Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2025, 10:31
Static task: static1

Behavioral task: behavioral1
  Sample: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
  Resource: win10v2004-20241007-en
General
Target: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Size: 371KB
MD5: c192a273a786b569df2056914faf8327
SHA1: 87f24f470d678deae2cade1d3fd12255e796c091
SHA256: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
SHA512: 8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427
SSDEEP: 6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config
Extracted from: C:\Program Files\7-Zip\Lang\_RECoVERY_+vdffo.txt
family: teslacrypt
urls:
- http://yyre45dbvn2nhbefbmh.begumvelic.at/F2D9B1604B5E4638
- http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F2D9B1604B5E4638
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F2D9B1604B5E4638
- http://xlowfznrg4wf7dli.ONION/F2D9B1604B5E4638
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | ygglwxrusrlr.exe
Drops startup file (6 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+vdffo.html | ygglwxrusrlr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+vdffo.png | ygglwxrusrlr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+vdffo.txt | ygglwxrusrlr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+vdffo.html | ygglwxrusrlr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+vdffo.png | ygglwxrusrlr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+vdffo.txt | ygglwxrusrlr.exe

Executes dropped EXE (2 IoCs)
pid | Process
4564 | ygglwxrusrlr.exe
5024 | ygglwxrusrlr.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\milqvmoicjku = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ygglwxrusrlr.exe\"" | ygglwxrusrlr.exe

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4828 set thread context of 1808 | 4828 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | 98
PID 4564 set thread context of 5024 | 4564 | ygglwxrusrlr.exe | 103
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by process ygglwxrusrlr.exe; the ioc column (file path) of each entry follows:
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\_RECoVERY_+vdffo.txt
- C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-400_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_TeethSmile.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+vdffo.txt
- C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\_RECoVERY_+vdffo.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-400.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\WideTile.scale-100.png
- C:\Program Files\Windows NT\Accessories\ja-JP\_RECoVERY_+vdffo.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\_RECoVERY_+vdffo.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-200.png
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_contrast-white.png
- C:\Program Files\Windows Media Player\de-DE\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_Welcome.mp4
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlFrontIndicator.png
- C:\Program Files\VideoLAN\VLC\lua\meta\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\_RECoVERY_+vdffo.png
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lt.pak
- C:\Program Files\Windows Security\BrowserCore\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_dark.jpg
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\DeleteToastQuickAction.scale-80.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_altform-unplated_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FilePowerPoint32x32.png
- C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png
- C:\Program Files\7-Zip\Lang\fy.txt
- C:\Program Files\Windows NT\TableTextService\_RECoVERY_+vdffo.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-150.png
- C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_RECoVERY_+vdffo.txt
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon96x96.png
- C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-white_scale-100.png
- C:\Program Files\Common Files\microsoft shared\TextConv\en-US\_RECoVERY_+vdffo.png
- C:\Program Files\VideoLAN\VLC\locale\uk\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-100.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected]
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-125.png
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\THMBNAIL.PNG
- C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_RECoVERY_+vdffo.txt
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-150.png
- C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+vdffo.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-150.png
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.scale-100_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-200.png
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\THMBNAIL.PNG
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Snooze.scale-64.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-150.png
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\_RECoVERY_+vdffo.html
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+vdffo.txt
- C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+vdffo.png
- C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100.png
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\ygglwxrusrlr.exe | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
File opened for modification | C:\Windows\ygglwxrusrlr.exe | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ygglwxrusrlr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ygglwxrusrlr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | ygglwxrusrlr.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
2552 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
5024 | ygglwxrusrlr.exe (all 64 entries are this same pid/process pair)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid | Process
1448 | msedge.exe (all 6 entries are this same pid/process pair)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Entries grouped by pid and process; each listed privilege is one "Token: <privilege>" row:
- 1808 e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe: SeDebugPrivilege
- 5024 ygglwxrusrlr.exe: SeDebugPrivilege
- 2368 WMIC.exe (the following 21 rows appear twice, 42 rows in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 3044 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 4732 WMIC.exe (17 rows): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process
1448 | msedge.exe (all 25 entries are this same pid/process pair)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
1448 | msedge.exe (all 24 entries are this same pid/process pair)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 4828 wrote to memory of 1808 | 4828 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | 98 | 9 rows
PID 1808 wrote to memory of 4564 | 1808 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | 99 | 3 rows
PID 1808 wrote to memory of 4920 | 1808 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | 100 | 3 rows
PID 4564 wrote to memory of 5024 | 4564 | ygglwxrusrlr.exe | 103 | 9 rows
PID 5024 wrote to memory of 2368 | 5024 | ygglwxrusrlr.exe | 104 | 2 rows
PID 5024 wrote to memory of 2552 | 5024 | ygglwxrusrlr.exe | 110 | 3 rows
PID 5024 wrote to memory of 1448 | 5024 | ygglwxrusrlr.exe | 111 | 2 rows
PID 1448 wrote to memory of 3516 | 1448 | msedge.exe | 112 | 2 rows
PID 5024 wrote to memory of 4732 | 5024 | ygglwxrusrlr.exe | 113 | 2 rows
PID 1448 wrote to memory of 3048 | 1448 | msedge.exe | 115 | 29 rows

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ygglwxrusrlr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | ygglwxrusrlr.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; each child process is indented under its parent)

C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
  PID: 4828
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
    PID: 1808
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\ygglwxrusrlr.exe
      Command line: C:\Windows\ygglwxrusrlr.exe
      PID: 4564
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\ygglwxrusrlr.exe
        Command line: C:\Windows\ygglwxrusrlr.exe
        PID: 5024
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          PID: 2368
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          PID: 2552
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
          PID: 1448
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeed5a46f8,0x7ffeed5a4708,0x7ffeed5a4718
            PID: 3516

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
            PID: 3048

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
            PID: 4668

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
            PID: 636

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
            PID: 1352

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
            PID: 2316

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
            PID: 4348

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
            PID: 2928

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
            PID: 2644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:16⤵PID:1860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:16⤵PID:4392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:16⤵PID:3252
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YGGLWX~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:296
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:4920
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3384
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1152
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads