2ba2c20a826f51ed753f4f4dd78118d6f371a2fd5b4b0a2ff640c8f046d4fb55

Analysis

max time kernel
149s
max time network
153s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

2.7MB
MD5

5a4135a79283d211cf21820a67e01a4f
SHA1

fd1a1709b4346a4ca307d01cb85b5d6beb633733
SHA256

2ba2c20a826f51ed753f4f4dd78118d6f371a2fd5b4b0a2ff640c8f046d4fb55
SHA512

c6aa36b7326a461179dc0c8c14dc3552ccbf22d72490ee1d7ca90b3c9177538eff8e16258a2e42ab59b4c5999c25e420981dfc9e2fb6d4a1cc509c2c9534813b

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\How_To_Decrypt_Files.txt

Ransom Note

All Your Files Has Been Locked! Finding a way to decrypt the file makes us happy but all your files are protected by strong encryption with AES RSA 256 using military-grade encryption algorithm This is a private ransomware developed by our team and there is no decryption file for it In our view it is not possible to decrypt without a key Your (Unique decryption file) For Trust You can Send us Test Files And We Decrypt That And Send To You. The time of our country may be different from yours, so be patient, we will answer you as soon as possible. Email addresses are blocked quickly, so contact us sooner The first email may be blocked, so contact all of the following emails Your unique Id : WDHJFRVD Contact us : [email protected] [email protected] If you do not receive a reply from us, please contact us via Telegram Secure Messenger Telegram ID : http://t.me/yourfile2020 Short video on how to decrypt files: https://streamable.com/7h914 What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 24 hours to Decide to Pay after 2 Days Decryption Price will Be Double And after 1 week it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. Those who get in touch with us faster We also mention your security issues and how to get hacked so that you won't be hacked again by others. It's just a business

Emails

[email protected]

URLs

http://t.me/yourfile2020

https://streamable.com/7h914

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

JavaScript code in executable 12 IoCs

Processes:

yara_rule
js
js
js
js
js
js
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt	js
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt	js
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt	js
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt	js
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt	js
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt	js

Drops file in Program Files directory 8977 IoCs

Processes:

1.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grouping.Base.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\plugin-selectors.css.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DLL.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Example3B.Diagnostics.Tests.ps1.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\fontmanager.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\eu-es\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_uinline_warning.svg.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHIC.TTF.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Scan_visual.svg.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\vi.pak.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Excel.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INF.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar.Id-WDHJFRVD.[[email protected]].Crypto	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png.Id-WDHJFRVD.[[email protected]].Crypto	1.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

372 taskkill.exe
3864 taskkill.exe
2584 taskkill.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

SearchUI.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors SearchUI.exe

pid	process
372	taskkill.exe
3864	taskkill.exe
2584	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors	SearchUI.exe

Modifies registry class 43 IoCs

Processes:

SearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana\ = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\ = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "1"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\MrtCache	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana\NumberOfSubdomains = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana\Total = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	SearchUI.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exeSearchUI.exe

description	pid	process
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	196	SearchUI.exe
Token: SeDebugPrivilege	196	SearchUI.exe
Token: SeDebugPrivilege	196	SearchUI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchUI.exe

pid process

196 SearchUI.exe

pid	process
196	SearchUI.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

1.execmd.execmd.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1304 wrote to memory of 3172	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 3172	1304	1.exe	cmd.exe
PID 3172 wrote to memory of 3864	3172	cmd.exe	taskkill.exe
PID 3172 wrote to memory of 3864	3172	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 3176	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 3176	1304	1.exe	cmd.exe
PID 3176 wrote to memory of 2584	3176	cmd.exe	taskkill.exe
PID 3176 wrote to memory of 2584	3176	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 360	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 360	1304	1.exe	cmd.exe
PID 360 wrote to memory of 372	360	cmd.exe	taskkill.exe
PID 360 wrote to memory of 372	360	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 200	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 200	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 648	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 648	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 96	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 96	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 1864	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 1864	1304	1.exe	cmd.exe
PID 1864 wrote to memory of 3680	1864	cmd.exe	attrib.exe
PID 1864 wrote to memory of 3680	1864	cmd.exe	attrib.exe
PID 1304 wrote to memory of 2648	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 2648	1304	1.exe	cmd.exe
PID 2648 wrote to memory of 808	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 808	2648	cmd.exe	net.exe
PID 808 wrote to memory of 3296	808	net.exe	net1.exe
PID 808 wrote to memory of 3296	808	net.exe	net1.exe
PID 1304 wrote to memory of 728	1304	1.exe	cmd.exe
PID 1304 wrote to memory of 728	1304	1.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3680 attrib.exe

