netwalker | 16e6fc7f6bf936eda5723551ea9d0aee9d83e265c1e70cc2d66198be8e1400d8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2025 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
Size

66KB
MD5

2be2af23b313b80536e9ca3c12704d6c
SHA1

5ce36159fb34f79df9bd8ba43afb8c21a059052c
SHA256

16e6fc7f6bf936eda5723551ea9d0aee9d83e265c1e70cc2d66198be8e1400d8
SHA512

384b55e59933ca35a4f6db970e6ac1169e016b40739c7b15f4a592e11fff8c7d4afa730cd2b0b78ad1ea18e29c881028228683b55742be76bbae65102be08853
SSDEEP

1536:Tn2v0CaaFjJn/zk4XHnnzxLhOZ3w4qwiDKKVqmfeL:TIK+N/44XHnzthOZ37qwiDo

Score

10^/10

netwalker defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\MF\E524DE-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .e524de -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e524de: dc3uoVUcTpCmkPQJDwf23eL2VgB1KZTvX5ZklS55FykZ4NtkPf vsstlzQ27ySEwnYCxXNB64HSJMaibM7G33C6UU+teVmvJF0o4I +G4XUlirXKCXUyUbrec+NP872cwttuPfF6sWMWOBi4K9yNEHQS WPYvNlyL0y2eB3fFkig4qZM2iS8x+LGrv3VUXywQjlxEJOZwBB DvJnN77tIj8nm52bJZIbdrebqK2pNnKrsMkve8r/Kth2P19Lrt FpwXPWepqmeV7PTSJifxsSXCKuE+hqYBYJjHIEsw==}

URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Netwalker family
netwalker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6800) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Stop.m4a	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_altform-unplated_contrast-black.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-200.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\E524DE-Readme.txt	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\46.jpg	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\MedTile.scale-200.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\ui-strings.js	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-200.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_contrast-white.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_nopic.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-64_altform-unplated.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\ui-strings.js	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\E524DE-Readme.txt	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\DismountWait.tmp	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-200.jpg	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-150_contrast-black.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ur.pak.DATA	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\officons.ttf	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\resources.pri	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-256_contrast-black.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyVideoProjectCreations_DarkTheme.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-400.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-125.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-RTL.gif	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-125_contrast-black.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\ui-strings.js	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\E524DE-Readme.txt	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-125.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_dark.jpg	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\E524DE-Readme.txt	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Pay.Background.winmd	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-100.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsBadgeLogo.scale-100.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-100.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-36_altform-unplated.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-20.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\logo.png	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3972	vssadmin.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2704	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
Token: SeImpersonatePrivilege	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeDebugPrivilege	2704	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 3972	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe	100
PID 2196 wrote to memory of 3972	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe	100
PID 2196 wrote to memory of 5584	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe	108
PID 2196 wrote to memory of 5584	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe	108
PID 2196 wrote to memory of 5584	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe	108
PID 2196 wrote to memory of 9952	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe	109
PID 2196 wrote to memory of 9952	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe	109
PID 2196 wrote to memory of 9952	2196	2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe	109
PID 9952 wrote to memory of 2704	9952	cmd.exe	111
PID 9952 wrote to memory of 2704	9952	cmd.exe	111
PID 9952 wrote to memory of 2704	9952	cmd.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_2be2af23b313b80536e9ca3c12704d6c_mailto.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3972
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\E524DE-Readme.txt"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\546.tmp.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:9952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 2196
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\AppXManifest.xml.e524de

Filesize
3.3MB

MD5
0105f9b4bd18319c4b0a1604ed7ee985

SHA1
d53e71649d128e8e492946f3fb7321a19145971a

SHA256
7744fe4948be78c53ae289589e3e873ad2b35e4793478a48f3b74601faf2056b

SHA512
bcc75dd7c9d98807ec200aadec65888fd5af339d14d4db1d7938882f2c0285dcb688334ccf1e436f395b69c922148242f823a97cd60a13c89403ba1a8ed8a1a2

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BC5B39E5-1464-4224-8151-D876B9C6A080\en-us.16\MasterDescriptor.en-us.xml.e524de

Filesize
28KB

MD5
e7a38d16e349ab61626895ed04609d50

SHA1
afed91514cd0eb26032acb562898b8c9bf746dfb

SHA256
7697e71fd24db7a8d8f1409aa7defe7a6bfd273fed522191f064aa928170bdf0

SHA512
43debd9ffbcf623e83039ccaa4fac9e1cea0da97a6d54420abe31009d2b8bac80cfdc92600ef6828dff3c3f048f3d05436fca4b27bd1a09b0fe6a3e558a077aa

