 31
PID 2536 wrote to memory of 1812 | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe | 31
PID 2536 wrote to memory of 1812 | 2536 | 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe | 31
PID 2352 wrote to memory of 2728 | 2352 | atljtvuwpbif.exe | 33
PID 2352 wrote to memory of 2728 | 2352 | atljtvuwpbif.exe | 33
PID 2352 wrote to memory of 2728 | 2352 | atljtvuwpbif.exe | 33
PID 2352 wrote to memory of 2728 | 2352 | atljtvuwpbif.exe | 33
PID 2352 wrote to memory of 1640 | 2352 | atljtvuwpbif.exe | 42
PID 2352 wrote to memory of 1640 | 2352 | atljtvuwpbif.exe | 42
PID 2352 wrote to memory of 1640 | 2352 | atljtvuwpbif.exe | 42
PID 2352 wrote to memory of 1640 | 2352 | atljtvuwpbif.exe | 42
PID 2352 wrote to memory of 1540 | 2352 | atljtvuwpbif.exe | 43
PID 2352 wrote to memory of 1540 | 2352 | atljtvuwpbif.exe | 43
PID 2352 wrote to memory of 1540 | 2352 | atljtvuwpbif.exe | 43
PID 2352 wrote to memory of 1540 | 2352 | atljtvuwpbif.exe | 43
PID 1540 wrote to memory of 768 | 1540 | iexplore.exe | 44
PID 1540 wrote to memory of 768 | 1540 | iexplore.exe | 44
PID 1540 wrote to memory of 768 | 1540 | iexplore.exe | 44
PID 1540 wrote to memory of 768 | 1540 | iexplore.exe | 44
PID 2352 wrote to memory of 2868 | 2352 | atljtvuwpbif.exe | 46
PID 2352 wrote to memory of 2868 | 2352 | atljtvuwpbif.exe | 46
PID 2352 wrote to memory of 2868 | 2352 | atljtvuwpbif.exe | 46
PID 2352 wrote to memory of 2868 | 2352 | atljtvuwpbif.exe | 46
PID 2352 wrote to memory of 3060 | 2352 | atljtvuwpbif.exe | 48
PID 2352 wrote to memory of 3060 | 2352 | atljtvuwpbif.exe | 48
PID 2352 wrote to memory of 3060 | 2352 | atljtvuwpbif.exe | 48
PID 2352 wrote to memory of 3060 | 2352 | atljtvuwpbif.exe | 48

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | atljtvuwpbif.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | atljtvuwpbif.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2536
    C:\Windows\atljtvuwpbif.exe
      Command line: C:\Windows\atljtvuwpbif.exe
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2352
        C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
          PID: 2728
        C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
          PID: 1640
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 1540
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              PID: 768
        C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
          PID: 2868
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ATLJTV~1.EXE
          - System Location Discovery: System Language Discovery
          PID: 3060
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 1812

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2988

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 2276

Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)

Downloads

Filesize
11KB
MD5
7611109bfb9d92e54d47c5d9503cb2da
SHA1
d43e0eba979db44d9da10203f90d0492777559d5
SHA256
87e8976b7305eefb04f9810083bb6c233941ce8fa096e00af588d114358da8d3
SHA512
33f836ba65b0c014d9699db17691908ae2db8b9b2d5fb663e254d6a1b7756628e8e36d796914d6eac4a270c13e789ac74920024e6c5c8b11fe9d5203c4c87353

Filesize
62KB
MD5
c36f0f2818b784d442b03f33d9f5c41a
SHA1
7c3a52a011c4f1bdd5650f8fcb8ccb0209dc15dc
SHA256
e7ea32aebc324e11837c5f19b1aff0a4e070f1910b0f88594de19a00b9b0e495
SHA512
206c2e0db9e0d979b8cf1bb209d21795bee81ab6f19435466c1b63581da544604b94bec62b1fcb8d2f41ca0ca8ce5fdebb7ec83e14c3edb36a3da6b390ce82f9

