Analysis

max time kernel: 148s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2025, 23:08

Static task: static1

Behavioral task: behavioral1
  Sample: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Resource: win10v2004-20241007-en
General

Target: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Size: 371KB
MD5: 76b0182e3dc2f368facd1446a78d2ae0
SHA1: 6e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA256: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512: e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
SSDEEP: 6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config

Extracted
  Path: C:\Program Files\7-Zip\Lang\_RECoVERY_+uangc.txt
  Family: teslacrypt
  URLs:
    http://yyre45dbvn2nhbefbmh.begumvelic.at/FEBFC37BC65753C3
    http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FEBFC37BC65753C3
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FEBFC37BC65753C3
    http://xlowfznrg4wf7dli.ONION/FEBFC37BC65753C3
Signatures

TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Renames multiple (869) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | mqfqclwegnom.exe

Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+uangc.png | mqfqclwegnom.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+uangc.txt | mqfqclwegnom.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+uangc.html | mqfqclwegnom.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+uangc.png | mqfqclwegnom.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+uangc.txt | mqfqclwegnom.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+uangc.html | mqfqclwegnom.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2376 | mqfqclwegnom.exe
  640 | mqfqclwegnom.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvkopggocwer = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\mqfqclwegnom.exe\"" | mqfqclwegnom.exe

Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2860 set thread context of 4896 | 2860 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 91
  PID 2376 set thread context of 640 | 2376 | mqfqclwegnom.exe | 96
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\mqfqclwegnom.exe | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  File opened for modification | C:\Windows\mqfqclwegnom.exe | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mqfqclwegnom.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mqfqclwegnom.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | mqfqclwegnom.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  272 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  640 | mqfqclwegnom.exe (64 identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process
  4668 | msedge.exe (6 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid | Process | Token(s), in the order recorded
  4896 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | SeDebugPrivilege
  640 | mqfqclwegnom.exe | SeDebugPrivilege
  1148 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence is recorded twice)
  3864 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4688 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process
  4668 | msedge.exe (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  4668 | msedge.exe (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (repeated entries shown once)
  PID 2860 wrote to memory of 4896 | 2860 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 91
  PID 4896 wrote to memory of 2376 | 4896 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 92
  PID 4896 wrote to memory of 2192 | 4896 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 93
  PID 2376 wrote to memory of 640 | 2376 | mqfqclwegnom.exe | 96
  PID 640 wrote to memory of 1148 | 640 | mqfqclwegnom.exe | 97
  PID 640 wrote to memory of 272 | 640 | mqfqclwegnom.exe | 102
  PID 640 wrote to memory of 4668 | 640 | mqfqclwegnom.exe | 103
  PID 4668 wrote to memory of 4248 | 4668 | msedge.exe | 104
  PID 640 wrote to memory of 4688 | 640 | mqfqclwegnom.exe | 105
  PID 4668 wrote to memory of 2860 | 4668 | msedge.exe | 107
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | mqfqclwegnom.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | mqfqclwegnom.exe

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe (PID 2860)
  command line: "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe (PID 4896)
    command line: "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Windows\mqfqclwegnom.exe (PID 2376)
      command line: C:\Windows\mqfqclwegnom.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\mqfqclwegnom.exe (PID 640)
        command line: C:\Windows\mqfqclwegnom.exe
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        depth 5: C:\Windows\System32\wbem\WMIC.exe (PID 1148)
          command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

        depth 5: C:\Windows\SysWOW64\NOTEPAD.EXE (PID 272)
          command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)

        depth 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4668)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4248)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb9b146f8,0x7ffeb9b14708,0x7ffeb9b14718

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2860)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2956)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3780)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3412)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3260)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3268)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5116)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2112)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

          depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2784)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:16⤵PID:3068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:16⤵PID:2008
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MQFQCL~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:4308
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:2192
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3864
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2780
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2924
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads