Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
28-06-2024 12:21
Static task
static1
Behavioral task
behavioral1
Sample
006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
Size
553KB
MD5
f7030b13576de49beebb29da2d5c8890
SHA1
26ccbc9c36c030258d5e38d59bf09423e5204750
SHA256
006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786
SHA512
a29d7264c3040a04ca036641295670ca7c6678ad8b2092153c51acbf9cd91e05f273d0c7926f07f05d8569eb4e49d64bb3d2d31dd7741aea49aa5c2f5c9b38c6
SSDEEP
6144:oGyrwsYlcsaBx6ukx409hRpC75c7bx7+AeEgYXuRrPXCWvFza:bqwsYlc9jQ4cRA7W7bxqAeEgY+Zzvda
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1326466A3AF4F51
http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/1326466A3AF4F51
http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/1326466A3AF4F51
http://xlowfznrg4wf7dli.ONION/1326466A3AF4F51
Signatures
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | fhcwurslrloi.exe
Drops startup file 6 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+iipfp.png | fhcwurslrloi.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+iipfp.txt | fhcwurslrloi.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+iipfp.html | fhcwurslrloi.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+iipfp.png | fhcwurslrloi.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+iipfp.txt | fhcwurslrloi.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+iipfp.html | fhcwurslrloi.exe
Executes dropped EXE 1 IoCs
pid | Process
660 | fhcwurslrloi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kvbdbvo = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\fhcwurslrloi.exe" | fhcwurslrloi.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\fhcwurslrloi.exe | 006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
File opened for modification | C:\Windows\fhcwurslrloi.exe | 006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | fhcwurslrloi.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1840 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid | Process
3096 | msedge.exe
3096 | msedge.exe
3096 | msedge.exe
3096 | msedge.exe
3096 | msedge.exe
3096 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | fhcwurslrloi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | fhcwurslrloi.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\fhcwurslrloi.exeC:\Windows\fhcwurslrloi.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:660 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT3⤵
- Opens file in notepad (likely ransom note)
PID:1840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff982246f8,0x7fff98224708,0x7fff982247184⤵PID:4664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:24⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:34⤵PID:3140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:84⤵PID:3652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:14⤵PID:3864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  Tree depth: 4
  PID: 2952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  Tree depth: 4
  PID: 3668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  Tree depth: 4
  PID: 4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  Tree depth: 4
  PID: 2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  Tree depth: 4
  PID: 1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  Tree depth: 4
  PID: 1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  Tree depth: 4
  PID: 1432
C:\Windows\System32\wbem\WMIC.exe
  Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
  Tree depth: 3
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 4720

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FHCWUR~1.EXE
  Tree depth: 3
  PID: 3920

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\006CB9~1.EXE
  Tree depth: 2
  PID: 1324
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Tree depth: 1
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 3632

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  Tree depth: 1
  PID: 2996

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  Tree depth: 1
  PID: 2948
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
  MD5: 8a0fdba458ef191d24bf5553b1923911
  SHA1: 32443d754b426c5e823558becb2fa67d174c76ed
  SHA256: 51d3dbc0a3859f3826803c6809497c95baf6885e9e0387ec44f05a965c2415b9
  SHA512: 40b9a5b4707459d5163f2073d7837e1c6d565bfc0c54b8529ad9354197b3690b76b6747a3e3879ef096ef66aa3a287354698d8e92586cc186a2a8b09c5bff726

Filesize: 64KB
  MD5: 1e4cb858c9bf8e40a61171eae6fc76b7
  SHA1: e995e31738e25cd74137b67545e48d5cf52ec3fe
  SHA256: 3e5b7c2d2abf752a00c8f7e385ec4dd4d7892c04e34e0ec73bb4cd667f60a3cb
  SHA512: 6db3aeada4b5a15c962fd1c723ef12863892c8e2d4d11fa1f998c14d6c4ce4d39dc3a9eab6f0d8f91b0b2a792e18bcbafe48b4797d8d46d08c14d891147ca1f3

Filesize: 1KB
  MD5: 8883a2c4ae14ad49bd926071ee132aa2
  SHA1: 728154cbfa4d362037723764115eb5ff9bcaaca8
  SHA256: 3a0e8075ba66df33a00f3006983626e89aade6e1708b8cc404ae042e0a0eeddf
  SHA512: 3ef73f1e8f4cb9ad3bd0c7780408bfdcf3b944bf5c8a140f1bc2b1db2ec81b40a22059c7eec230a3ac5cc025bd412052b4a818bf6f35703f39dd35045f79a0bd