Filesize
1KB
MD5
6b8b1646427e499b5c6a3fec80c723bc
SHA1
ba7672c64b714b1468dee27a334ab7d8440c9833
SHA256
1a13c6d0873ad1909664176a8ac90a587beb312979e4d96c17b97155faf6e50d
SHA512
d508461e1813c333aae2afc49558ca95ef37dde1c479c25350bd234e8f07523e01348888624e3e524e241077af998fb01c1f38726bb5956a113beaa5f28585f9

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize
11KB
MD5
d8efe19e82bbc4696ce29384e585aa2d
SHA1
95b8afbe731f2ae2d44a3a1025e54a1b6059d2a3
SHA256
5d7cdd8a616fb0973e1b0873ac9d939397fb2a25ef820e4588b1ceb3027ed405
SHA512
4d53e1d607503f231ef27ac8a28c9b9f70d9020be3ffabd415619403c79836f8680f4e3c5d4fa73f93a594340c3820327bd469ca4eb91facb1a8202d96faa3d0

Filesize
109KB
MD5
d37c3fc03b81617d68eb524f2d131c59
SHA1
4dc973e99a14b16c683c139c814ae34ac758c76e
SHA256
773e78845bbdf93e3581036b1059274494f4023282516fa752e70bf58aa5b958
SHA512
2347086f5994e43405518bfd2a03e782dd5528f79c2eccbede1ce2ecd55f5692ba8aa22295173417fd6ebd72cc05ffe9d85e4b910febc88d032e9d4f9c43f103

Filesize
173KB
MD5
ec92e318a69ef18bce196ce07e4bcd05
SHA1
aa0e04e2aa84e65e8c9ee39ff47a420bb7f0a370
SHA256
e52132db0f8df323a169233583f8abe2c6a1af226756289c5f47bf258d8c3b0f
SHA512
42bea948cd0d98fcb773008e3d9aa2d3a7aa1af4bbac027bf90d9e59c4f63ada5985c7909d5bf9c370cc54c73576cf385d772568bd9e6586a39bfd112bf47866

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
4741d99afa451dc73b2050f199d19f1d
SHA1
0008d8dea91daf09d762f9013579c86d57349f4d
SHA256
07c5bc98bbdd4ece540f09b675daefb76e94a54d814273a7568c168ec3303536
SHA512
9c1f4c0bba1c0495febeb3c590630dfba2fd04b5ef27739b536f26e9cdbe4f057a2f896c19b46a150a7ab1153e86a4fb4d4ac3a9eb75f7b8ccaf0cb97d171740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
643740a7579d739d0aacf19dd8237187
SHA1
9eee5e1aa1f86050e73fe9228e7d8ecfaf163b3e
SHA256
c3fd875794eb2641a16f0f396e1ddd9ad8c76638deea87a58cc3d0ba65d26f79
SHA512
4c13c18c2245d012b4d8418eebe05bcda08cc52a2d17993200de6c3047fa20702ed24a1f56f72be9cb96dd7a87db3fcdd495e67410e9abd076aa077fd3a8025f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
a75831d47549201e70f4b8d7f730dabd
SHA1
043514a8bf633db495d1bbf172b5910aff0d6045
SHA256
8c93fefa512a53cc6eb3e1702728631baadfd4b211adccdd5654643237b74605
SHA512
4835affba27afbda94885780fd6a2e49b16584778ce9cac55e474e12298f6801e181919f28aab96cf715ac3f56546844310bdfff32d33f26464b1f7a44ce32db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
ae7a96fb944d07e6eda33e704c0c0fd4
SHA1
342b06e3474ab98bfa8db875c8a830cccc7ce478
SHA256
12ac0ca03072fe70d69c51dbb970ace5a1537a1959cb78f4b0fe638efe94ff7f
SHA512
1c0996d80499c71ae92e9ee6f1d161750de9e037475cd3440dc39d0c698957436e4ac9b8532444dd62c773ef5db4c53a4d2e147ec2d764397a590b51bf55261f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
5a89eb42f1ddbb04e97e7f097841aa9a
SHA1
9f30cd304726251ceec86941eb713eaa342267c0
SHA256
303910af98190898b59b0a039beac573554416844f7e5e00e1c7edef3e5c44ed
SHA512
66f3e22a9a1fe4a1a5b56c0c4073af64ba723ab13573255591c13c521ccc7f95a735e87d692466c792032cfb3b7f9f679b7004396ebdfa078a87c06877ad88cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
e73dc41d5eea4ddaa50b72129a84a4e1
SHA1
16b862b484b47f21153467a2a5b4a77a2233a725
SHA256
c438975c0b09510bf6854ef616ab4150c7948b7382fd7362fde61cebddd38b3e
SHA512
b6537a7713b1e24398833199426eee3e79ad70044ea0ae93a550755fbc092531f7491b5b7b4736ca86f60d98fea40f219dad57d066eff2750ca7a5412041aa24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
0d35bd4a806c1985258b46ddd3c7b93a
SHA1
dd168682988d175de129fe6723d3edcb74f106f7
SHA256
f1b5f0b35a91e7b4659462a0d7465c362360971c6631d56a59aa61bea0cbb8dd
SHA512
197f32a4bf815a0785450a4c05043f9b4552a9b379c62fce21f5d23160d0b4f0661223d850fd0e76ce787d98c891fdec6a134a183f60296e962a66262818d807