pid	process
3680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlservr.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlservr.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3864
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlceip.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlceip.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlwriter.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlwriter.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Admin\AppData /s /q"
  2⤵
  PID:200
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Default\AppData /s /q"
  2⤵
  PID:648
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Public\AppData /s /q"
  2⤵
  PID:96
- C:\Windows\system32\cmd.exe
  cmd /C "attrib +h +s Crypto.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\attrib.exe
    attrib +h +s Crypto.exe
    3⤵
    - Views/modifies file attributes
    PID:3680
- C:\Windows\system32\cmd.exe
  cmd /C "net stop MSSQL$SQLEXPRESS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:3296
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\$Recycle.Bin /s /q"
  2⤵
  PID:728

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#125 S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
1⤵
PID:2128

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt

MD5
ef867c61111ea268a3ac8dfa375d10c6

SHA1
e0d019ce22c2e0a11d00a8f68a7d517a31cfae92

SHA256
a29d313816fd07da735f14760a02046601695ae0a477868b4f8eb0f721964ea3

SHA512
10c2bd71fe5013123a5cd7d00f477fa4491f828c3f558d20e231b3bbb073abced9930a659fa55511836124a8be9a9c50dbff0bf96509e510d84d94d9dfe91c32

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt

MD5
167f183623ab9fa9bf39fdd7a2782707

SHA1
8b8e29691151f084081ee70b981dd44a55c57e62

SHA256
7957ca08670f5fa74ba7e1a301a2741b04f40be4e178c1aff8e237b32b63d0f2

SHA512
c73331a29be736fd823a55e5bd9e239278b210634c029df4a0a39800fd97bf0a1f221bdf111d46cf366c068f60a2276d63f88648356d6c9ce25331f09e448fae

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt

MD5
5ac4872fa8f6e8e5360d4e3c25491674

SHA1
cc07ff5fe28b5c110ea353a013896d98f409a1a4

SHA256
b322893f9969ba4542801dd0ccb8ccfef5ebd3ab1d793ed1a9c750ea9fc46a24

SHA512
309ba62da63e91f39b90575a832c17aa4f5722351588fd1e67a166e4091817d8fa70004d14fdda0c124a4decdc23becc6ca1667cdb014292c105411be2ecd4dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt

MD5
2bc7ae066adf7fe93cfc4a549d54acab

SHA1
4e043f6d9e38f6e159ba8d100ea0adcc548dc1f1

SHA256
1ab316d6d4778bcac2ea85679d64f54a53049a4eea7d65eec29aa9b189a285e0

SHA512
031ae3fd2407bdf10edd5de2ab03744e0c24603b515a47787a0bc4d08ad27ac3a6a049ffec227d0c496ed37865dc6d25d408a07a3603ad36d5db3a12e46f5650

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt

MD5
fb75bd06b15938ee9adda3644a0f70c4

SHA1
6fe44127dd98150c7f0956cd7f48e147d7af4921

SHA256
02d6558f0d4311ad511aeda3366837f04cf8ae564588cdb79e402c9dd58bb4f0

SHA512
182c7d157a61a0b16e372f3a31f7c28b1f2748f701dce93ddd6bc55fbadd616d3601ec14e65541d3e4d6feb7f0f74c50a3b4857d9e57cbec17ab809cfce9f308

