Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2025, 22:57
Static task: static1
Behavioral task: behavioral1
  Sample: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Resource: win10v2004-20241007-en
General
Target: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Size: 371KB
MD5: 76b0182e3dc2f368facd1446a78d2ae0
SHA1: 6e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA256: 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512: e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
SSDEEP: 6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config
Extracted
Path: C:\Program Files\7-Zip\Lang\_RECoVERY_+wmhei.txt
Family: teslacrypt
C2:
http://yyre45dbvn2nhbefbmh.begumvelic.at/E791D7B64ADADBCD
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E791D7B64ADADBCD
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E791D7B64ADADBCD
http://xlowfznrg4wf7dli.ONION/E791D7B64ADADBCD
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (886) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | ekmglkvkasqr.exe
Drops startup file (6 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe

Executes dropped EXE (2 IoCs)
pid | Process
1104 | ekmglkvkasqr.exe
4076 | ekmglkvkasqr.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngdhuuaukdjk = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ekmglkvkasqr.exe\"" | ekmglkvkasqr.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3264 set thread context of 4876 | 3264 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 99
PID 1104 set thread context of 4076 | 1104 | ekmglkvkasqr.exe | 104
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-125.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-96_altform-unplated.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-150.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\gui\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20_altform-unplated_contrast-white.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\modules\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W5.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kk\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-125.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-lightunplated.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineStrings.js | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MediumTile.scale-100.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\XLSTART\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200_contrast-black.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gd\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-100.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\THMBNAIL.PNG | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_RECoVERY_+wmhei.html | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-fullcolor.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\CottonCandy.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Internet Explorer\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-200_contrast-white.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cgg\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-200.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\_RECoVERY_+wmhei.png | ekmglkvkasqr.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_RECoVERY_+wmhei.txt | ekmglkvkasqr.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\ekmglkvkasqr.exe | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
File created | C:\Windows\ekmglkvkasqr.exe | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ekmglkvkasqr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ekmglkvkasqr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | ekmglkvkasqr.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
5000 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4076 | ekmglkvkasqr.exe (×64, the same row repeated for every entry)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid | Process
2480 | msedge.exe (×6, the same row repeated for every entry)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4876 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
Token: SeDebugPrivilege | 4076 | ekmglkvkasqr.exe
Token: SeIncreaseQuotaPrivilege | 2936 | WMIC.exe
Token: SeSecurityPrivilege | 2936 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2936 | WMIC.exe
Token: SeLoadDriverPrivilege | 2936 | WMIC.exe
Token: SeSystemProfilePrivilege | 2936 | WMIC.exe
Token: SeSystemtimePrivilege | 2936 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2936 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2936 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2936 | WMIC.exe
Token: SeBackupPrivilege | 2936 | WMIC.exe
Token: SeRestorePrivilege | 2936 | WMIC.exe
Token: SeShutdownPrivilege | 2936 | WMIC.exe
Token: SeDebugPrivilege | 2936 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2936 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2936 | WMIC.exe
Token: SeUndockPrivilege | 2936 | WMIC.exe
Token: SeManageVolumePrivilege | 2936 | WMIC.exe
Token: 33 | 2936 | WMIC.exe
Token: 34 | 2936 | WMIC.exe
Token: 35 | 2936 | WMIC.exe
Token: 36 | 2936 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2936 | WMIC.exe
Token: SeSecurityPrivilege | 2936 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2936 | WMIC.exe
Token: SeLoadDriverPrivilege | 2936 | WMIC.exe
Token: SeSystemProfilePrivilege | 2936 | WMIC.exe
Token: SeSystemtimePrivilege | 2936 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2936 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2936 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2936 | WMIC.exe
Token: SeBackupPrivilege | 2936 | WMIC.exe
Token: SeRestorePrivilege | 2936 | WMIC.exe
Token: SeShutdownPrivilege | 2936 | WMIC.exe
Token: SeDebugPrivilege | 2936 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2936 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2936 | WMIC.exe
Token: SeUndockPrivilege | 2936 | WMIC.exe
Token: SeManageVolumePrivilege | 2936 | WMIC.exe
Token: 33 | 2936 | WMIC.exe
Token: 34 | 2936 | WMIC.exe
Token: 35 | 2936 | WMIC.exe
Token: 36 | 2936 | WMIC.exe
Token: SeBackupPrivilege | 2688 | vssvc.exe
Token: SeRestorePrivilege | 2688 | vssvc.exe
Token: SeAuditPrivilege | 2688 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 2580 | WMIC.exe
Token: SeSecurityPrivilege | 2580 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2580 | WMIC.exe
Token: SeLoadDriverPrivilege | 2580 | WMIC.exe
Token: SeSystemProfilePrivilege | 2580 | WMIC.exe
Token: SeSystemtimePrivilege | 2580 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2580 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2580 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2580 | WMIC.exe
Token: SeBackupPrivilege | 2580 | WMIC.exe
Token: SeRestorePrivilege | 2580 | WMIC.exe
Token: SeShutdownPrivilege | 2580 | WMIC.exe
Token: SeDebugPrivilege | 2580 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2580 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2580 | WMIC.exe
Token: SeUndockPrivilege | 2580 | WMIC.exe
Token: SeManageVolumePrivilege | 2580 | WMIC.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process
2480 | msedge.exe (×25, the same row repeated for every entry)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
2480 | msedge.exe (×24, the same row repeated for every entry)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (×N = number of identical rows)
PID 3264 wrote to memory of 4876 | 3264 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 99 (×9)
PID 4876 wrote to memory of 1104 | 4876 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 100 (×3)
PID 4876 wrote to memory of 1044 | 4876 | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe | 101 (×3)
PID 1104 wrote to memory of 4076 | 1104 | ekmglkvkasqr.exe | 104 (×9)
PID 4076 wrote to memory of 2936 | 4076 | ekmglkvkasqr.exe | 105 (×2)
PID 4076 wrote to memory of 5000 | 4076 | ekmglkvkasqr.exe | 112 (×3)
PID 4076 wrote to memory of 2480 | 4076 | ekmglkvkasqr.exe | 113 (×2)
PID 2480 wrote to memory of 3224 | 2480 | msedge.exe | 114 (×2)
PID 4076 wrote to memory of 2580 | 4076 | ekmglkvkasqr.exe | 115 (×2)
PID 2480 wrote to memory of 1636 | 2480 | msedge.exe | 118 (×29)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ekmglkvkasqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | ekmglkvkasqr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3264

  [depth 2] C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4876

    [depth 3] C:\Windows\ekmglkvkasqr.exe
      Command line: C:\Windows\ekmglkvkasqr.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1104

      [depth 4] C:\Windows\ekmglkvkasqr.exe
        Command line: C:\Windows\ekmglkvkasqr.exe
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 4076

        [depth 5] C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
          PID: 2936

        [depth 5] C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
          PID: 5000

        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 2480

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbc4c46f8,0x7ffcbc4c4708,0x7ffcbc4c4718
            PID: 3224

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
            PID: 1636

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
            PID: 4492

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
            PID: 2848

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
            PID: 2012

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
            PID: 1720

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
            PID: 4352

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
            PID: 5088

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
            PID: 3872

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
            PID: 4208

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
            PID: 1432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:16⤵PID:620
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\EKMGLK~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:3836
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:1044
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1904
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:852
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads