ouroboros | e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6

Analysis

max time kernel
70s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
Size

1.3MB
MD5

310c70d59334868d4831f9f9cdb879ab
SHA1

7b522bbde3dce99de92fcfb952d672a3923e00c1
SHA256

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6
SHA512

da1b987065a39c1b83dd1b245550292b6038d34c9113eb720381404d681717593321028fe00f5d835cc99fd0606d65fc3525c8ce218c19eb2e459a8d7603e993

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 6 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 15 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	15	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d9.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\measure_poster.jpg	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\deploy.dll.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-60_altform-unplated.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_altform-unplated_contrast-black.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateY.PNG	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-125.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\msvcr120.dll	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-125.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\ui-strings.js	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es.pak	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_altform-lightunplated.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\CIEXYZ.pf.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-lightunplated.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-16_contrast-black.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\SoftLandingAssetDark.gif.DATA.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_contrast-black.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-125.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\management.dll.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.scale-125_contrast-black.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-100.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\ui-strings.js	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_contrast-white.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-100.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3900	2456	WerFault.exe
2576	3380	WerFault.exe	SearchApp.exe
1852	1972	WerFault.exe	SearchApp.exe
3324	2540	WerFault.exe	SearchApp.exe
3496	3192	WerFault.exe	SearchApp.exe

NTFS ADS 3 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\Ư8:箰ù	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\Ԁsk8:紘ùȀ	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\꙰úsk8:꘨ú	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

pid	process
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 3104 wrote to memory of 2360	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 2360	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 2360	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 2360 wrote to memory of 3164	2360	cmd.exe	net.exe
PID 2360 wrote to memory of 3164	2360	cmd.exe	net.exe
PID 2360 wrote to memory of 3164	2360	cmd.exe	net.exe
PID 3164 wrote to memory of 3028	3164	net.exe	net1.exe
PID 3164 wrote to memory of 3028	3164	net.exe	net1.exe
PID 3164 wrote to memory of 3028	3164	net.exe	net1.exe
PID 3104 wrote to memory of 1656	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1656	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1656	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 3628	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 3628	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 3628	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 2768	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 2768	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 2768	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1488	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1488	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1488	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1488 wrote to memory of 2244	1488	cmd.exe	net.exe
PID 1488 wrote to memory of 2244	1488	cmd.exe	net.exe
PID 1488 wrote to memory of 2244	1488	cmd.exe	net.exe
PID 2244 wrote to memory of 3844	2244	net.exe	net1.exe
PID 2244 wrote to memory of 3844	2244	net.exe	net1.exe
PID 2244 wrote to memory of 3844	2244	net.exe	net1.exe
PID 3104 wrote to memory of 3808	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 3808	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 3808	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3808 wrote to memory of 3852	3808	cmd.exe	net.exe
PID 3808 wrote to memory of 3852	3808	cmd.exe	net.exe
PID 3808 wrote to memory of 3852	3808	cmd.exe	net.exe
PID 3852 wrote to memory of 2584	3852	net.exe	net1.exe
PID 3852 wrote to memory of 2584	3852	net.exe	net1.exe
PID 3852 wrote to memory of 2584	3852	net.exe	net1.exe
PID 3104 wrote to memory of 1504	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1504	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1504	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1504 wrote to memory of 2164	1504	cmd.exe	net.exe
PID 1504 wrote to memory of 2164	1504	cmd.exe	net.exe
PID 1504 wrote to memory of 2164	1504	cmd.exe	net.exe
PID 2164 wrote to memory of 1856	2164	net.exe	net1.exe
PID 2164 wrote to memory of 1856	2164	net.exe	net1.exe
PID 2164 wrote to memory of 1856	2164	net.exe	net1.exe
PID 3104 wrote to memory of 640	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 640	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 640	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 640 wrote to memory of 3004	640	cmd.exe	netsh.exe
PID 640 wrote to memory of 3004	640	cmd.exe	netsh.exe
PID 640 wrote to memory of 3004	640	cmd.exe	netsh.exe
PID 3104 wrote to memory of 1996	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1996	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 1996	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1996 wrote to memory of 2688	1996	cmd.exe	netsh.exe
PID 1996 wrote to memory of 2688	1996	cmd.exe	netsh.exe
PID 1996 wrote to memory of 2688	1996	cmd.exe	netsh.exe
PID 3104 wrote to memory of 2980	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 2980	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 3104 wrote to memory of 2980	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 2980 wrote to memory of 3596	2980	cmd.exe	net.exe
PID 2980 wrote to memory of 3596	2980	cmd.exe	net.exe
PID 2980 wrote to memory of 3596	2980	cmd.exe	net.exe
PID 3596 wrote to memory of 4044	3596	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
"C:\Users\Admin\AppData\Local\Temp\e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
PID:364

