Analysis
- max time kernel: 136s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2024, 11:43
Static task
- static1

Behavioral task
- behavioral1
  Sample: 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
  Resource: win7-20240903-en

Behavioral task
- behavioral2
  Sample: 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
  Resource: win10v2004-20241007-en
General
- Target: 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe
- Size: 316KB
- MD5: 1f9d9c8b17bc4e6ab42217e4ca879273
- SHA1: ebbaefabffef6eac50f8c52c84a51cb7442ecaea
- SHA256: c2f389b2ee29d7b7d23ba7f1d248b0e9fc9d8c8a60e77cd75b6bd8dd2b38db00
- SHA512: 9ff77d473a0cbaee33d576aea49cfde04946353c2334d18587ee732c90eb656eef35485996934385b32f94729999c6f2bf83ae572541f4adb56f4659cc9c848e
- SSDEEP: 3072:sP36v0ABWbDFp7yz5dwjtYjt+XOCGNjYQMhLwZil6hdZrz5ZbJnCgo5QTRpALo3:IhKjjtxVYQuwFhdZrz5ZC5aXALo
Malware Config
Extracted from: C:\Program Files\7-Zip\Lang\_RECOVERY_+fgimh.txt
Family: teslacrypt
URLs:
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/27FD571078EE1D87
- http://tes543berda73i48fsdfsd.keratadze.at/27FD571078EE1D87
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/27FD571078EE1D87
- http://xlowfznrg4wf7dli.ONION/27FD571078EE1D87
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (877) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (ssyxddomtoqv.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe)

Drops startup file (6 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+fgimh.txt (ssyxddomtoqv.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+fgimh.html (ssyxddomtoqv.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+fgimh.png (ssyxddomtoqv.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+fgimh.txt (ssyxddomtoqv.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+fgimh.html (ssyxddomtoqv.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+fgimh.png (ssyxddomtoqv.exe)

Executes dropped EXE (1 IoCs)
- PID 2816: ssyxddomtoqv.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrmwubydnxmf = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ssyxddomtoqv.exe\"" (ssyxddomtoqv.exe)

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\ssyxddomtoqv.exe (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe)
- File opened for modification: C:\Windows\ssyxddomtoqv.exe (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ssyxddomtoqv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NOTEPAD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings (ssyxddomtoqv.exe)

Opens file in notepad (likely ransom note) (1 IoCs)
- PID 5072: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2816: ssyxddomtoqv.exe (64 identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
- PID 1852: msedge.exe (6 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Tokens are grouped by the process that adjusted them:
- PID 2260, 2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe: SeDebugPrivilege
- PID 2816, ssyxddomtoqv.exe: SeDebugPrivilege
- PID 1496, WMIC.exe (the following 21 tokens, listed twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 3228, vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 4092, WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

Suspicious use of FindShellTrayWindow (25 IoCs)
- PID 1852: msedge.exe (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 1852: msedge.exe (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Columns: source PID, target PID, source process, procid_target; identical entries are shown once with their count.
- PID 2260 wrote to memory of 2816 (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe, procid_target 82): 3 entries
- PID 2260 wrote to memory of 1040 (2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe, procid_target 83): 3 entries
- PID 2816 wrote to memory of 1496 (ssyxddomtoqv.exe, procid_target 85): 2 entries
- PID 2816 wrote to memory of 5072 (ssyxddomtoqv.exe, procid_target 99): 3 entries
- PID 2816 wrote to memory of 1852 (ssyxddomtoqv.exe, procid_target 100): 2 entries
- PID 1852 wrote to memory of 4820 (msedge.exe, procid_target 101): 2 entries
- PID 2816 wrote to memory of 4092 (ssyxddomtoqv.exe, procid_target 102): 2 entries
- PID 1852 wrote to memory of 2576 (msedge.exe, procid_target 104): 40 entries
- PID 1852 wrote to memory of 1564 (msedge.exe, procid_target 105): 2 entries
- PID 1852 wrote to memory of 296 (msedge.exe, procid_target 106): 5 entries

System policy modification (1 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (ssyxddomtoqv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (ssyxddomtoqv.exe)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe (PID 2260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-29_1f9d9c8b17bc4e6ab42217e4ca879273_teslacrypt.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\ssyxddomtoqv.exe (PID 2816)
    Command line: C:\Windows\ssyxddomtoqv.exe
    Signatures:
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Children:
    - C:\Windows\System32\wbem\WMIC.exe (PID 1496)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 5072)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      Signatures:
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1852)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
      Signatures:
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4820)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef6ae46f8,0x7ffef6ae4708,0x7ffef6ae4718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2576)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1564)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 296)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4828)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1324)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1648)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3536)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 736)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 776)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2096)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3488)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3368351769340188843,7074550679024472054,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    - C:\Windows\System32\wbem\WMIC.exe (PID 4092)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 2108)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SSYXDD~1.EXE
      Signatures:
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1040)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE
    Signatures:
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2272
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1640
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 11KB
MD5: ca6b0f5c9d9764586f9355557fde79d3
SHA1: 6e6012d2807997ffb17146be88193cc0a4bf7010
SHA256: 79fea7ebbcc63312e554a948532f43e7345ac4044db45b3ba046ea58201fb8dc
SHA512: 9518a1d6a7174e1d9f4386072fa8dfdac50c99e7947daf6099307dfbded07da67f73d5453b68d94e55e345fd88864550755ab0f752180ee7e7d03e45fd1c5458

