ouroboros | fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388

Analysis

max time kernel
39s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2022 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
Size

519KB
MD5

d2e5de5fde2df40aa2515e9d13b0735c
SHA1

f6ebd38d354746482db21fb989cb22c0a764f098
SHA256

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388
SHA512

9b18cd6ad5f37402be935e85df5c1e4032e16e29374de26c9aa6cfb41fc05077e16cfd89b49fe016bc34c61bf9132a44b1efb7a70c4c342278cc24733ac3e0c0
SSDEEP

12288:ggA009BmT3iiOjSXlBCq/3zn98aLAW1jI6UDymBdxgwcn6ilhbOD4:YPbcOjSieAWIg9o4

Score

10^/10

ouroboros evasion ransomware spyware stealer upx

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exe

pid	Process
1328	netsh.exe
3616	netsh.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SaveUnpublish.tiff	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockRestore.tiff	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2548-132-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/2548-164-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Public\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description	flow	ioc
HTTP URL	24	http://www.sfml-dev.org/ip-provider.php

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

Drops file in System32 directory 1 IoCs

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

Drops file in Program Files directory 64 IoCs

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\OcsClientImm.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_contrast-white.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-100.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\ui-strings.js	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosMedTile.scale-200.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_24x24x32.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Inbox.Shared.winmd	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\kn.pak.DATA	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-400.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Beta.msix.DATA	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp6.scale-125.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.winmd	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\WideTile.scale-100.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\ui-strings.js	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\TellMeOneNote.nrr	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.Tests.ps1	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.IO.FileSystem.Primitives.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-black.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\psmachine_64.dll.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FSTOCK.DLL.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-125.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\hr.pak.DATA.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-100.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2native.dll.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxManifest.xml	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

Drops file in Windows directory 64 IoCs

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Candara.ttf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\usbhub3.PNF	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design.Resources\3.5.0.0_fr_31bf3856ad364e35\System.Web.DynamicData.Design.Resources.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Boot\Fonts\meiryon_boot.ttf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Boot\EFI\kd_02_10df.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Fonts\arialbi.ttf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\kdnic.PNF	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\system\Apps\RS_ConnectedAccount.ps1	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\netl260a.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_it_b03f5f7f11d50a3a\Microsoft.Build.Tasks.resources.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\c_apo.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.Resources\3.5.0.0_de_b77a5c561934e089\System.Windows.Presentation.resources.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Fonts\cga40850.fon	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\ko-KR_BitLockerToGo.exe.mui	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Cursors\busy.svg	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Boot\EFI\fi-FI\memtest.efi.mui	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\tsusbhub.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsUpdate\RS_AppData.ps1	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\apppatch\DirectXApps_FOD.sdb	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\system\IEBrowseWeb\fr-FR\RS_DisableAddonLoadingTime.psd1	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Cursors\pin_rm.cur	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\en-US\hh.exe.mui	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Fonts\seguisbi.ttf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\wide.Globe.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\es-ES\bootfix.bin	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Cursors\beam_rm.cur	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\TS_PrinterDriver.ps1	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\7153ef0bfdd1efd38882e46b46b7745a\Microsoft.ApplicationId.Framework.ni.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\436d35a99bf0a7202eb5e431afbabaf0\System.DirectoryServices.ni.dll.aux	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Boot\PCAT\it-IT\memtest.exe.mui	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\System.ni.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\9f1384ea928c337294ff4b399659933b\System.Core.ni.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Fonts\monbaiti.ttf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Fonts\vgafixt.fon	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\mdminfot.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\mdmpsion.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\9d4fa51c0199ef8faead7b940eba2662\Microsoft.Windows.DSC.CoreConfProviders.ni.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\system\IESecurity\es-ES\RS_IESecuritylevels.psd1	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\ipoib6x.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\ba094d32157d7acfed89b01413f8effb\Microsoft.PowerShell.Commands.Diagnostics.ni.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-white_scale-100.png	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\amdgpio2.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\index\AudioPlaybackDiagnostic.xml	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Fonts\smaf1257.fon	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\netbxnda.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\nett4x64.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\index\BITSDiagnostic.xml	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Fonts\pala.ttf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\netr28ux.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.office.config	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Cursors\help_il.cur	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\ja-JP\CL_LocalizationData.psd1	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\c_netdriver.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\system\Power\fr-FR\DiagPackage.dll.mui	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\TS_DVDAudioDecoder.ps1	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\caebd127a3cf1487868f8d282898dcc1\Microsoft.PowerShell.Commands.Management.ni.dll.aux	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\fr-FR\bootfix.bin	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\INF\mdmeric2.inf	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Fonts\BKANT.TTF	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\17e8d62f031d58fe723473a6a11c4ad1\Microsoft.PowerShell.Security.ni.dll	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Windows\Cursors\larrow.cur	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1632	684	WerFault.exe	37
3240	3236	WerFault.exe	142

