Analysis
max time kernel: 146s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-06-2024 10:17

Static task: static1
Behavioral task: behavioral1
  Sample: 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
Size: 388KB
MD5: 7a4d85a1bef0ca4cecfe376e0ee91090
SHA1: 0eaab4a4cf009d2d0d2d525bad4742356ca06317
SHA256: 0cfff9ddd855236e2c89d1778e88bd87db965a29d0e4e6b75178add06fd4fdb0
SHA512: 963509e2871858ba356a6b1e2af71b05c22019ffe4172a3ed8d70d54597bf10a67607d8083fef90e549521cf194d76af1112f7628b23943d0da0ebde0704e280
SSDEEP: 6144:VPHkQ4ydZZb+Q7Qf4+4/X+8PvjAsYcHte9qYJkIb/VNIFNgQfo/Xse6+pA+Z0S:BrZZbJu4+Q+8RBe9qYacVNyN/l+pn5
Malware Config
Extracted from: C:\Program Files\7-Zip\Lang\Recovery+pguwi.txt
Family: teslacrypt
URLs:
  http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9CD01F824DE9BE1A
  http://tes543berda73i48fsdfsd.keratadze.at/9CD01F824DE9BE1A
  http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9CD01F824DE9BE1A
  http://xlowfznrg4wf7dli.ONION/9CD01F824DE9BE1A
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (873) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | haolmjvtikuv.exe
Drops startup file (6 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+pguwi.png | haolmjvtikuv.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+pguwi.txt | haolmjvtikuv.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+pguwi.html | haolmjvtikuv.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+pguwi.png | haolmjvtikuv.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+pguwi.txt | haolmjvtikuv.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+pguwi.html | haolmjvtikuv.exe