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
56187306229d3e2854a4de1483325794
SHA1
2af49add066ff270b5756cf4ca7d9351c89bb28d
SHA256
cb35aa34f607739dec69e43555f96d2545efc56eb553a6d65b1ead2b02e0f0d4
SHA512
5a0f8ce27adc8764da10d2f40dbf4c489ab732b6791204ba761b853ba9784bdc93fe090b954906d5755cf7b67b8cfe010d203f4a6164b164a1572a535d2cd988

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a2410f49946a81dc2ba7153ce842926a
SHA1705d5200dcbd69b7a7ee078deab357cad04684c9
SHA256f714b9da86bdde491169111b22692afb82c25c631b19b436ade843039b307b88
SHA5123140ab1a45812544a2dba2b988a3f71ee5d6193676dd4d1039fc6fc7313451fd0929c9e3fdebbc5c6841217750f50b7e77950646a64fa7f2d11953601eb8eceb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53bec6a7e613e6a3cdccbf1aab08b43fc
SHA161c833603c390c609ba7678f5a2714fbf50fe8e5
SHA25651a51bff963f074326f2eb7cc7a3b9a73b9b4df9b3f59f752ae773d37941f8d7
SHA512905a269fc5296ecff072c8d1eda651eda27cb6288985bb9cbaeb51de35a26f657b8bb7860de2f3b8d814d4001fbae66280a88ada3dbaa7f91c92e9f8fd2776b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54b9bcffaf9412fb220b2b85ea4112cc6
SHA1bd715f4f4b105ac9df83fcb28713b8027837205f
SHA256122bc835450b649ebbb868476aff0a8a8a407584ba66e46eebab146127e00aef
SHA512f697af93e44612614cef9a98488551a1d74da812ff2dd101e7cbb3de0338ebabdf605e7a43cfedeb10fcdc1d0e7f16b442a0e8c8687de9b3d68eb78150e950d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51ef1b07642380ff6bb64ad8edc568219
SHA1e3060fbc569f79c41d31c61a2851ffacb41e54c1
SHA256e7096fa3c0a0f4fada3534abf85405e8870e81d6cd89513e8421ff02f8f64137
SHA51228227dacb794122bd2fe976084cabe3b62c1afc4698a10995950a67e39252b5de48c8d097004523bbf08d33e237a37e7e89c2a9574cc4a1aa828ebdf04b35b03
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52941eba133cdaa38506ad7266b773208
SHA15ae6f03097f754093d29a93e171860f8da4b2eb6
SHA2565dc2a923d840c4b8efc6690a129510ba995debeb69e5b3d87ad562f6af16829f
SHA512298883e12bad3002330e2e2b061ceb5ef8fc68f5e1128df62b2ba63af9de70108a862e1f4cf71a5e438279480862441347f955a9fd00627f77d744fa6656a21a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c58d3a2e0f43fc08fa58d4f5c16c750c
SHA14c848ba17fcdb2f9bec2b6baecad798776a496d9
SHA256a492d06f043d62d1692bb8e7e23549e8385e72e372ef6c0e057eb0a8a1090823