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:2952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:2776

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:3980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
PID:2648

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
PID:764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2456 -ip 2456
1⤵
PID:3868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2456 -s 1448
1⤵
- Program crash
PID:3900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3380 -s 4420
2⤵
- Program crash
PID:2576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 3380 -ip 3380
1⤵
PID:2700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1972 -s 3880
2⤵
- Program crash
PID:1852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 356 -p 1972 -ip 1972
1⤵
PID:1200

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2540 -s 4260
2⤵
- Program crash
PID:3324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2540 -ip 2540
1⤵
PID:2580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3192 -s 3952
2⤵
- Program crash
PID:3496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 3192 -ip 3192
1⤵
PID:3664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.[[email protected]][LOCWPNU2B4XJSDF].legend
MD5
06d96f03b3ac8d1b390a0b13b2c89de0

SHA1
86c56a38d20aec7615e86b5e26aa23e63b37dffc

SHA256
88f711c7f250cfaed5a0bb8d49c466f2737d6f7703b485000456aef88a9b9f9e

SHA512
518ecfb9505ca4e52a75f498153541b4b15e72a397ba61c030adc409b0b07016025e805269c3c1bd4940bcd0bc4dd77acea91437a21e04eefc7a3d74dc00b525

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.[[email protected]][LOCWPNU2B4XJSDF].legend
MD5
621ad78e817a4856771f2701c22ecfec

SHA1
0dad2a1084349e2b48a499d5ce674ae926260425

SHA256
d51d1ff4522aaf135e2acaa2ada9b48377cb31e2314e3d5618d3e096a042eb72

SHA512
ccee656dc9803b7e19e2dee6ccc2b496758ce3ae3734f099e0ada24081c7a6eb9bdb32a8c25111d2a761598cf45d8f49f6ef8006c139848cf681c8324a29b760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
MD5
2350b47261040b1ee32f7df427ab30fc

SHA1
e656cced405e01b6a60b7444b2c9e1b31ed7c63a

SHA256
612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db

SHA512
a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.[[email protected]][LOCWPNU2B4XJSDF].legend
MD5
ec8ae0dfe45672d58b6c7784840d7c0f

SHA1
ae27513baf2e1a66e449a058bbbd6669c4d04db9

SHA256
fa44af4eb39a3c27dc7279cc29be7795e60011b10ca39d1cd3fc4ad14cca66da

SHA512
f25bb4fc35c231da9d30ab1c9aed8bf9b98b3a4c0902e105be05992747175a801eb71b630227becb2a8350875d32e80721f51be23747a0c81d67b9f437d0c5b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002a.db.[[email protected]][LOCWPNU2B4XJSDF].legend
MD5
06a6d92bb26448efce9569090d3521cc

SHA1
54e61a9d3063bab56011bcf8d35f380529fc89a4

SHA256
772e55d66d968e49f793b21c5103ae8a33d0eef98119bc597a23a0b7bdd6bb44

SHA512
b48389365ac4646fc856be7998d4d257385e9aa6006d1085d804db2c946d9c6c57e2dccf7b871590c8d76cabcce75d1305fd1e9a9cf98ecec158ac10b0748b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
MD5
69023f90599215e1af5bf4895cba5506

SHA1
d64c20ebd80ebab8b7887093298a1cf4cf02bf71

SHA256
718be53ab2351a67b3c83a533f4133cae0328439560ba1bada33d02c7e6c1f89

SHA512
828bc071e9c1433199a6892a34b44fb9c93e7fa1c0d93fb23e01bdbaaa310565e043892782c2f69ff105780db4f4411f1b0d9ad916c9d15df3d8e04372020aa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
MD5
294c2f2a5da386db2ce00be817a17c93