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt

MD5
ab7f43e498bdcf60a63880683998c713

SHA1
87f8e0b68be1c8e9b993582ab80d4cc82c0e659c

SHA256
121fd3f8f7fb9c243d5483daae235bde35f64bbff571000f51aed7c2d63f1a32

SHA512
820ba7ac37065da7a1a75487ce2cfd6ede4a967c46a294dd45f28d5f409e168a7cecdcff9a2deb2d831cdc00e372db561d9073f269f29367b236eb49c3ff7854

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt

MD5
467c637b05a74df2c58e23364fb8c4d8

SHA1
e1c4f1a3143fda846a2c919883f5552c12dbf443

SHA256
f789a3487cd7b3c0743f92cf3a0d0956a3a1c4acbcf7ba700831b482fb6abbcc

SHA512
4026bff259bdc8da9b8c9571a8bb9b93102ab8e19c3b4dc01c371846b9ac6de1d441214b9d57a73eb3028ae5517b39cee8d8f5436d104d422f76fb29acdc04fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt

MD5
2624b223b3e7839c523a59aa7bfee1c3

SHA1
8783f52ad578ab6b5b01e06bcfe95f3b756c659c

SHA256
58bc36d5ddb8c33152bf8d5d4859d074c7cfdaf5087cdf51d1a892d4ddd4871a

SHA512
f3f14dfdb02fd8549180b98d9b9b64797e42c4fad25d6d3ead174370d8899a43e129655fe5b0b470407a4443f3d3dc53b563334916493d7154c8d5e0466649ae

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt

MD5
6a7ab2670721e1961b0842f27591f5dd

SHA1
bb6477850014a0ae02b82e346c45fc179e81244b

SHA256
e785f8da1bd3368b5a8cba9dd0fcc449833a0704844f5c13ffcfe53f032bc5a9

SHA512
6b89ff9ec6f46a7b7ba56ad356efcdb2f0c22af1eb0fdbfa797bb46496304e7d62442ab8310db6e9305ea6bd64c18898b0386c53845c789538d85af4ff3af6a4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt

MD5
3e1b90364c15950e0caa9b57f6b048e9

SHA1
65303f738d794f4e73c9583e66cf720d073c11cc

SHA256
cebb695d7f3cf245e743ce2f425edb910df799caafef44755ea4ded07ff9a1b1

SHA512
b2071384c1bb7f534a1c4156724f7a72185d0dd6e30ef8369cac00193accdffebc3a2d759909dd8f1c9bc9b40727cbd1e4c2f97fda2995c2d328467025a699a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt

MD5
1658c9c86a02c1b59b82f00e9990ae52

SHA1
e69ad7c7a549135e7a205ea029cd9fd0b99fc7ab

SHA256
8a615507ed80c57b5379ec515e4236f7e70333d3ee35f4a4fb22d0c42e6103df

SHA512
302f9f7a38afd3d37207f389ea6bc50f21c5ba68e948a070fbb3535ed5b220b03c39ef272f9e1a93cfb8c9b0b3cb81687f2697a44a45f91513bce4846495e7fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt

MD5
1bad99900776399b0fd9eee722e0f26c

SHA1
6003232991179a2c56b2f3e1b1695edc263d5f59

SHA256
bb4b52e3e0ae81d04f1459e2369da28a193a11e56cf484162d755d457f72ae49

SHA512
389faeae834cceb19d75a12f0c25b3ecc38cf1351a76d2d971604d915dbd872c65788d48a82ab79d8d82f82baf222623871634bd63ad10d91627890ea3d64e06

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt

MD5
14f88bc898f91181808e3cd552304985

SHA1
7889b068b6c1261dc30bdcab58b429e63b5aad3d

SHA256
28d672594d86bf716a39ea90d53e92aaa7caf532c3dd1368d604a57038f6fb08

SHA512
ff3e6e619c06d7a92213ba3ad76926627f286da42d14aaa49e9ee4b39ff2d382c9844f65e1b9924fe60ab955a5a4115356455380532ce99f205355f5f8aa8160