NTFS ADS 22 IoCs

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

description	ioc	Process
File opened for modification	C:\Documents and Settings\S-1-5-21-2629973501-4017243118-3254762364-1000\탐sk8:쾰	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\븰C7:<脈	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\殸cr:<㢰\톀欄RT킰	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Videos\殸cr:<㢰\㚐欄NP聀	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Videos\殸cr:<\㣐欄NP㦐ƛ	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Music\淨cr:<∠\㞰欄LN蛈	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\볰C7:<䓰	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Videos\뺀cr:<䉨\㘰承矧NP遈	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\뱐C7:<툸	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\뽰cr:<黸\፠RTᜈ	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\붐C7:<䔸	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\殸cr:<\푘欄RT쿠	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\뱐C7:<䖀	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\淨cr:<∠\欄RT	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Videos\淨cr:<∠\㠐欄NP蒸	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Documents and Settings\\㏨sk8:㎠	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Music\殸cr:<㢰\㰰欄LN聀	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Music\殸cr:<\㭰欄LN㦐ƛ	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\뺀cr:<䉨\Ꮘ承矧RTᤐ	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Music\뺀cr:<䉨\㦐承矧LN遈	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Music\뽰cr:<黸\㠐LN	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
File opened for modification	C:\Users\Default\Documents\My Videos\뽰cr:<黸\㔐NP	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

pid	Process
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	Process	procid_target
PID 2548 wrote to memory of 2840	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	82
PID 2548 wrote to memory of 2840	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	82
PID 2548 wrote to memory of 2840	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	82
PID 2840 wrote to memory of 4916	2840	cmd.exe	84
PID 2840 wrote to memory of 4916	2840	cmd.exe	84
PID 2840 wrote to memory of 4916	2840	cmd.exe	84
PID 4916 wrote to memory of 4596	4916	net.exe	85
PID 4916 wrote to memory of 4596	4916	net.exe	85
PID 4916 wrote to memory of 4596	4916	net.exe	85
PID 2548 wrote to memory of 4896	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	86
PID 2548 wrote to memory of 4896	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	86
PID 2548 wrote to memory of 4896	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	86
PID 2548 wrote to memory of 4280	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	88
PID 2548 wrote to memory of 4280	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	88
PID 2548 wrote to memory of 4280	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	88
PID 2548 wrote to memory of 3740	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	90
PID 2548 wrote to memory of 3740	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	90
PID 2548 wrote to memory of 3740	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	90
PID 2548 wrote to memory of 1972	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	92
PID 2548 wrote to memory of 1972	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	92
PID 2548 wrote to memory of 1972	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	92
PID 1972 wrote to memory of 3840	1972	cmd.exe	94
PID 1972 wrote to memory of 3840	1972	cmd.exe	94
PID 1972 wrote to memory of 3840	1972	cmd.exe	94
PID 3840 wrote to memory of 2008	3840	net.exe	95
PID 3840 wrote to memory of 2008	3840	net.exe	95
PID 3840 wrote to memory of 2008	3840	net.exe	95
PID 2548 wrote to memory of 844	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	96
PID 2548 wrote to memory of 844	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	96
PID 2548 wrote to memory of 844	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	96
PID 844 wrote to memory of 4032	844	cmd.exe	98
PID 844 wrote to memory of 4032	844	cmd.exe	98
PID 844 wrote to memory of 4032	844	cmd.exe	98
PID 4032 wrote to memory of 320	4032	net.exe	99
PID 4032 wrote to memory of 320	4032	net.exe	99
PID 4032 wrote to memory of 320	4032	net.exe	99
PID 2548 wrote to memory of 4756	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	100
PID 2548 wrote to memory of 4756	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	100
PID 2548 wrote to memory of 4756	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	100
PID 4756 wrote to memory of 3860	4756	cmd.exe	102
PID 4756 wrote to memory of 3860	4756	cmd.exe	102
PID 4756 wrote to memory of 3860	4756	cmd.exe	102
PID 3860 wrote to memory of 1928	3860	net.exe	103
PID 3860 wrote to memory of 1928	3860	net.exe	103
PID 3860 wrote to memory of 1928	3860	net.exe	103
PID 2548 wrote to memory of 1600	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	104
PID 2548 wrote to memory of 1600	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	104
PID 2548 wrote to memory of 1600	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	104
PID 1600 wrote to memory of 3616	1600	cmd.exe	106
PID 1600 wrote to memory of 3616	1600	cmd.exe	106
PID 1600 wrote to memory of 3616	1600	cmd.exe	106
PID 2548 wrote to memory of 1092	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	110
PID 2548 wrote to memory of 1092	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	110
PID 2548 wrote to memory of 1092	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	110
PID 1092 wrote to memory of 1328	1092	cmd.exe	112
PID 1092 wrote to memory of 1328	1092	cmd.exe	112
PID 1092 wrote to memory of 1328	1092	cmd.exe	112
PID 2548 wrote to memory of 2276	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	113
PID 2548 wrote to memory of 2276	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	113
PID 2548 wrote to memory of 2276	2548	fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe	113
PID 2276 wrote to memory of 2924	2276	cmd.exe	115
PID 2276 wrote to memory of 2924	2276	cmd.exe	115
PID 2276 wrote to memory of 2924	2276	cmd.exe	115
PID 2924 wrote to memory of 2316	2924	net.exe	116