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.e524de

Filesize
412KB

MD5
8acf8779c3b56c56caa3a6a6cd1f72a4

SHA1
3e65967add84d084a0525504b73cb1d879c93140

SHA256
333adf1fa1fbbe439c1168935aa80a0baefc6a95f779e14724fa739c31feea04

SHA512
fec4159bce4fa105379ff296123e6fb08b920483104c3406a484bf29c85a1dff6168d9046a182f0303619be8d74e8884d44d5161050f8ec6d8b3de6c16b0df36

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.e524de

Filesize
16KB

MD5
6bb4e0361fad0294969f84aad0275fd0

SHA1
319be6f10a4ac237871be5071452c5d774ab7c8a

SHA256
62ea9e31d0acfa75acae7c774a1a2f85e9a96ecbbc4faa104758725f134bffbd

SHA512
4d07531b10e49f80c109f4d9d4bcde5a8a01988943ab114b452fb47457ae24d4bca488be23ad995ebb15e329498b16e211e17eed70b4f7f659195e297a60256e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.e524de

Filesize
150KB

MD5
ee69caee93660f47e6cb96bd2812f7cd

SHA1
c797475008bc46f9a366cee893d7a7e4b839559f

SHA256
d5b72553bc4e392e41aa9e63889c1e1c4453fe48d0fd070fc80d72e769459ffe

SHA512
1ea31991e3612d10b391fb376c548964d54a11755828b3f459dc5163ceae2a0bb2e619ac6788584563864b30876dcc0ef7273220f302ab4c18060df8753f8856

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.e524de

Filesize
1KB

MD5
d220977933cb5f987cbde7aa0fda8339

SHA1
705c225b1868b31d2c49c7cdd1b92c2ac012ec45

SHA256
6f8c90b985bd1618507d6814d444cdf9b5448b5d7784e18f1e020f5edc08e0d7

SHA512
508f56da85007a88683389f730e4b4a57bbd3b5c7e69a4c8069ad128485f9b4faa96aeca50e84c8bcc75f3967f2470ae80425a126d312691a619edc4d51b1f5d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.e524de

Filesize
98KB

MD5
71d686aaa57b738b90b1b9099969dc56

SHA1
86828ea00c32ad30c2736d604b7998d2a870e3ca

SHA256
bfa8085177c623702092249227def4e145dc7cd4146020697ab9159754da07f8

SHA512
a990f9cdcb8cb0f0441d008cafd50782fa6c1596f091a7c8feb6ad2f6fa10612a9a01a8343c419700aa901696bd2be6fd95b1dc41b423edf003e01fa7389cfb4

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml.e524de

Filesize
9KB

MD5
8e4e0c342d5593a7b9999274ee3e9f6e

SHA1
ec0f74c9ccee5c20a17064ccae2264b207911c90

SHA256
2ba63d0f4358e419cecf6099dcd1a64e053769a9d24ca6c82d349d7f8fafc9b6

SHA512
ccc10c9ad5de9163d7dca90a89930f98653ce127afb34ca20e1daf726c7ce6a2d9cdf1b3ed100f0025f3caa20e58b5762fa20eaffcdf6b5c757f6369d3fe2ba1

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.e524de

Filesize
39KB

MD5
479fc9a3d98ec99337a17ff692c329e0

SHA1
5dc6e001dcf3a1b901d17481bf3f58b97dae903d

SHA256
1f789f4ab206903a99a5189c57fad77342bd592d9f685f8fe9478fffbfa0e008

SHA512
c20df34186974d92bbba19f56f312daecf3e0ff922f97d1b96568f436156069769a6945501f5cfa1f741dd114ec76f17fc902aed1e76b3b1890a0d2576178556

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml.e524de

Filesize
16KB

MD5
540770ecf4e5a538212597f99737c4cc

SHA1
af1358090eddc7554ad48bd73e7a3d87d9cd0ccd

SHA256
3ba50e1336d4ef94e48c5c3a63bf640676cb35497d6d5141829066578f1c6159

SHA512
b56bcee7fb503ab2a0d09d667b06369db9094554c1bc244b340b60e9013861380184302afc8e120440d824053079b4081b67bb2834d031bfedb0016d0ab072ac