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt

MD5
a6a2978395740f3ed0f9bf13134dab0b

SHA1
e30ac6e18ded7a45234c500196e919cfec26a0df

SHA256
3976d1f98b85b8a8e41ff267dc558e385d0f5ed5c9706896e0701daa2600ce9b

SHA512
4f4e05a6a6c95abdf21565d798db1a04b40f80484965e5d2b14c60ace16d38b14b9a4dd09fec004cec15b72e7e52530828d3d78773fc0df2754cf671f36b6ff9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt

MD5
9cdf7a969a64d01a09b5c6c0bfb3c489

SHA1
24d5da26f03158122ee9ce42640c0c40e65578d7

SHA256
f9041b6f076e322c3f20a7875bb3ae14e6471639981f7fb39d210c00fed17454

SHA512
b987d62ba837ec555dfd4b29db1ba183e4169f62a02ae7bae9da0c6446f2921d53674d626ba3e8953281d78cb384450ed9131f37729eda32665ca1a3ab42f68c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt

MD5
6f5b4fd6554ac915a258bbaaaff913df

SHA1
a543411007d85c7a9be01ca96280a5eb80298385

SHA256
95737bd3b5b8b97377f9fc6d07f756fd68c682fbace80bc2de73b1f235ff49cc

SHA512
c4c31224f699eadfbf5f2f38eb1ee16018f77c2e56b17d3e81de0f0451f2f1eb254d0a5fe426c86d3ac4906972749cd4f16cc7d800b705850a910cd8189629ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt

MD5
2a3da615dba698efb7a3d8f31393a27c

SHA1
b124c510d71ff2e119cecfda4cafa867a43298a1

SHA256
9fca18462d1a9110e0d9d67d251a3398c83e275b5a45686e5f966a277a95c895

SHA512
399a73b9091492672b0a1e42eafa7eea9ebbcfd263f558dec768c2b70d1f53c7fd57e508db402ffbfa20bc5e96fb8c8ccf5d6e75117c8741605bf21373a4eac5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt

MD5
2531e43c16c851d0aa23579700394593

SHA1
315cd998dd5992198920bd9b2421c1ee4ffcef04

SHA256
0d029ed38f90e201ca610ee44c7bc0e0ad2b846744d4707b08d4ed2e93209a1c

SHA512
6e37442f130f48a7330d9053a8efb46964e03765d4cf5d47cbcc9fc1d793c41c77fde10c4b9688dbbbf26bb63ec91a3a00353e53786006e8f4c4f88b5c8f25d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\3S7JUIIC\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt

MD5
fdf374d81bede8de373d72e70b92895c

SHA1
6601b0a422536c42fc3c3123816f019052f0f38a

SHA256
90c1808d379219f04747841ea57b804ee51a0af145acc9906c0eeef20d42b34d

SHA512
595ba07517c60fdf954e34ac7a3398c31f2f7abb12648f0edfc93b64d9c5d5ec91ef712d5ca9908cfcf6fbe01f189dcbd62ae91209de561b433fffbefc46f54a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J5D3G53M\microsoft.windows[1].xml

MD5
a1b083533acf1b24c6a2276f6decf7ef

SHA1
8994e4e0bd4b8541be88b38ebf63aaccec8f5c2c

SHA256
3b5d92ed40e8127b347f15a8e509e174a4d96d1f1c4e82758f8c39814881e66f

SHA512
b7e59804f2c7a38abd8d4f2f6caf23f10b86f7e71874be651bb9330cf510b306810068c48978cbe16b610c42a7c1cd508f58716d02c3b7848ef33b638318e6ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{17e562eb-652d-47f7-b2b1-1616391f3545}\0.0.filtertrie.intermediate.txt

MD5
23f1867e036b2c032078375a420ae1f1

SHA1
439e3ec19fab87c7b879c2973bf550dcc500f6c2

SHA256
a7834c8e5094dcc34af42f55c9ed1860fe8c7c03dcfa0c9f2de42fbddcae22d6

SHA512
ef34151790da91c52d1c587e2af2b3ff46449ae1d8953d3088ec449c02c0763d489ab170113831b9fe8e277723d1f870676d9688717df78e606a1e12d75196d7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{17e562eb-652d-47f7-b2b1-1616391f3545}\0.1.filtertrie.intermediate.txt

