Analysis
- max time kernel: 149s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2025, 23:52
Static task
- static1
Behavioral tasks
- behavioral1: sample MSUpdate.exe, resource win7-20240729-en
- behavioral2: sample MSUpdate.exe, resource win10v2004-20241007-en
General
- Target: MSUpdate.exe
- Size: 360KB
- MD5: 9ce01dfbf25dfea778e57d8274675d6f
- SHA1: 1bd767beb5bc36b396ca6405748042640ad57526
- SHA256: 5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
- SHA512: d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
- SSDEEP: 6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB
Malware Config
Extracted from: C:\Program Files\7-Zip\Lang\_RECOVERY_+xysfh.txt
Family: teslacrypt
Payment URLs:
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/69FF1965B85F437F
- http://tes543berda73i48fsdfsd.keratadze.at/69FF1965B85F437F
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/69FF1965B85F437F
- http://xlowfznrg4wf7dli.ONION/69FF1965B85F437F
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (863) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (MSUpdate.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (yxywcdlvmcpe.exe)

Drops startup file (6 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+xysfh.png (yxywcdlvmcpe.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+xysfh.txt (yxywcdlvmcpe.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+xysfh.html (yxywcdlvmcpe.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+xysfh.png (yxywcdlvmcpe.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+xysfh.txt (yxywcdlvmcpe.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+xysfh.html (yxywcdlvmcpe.exe)

Executes dropped EXE (1 IoC)
- PID 4692: yxywcdlvmcpe.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbmgwtafoedo = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\yxywcdlvmcpe.exe\"" (yxywcdlvmcpe.exe)

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\yxywcdlvmcpe.exe (MSUpdate.exe)
- File opened for modification: C:\Windows\yxywcdlvmcpe.exe (MSUpdate.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NOTEPAD.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MSUpdate.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (yxywcdlvmcpe.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings (yxywcdlvmcpe.exe)

Opens file in notepad (likely ransom note) (1 IoC)
- PID 448: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (25 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (yxywcdlvmcpe.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (yxywcdlvmcpe.exe)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

MSUpdate.exe (PID 4412)
  Path: C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  yxywcdlvmcpe.exe (PID 4692)
    Path: C:\Windows\yxywcdlvmcpe.exe
    Command line: C:\Windows\yxywcdlvmcpe.exe
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    WMIC.exe (PID 3972)
      Path: C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken

    NOTEPAD.EXE (PID 448)
      Path: C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)

    msedge.exe (PID 5004)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      msedge.exe (PID 3012)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e20846f8,0x7ff9e2084708,0x7ff9e2084718

      msedge.exe (PID 284)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

      msedge.exe (PID 1828)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

      msedge.exe (PID 464)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

      msedge.exe (PID 2768)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1

      msedge.exe (PID 2624)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

      identity_helper.exe (PID 3576)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8

      identity_helper.exe (PID 2384)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8

      msedge.exe (PID 1632)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

      msedge.exe (PID 1656)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1

      msedge.exe (PID 324)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

      msedge.exe (PID 4900)
        Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

    WMIC.exe (PID 1108)
      Path: C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken

    cmd.exe (PID 4820)
      Path: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YXYWCD~1.EXE
      - System Location Discovery: System Language Discovery

  cmd.exe (PID 4852)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe
    - System Location Discovery: System Language Discovery

vssvc.exe (PID 1700)
  Path: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

CompPkgSrv.exe (PID 5048)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 3964)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
Credential Access
  Credentials from Password Stores 1
    Credentials from Web Browsers 1
  Unsecured Credentials 1
    Credentials In Files 1
Downloads
- Filesize 11KB
  MD5 d6377730ed5a65068541a72b23dc5e6d
  SHA1 c2ae903ec50cada472020647bf14bd1c932e1715
  SHA256 ee27410f69176d1eabe0b5da6951d532c7951ee0a2417b7348c61fb4b335e9e0
  SHA512 0e9fcc38e8116d530b5f14150a7b16fdc01ad154f660ae17ab67575f7e907f6006755651eac4f32b1988968ab5081a66409a43dd1e903134fb3c701921458bfe

- Filesize 62KB
  MD5 1495b337229bf13492b99797b474bf52
  SHA1 d441770d650b056d06cab821fe01fc6d8a32b172
  SHA256 bc7ab9f466acebd6a7b15b8793c48777095bf5173ff3b4d516631401e76d103b
  SHA512 4c3a2624dfd7df002b278d579de38b09ee1250d018484f0f1247f0d43958aa06812094aadd7ecfd39e16b87069880752ac6cd0951c36cb379bba25a542d56f06

- Filesize 1KB
  MD5 fde04aa3d3b08764684c5741d40feaee
  SHA1 108c44870e8887a6ed2671610c26aba4addfb9a0
  SHA256 f9332da4c2072589becdc864e90e25d10b4ef7e2680099c0bdf9faaccee6644b
  SHA512 689a78f81d015763b62f2469a622ce6500ad3e84a2772c69b9ac78799004401f8846dc868fd2489497820f71231fc92ecf3f2c0ff4b290b90aee7c436f839a53

