Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 12:21

General

  • Target

    006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe

  • Size

    553KB

  • MD5

    f7030b13576de49beebb29da2d5c8890

  • SHA1

    26ccbc9c36c030258d5e38d59bf09423e5204750

  • SHA256

    006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786

  • SHA512

    a29d7264c3040a04ca036641295670ca7c6678ad8b2092153c51acbf9cd91e05f273d0c7926f07f05d8569eb4e49d64bb3d2d31dd7741aea49aa5c2f5c9b38c6

  • SSDEEP

    6144:oGyrwsYlcsaBx6ukx409hRpC75c7bx7+AeEgYXuRrPXCWvFza:bqwsYlc9jQ4cRA7W7bxqAeEgY+Zzvda

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1326466A3AF4F51 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/1326466A3AF4F51 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/1326466A3AF4F51 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/1326466A3AF4F51 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1326466A3AF4F51 http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/1326466A3AF4F51 http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/1326466A3AF4F51 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/1326466A3AF4F51
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1326466A3AF4F51

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/1326466A3AF4F51

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/1326466A3AF4F51

http://xlowfznrg4wf7dli.ONION/1326466A3AF4F51

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (880) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\fhcwurslrloi.exe
      C:\Windows\fhcwurslrloi.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:660
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4276
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1840
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff982246f8,0x7fff98224708,0x7fff98224718
          4⤵
            PID:4664
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
            4⤵
              PID:4636
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
              4⤵
                PID:3140
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
                4⤵
                  PID:3652
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
                  4⤵
                    PID:3864
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
                    4⤵
                      PID:2952
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
                      4⤵
                        PID:3668
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
                        4⤵
                          PID:4720
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
                          4⤵
                            PID:2624
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
                            4⤵
                              PID:1364
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
                              4⤵
                                PID:1992
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
                                4⤵
                                  PID:1432
                              • C:\Windows\System32\wbem\WMIC.exe
                                "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                                3⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4720
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FHCWUR~1.EXE
                                3⤵
                                  PID:3920
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\006CB9~1.EXE
                                2⤵
                                  PID:1324
                              • C:\Windows\system32\vssvc.exe
                                C:\Windows\system32\vssvc.exe
                                1⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3632
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2996
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:2948

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.html

                                    Filesize

                                    11KB

                                    MD5

                                    8a0fdba458ef191d24bf5553b1923911

                                    SHA1

                                    32443d754b426c5e823558becb2fa67d174c76ed

                                    SHA256

                                    51d3dbc0a3859f3826803c6809497c95baf6885e9e0387ec44f05a965c2415b9

                                    SHA512

                                    40b9a5b4707459d5163f2073d7837e1c6d565bfc0c54b8529ad9354197b3690b76b6747a3e3879ef096ef66aa3a287354698d8e92586cc186a2a8b09c5bff726

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.png

                                    Filesize

                                    64KB

                                    MD5

                                    1e4cb858c9bf8e40a61171eae6fc76b7

                                    SHA1

                                    e995e31738e25cd74137b67545e48d5cf52ec3fe

                                    SHA256

                                    3e5b7c2d2abf752a00c8f7e385ec4dd4d7892c04e34e0ec73bb4cd667f60a3cb

                                    SHA512

                                    6db3aeada4b5a15c962fd1c723ef12863892c8e2d4d11fa1f998c14d6c4ce4d39dc3a9eab6f0d8f91b0b2a792e18bcbafe48b4797d8d46d08c14d891147ca1f3

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.txt

                                    Filesize

                                    1KB

                                    MD5

                                    8883a2c4ae14ad49bd926071ee132aa2

                                    SHA1

                                    728154cbfa4d362037723764115eb5ff9bcaaca8

                                    SHA256

                                    3a0e8075ba66df33a00f3006983626e89aade6e1708b8cc404ae042e0a0eeddf

                                    SHA512

                                    3ef73f1e8f4cb9ad3bd0c7780408bfdcf3b944bf5c8a140f1bc2b1db2ec81b40a22059c7eec230a3ac5cc025bd412052b4a818bf6f35703f39dd35045f79a0bd

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                    Filesize

                                    560B

                                    MD5

                                    6623567ad7201ffed2d4e47f46a39c28

                                    SHA1

                                    30a82d1d1e7cefa7dbb67617d92b3277bb5b2734

                                    SHA256

                                    679b0c0f6093c1833dbd578081bb5e8a633910a5260d1ceb7c3d1fe7bb03910e

                                    SHA512

                                    217cb46242cecd8aa8d688960ad373e55ed0a2c4bfb00123794a966f2c726392f415be6774389159f946da33a2bf87ca5596dfeb20b94076c1bdc23c6d9ac7c0

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                    Filesize

                                    560B

                                    MD5

                                    52d0560986d23505822475d59d255715

                                    SHA1

                                    d911f7b03e98076cb81d4391851ab8a2ff66e288

                                    SHA256

                                    9aecce0347902f42bac9bbf9c07e88915435814b4e3ca1ecc5667f1c53fc7325

                                    SHA512

                                    5e3e27337cd9640389069aeea139dc5189c47b3ed3c8f58110a7e17de2b33d2d45c6dbc44fd0905f22ff17532983a5179267e245cb715519cef45d7a6832cfa0