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{17e562eb-652d-47f7-b2b1-1616391f3545}\0.2.filtertrie.intermediate.txt

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{17e562eb-652d-47f7-b2b1-1616391f3545}\Apps.ft

MD5
af865f5bdedbd658f1a0011057d5a8ed

SHA1
a54db6b8ea45f097e610c56345f23c855e2c8152

SHA256
a7f483dcbff0365f77411e45d7554a7c256ffe0797550fdd3a3b88a0685233ed

SHA512
952e8615032bf69c5cded79d8e594c07460166eaaf8ea0624f5bd503b0ba65e06ec88bcded73dad7bbedb022897eea3e8f114219e2d68f8eeb1fa93a5d9de0ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{17e562eb-652d-47f7-b2b1-1616391f3545}\Apps.index

MD5
936ab83d10c35521f3e80588c9fe8a4e

SHA1
758774e3e660686565d7c53bd204c8bda5829d70

SHA256
9d2462e671796ded2d817ce02b0bb74601106e6e18af3757e392f49bd3be0842

SHA512
008298c192dddbac223fef36b81c95471f1edccf57c378f4c3cc66cddf2de5efa27a946a912a5b46f56bd165f93fa479e7a29e5936787e429ea4740e6a228617

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\apps.csg

MD5
fb7202f6d377fd89c7b261e34d680d33

SHA1
6716e0e62e45483340ca0d7f6abec532034b1a22

SHA256
839d24f509ca8bf8737074bf42e83a88a32ee3760bd34bba2a7cf6cf482a1c0b

SHA512
0bc895c775b0153dc0472639b9a18e100a880711b8d01778faa5a3d0c434693d244a6db3dca5c539390dcd9d1d542d2a41f4428e8c7fc1222c97f3a6635312f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\apps.schema

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\appsconversions.txt

MD5
f21f68ab0fd9bf5b4255eddde72be816

SHA1
abea6564790813e12784c8fabd43eddbec334bf2

SHA256
9034fbd5f370a37a2e43cae5d482b84d3ed9b6c62c6ddbc4bee25b0526ad25ee

SHA512
3b75d817d4f5361a05148fd7e62f5c54b97e685d8db046d73bf4889cca3fb5080da0d8e52b4d0d34b31e927bcb9f2a073411c4597a1f9528c419aadbb2663472

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\appsglobals.txt

MD5
5925e930562da940101de785c1cbc5b3

SHA1
d228f4dda31c76cb486fd6e1dbb33ef98d6fa2cd

SHA256
b6c3c8b85cecb5743e5a62c706152f83606b5690f0926b5cc16d29cbfe3ed39b

SHA512
737ee5b511218e72233f1fb215c299b4d9e5e164fddba2d26f8b202afd4d43bde8b8e111b18f5bb94e31a5ef0d838f6ee500686887017128ba3ea69b25e91305

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\appssynonyms.txt

MD5
0159fa2fcdf8f84db30198b1b3f95415

SHA1
60b03a6e77c970f1aca547b063fa76a7466fb7cf

SHA256
4123d6b7736c9764973415c8f03f58e76fb2fb0a08e8f55ce9165c0c631c955e

SHA512
c70cc582b4d50a8dc19b24919afa1fb7876595fb9882149c845bc3161c08ba58af1c9a7e228a1182c845183f9b1ed9fd6766ce65834760d1ab3402a2a517b939

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\settings.csg

MD5
a97fd910eccb1049b949df2b6d0ea605

SHA1
0911c52e218a51eb3dccc54657351a58affbe948

SHA256
b84b14439ad5607b15a96b922cd63ea6c8cb1281bf3b84037c5ce90fbeb29766

SHA512
7fd602258ca1b316cf546e1cfafe6e733471d66d4ab8542370d725684e6927a8c68aa629369dd1e30df9047d13b4589a3f3f1d736efa7934a5469596588d8379