C:\Users\Admin\AppData\Local\Temp\fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe
"C:\Users\Admin\AppData\Local\Temp\fc925828184414ad44912fc6ca35af25aa6bbcff505026b1fc208b4064bdd388.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:4072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:4316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:4160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 684 -ip 684
1⤵
PID:2536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 684 -s 4636
1⤵
- Program crash
PID:1632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2864
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:1868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1144

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3236 -s 4760
  2⤵
  - Program crash
  PID:3240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3236 -ip 3236
1⤵
PID:1288

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos

Filesize
289KB

MD5
f455ced496299cf30244f7ed2ce61598

SHA1
94ae4b4074a0c19c57d40f0aba83968932dacd6e

SHA256
a70cd7e4ebe44f6ffb15663283d8e8fab9d052beba2d9d5c3c8b6d376f08839e

SHA512
d214923a93c03ef0a29d98dd62a81bb11b84de3277b31f12be86cc0d6846688b600853154d94701a267e76f9f0ffda92603a3539ca67c2ff1e59507d7a2d23be

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos

Filesize
623KB

MD5
77ac286765e812425751485c5d5617bf

SHA1
90ee190adbb1c01a3a814d739c100a794c3ffd76

SHA256
a3d2c66dc8cd009536d3ce60cbfee4f2e93a978c2199ca4196e7cf2838997baa

SHA512
4809a65ad99a779c14669e30cd213d0f5674d021522f421d14e753cc77d2e1539a1c2efe8e7b83050ea6328088a95c7c542f80aa80cc4d3ccb08ff78dd8103b5

Download Submit
C:\USERS\ADMIN\DESKTOP\REQUESTSET.WMA

Filesize
884KB

MD5
86e8ab5aebeaa278d0d289fb4c40bbd1

SHA1
3c01e7cb80aff7231aaa630f976be26e6074a9a6

SHA256
f78326a56b54ec80e27c73e41ed0dffecbc0021add75d96a3018612403fc89eb

SHA512
e60290ff39aecbf6ace7e0da4e5aef22872c0f8a4ca18d228185485a4372af825c9a40cf1fc899ad0eb83ba981af2c36b638206f7c070bda32c3c4be57482af2

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
413KB

MD5
2350b47261040b1ee32f7df427ab30fc

SHA1
e656cced405e01b6a60b7444b2c9e1b31ed7c63a

SHA256
612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db

SHA512
a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.[[email protected]][A7Q8ZLBSW6ITKUP].Sophos

Filesize
414KB

MD5
71f7ddc7074f90ea31935b7e484aea63

SHA1
0436394161b00343013ec21ffe3396fa87f67981

SHA256
c24cdaa4e91c40901fd559ab90c744d978d457eb9cf44a0426bc6554a82dcae8

SHA512
a0873c5acf3a60710d1b8b1709e1c5ecfc44baa8bce586c457023248bd2305293bc717d197b39635e4ce120c43cbbd445f22afeed2ddb636eb65d3eba27eecad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
a21fa4b170d93f97425db1666bbfede6