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml.e524de

Filesize
331KB

MD5
a15a091923e848044840a653e0434a90

SHA1
2c4824fe845aef5b979a1f8cf3b09b37d992250d

SHA256
16a3ae39fce16de468815d61ccd1d406f8decbf61dffbc9b7008b58b259a1f1a

SHA512
2078437e7c8e1e7d700ea856007a16569a572faf70455d8dbdec6a005ada1298b4280ee568dbaf9ab03f51794894a49fae9ab9c276a43978029c8256e4e22b3e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.e524de

Filesize
122KB

MD5
6152002ff7e3a163613c93a3b1af16fa

SHA1
5202a90a782f194b5b1e467d9bbb3a46ac635c97

SHA256
cf6ec9732c5af0a3e241a9e8f638a431640b8d2e60b79b3f9ddca209e094bee8

SHA512
b9f35be36b49e91cf3d7d9e105cc251f47d60fd91daa35ba2e3480a4f5e0c8b573cd41d5b591984c18dd5f135dfce38430a1382adaed7a777484cf1a0732c813

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml.e524de

Filesize
2KB

MD5
a3496a85b5bd6dc4d5c4ed0f0acab66e

SHA1
1656edd5ae97cda5f28354bcaa1b0086ad2948ef

SHA256
e0173386b65d6dd2a288e68a1bd182f42d079a76ac1b1e0aa17f22e95bb7358e

SHA512
ff8d3c8ee68abd43f7725a4f633a040623004ee3dbc4cbd43be216ed0dc9deeecc26b58a2d8814ff4964b79d3e9fd318505e7ac887e7c611992d8cb3bcafd679

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml.e524de

Filesize
18KB

MD5
6954f66d96e28b888c89358b457021b5

SHA1
e20352dcd697ad4f367635f000bf849255634a63

SHA256
f463e83a89107adfa78b1a0151fd9e4132adda73df663e29fa11b5b9d5029c2b

SHA512
785e1677945827f53669b64ccebb943279116b39c12670e81620f12d529d34dd1c1e0b477cd79e7719ecd3e630112181a7dedc848a1c475eea889b0a94fcc3ed

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml.e524de

Filesize
11KB

MD5
90adcd9a6ab228637b74960c25cab5eb

SHA1
7ee9f65797d128a2b2d29123e1c36cdc51295316

SHA256
53f760d52ddc9bd78241e31e933dec4fcae1e564ea6f4abce4612f9a21007cb8

SHA512
db61e78e8af339758b36f7abb387e293d39919da5bb17b715eb39ef63bb327104a2efb9c5642d65cbf834dc3b81c9295d136e51c9211d2bee8eef29e84564c6e

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\8ff310a7548bcb2c4956ce6c0fec220b_755b0f1a-bb38-4bb2-bc7e-240c892146ee.e524de

Filesize
1KB

MD5
b0d36b9d6cdb942bdbf672d38e340854

SHA1
4442c70481922784794790273f7346cba0cac215

SHA256
8b4950b74bb2b5cd1da15f4886a619c26ad3d745b49f555a27b5098803108be3

SHA512
e83e36719abf5534e30341de6bcc315c6f5a32ed9e1db6212873c4346748380ac11dc2ea30ef142b958b97dbda22930eabac3b536bfeae7debd225bf47c09923

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.e524de

Filesize
32KB

MD5
9dc5e80843e7b42ee0df63b935ce95e5

SHA1
42674367c5572dd1667119ff10a9f7e9a609a0bd

SHA256
3c897abe1397b965a3948b4c33b55af54c1eefaeabf29a86a6fcf7e66d4d4db4

SHA512
6e9cfc234db59471d6910abbb56a1b4bf9be6e96f404f992507ba4a1b61ebd53c29f977f44d8226747899b00fbd20998a8efc18d971a017675a6a3da22d79adb

Download Submit
C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.e524de

Filesize
20KB

MD5
c737488dbc4fe87fc5cad16dd5f49ebc

SHA1
3c96eff0adaa79520ab0208e7500546686e7e8d1

SHA256
db55b8b8092755d7409e3f42eb907726b91b8b43f7d7ce3090bdfdc9fc6cd58b

SHA512
3f46bace24e073d28504673b1f84f916033231b2b1a0e47bfd99f1e175be965acc3d66c069ff54727bdb838795f63625dc4e36d4e3ed3fc9fa458d59adb630eb