Filesize: 560B
  MD5: 6623567ad7201ffed2d4e47f46a39c28
  SHA1: 30a82d1d1e7cefa7dbb67617d92b3277bb5b2734
  SHA256: 679b0c0f6093c1833dbd578081bb5e8a633910a5260d1ceb7c3d1fe7bb03910e
  SHA512: 217cb46242cecd8aa8d688960ad373e55ed0a2c4bfb00123794a966f2c726392f415be6774389159f946da33a2bf87ca5596dfeb20b94076c1bdc23c6d9ac7c0

Filesize: 560B
  MD5: 52d0560986d23505822475d59d255715
  SHA1: d911f7b03e98076cb81d4391851ab8a2ff66e288
  SHA256: 9aecce0347902f42bac9bbf9c07e88915435814b4e3ca1ecc5667f1c53fc7325
  SHA512: 5e3e27337cd9640389069aeea139dc5189c47b3ed3c8f58110a7e17de2b33d2d45c6dbc44fd0905f22ff17532983a5179267e245cb715519cef45d7a6832cfa0

Filesize: 416B
  MD5: 67f5519cf41d492178d503f866742090
  SHA1: 8af1086dd8b620c450c0be1617362881bf435231
  SHA256: 19083659c7c2fbb9179547ec714e4fdccc1fe5391e0cb06203dbcaef8bf0774d
  SHA512: 3951d7f427dccc279b21db980ddff99fb462a22ca4d1a81ec2df3b6078634d9a0693bf193dde6d95bf014f53fe9cf29a74773925664e5b714b88d01a43ae9b48
Filesize: 152B
  MD5: 439b5e04ca18c7fb02cf406e6eb24167
  SHA1: e0c5bb6216903934726e3570b7d63295b9d28987
  SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
  SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Filesize: 152B
  MD5: a8e767fd33edd97d306efb6905f93252
  SHA1: a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
  SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
  SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Filesize: 5KB
  MD5: 2379742edf5438dfc13ed6945769995d
  SHA1: c17434fe88589732a7d0c3e38e8d78e87a934e2a
  SHA256: 84013cdd1a0042629794a301e24703e95df17848dd98819299556877b72d420e
  SHA512: 05636fe275e5ad276c69e4b284fe60bf93d32d2d1135bea37778c0011f3ee0085a26e759db85aa8a15f14915644b2c12f46f4ef21b7e39989ff37d77220f8cbe

Filesize: 6KB
  MD5: 50ae1e1e5746493520970436d77da620
  SHA1: f772a6008c95433c6f52a5de9e583c86073873b4
  SHA256: dfa533fe4042a6eb0ac6699fc4fbf8471aa45ee95de07d0c6392f87858370b84
  SHA512: c2e035b658e4c32130fdea0b3a7ee9f91a8a9a419997052bbdbb3f8d439a931aba033c5ae7a418d57f72f0c4350f5d358b2ea1834253cd83961fffd1581961a9

Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 10KB
  MD5: d66b9036226884495df4f61896f0553f
  SHA1: 0ebb74cc676837c650cb29c594ad781797fa645c
  SHA256: 4836b64171430ddfc4d1dc0bb475071664574fceab591f44a9f1d8abf6475ba8
  SHA512: 19f95b22a79d085169ca9dc29515a32e735615353fdf84bece27837f5050cfb936b326f9ec4d3623016f6ffbbf54116ce9d3c1fd5d5f640e4432d12f4db0ce97
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt
  Filesize: 75KB
  MD5: eb5e5fc5972350827db89f16664559e5
  SHA1: acf7c525be117755c7b5b33b79fd8acdc590c589
  SHA256: 592d64964a85c44daa23a015d5734a77cf3ce4a92a345b079214ef549b704aa9
  SHA512: 29c214091be86a64d4790c67006ea3ff478b450d29a083985ca934f50c4ee09d24268ccfa43eba16ae01812abaac9e59e549b0a9ac3fcb38eb37f41710856b4f

Filesize: 553KB
  MD5: f7030b13576de49beebb29da2d5c8890
  SHA1: 26ccbc9c36c030258d5e38d59bf09423e5204750
  SHA256: 006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786
  SHA512: a29d7264c3040a04ca036641295670ca7c6678ad8b2092153c51acbf9cd91e05f273d0c7926f07f05d8569eb4e49d64bb3d2d31dd7741aea49aa5c2f5c9b38c6