SHA51284b81e00db494e092b8047419cc33726605c278538da91ef2770172e84543d84ac87f60c8c8f8070255e84bc4aa6aca2d9b6d39593d4ea11c55187cca51992b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD517b51611f364f7a370873d93a3596e0a
SHA1985bc9e77f5b66a1269256c557fa4725f9f4120b
SHA256df824b8090346758f8f2d7336baa0974f200999b910e7ba6f4fa87627786a21f
SHA51287251e7da9e34280f57413c32d7b4041c776b1577eeed52e8ebb972425e04da0b8597b67f04e7bcd17848285c27156a4ee94d091d1b022a924bb477a73362378
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ecd514e44a18a8d5e93ad2213a9a805e
SHA1cd62f64881d15ece9adca5f080da0ac1c0b76273
SHA256d884c32871c0a31f6ecf91df561f75f31f40ae61f2cd940b9265c3280ea1c5d5
SHA512b699ccd9b3e49ca02ea533416818b5512f2a4c1cd039b859571fa03fe4ade3a674668cd43cbe8183aa11490831f070ba5fed8570286fd6d99895b5b0c67605cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d05ea18f92d447b942490548e3c26686
SHA1e6913ec9b39cdaf454f608b0f4e025a145faf201
SHA256a2ae16055c47bcbdb6dcf031a6aec67b75fa1f50b9f605267e0cfe0da6f09140
SHA512ac4b012d71b5e76b9793f4306089aed8bc41162ae2febcac24cabb803ca3909b2335fb779d5944fda95d8e7eefe0f284d78a3af57d609c585a56c659c1dcb1d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d3a2d0510a5f291ea90bf33109e38069
SHA196c0acbdf806e0e049ff597361d8ea5b8895fc79
SHA256ac759361d34479e4df042dca33b8a0b80a61f675b7d120aed705fad767897387
SHA512e9921dcf2fbe10444e182738642920e0cfcec8602587641e6d53e52fde07ceabdd9c2eede515d99aa931937b848360e948ff30bb1f93c68ac5fb7e9af6a34484
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD553a31c0115b061728e1a0f36c2ad3f03
SHA1f39d63c169c97773a3e5dc659fe1d6e7a8c0ec4e
SHA256cca999c7fe5fb48bebf371e8ec5341dff54d560f287004d48b93784c09f7218f
SHA51248cdb89d32c8471b7f66e15da74d2a549711365564682c286161063f3b3cd1cb8c8e3e0b0b4711f1f1dc4d1366609373bc3018f9f8611230bf5bfa8fe8ffc004
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
316KB
MD51f9d9c8b17bc4e6ab42217e4ca879273
SHA1ebbaefabffef6eac50f8c52c84a51cb7442ecaea
SHA256c2f389b2ee29d7b7d23ba7f1d248b0e9fc9d8c8a60e77cd75b6bd8dd2b38db00
SHA5129ff77d473a0cbaee33d576aea49cfde04946353c2334d18587ee732c90eb656eef35485996934385b32f94729999c6f2bf83ae572541f4adb56f4659cc9c848e