Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-06-2024 10:17

General

  • Target

    7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe

  • Size

    388KB

  • MD5

    7a4d85a1bef0ca4cecfe376e0ee91090

  • SHA1

    0eaab4a4cf009d2d0d2d525bad4742356ca06317

  • SHA256

    0cfff9ddd855236e2c89d1778e88bd87db965a29d0e4e6b75178add06fd4fdb0

  • SHA512

    963509e2871858ba356a6b1e2af71b05c22019ffe4172a3ed8d70d54597bf10a67607d8083fef90e549521cf194d76af1112f7628b23943d0da0ebde0704e280

  • SSDEEP

    6144:VPHkQ4ydZZb+Q7Qf4+4/X+8PvjAsYcHte9qYJkIb/VNIFNgQfo/Xse6+pA+Z0S:BrZZbJu4+Q+8RBe9qYacVNyN/l+pn5

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+pguwi.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9CD01F824DE9BE1A
2. http://tes543berda73i48fsdfsd.keratadze.at/9CD01F824DE9BE1A
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9CD01F824DE9BE1A

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/9CD01F824DE9BE1A
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9CD01F824DE9BE1A
http://tes543berda73i48fsdfsd.keratadze.at/9CD01F824DE9BE1A
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9CD01F824DE9BE1A
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/9CD01F824DE9BE1A
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9CD01F824DE9BE1A

http://tes543berda73i48fsdfsd.keratadze.at/9CD01F824DE9BE1A

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9CD01F824DE9BE1A

http://xlowfznrg4wf7dli.ONION/9CD01F824DE9BE1A

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (873) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\haolmjvtikuv.exe
        C:\Windows\haolmjvtikuv.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\haolmjvtikuv.exe
          C:\Windows\haolmjvtikuv.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4556
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:180
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:2508
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3528
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe0d646f8,0x7fffe0d64708,0x7fffe0d64718
              6⤵
                PID:3452
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
              6⤵
              PID:3768
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
              6⤵
              PID:2524
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
              6⤵
              PID:1144
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
              6⤵
              PID:4372
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
              6⤵
              PID:1356
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
              6⤵
              PID:608
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
              6⤵
              PID:1988
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
              6⤵
              PID:2256
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
              6⤵
              PID:3736
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
              6⤵
              PID:2288
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
              6⤵
              PID:2348
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1884
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HAOLMJ~1.EXE
            5⤵
            PID:4036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\7A4D85~1.EXE
        3⤵
        PID:4356
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1548
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2840
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1604

Downloads