Executes dropped EXE (2 IoCs)
pid | Process
4948 | haolmjvtikuv.exe
4556 | haolmjvtikuv.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjsewjtnsbao = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\haolmjvtikuv.exe\"" | haolmjvtikuv.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3548 set thread context of 1748 | 3548 | 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe | 86
PID 4948 set thread context of 4556 | 4948 | haolmjvtikuv.exe | 91
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
All 64 rows have description "File opened for modification" and Process haolmjvtikuv.exe; the ioc paths are:
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Recovery+pguwi.txt
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-125.png
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\View3d\Recovery+pguwi.txt
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\Recovery+pguwi.png
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-150.png
C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+pguwi.html
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\Recovery+pguwi.png
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-100.png
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-125.png
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\Recovery+pguwi.txt
C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated_contrast-white.png
C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+pguwi.txt
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-100_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\50.png
C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png
C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Recovery+pguwi.html
C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-16_altform-unplated.png
C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\Recovery+pguwi.html
C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Recovery+pguwi.txt
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\Recovery+pguwi.txt
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG
C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png
C:\Program Files\VideoLAN\VLC\locale\be\Recovery+pguwi.txt
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-125.png
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\Recovery+pguwi.txt
C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30_altform-unplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-125.png
C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x86\Recovery+pguwi.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-125.png
C:\Program Files\Internet Explorer\en-US\Recovery+pguwi.png
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-100_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\151.png
C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+pguwi.png
C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+pguwi.html
C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlCone.png
C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\Recovery+pguwi.png
C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-150.png
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-96_altform-unplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\StoreLogo.scale-100.png
C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\Recovery+pguwi.html
C:\Program Files\VideoLAN\VLC\plugins\logger\Recovery+pguwi.html
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-200.png
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-unplated.png
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png
C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\Pages\Recovery+pguwi.png
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png
C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\29.jpg
C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-lightunplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100.png
C:\Program Files\Microsoft Office\root\Office16\Configuration\Recovery+pguwi.html
C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\Recovery+pguwi.html
C:\Program Files\VideoLAN\VLC\locale\ga\Recovery+pguwi.png
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-125.png
C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\Recovery+pguwi.png
C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\haolmjvtikuv.exe | 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
File created | C:\Windows\haolmjvtikuv.exe | 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | haolmjvtikuv.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
2508 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4556 | haolmjvtikuv.exe (64 identical rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid | Process
3528 | msedge.exe (6 identical rows)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1748 | 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
Token: SeDebugPrivilege | 4556 | haolmjvtikuv.exe
Token: SeIncreaseQuotaPrivilege | 180 | WMIC.exe
Token: SeSecurityPrivilege | 180 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 180 | WMIC.exe
Token: SeLoadDriverPrivilege | 180 | WMIC.exe
Token: SeSystemProfilePrivilege | 180 | WMIC.exe
Token: SeSystemtimePrivilege | 180 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 180 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 180 | WMIC.exe
Token: SeCreatePagefilePrivilege | 180 | WMIC.exe
Token: SeBackupPrivilege | 180 | WMIC.exe
Token: SeRestorePrivilege | 180 | WMIC.exe
Token: SeShutdownPrivilege | 180 | WMIC.exe
Token: SeDebugPrivilege | 180 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 180 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 180 | WMIC.exe
Token: SeUndockPrivilege | 180 | WMIC.exe
Token: SeManageVolumePrivilege | 180 | WMIC.exe
Token: 33 | 180 | WMIC.exe
Token: 34 | 180 | WMIC.exe
Token: 35 | 180 | WMIC.exe
Token: 36 | 180 | WMIC.exe
(the 21 rows above for pid 180 are listed a second time in the report)
Token: SeBackupPrivilege | 1548 | vssvc.exe
Token: SeRestorePrivilege | 1548 | vssvc.exe
Token: SeAuditPrivilege | 1548 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1884 | WMIC.exe
Token: SeSecurityPrivilege | 1884 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1884 | WMIC.exe
Token: SeLoadDriverPrivilege | 1884 | WMIC.exe
Token: SeSystemProfilePrivilege | 1884 | WMIC.exe
Token: SeSystemtimePrivilege | 1884 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1884 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1884 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1884 | WMIC.exe
Token: SeBackupPrivilege | 1884 | WMIC.exe
Token: SeRestorePrivilege | 1884 | WMIC.exe
Token: SeShutdownPrivilege | 1884 | WMIC.exe
Token: SeDebugPrivilege | 1884 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1884 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1884 | WMIC.exe
Token: SeUndockPrivilege | 1884 | WMIC.exe
Token: SeManageVolumePrivilege | 1884 | WMIC.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process
3528 | msedge.exe (25 identical rows)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
3528 | msedge.exe (24 identical rows)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | rows
PID 3548 wrote to memory of 1748 | 3548 | 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe | 86 | 10 identical rows
PID 1748 wrote to memory of 4948 | 1748 | 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe | 87 | 3 identical rows
PID 1748 wrote to memory of 4356 | 1748 | 7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe | 88 | 3 identical rows
PID 4948 wrote to memory of 4556 | 4948 | haolmjvtikuv.exe | 91 | 10 identical rows
PID 4556 wrote to memory of 180 | 4556 | haolmjvtikuv.exe | 92 | 2 identical rows
PID 4556 wrote to memory of 2508 | 4556 | haolmjvtikuv.exe | 97 | 3 identical rows
PID 4556 wrote to memory of 3528 | 4556 | haolmjvtikuv.exe | 98 | 2 identical rows
PID 3528 wrote to memory of 3452 | 3528 | msedge.exe | 99 | 2 identical rows
PID 4556 wrote to memory of 1884 | 4556 | haolmjvtikuv.exe | 100 | 2 identical rows
PID 3528 wrote to memory of 3768 | 3528 | msedge.exe | 102 | 27 identical rows
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | haolmjvtikuv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | haolmjvtikuv.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3548
  - C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1748
    - C:\Windows\haolmjvtikuv.exe
      Command line: C:\Windows\haolmjvtikuv.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 4948
      - C:\Windows\haolmjvtikuv.exe
        Command line: C:\Windows\haolmjvtikuv.exe
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 4556
        - C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
          PID: 180
        - C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - Opens file in notepad (likely ransom note)
          PID: 2508
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 3528
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe0d646f8,0x7fffe0d64708,0x7fffe0d64718
            PID: 3452
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
            PID: 3768
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
            PID: 2524
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
            PID: 1144
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
            PID: 4372
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
            PID: 1356
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
            PID: 608
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
            PID: 1988
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
            PID: 2256
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
            PID: 3736
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
            PID: 2288
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
            PID: 2348
        - C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HAOLMJ~1.EXE5⤵PID:4036
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\7A4D85~1.EXE3⤵PID:4356
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2840
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1604
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: 46d530352ac2da4cf30c739589dab2a6
SHA1: df811bbe29b211d2c3e1176643c2f4359c4aea18
SHA256: c96a5eb3007c355bce48755b18c0c9c4b0c851058f19785b2dc7475eabb15cec
SHA512: 2ba159d0f7e69e84818570d6d004e3847fbea418ebf1feaafdae959a53550ecfcf05f4fb88ab53a279b7696c6f82d6cf6d58919b45bbd7d5f24368bbc34f404e

Filesize: 64KB
MD5: 6716cfa8310dc7c1db07588a8811cf58
SHA1: f2d52335a6d98938e8d56897cacd01af37ede579
SHA256: e5d26e5a89e454e3c59fa10686db093ab8cd093e6cbb1b32790ec9d5617b7874
SHA512: cd333863acbc6839cbf5efc931349fbb21360cd6d87d5609f73303d6dc246d2be49e77ffbdbf7e1aa85439cd64424126c4fde9159dadeae692a602869f6e5847

Filesize: 1KB
MD5: 480b51180ca3e75751cf1136c8e6eec3
SHA1: 011d83fa281ddc6f11c334d20928631b96927dbf
SHA256: 587c932049e785b0e97d429b7c480bb9e3a405485a07c6570804587d92b9e838
SHA512: 9876b2f0effd3222156a0a2493d50437484517835069a8c11540d99663e97a454d13842acb0f8625cd6e6f82a703999baa9560bc2b9bc3e56f562f25c5b195f2