SHA1
ec2114df9c9ebfac70ee101f72ba9fb60253adcf

SHA256
3d04c0c75da799f7af5a29e009d9c40e0b95a554d8a5bc1b7377cfe780907fe1

SHA512
5e969447a1b854847640bd7d9c2c6bd659b1c4bc1586898bf86b4039e4536583a0fb09c148138488aa83360d1bea3b0f80beb18c2d6226f55a3a1d12be108969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

Filesize
1024KB

MD5
55ef06625eda024ea85d3e30bd6de9e2

SHA1
da7b956f3370c4bcbbf77148bd15853ee9816940

SHA256
dab32176a0db31ead81a63b014a1fbb07908b7a75fb84d066afb7a4849cd3fa6

SHA512
5f8ffc08f580d3b7b1096a90b94653ca5124e8080602d6e0d9d5b58f44879a3348f618f3eaff921d2998caaf13fc0122024e579ee5bd2194f64eb73a55f4c9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
f9ade030e204313e77bbe2940815c8dc

SHA1
2b15c2c697f6f91f6bca63ea1934c41d479636a6

SHA256
344c7a8f0123d22020cea07a7dbadac9b889e41a76985b788628fe6ca277c858

SHA512
62059e377b9b8cdcf37188a6c76e8742442b50ce90a75aea84103453b6bffc17633d7bbe57a77deb2445df677957fe02d4c150baae923ada9a1d64ec20251d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
52e7277ff253c1616b3139062dd24043

SHA1
799d2961c6b1c87c0217fe426f7a524abde521b2

SHA256
e34459d4ac3227f580342fbc41ae151318cacafd2338c3b173c6821a58ace4cf

SHA512
4a01462a2a40dfc602b525363d7242364a4975affa20909bd57546aa94898c84ddfe1c6cea769c7529867451b04426782f3a3d4471a97085ce50809b4c6b48a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
844ba3169585869933fa9ad324b2935e

SHA1
19c63698644ae06d0f7c8184790cf2b35aaa5237

SHA256
919872afeb2e2b01b99d06dc73b98f5e762ac75831c8c08e1739f8220e960e70

SHA512
38bbbf9b1d4c579e1a6f85a706e42e6ee80a6fbb6fca80d19a76b1f2f02c773df308abfe519461ab0b2be81eec5c976ddabc7d79070034dc530e5974ee2838ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
4fe5e2e740ad86be0dcb13c0d0d8a355

SHA1
4792249da9838387777be7247358b319dfb78549

SHA256
4c6396e18483f008b26df230ef6888196b013b91288f6f96ca5563e958404d28

SHA512
b75e8fcf6c0ccfc2aa08f075e9236e7520222a0770df6930e00ee21ce2a97d13613b9d60ba303bbc5b8e6d47bbbec596cad1771bed9b5ad7d8fa461ee10309df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1024KB

MD5
76295040b0193e1d60b0c3a6c7f07674

SHA1
1c25bccc094e83ba6267df9d66fce11ccc2618f5

SHA256
82163c09761bca5445596d6663f3e84996d0689665e9794b0dc68a7b3c726455

SHA512
9a097abc80daabf62ffc24560bca3466bef56a50de8e5394ea210c64ceff6bd9ea71f690119c226f47a8027dbd7dcaf423bdc64c2746d8b55136553a41a00c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

Filesize
1024KB

MD5
8f7ededa06eedaa765ef69ac9bd6ec69

SHA1
8fc17b1e62264c3da0db13f8a48dee1e34f8e24b

SHA256
53ab1a4ee6d4825c1bd90fd79c90efb25aeedaea1292fe227de9e333336a9342

SHA512
fff56bc16edcee72439ec92bb1f8aeedad2c8f51b1cca2161ac4eae19e55bcaf81391cfba94da0d2a268a384abdab20a7524bb8a6067d836cedd6fb6b5a309b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
06afaa844005bf21b25a8c99ea21630a

SHA1
5aada31126aca71b06ceb7b622ed1070479edf3e

SHA256
2e91f17ffa15fd18c702aeb61bd4e4b4f2502f22b19e9fe4ad0d6266d145e76d

SHA512
4b28b12dc7180c3ef9c90c852c9e4b9598ff7b43d3a53e0100f9cfbef07d51a9c6655a27bcb1fc157b520ff99378ac42a3b3f604207cb12f61eba7638c5c12d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_10[1].txt