SHA1
04638d442e2237b40a2a534a1fb85abe8c851f9f

SHA256
74b0687657ff79dbe7ba767ab0b84a7ea39e6c5e76346e18eba372c87b762d02

SHA512
d65e81e15cb7f2cefd566cbfb0fa51dca28f5a330897807ea758b0d0f41dad61958685340e384df60d016c9570c52d174ac47a7f84c62ddd9a4b890864f7a981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
MD5
cf45b331788e098a4e25d98c3f1eb7ac

SHA1
cc761856d08c644d79fe67f7269e978e581b42cd

SHA256
8ee9bb49991dfee6c0a85cb099bce01a7f3140068e6d67df8aedae1e61d87040

SHA512
ad4caeab54db9c5554082d9eec966696284eb8bca483c05963a3f3f81dba2df0a0f356acb313decdaa8fcbba2aeb2c75b5a66a313d2a94abf986e23a0344ec08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\9YV04B6U\zEQqhwKoETyGdQapOnP2uL1FFF0.br[2].js
MD5
30f68a3ea9f8fe63101e59ced32fa3e7

SHA1
0450964533a5363f20fd7a7ae16821cdfc1fcc1d

SHA256
90fccf6342d5bcfde3f69f88b80253ec694b9b901cc55fd84a2e0c6e0ff05caf

SHA512
f994377757539611fe2781b6aeedcfe2b2c7073516c0f3887c0fd836e1ed69066daabe7065dae1fc4aa071f8f5080939591b3ebd4642b1eaa42c7b25c2003349

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RU1N0LOI\www.bing[1].xml
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_ScreenSketch_8wekyb3d8bbwe!App
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\88IOIF55\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css
MD5
77373397a17bd1987dfca2e68d022ecf

SHA1
1294758879506eff3a54aac8d2b59df17b831978

SHA256
a319af2e953e7afda681b85a62f629a5c37344af47d2fcd23ab45e1d99497f13

SHA512
a177f5c25182c62211891786a8f78b2a1caec078c512fc39600809c22b41477c1e8b7a3cf90c88bbbe6869ea5411dd1343cad9a23c6ce1502c439a6d1779ea1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\88IOIF55\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js
MD5
8c82fd065b817078dd8befefd90db935

SHA1
3e92d13ea6a8f09419f52253a3af06d007620898

SHA256
c5af42879c3d89b2d309c0f30a1bc8231da6fe4377528133f219923654c9b177

SHA512
8837a5f5a661fea36697e8e62347cce6256ab884e5c1ac5ca474a3aba1d9ff8ffeb31da982e3febd54fde37ac206a0a60946c32e0d465c019a08a63eba584829

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\5C6Y35wFCJ-8USK_QYy6-0Tpjxo.br[1].js
MD5
8b2d92541a7744a334ad6a2471b37f1f

SHA1
626291635bfe9e55156313fba19b461e239e7ab2

SHA256
c6a8ff887000a5ddd53cd69f559329d0e1b4742d22929efbad1f741f9fe28dc8

SHA512
551124075d59fd3a66dbc3feba7b458e003133c3cecf0e85bcc92c069fa4efb806248cffa24dd619b90b88c1aa203b7cd33e50bcad7ac2edae4a2c3ae67a05c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\7Y7GIdHwvb_FHuCBnybcAmLO7GY.br[1].js
MD5
90d86fb0a928bb7c9a01d80461d47ece

SHA1
6a99eab11457b7a260116fee80e159e415cc5c8f

SHA256
57d8d759bd33872fbe7f8befb4c78215d2a7530d278ee683f6981ad5dd4a87d7

SHA512
057d156845a8be99d048c02a98138baa68a2e3947bea8b3881570986925cd98010227549f6de58c9c9581d55c5ec5cb50297638baab21cbea85ce723c65f5487

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\NFfTaQvGh5-TFwoFp82RmsC7Sl8.br[1].js
MD5
357a8dac7ca90a9c9a35cbe76da54d59

SHA1
0ab1c6034cb4f793edf3c692569753ecd3867909

SHA256
b5183f9136cdb14995a5c5c8985bfcc8d67f84831c23dff00f43abe139a556de

SHA512
ae891eb726000f46d8adc04635c467168bd060c494a21b84ec67cbf7c1a37809be5940ad3767757f6118a16d90a08e954e0b184a74c16e1d2451820f319f9030

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\QzzWO8WNEVeuGs6-1Sv6FbuwNoI.br[1].js
MD5
c67ad2232a0d1d0b2d640075b5e014a9