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_8_18.etl.e524de

Filesize
256KB

MD5
0b212807bcb3ae46d15502b08b7826d3

SHA1
23a38d74594fb6dbb4ceb79bf586d687106c8f96

SHA256
72cd348711cfeddfdc330d3ab146b022b6b39b4ac915624294b7a73efc31548d

SHA512
58256e4b01e96c05e3e5dacefe11027f36198fa933a419a56a69fb46bead7c5826aa79239f276c8f773b5e9508f4602c0ffefe4a0118640c98c130b8bf4a90d7

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log.e524de

Filesize
75KB

MD5
2ce9b942c9f1bdf75cc288d382204020

SHA1
226d93ae51ccc30ac7ceff8c8bcc774d25f9627f

SHA256
0482f8a2d99ffa92d23f22e5f41ac86b52067963b3d69c324c3213f25ebba818

SHA512
9179874df53d9b884d1932f443ff09becc2b0186a2fc520923401edf046bf75d84be935965afd3fe1838287da0e41c290ae92fc5317f69da80dca0294a99dc48

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml.e524de

Filesize
12KB

MD5
5d358c19ccd081e0bcda75129e8ed2a2

SHA1
aa23e4c77e83a493be08f3fc4cccf493c7744c69

SHA256
3c7ff34aa6ee82bfa932adb8999d9970274186170a54c56a4e01933ae1b73370

SHA512
e0225ea74eaec42486e3b07d95f0dc875a9751ec81493a92f0ea3121bffc1680a9b25bfe8ff80fffa9f5faf49d1dee310bde899200be1c58a5bfa924aec6dbab

Download Submit
C:\ProgramData\Microsoft\MF\E524DE-Readme.txt

Filesize
1KB

MD5
426d80807e2f9e3a3dfee49dedbb69a1

SHA1
10c5117e5299a23d89fc2b72c2ffe53f7345a420

SHA256
14f344b44854ea1214b6173af53f5b16e1b83307a835221e7b06d378c4b518f4

SHA512
b316dfcf88e23e4c498c2b7a02665fc51ecf02a89c2ce434f4c3f7acf80ca9afbec85f853a10684da0f2f9b5811034a9483c137115c86eff2c501a627dc45917

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.chk.e524de

Filesize
8KB

MD5
df5d539246e72b4d8b6c56a92d66a01b

SHA1
e1f28437b5344ee0a05832977365c81cc23ab2e5

SHA256
f077adfd6d0dae7142b57130013360cc6044317f7643816d6b4531bb7298ef34

SHA512
47ec1c88554750fd4e60ae21175e0923ae512cb05806af08b151d6f1aba9b880163587793308e37bb33235228003dd209e5fa915a70197080716f299c775571d

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log.e524de

Filesize
1.3MB

MD5
a2cf34a1f951d89e67e12c61dc3822f0

SHA1
ba61c1d8b29024412339067bf6337ff09b907ab1

SHA256
0a9fec38b5d9d4d2e67dd53276797246a2c141720b57805a3f456494faa2ca26

SHA512
3118942b2239ccbaa82e9695527fe031b734d2bc5386ddcac7b10753c9c055ab2c5c7326c50108a421d9bb3adb67755e5a49f4a6b016d8e8a2f118bf454a5bb8

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.e524de

Filesize
1.3MB

MD5
2f9622c577c0fb4cab635c1a39b7567f

SHA1
df9d61046c0f584e23a65bf66306400983d98f93

SHA256
866f87f3b1adcaa97288c7c5572a35b6a9ac3d9286655984bf8a1a11221ebaa5

SHA512
d06af611b5f13be4cb11ea47ec63ae43172171f9e1019c11dc0b4da58725075f5a87fbbeb5a93692eabc89d8367608e4e7465b67193def84265274a10ee19d97

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs.e524de

Filesize
1.3MB

MD5
5c6a5d605535d68687272aa6b6eac872

SHA1
35486946109168dde8eb8001b4ad9aac04321535

SHA256
3f7a57a726f379eee0da9c2e24750bcd93d24aa015e6bf353a2a0ce69244e884

SHA512
347386862455495cafb0d71105ca407c72cbe3d22fc95c25754ecb4bfd2cd76a5dd1e479a79fc024fdd268a3961e29e628f178404a3f7fc1875f563956b36015