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\settings.schema

MD5
ac68ac6bffd26dbea6b7dbd00a19a3dd

SHA1
a3d70e56249db0b4cc92ba0d1fc46feb540bc83f

SHA256
d6bdeaa9bc0674ae9e8c43f2e9f68a2c7bb8575b3509685b481940fda834e031

SHA512
6c3fcce2f73e9a5fc6094f16707109d03171d4a7252cf3cb63618243dbb25adb40045de9be27cad7932fd98205bdaf0f557d282b2ba92118bba26efcf1cd2a02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\settingsconversions.txt

MD5
f21f68ab0fd9bf5b4255eddde72be816

SHA1
abea6564790813e12784c8fabd43eddbec334bf2

SHA256
9034fbd5f370a37a2e43cae5d482b84d3ed9b6c62c6ddbc4bee25b0526ad25ee

SHA512
3b75d817d4f5361a05148fd7e62f5c54b97e685d8db046d73bf4889cca3fb5080da0d8e52b4d0d34b31e927bcb9f2a073411c4597a1f9528c419aadbb2663472

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\settingsglobals.txt

MD5
d2d6b108ed635b192276f2e13160bb9f

SHA1
75e91420534c293fe5e0535826a97a9523139849

SHA256
598a2674be811c1256b0e18311ce5cba2a542d0965ff4a0ac96173ce78a4c575

SHA512
0715c0099b8ce08e75d4ef7247590fed3d24212ff7a22f0b0fbfb6b832594509ef1dde22743c4eee9e53cde218eafcbcc4afd769bcb39a68fcf6ad32cb5d58f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5da28ad8-3fa0-402d-bf26-7aa402a98e31}\settingssynonyms.txt

MD5
9239d33bcc9c55c4d97dcae64a7e2f5b

SHA1
79371ce0302da220e22458b77e3a9bff329c3669

SHA256
d147c9b76acc226324def206d680c3368109018be254fd1399c8e2ed2c3d77e8

SHA512
848d70906b57c77940ee91341d7023ee65952b59402e5b6c9d1dad05346841398c0ba69ff65682d42fa00d422f73d36d9ba1cd31a23da4b26c0ff1c9ec120940

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132495201572564645.txt

MD5
aab2db638d1fd7e3954f2445fb1ed26c

SHA1
8789f3dc44fcc5f6ad6d9129e8ba2f49dc65d8bd

SHA256
eb5a620dbc596ff4b551fb5910f94250c0cdf6ebb6e1eb25a211018eec2a3db4

SHA512
4e3b795a01a0a455fa8effec58a94877980c292d76d2c0bef92b9b00d9574821f5288707c3a1cb51dc5bc567e002905785c6195e57ca486922af7605727fc7fa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132495201585747643.txt

MD5
aab2db638d1fd7e3954f2445fb1ed26c

SHA1
8789f3dc44fcc5f6ad6d9129e8ba2f49dc65d8bd

SHA256
eb5a620dbc596ff4b551fb5910f94250c0cdf6ebb6e1eb25a211018eec2a3db4

SHA512
4e3b795a01a0a455fa8effec58a94877980c292d76d2c0bef92b9b00d9574821f5288707c3a1cb51dc5bc567e002905785c6195e57ca486922af7605727fc7fa

Download Submit
memory/96-9-0x0000000000000000-mapping.dmp

Download
memory/200-7-0x0000000000000000-mapping.dmp

Download
memory/360-5-0x0000000000000000-mapping.dmp

Download
memory/372-6-0x0000000000000000-mapping.dmp

Download
memory/648-8-0x0000000000000000-mapping.dmp

Download
memory/728-15-0x0000000000000000-mapping.dmp

Download
memory/808-13-0x0000000000000000-mapping.dmp

Download
memory/1304-0-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/1864-10-0x0000000000000000-mapping.dmp

Download
memory/2584-4-0x0000000000000000-mapping.dmp

Download
memory/2648-12-0x0000000000000000-mapping.dmp

Download
memory/3172-1-0x0000000000000000-mapping.dmp

Download
memory/3176-3-0x0000000000000000-mapping.dmp

Download
memory/3296-14-0x0000000000000000-mapping.dmp

Download
memory/3680-11-0x0000000000000000-mapping.dmp

Download
memory/3864-2-0x0000000000000000-mapping.dmp

Download