SHA1
349733d854c9a1e5d35334588f9ac1a28a81b0b9

SHA256
bd1ecaf6e5f0681930758486beeb6c134ed2e0c79e0efa8fd005becec6aed04b

SHA512
7aee7abd96b21faf9106e72643227e24fed0c089039b028ea37688dbea57b00c297865cd82270f45484b98ce11ae0de76781713bcc1c99e74838da488abf32f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\S54yAfnyrJ1PfO31bQG4XOMFtD4[1].css
MD5
bfff4bfdd23e1692b3d06d6ed8c45561

SHA1
e79d8c082f47c29db93941e72cf5cb35fcde2b16

SHA256
1a3fe4efe5a077fb97dfedebb82322b94bd0148c7667450dc4ac459a1aa266a1

SHA512
b4c0994265dcc77c5d887e69b3c983a3d6616c0d18810c12b7dac090864cc79fe75311f17072e8fb50340ddac0e786bd705950be19faa7ff7cfc2a14da9b83b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\U006EeMfq1iK7IAAM8DJcfY519o[1].css
MD5
17d579f86147ac3b11056da41a9d5e89

SHA1
a2b67ea1edfaa6591541d9169bdd0b91efa1efbb

SHA256
b0595825dff390fcf05e06dd2d9e52a8fd1f0fba04c53a56fd38b0faedaf1fdb

SHA512
f54c5ec8ee0d5544589880bdce0a7ac3858bab338c75231d39a13c6df1ddfbfa8868645822380fceb65c265ab85415786c9fd6a16710c2580a627f14220d702e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\UhwMiBaLI_mSjft4vTU-XPjle6w.br[1].js
MD5
8d568b9375bf8594f9817fae0b11363c

SHA1
d19baf5024c20b930902a287ab09803cc7455e38

SHA256
26a6effe76ada17c6c1aea208be50384b16e36cb9608722ed444b222eb3bae50

SHA512
d8a4a4a80cc94c5f4cb5bbf70f5c2b4b10cb03510f37cb12d2a56d9f4c2dac4fc783e60d37b1931f559193e697db35db2d6a37a78295a03539441ba313a04ffa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\_6kcejpIrJTtxudclBiss_A-0_g[1].css
MD5
5fa42803ad27f35eef70ccfb471435d5

SHA1
fe74ed39acfc0e18885dbf1c61b04d87e44bdeb6

SHA256
f611daf8888d818ab050660b581cf108816c7141f2f8d3fbff3deb7b3448c1b4

SHA512
6ad4793ae7834d9fc019f2df535a58e34fd8da2cf9d280770003690777d13ade78a3065af4a7f8fcdf8e80b880c0f9f39ea42a65a8924e2a64fed102116a13d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\_isXrNU4xPE_bFaDYgh84nizbDM.br[1].js
MD5
a75e6100b8fd64ea0e4e49903d87a281

SHA1
f3eb221e9d7ec5e72fa9c3fecc694c0d4ca2f533

SHA256
c61fe93e5ae29bcb3ad9ab4dbfd107938f8c2f32f7a8ef91427fa0ae4e00a827

SHA512
43a87fcb5db071ee31995f5eb48b52868434dc4a42b93081903430dc91e82c598fa5a5a5a1f5d7d16c4c7f507a6792e079066e55e460789afb43d01329a07118

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\is0savvzOAbwyjwLaGytoys0eYI.br[1].js
MD5
97d2b71bbb80e301fc811352f583876a

SHA1
ff7a40afd46c227394127e478aea07f8dd581ac5

SHA256
ecfe1d156cc891e2c5c3f54858c5eb6c01efab6550c76d59e62458c9de681766

SHA512
0f08d19658d7167b58066ad68dba939cece83637c80532761e1f8cf3479b4331f043e32ebcf79ebdbe728e44eb05bee49aa29351b1e04a0ee7065fffcf2d72b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\m8ZeCfGcvSCrnVRJoGuv0MoNrJo.br[1].js
MD5
9d4c350d08bbc0fb334a451d8151cf8b