Filesize: 560B
MD5: acb21e6e429c340b15f00104510a52df
SHA1: f6570d45d46be6bc2bd8483add7950e8280a0791
SHA256: 047522b87320e7a94f62f88a8ae8db3362f99aa8d5d88534ef622da09e47ea1d
SHA512: 31ff872830bf6f8dfbfa7ca3d8e0a28cb988602ea96fad45498681825da35d7e7047a052f2ba66948b726e1bf282de2cd74110dfcd9cc0bd036ac8bb29612acd

Filesize: 560B
MD5: 2c28ef6e3c24d7d56dec00dcc2c679a2
SHA1: 291deece0016fa50bda46f951f9de60cdda07de2
SHA256: cbc43dbf64b7fb949aeee17a6c1f3b319ae3653570413959459fa76d005de9ce
SHA512: 69e37204691087600d4483ebfc62db9b9318a42a5e0e180e75712e5f268a91393c3c1033db2fa5571f5bb54d45e19adddd9859bf9c2b79b591fccfa782174223

Filesize: 416B
MD5: 4354b333b9313991c8f69986f24c64a7
SHA1: b5913fa559f5fc4ed528cc3d9acbec5e7c07de63
SHA256: f044636eb386f1dca7f34d75294f0548a0f2ff225e78f2b54466672f4c09699c
SHA512: a40093bdeb033d84a2058caa86ad2cdeefa14ce2264789e88822cbc7440254a3ca1d6ebd232a24535230a7b0ef6ea3a5dbd3856986e7d5da2a457ccee5770cee

Filesize: 152B
MD5: 56067634f68231081c4bd5bdbfcc202f
SHA1: 5582776da6ffc75bb0973840fc3d15598bc09eb1
SHA256: 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512: c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Filesize: 152B
MD5: 81e892ca5c5683efdf9135fe0f2adb15
SHA1: 39159b30226d98a465ece1da28dc87088b20ecad
SHA256: 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512: c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Filesize: 6KB
MD5: de7ab097f2639242d0804c57c7710030
SHA1: 3e7d45043f69b8eba8f44301c164395b93d16160
SHA256: b669452ff93910fd97ce00688f61c293c039dd44ac89ac40a28779ac4526908c
SHA512: d0ce1f0f8721f06249870d365821289d07a25f07a37b748e77cd8d46dba47f396a21bfd862495b4d0484f1d78b10fba4860f4921f7544182aefef0534fbfe24e

Filesize: 6KB
MD5: d39f8cc7b2a44d42a34eb9462ea5ba92
SHA1: d2212b0ea730033e863a1f08e683e909db7b1559
SHA256: bbb70f8131ff4a28c8a38b612c9179e13e6b08f0bf4f97b26e7b2c4810340846
SHA512: 7afa5d4fe6b6a37def5566c61c85885643eac600c008700e24e304b62eb6fe6e9f9398aff1301ed38d82dead34da9ab4dc570a7abbc53554df7861be759b830c

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: b514e226a85f0bea2b8d5326f90e7a8b
SHA1: ccc7bc9da72aee6163e2cc652de4f6669935426f
SHA256: 74995b375af74028883d3040dea265675a66820f52dffc1023639e079c582f6d
SHA512: 20104ec965bb1e1aa0e4175528b26919ef0efe1c20d5a7492cbc9777950186ac24087cc5655206ee4d85c1bd7592479adacee7646364753ed761d26f3dafd34f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626047837275686.txt
Filesize: 77KB
MD5: 90b42883d56334cf99693be5909b6ec3
SHA1: 6dcccde976cd2193a81c8f579128034e5118d5cc
SHA256: 9872850e5a2ca986f232e23f89968487d4e52cdf44ca4c2364883a1c3001eee0
SHA512: 0a3b3253e4cb6d73ac5045ceb5d9dfd152a7d46a9dce591e6bef46205edd005425023fc85703b7f9f92d01cdc820dc8d7bc1032c9118a9c0b13bb51ab06fd6fe

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626070414459428.txt
Filesize: 75KB
MD5: 65b39e7be0383e0fc6a7f3e3c0526f3d
SHA1: 3396773904befc1d2d102de568c9e0989763cec2
SHA256: 76e7f020678879a497c91beb0b43d8255933c2a8b4bd1c3329bfee915dd2f6fc
SHA512: 8d8a77fbb837a60afcb44228392c638195b727058852816c3844b50d33bcd9d043ae448fa6ff0536747743813fde04fc1b02658d37427d98eb256a8bbc57424e

Filesize: 388KB
MD5: 7a4d85a1bef0ca4cecfe376e0ee91090
SHA1: 0eaab4a4cf009d2d0d2d525bad4742356ca06317
SHA256: 0cfff9ddd855236e2c89d1778e88bd87db965a29d0e4e6b75178add06fd4fdb0
SHA512: 963509e2871858ba356a6b1e2af71b05c22019ffe4172a3ed8d70d54597bf10a67607d8083fef90e549521cf194d76af1112f7628b23943d0da0ebde0704e280