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log.e524de

Filesize
1.3MB

MD5
dc4c1e1378843018f16bb8fde2312d2a

SHA1
27249be2b9d44d075e46c7d820de0ae1667fc63a

SHA256
1078a74702921d3e6ec0184c8a68f25df43f649cb5b961c1a877ae14a6d1a1fc

SHA512
fe88fd0531ec9820ec9954506237de7815fd16c09a1bad1a5d6cbaa4711c965e404f09c6940999c10aaaeb0af0e1033919f6ed2b1c98d908d276f19e9561b824

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.e524de

Filesize
1.3MB

MD5
1b256ddc56d2749425547dffd394902e

SHA1
0e2391e6a293f6e0026a590f5d8014a0be175818

SHA256
7bc568dc6ce69345a595f1965ccc1191b2771c32563cc27dc116fe500b5c5fb7

SHA512
2833ad0bf55773c4d5f8e03cd7f9e12fa1ffb8796f3795d450fad65a85f2d37ffd69bfed81dbe2bda1b197623f961599ae67c2211b9e73779295899ba90bd828

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm.e524de

Filesize
16KB

MD5
5cddecaa1178cd6919e01a450e43a2a3

SHA1
e16b568aff9f0a33a5ecc9e81934d7f90772f0fe

SHA256
37944b240068bdc34300d2607a8b0256dab491b0c640d09d136091285dbcd699

SHA512
57c45bac9ee248709e337cd4283cd9e7d4708ecf065afdc1cb137713af7dd61c45d0718c0d7a73bd30d418755ada7046757a00da04da715875e85a2924fa0830

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk.e524de

Filesize
8KB

MD5
38218ba1318ace66c1b1c106a53f2030

SHA1
e3cf729a40e2b632a2c49ca4be854024ccc22e38

SHA256
6fa25e8d3231217ca1f42a26dd26ff709ca5e9f0c1f54ccff71fb00931d25d6e

SHA512
a50c3d865c77865c13c17686bb463d0803e339b03de92760a571940476528edb906273dd1d328186aff1a4e07c65f661a040fcb8262b5ee47cea8849499c0373

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch.e524de

Filesize
482B

MD5
756b3ffe8ae9d25c5d76b5fd8f0d5ea6

SHA1
35dc249c65d45ff516203c2c793f99f6cb9a5910

SHA256
2e113217e415d8410db3fb643c2ea54f5066cff50d07ccec09b4f2f0326a56bb

SHA512
74e2dfbb420918c0f4ea6097ff483736e1e80371ee930326d6930ace903e60d903f7b498b0e0c633638d42549bd35e0b8833f2e6af3b9cc8e1107f9060fdc09d

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3110b8d7-d60c-6adc-c3ce-bd22f748af91.xml.e524de

Filesize
3KB

MD5
41f7064128b5c459949f3daea2ce5425

SHA1
889deefcc5f329beb255e3eb8a83347a8fd895a7

SHA256
d4cec1c4f11df72fa40027b9d660b7f819d111f5f27f4a4d84e4d28273249872

SHA512
03639a469a64cbc22d1a7ed21c604cadd5118711b6a0f4ab49b1d48992b0b8115452b8dc2666b6469f66087610dbd0be590b81c65e921c953e0001d8f3f62779

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml.e524de

Filesize
2KB

MD5
0bcf98ae7c7dc2940f7b8563dc191682

SHA1
0cc19535c4370ffb3a70bea7d54703e2717e491d

SHA256
d0fd46150dc02f4dd1db7f091053db49e0a54eabde9c0c9a0b966d6ec8cd16c5

SHA512
b3de7ca75b69acbf0853289f9708251f5fe2461f1eb4ef00f9505ab60539f4bc345ca33821e6a563b8a6b5ff9a2af5b7d90457ef3711c99bb914d24a47e972d9

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\91a5b4c7-29a8-ec80-4321-fbecea906705.xml.e524de

Filesize
3KB

MD5
a93f49109e64c8f2fa14b93707e65ebb

SHA1
5b74c4b1ae1c2a43ccf9350fb8e965397e66250b

SHA256
5372c5dc1d9b7e3b14c49c7abfeb9641725d47677065db18fec60bc33a8201d8

SHA512
1d408d5022f83bf1184d6b0f49d82814f49e50bd5154b265b88e468535b0bef45e7c2115a0d75554724c7b5bfa5c4bd6f156f0dbf5257e2025b3af039787b6bc