SHA1
348d47acb5e582a74a1a932255a33f131bce3269

SHA256
39eed966ac875b9e8100bd4d56f8c5e6c83c8fc321356a2785d8bbcbf8f98923

SHA512
b44fae8177f76f2e0afcfbaea56306a07cb3e6c55e9763ece589174236f50aa9df34e8597fe848976a272b35b7d3752a351ad9432c1d255b2e4987aaf1e58b99

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\o3B8xuieIQmkMJPWlwYh5DxkeP8[1].js
MD5
31cefcb444a0695172432c919034ec51

SHA1
3b20547c24f5409f010e4e8212c29bdd35517c2f

SHA256
d93cf40ccb66e1a745c64a9173db1bcdf5486ad926048a435e8a56dce2206d34

SHA512
a1e06154d12f2fd2d7e731dd06394b29135a16c56b0551b8e539617e82a800982aa1839ad947dabdb9e672c5f24688f22ebd60c989ed67b2cc53f3bf6d6a97cc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\onra7PQl9o5bYT2lASI1BE4DDEs[1].css
MD5
d167f317b3da20c8cb7f24e078e0358a

SHA1
d44ed3ec2cde263c53a1ba3c94b402410a636c5f

SHA256
be2e9b42fc02b16643c01833de7d1c14d8790ecc4355c76529a41fa2f7d3efad

SHA512
afc65b0fa648d49a5eb896be60331aa222301894e228fe5684399e9276342f6510773dffa3e7e75b8d6197bc51c732bc7fd7518e593ecd20c4884c47058d46d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\CU387W9N\zAN6YAdWcHnBLUKlGrpwpXM9V8s.br[1].js
MD5
651ebd1d2b6628890531b85b0bdd41fe

SHA1
b74ee411fda04626c8d0b81950c48669d4523d49

SHA256
d43edee20ca8ed47473191593256ae4e34f51dd14f9a263a7b86db245cafe0a1

SHA512
7ad7a5a1625491040bb9ae9c34a22a56a5517b8303a2bd1a4bccbba866897e4ae059222202f01e78725653154a6077c0e5d32d15dffbb99b547053f60df7d2fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
f97ab3d4f10bd00e5aa4225a589a15b0

SHA1
93213ab4d7a2848a547b3c198b8e8239de614752

SHA256
3aa2950c2df5b121c75131ce29e009f60d36a4f5e609ee4fc6a61640338db0d7

SHA512
9cf729eecb7760d3927f459cc03d6c271591b435c6353f90f92479e96db74ff2c667e53a8ee6e4de1c9003b0fe83b91ac17272eb4361cdb338ccd8d5a672daee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
58b4aa5111fb6212520499fea7348881

SHA1
b3d0280e70fe8561b1caf6715ab0bd5f35a0a103

SHA256
2db9a5dd2fc44d86304d1f7ecd35a0db90370d7a808708db365c298059b0ce37

SHA512
591543102651ab791d99d0a009d03f0cc474d4306d9e9e686ecb867f4f239bf331ac6502daaa26e1d48400b48f5a9fd09e9b7f200443de0e33bf07754a535874

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RU1N0LOI\www.bing[1].xml
MD5
81d8f8172352aef679791d91b723ba60

SHA1
9056eb60399aaf7240b1bb850c75105b9d334181

SHA256
b8b04c6ca370b4ba0acfbbd24258ee1c38db55585a1a5244ffb249859aa4300e

SHA512
2e05c6d850a25cdd73329361e541e2b6374831fb5c2dcda4a26fcc526c3cdbf072ab3af0395dd07ef2fb77e1bfd5b7f1d6f6d04ae4b6fe6dbfa3920be1ccb5d7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RU1N0LOI\www.bing[1].xml
MD5
2d4c32acd5f062f6c6c6298eb06a9b7b

SHA1
33ff5a73720165f8b5008215afe88190ee159120

SHA256
10267618f3b6e86ee606f5505d67e6692cce55af5775f7442c25d377e523e8e8

SHA512
ac423982d2525988e9524b1e356edd20e4ed06e0df1388a4060e1babbccb82b919be486f9cdcc3bd82c9551ad961bd5d17a4868d5557803637d37bee7c8aeb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74868105-7894-4474-9A9B-987E2C5534E4}.png
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2540-215-0x0000024341D00000-0x0000024341E00000-memory.dmp

Filesize
1024KB

Download
memory/3380-144-0x000001EF50750000-0x000001EF50758000-memory.dmp

Filesize
32KB

Download