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                    Filesize

                                    416B

                                    MD5

                                    67f5519cf41d492178d503f866742090

                                    SHA1

                                    8af1086dd8b620c450c0be1617362881bf435231

                                    SHA256

                                    19083659c7c2fbb9179547ec714e4fdccc1fe5391e0cb06203dbcaef8bf0774d

                                    SHA512

                                    3951d7f427dccc279b21db980ddff99fb462a22ca4d1a81ec2df3b6078634d9a0693bf193dde6d95bf014f53fe9cf29a74773925664e5b714b88d01a43ae9b48

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    439b5e04ca18c7fb02cf406e6eb24167

                                    SHA1

                                    e0c5bb6216903934726e3570b7d63295b9d28987

                                    SHA256

                                    247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                    SHA512

                                    d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    a8e767fd33edd97d306efb6905f93252

                                    SHA1

                                    a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                    SHA256

                                    c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                    SHA512

                                    07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    2379742edf5438dfc13ed6945769995d

                                    SHA1

                                    c17434fe88589732a7d0c3e38e8d78e87a934e2a

                                    SHA256

                                    84013cdd1a0042629794a301e24703e95df17848dd98819299556877b72d420e

                                    SHA512

                                    05636fe275e5ad276c69e4b284fe60bf93d32d2d1135bea37778c0011f3ee0085a26e759db85aa8a15f14915644b2c12f46f4ef21b7e39989ff37d77220f8cbe

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    50ae1e1e5746493520970436d77da620

                                    SHA1

                                    f772a6008c95433c6f52a5de9e583c86073873b4

                                    SHA256

                                    dfa533fe4042a6eb0ac6699fc4fbf8471aa45ee95de07d0c6392f87858370b84

                                    SHA512

                                    c2e035b658e4c32130fdea0b3a7ee9f91a8a9a419997052bbdbb3f8d439a931aba033c5ae7a418d57f72f0c4350f5d358b2ea1834253cd83961fffd1581961a9

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    d66b9036226884495df4f61896f0553f

                                    SHA1

                                    0ebb74cc676837c650cb29c594ad781797fa645c

                                    SHA256

                                    4836b64171430ddfc4d1dc0bb475071664574fceab591f44a9f1d8abf6475ba8

                                    SHA512

                                    19f95b22a79d085169ca9dc29515a32e735615353fdf84bece27837f5050cfb936b326f9ec4d3623016f6ffbbf54116ce9d3c1fd5d5f640e4432d12f4db0ce97

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt

                                    Filesize

                                    75KB

                                    MD5

                                    eb5e5fc5972350827db89f16664559e5

                                    SHA1

                                    acf7c525be117755c7b5b33b79fd8acdc590c589

                                    SHA256

                                    592d64964a85c44daa23a015d5734a77cf3ce4a92a345b079214ef549b704aa9

                                    SHA512

                                    29c214091be86a64d4790c67006ea3ff478b450d29a083985ca934f50c4ee09d24268ccfa43eba16ae01812abaac9e59e549b0a9ac3fcb38eb37f41710856b4f

                                  • C:\Windows\fhcwurslrloi.exe

                                    Filesize

                                    553KB

                                    MD5

                                    f7030b13576de49beebb29da2d5c8890

                                    SHA1

                                    26ccbc9c36c030258d5e38d59bf09423e5204750

                                    SHA256

                                    006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786

                                    SHA512

                                    a29d7264c3040a04ca036641295670ca7c6678ad8b2092153c51acbf9cd91e05f273d0c7926f07f05d8569eb4e49d64bb3d2d31dd7741aea49aa5c2f5c9b38c6

                                  • memory/64-1-0x0000000000400000-0x00000000004D5000-memory.dmp

                                    Filesize

                                    852KB

                                  • memory/64-9-0x0000000000400000-0x00000000004D5000-memory.dmp

                                    Filesize

                                    852KB

                                  • memory/64-10-0x00000000006A0000-0x0000000000726000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/64-0-0x00000000006A0000-0x0000000000726000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/660-5009-0x0000000000400000-0x00000000004D5000-memory.dmp

                                    Filesize

                                    852KB

                                  • memory/660-10378-0x0000000000400000-0x00000000004D5000-memory.dmp

                                    Filesize

                                    852KB

                                  • memory/660-10422-0x0000000000400000-0x00000000004D5000-memory.dmp

                                    Filesize

                                    852KB

                                  • memory/660-8440-0x0000000000400000-0x00000000004D5000-memory.dmp

                                    Filesize

                                    852KB

                                  • memory/660-5889-0x00000000021A0000-0x0000000002226000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/660-11-0x00000000021A0000-0x0000000002226000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/660-2455-0x0000000000400000-0x00000000004D5000-memory.dmp

                                    Filesize

                                    852KB

                                  • memory/660-10479-0x0000000000400000-0x00000000004D5000-memory.dmp

                                    Filesize

                                    852KB