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\b81d7e70-84e7-b16a-e3d0-1e7aa2f1232d.xml.e524de

Filesize
2KB

MD5
31b8c9401e97541a884e3b8e7a381d8a

SHA1
a6c9a90a8c286630bf2273a1585344116a0d218e

SHA256
01ffe0971e219283c298e1ee35f59598a88be9d0d4088524390ecccecc1d5e2f

SHA512
a211c5720f99387496c50271075be18e6c9e42069ceb14702e6c9b38b56e3931a3d105749e23ef359508b6c8c715a56f5e9935c78b8e3d1fa35dc1df25f16bf4

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\bcda97bb-bfd0-2a72-3c90-c8518f3d09ee.xml.e524de

Filesize
2KB

MD5
e21041bd4e8f490ab13466ce66ace85c

SHA1
154adad81d6ee8da6046837f86e42ed08afba7bf

SHA256
9ce35d5ca4194823b4f75a54bfd5b2e91425fbd1d9a57e8e94e4360712a07ebb

SHA512
0f724a7d5eff758ee497b8bdd1e4dfbd3fca24b2b680dd005b3bb0d01869d476a18dcb725feccd7a5f1b4a88adbf4683cb3324f435d5d30476fccd1779a24bce

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\c94a6c18-d496-da1c-8a02-fc6976e0145e.xml.e524de

Filesize
3KB

MD5
b9eb9117b22763a36054fc4b1e24e240

SHA1
8dfb54954900a0016baf3c36a758c0f31411e91d

SHA256
9dcb5540bd3b050ee48b002d76b496b22ebac05065739941304031a9db14a7f3

SHA512
eb8ae33aaeb24e63edab412015713076ed8d55ea38141c10de87594fe68d97c68bfb17e6b5b74fd2168946c4e497317a2e7abb71b9b2430bb461d246a805b681

Download Submit
C:\ProgramData\Microsoft\Windows\OneSettings\ASAP_CloudPolicy.json.e524de

Filesize
2KB

MD5
b72d0ce3a1bf6c8167a25fcdd5f582c1

SHA1
1187629fabb3bdeb48c8fd0f99521cf03d9c069e

SHA256
bd175959784b5b732356ec9093d36ac40392ca75b911ca734bb9205df1c60edf

SHA512
fe347630341299a207abd9a4e667255751f55175e11eb01332d09ba56cf23fc30eebdd96e95e6e60dc547bb759c26402aaf6fc0d98fca07c4770dc22bc45be0b

Download Submit
C:\ProgramData\Microsoft\Windows\OneSettings\StorageGroveler.json.e524de

Filesize
695B

MD5
d9dedecb9986372c055554377a585d29

SHA1
ea5d9d17e46b5e52669dfb4998e423916b884ef5

SHA256
a2012461cfc49baa13086828497aceff54a7c09d8ed5703185ea7c3b2fa3e720

SHA512
8d6eb32bc97883744b7a73b1155b198d5ac8716d1a7c14c8fc8dc60484f0c61a455b04a31d5bc15ca62c1760bc62df0df665b2216facfefd94d1297e2e8bcff7

Download Submit
C:\ProgramData\Microsoft\Windows\OneSettings\TroubleshootingSvc.json.e524de

Filesize
341B

MD5
8f44ac1acdbb63f4600130f9a13e2f00

SHA1
158eb500047a4e4ce0fe45c7cc6ba3461b900e38

SHA256
6e3df6138e3f917f0a08d3a77bac6a81c5d0f91d05d84dc79890dba6294c98c0

SHA512
abf225c1102865c36e7433fb421321013c6f509505250027c411ef8bb1ef40731059f233ade87ab176c3831c404cd8904d0b795ed0fd893fa763eeb6fb72c99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\546.tmp.bat

Filesize
127B

MD5
18f4fdcc32160fb7d187817b5ebf55e4

SHA1
c689c1a89724b8b99ca964c4f44129f19299340e

SHA256
ec0688588d4018e0d65ee95099a89bd73cb22dd26477de6d37c40e41a632078e

SHA512
fe347a7eaa9e45db77dd86d1168d10f0a2a7e93797e3799fd43d1dbc5ad9611a12e269a82ac934562a8461d163e3b204a098cbee2cf22c38b9bcda45af604f96

Download Submit