- Filesize 560B
  MD5 13bdd3ac91a12f38eadf02a2224c4e05
  SHA1 795a19675f1efbe1f75d27af0fded03bd64153aa
  SHA256 998dbd2bd47bef16bb2929514de1efa0d08830764808e89acf28f46b23876ed5
  SHA512 c71f2d3a76d6caa554231287f1a02d86fd05f31e04a11b694d7917f09573be2bb9c799ce1b59edb7c59d4d917d0ce2d447e518764500e45a531bdd5e64cc132d

- Filesize 560B
  MD5 53f7088551c8cafaef02389e040d9974
  SHA1 cabe490b4e97789583f56f8027f2cf49bf8f650d
  SHA256 4d51b3289740ec260d92fcb72fe31813da09b98ae3e4bcdfa590a57b0ba34d35
  SHA512 5fa83b98965def059c2902c22e31180b701b71e572526e2fd6a18f811b6b0a6d1378c5f9be82dbec1bb27afe3ddb631e9f6b2febd2f07652411af12c26bb11fa

- Filesize 416B
  MD5 4f04e5c85660889480ca0d1303a207ae
  SHA1 1cd060c430badd3e391671caf035b4da6b0737cf
  SHA256 5c456d2481e90336588d9f7dc81041a71a95ff99b1572c94cb4dad9b86350c19
  SHA512 b7bb6e473ca19ca22177a8fb45606e43393b4cb94039714b39a681bed64cfba7745d6e5394da2306328285f83b6df72f92aed636b719e5be9bc9da336975efc5

- Filesize 152B
  MD5 37f660dd4b6ddf23bc37f5c823d1c33a
  SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
  SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
  SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

- Filesize 152B
  MD5 d7cb450b1315c63b1d5d89d98ba22da5
  SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
  SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
  SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

- Filesize 5KB
  MD5 f5bf74137cf460620c72d0655b94115d
  SHA1 18f0bac2d4ee54ea8f8cc1d734fcd7bfd0531ba4
  SHA256 8d8c4d86220f8a0eeeabd6c01d8c605935a201af4c7739af64a0036d992143bb
  SHA512 e49936d444f797afdfb56b9e37c9ce9b49c569cf257daf8a29d2e0c48f2e58f465e06e5a6a3b030cc26608d33e7a139cf820dba6c6fd98d22db5d660e7e59731

- Filesize 6KB
  MD5 a4d44f1ee9e5aa7ef9be5b6cc7e1c997
  SHA1 59faf2c94899bd52fb255268abafc8eb04ad0241
  SHA256 a39417e0c664e137000a09f7407be2bf3fd16d0e8b79e2e6affc03cabfaaf568
  SHA512 4a0cbe81c3d94162f9d2c2f7a972e7c622b98d38ffba86fc451d518da99c8a7a12e1ffc6ff918f46a428a72544c02948717927496f5b917a2e5a6caf3f20a48a

- Filesize 16B
  MD5 46295cac801e5d4857d09837238a6394
  SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize 16B
  MD5 206702161f94c5cd39fadd03f4014d98
  SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- Filesize 10KB
  MD5 b322d455cfd14acbf6915c549f702cca
  SHA1 ade99d6c9765890352d8f7c97ee5cef73c1772f1
  SHA256 1087d058766a6aef60a9f02c782f6bd8963c79e05e3bce7d54935ddd5ed2d311
  SHA512 b530f41a61666a01d5eccdfdd45119d303aa01816fe45e9835ec06ca7ce610b445d3b4a7a84e079a8432eeeb26c5f4f9581bb83cb0f4d9cb1f6d2a75516b6cb7

- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt
  Filesize 77KB
  MD5 d706e56d1c0fc90e7c34bb227727009f
  SHA1 82bada2e63da5723b13abc229a6696a81b37327a
  SHA256 5259f8e03d5a6563104e620999c7f6e246ab852d50b364dbec4fa790d0ddbadd
  SHA512 f61c7934043985131fa4b3561ba6a3ca17762f1e7e2a2bfd5a64b07ce1e8a943d7dd2005afcc210d39a86729b2adb54f83142645726c633c1e7f01bc6d2cc2c7

- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt
  Filesize 47KB
  MD5 3cab405fdf57d96e02310bf3f4ef390f
  SHA1 142af4b729aa05ecd22b9ab58343baf3655fb55b
  SHA256 066964166d65c57eea65076e3dcb64013542751f731544dc25b38d20183f9ad9
  SHA512 69329ad549ce975be905eadd634e873bd24cd1c5355f3b1d543fe6873b1517cf25eb4fffb345316d09a681a6318d30f996efecd7647342afcccc1608a88d6c4e

- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt
  Filesize 74KB
  MD5 ad9d0729e9505b4a924c53ec24a0f6f8
  SHA1 4e6c554a7f86e78a534b54c6e1f9af88b0490e5a
  SHA256 c1fee6b2ec9ad41fc691d1fd942351a937e2fdf6ebf6418bd74258b1b1d448de
  SHA512 4bf20a969ddbdcad03c7b56c4aa468f8141c40f7cb621166c55e3ba3913a9539dea5e9fe09206c9bbe28915ce823c2a044587f9516011c01f4df152822024ab9

- Filesize 360KB
  MD5 9ce01dfbf25dfea778e57d8274675d6f
  SHA1 1bd767beb5bc36b396ca6405748042640ad57526
  SHA256 5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
  SHA512 d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b