Filesize: 62KB
MD5: a783dd38bad2a009eee6c2224a013fa5
SHA1: 3661ab04c6b87f9f215f0b1f01888caacf75d70c
SHA256: fa227f976c1bae45782c7af38f4280fcb9645780c3dce917ab1b761b16ff8258
SHA512: 3578736f2e4118f9809e174ec8700299ea703f4f0e22e16f1e74e50c59ed0fc328e733a3f800ddfe60510a62df37440a9b633e202c30394405febc715941dce6

Filesize: 1KB
MD5: c2a47dac699e920a1aaf60867bf4f384
SHA1: c7b1aae1a714a62a4edf67f3398d7696196f4c9f
SHA256: 5312256a58932e9df252dd7653877395e27276dc4f51f93e09c6d4e2c502cc7c
SHA512: e2bdd12d8a1571d1c0294a984c9360e3d15a1d0529e37748b21faf026a2a15ec891780fcf27190d41ea2804eed3bf14a7159f40251ff77cd8625a7e5d7996dc6

Filesize: 560B
MD5: bebe9d2358c07430c5496d87fc756219
SHA1: 1215f45e5d6def23f48c02ad6872852597c542ea
SHA256: 7e31461ee517da37331df16488915af6ddaa1683bd919568c6dfbec741be231a
SHA512: 89ba79378edf48fca2cb12b88f02b8266041e5b2aeeded733d84e073ced4a8b030f111157bfbfd3e0cc5cf79f4656598b75ed54258252793fa880674228c8a26

Filesize: 560B
MD5: d6add115ae31f6ac4462624dd24a03e1
SHA1: 286c351f499545c810a94485f2824bae9b051295
SHA256: 612e39a64bd4445ad94176ebb9d113060c56591af8822cbce4f72fa7f132cb5f
SHA512: 6e6d05ea3fb169a3038303e895e61a1efd3ba81dfb1efa6f2939815565b779221a76cb2e69e1797d9dfc814f7402264c8f68e29098f1e2e8fbc38fbc7abd70e9

Filesize: 416B
MD5: 4077d9e6d770876588efffd31212e1d3
SHA1: cc0b4d381ce39442ee4c62705a3006b78e61ca9d
SHA256: bd7f47355f027749c004381c4a292046dee1648b65b996eb4eb577ecbdcf953a
SHA512: 711127462de8cd15f83cebbeaff7b5cf303ea8465a093567c1d104d4830aeab05950164aed52ae3cda4e86132c8f939761ce39edb094415c37cef464d9f8f15d

Filesize: 152B
MD5: ba6ef346187b40694d493da98d5da979
SHA1: 643c15bec043f8673943885199bb06cd1652ee37
SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Filesize: 152B
MD5: b8880802fc2bb880a7a869faa01315b0
SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512: e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Filesize: 5KB
MD5: db5888e4e8aa285511fdb1d4c940b569
SHA1: a50b044c7f07f4fbe47b6c4452ef5b20bfff9982
SHA256: 40231e6c7cfdd6b41dacd9a6655d532022e29ef59e7be424b8ed6e53fd2af8bf
SHA512: 1288055fa60d0ebe96990360a4ef39c5a33572342a5a68861c2501c800c9d5ebd19d302ec9f9e967b1395ad29d73a3ff6fb9a90166885e24185595a101a0b8f5

Filesize: 6KB
MD5: ff9f898b28a3255dc1270d85696baa89
SHA1: 35e2b9cd708e2d2bea4a9eb6b64551d53d92570e
SHA256: ece32c1259f1442e8442160e9c2378195905e2e2d1ff8c53bd37097dff9c9c67
SHA512: df7fff2b1cee05d7f999b1efa51681d3bf67d103fd36e7281c4cc07010aeda7b27a0054ef1beceba7875ffc55818c047d44a42f9b19b97b9fff9429679b1b515

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: dbc15e0d71cf554a08082c62e5864e3a
SHA1: a15752902e11f49ace6dd221ebb46033dd818725
SHA256: 984c082651066d7e8f89a4a92389758eddb9ce702eea869e1a6de2f59c32c23a
SHA512: 4b9881282cd2e11ac308b32e336c73af6435281e1a1bd43d439ba36332ffa6f2cb32ef0f6bdc8adf150542d24b7aac876dd8814d69fd3960fccd6d8cd3743165

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665766873969.txt
Filesize: 74KB
MD5: 33e5dfe53a63c6dfae1b2063d1fc0bad
SHA1: fb7768ffaa8bb21b12482a431ed7074c65ebb4b7
SHA256: 49c90e5810309141b050ffaf147cc720ef4d6ac57e6f207d975a1ee5c9a6eab9
SHA512: fd4b8678b857fd3964107423cd2d7f30ef33bd34e520a6866510ff876bef01d7ac01d85293bdad2e6ceedd3f00e620ce87f54bc13d9e3eb7f0029e98e3f74ac6

Filesize: 316KB
MD5: 1f9d9c8b17bc4e6ab42217e4ca879273
SHA1: ebbaefabffef6eac50f8c52c84a51cb7442ecaea
SHA256: c2f389b2ee29d7b7d23ba7f1d248b0e9fc9d8c8a60e77cd75b6bd8dd2b38db00
SHA512: 9ff77d473a0cbaee33d576aea49cfde04946353c2334d18587ee732c90eb656eef35485996934385b32f94729999c6f2bf83ae572541f4adb56f4659cc9c848e