Filesize
197KB

MD5
d5b99a96b5d53ad3d64c1c8d1e73f69d

SHA1
14eb8f849600bbb4d7a810e539f43cafd3d9165f

SHA256
61e3c2c222847577beb8cfba9e1686ca52e2796df9ffbce688c3fcd8db9692de

SHA512
708624dc6d2b613f3ea5bcc89b82bf9d4ae57fd1b779d3a0f3b859104359c352b8099d785aeb7d1c2448ea8c8ee61d6160228b6953be0085a3910d4bac34bef2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_11[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_12[1].txt

Filesize
221KB

MD5
e3047eabfdda0b0027926144df5c7add

SHA1
404083cbe1fb9e7226ad8b290ac0d7e758bd9be1

SHA256
e7680410ecf01f3ca8234f97f10199d51238ae07278304bb9649cdbbf2ff2f8c

SHA512
cd35d96e53850952321dad5fbb6653925dab9ce69d2d3c462cf90d00b325b5e74670fc46a7c23b2d65d76b56f5e2f4ffc34c0c715e4173f890baabab666946f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_13[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_14[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_15[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_16[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_17[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_18[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_19[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_20[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_21[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_22[1].txt

Filesize
197KB

MD5
f602c53f71cdb284adeb4270fe9129e5

SHA1
6f3341eb4dd1a2f3c99fb30edbae4adb51758edb

SHA256
f78bbdd219e377060d9d9304fb3f4aa7c66dc3c3fc10d9c2a21cfb9dbc71f774

SHA512
1deca1dee9f9d49344eba61d98bcc212fe70483dc8f401fa630d9cfc36567c8962279af722d668663c9bbbcb8c3467718a2de59b64b763711f28f244c47792a6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_23[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_24[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_25[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_26[1].txt

Filesize
780KB

MD5
ad086e31d153f7e436a12081c597e03c

SHA1
076fe1482ec0187cbd1de024fe8fe92c4327f400

SHA256
b822ae3d39c88e23c11e337590ecfccbf84ea14508d87816fc8726fdf0d1b5c9

SHA512
725a663dce1c0bc24d520947a0f8b3c5d9d945a0acff91d037bf16396a3a2038d40ac759425b3afa2d5d19fd75763cd7e033f8730a016a9420ed835e160f82c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_27[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_28[1].txt

Filesize
181KB

MD5
68dcec5946a9689e9fbf45820154f05c

SHA1
2ed52ac603b6e73ec7446d5d618a747846be0af7

SHA256
4d9ed2d1c782e54b7249d0551fa3b9134861dc977aa9fc3fb6ffb62e04f0d0d0

SHA512
395db62f8429bb6dd4fd853a2081da2affcd1fb76e317d6a8b4f4aa63e544ec30071a5de039fc0b688cb2a8c0075cb4eaaba3ddb1ac8c02f1ab715dd34d9f79f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_29[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_2[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_3[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_4[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\A5CR8ILR\3\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_5[1].txt

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
302B

MD5
4fc0b6381beb93812bac9dea3f172d03

SHA1
cf251e320eeb59acd9d5b4bfbdd3bfc260e57bf5

SHA256
76baa723ca2a247acaa99458e47957ba00a8a7f9ec268dc23b5e99f8c8fbe0dc

SHA512
f313df089af698d9d3a4311cc7e86727b9e320b4cd199f8bde72265295e18c9cb7e80dbda94b4f436ee5ca81b351e6c08d2b5eadf0b23209107aeafec0a97b6e

Download Submit
memory/320-144-0x0000000000000000-mapping.dmp

Download
memory/844-142-0x0000000000000000-mapping.dmp

Download
memory/1092-150-0x0000000000000000-mapping.dmp

Download
memory/1224-157-0x0000000000000000-mapping.dmp

Download
memory/1328-151-0x0000000000000000-mapping.dmp

Download
memory/1528-158-0x0000000000000000-mapping.dmp

Download
memory/1600-148-0x0000000000000000-mapping.dmp

Download
memory/1860-160-0x0000000000000000-mapping.dmp

Download
memory/1868-186-0x0000000000000000-mapping.dmp

Download
memory/1928-147-0x0000000000000000-mapping.dmp

Download
memory/1972-139-0x0000000000000000-mapping.dmp

Download
memory/2008-141-0x0000000000000000-mapping.dmp

Download
memory/2276-152-0x0000000000000000-mapping.dmp

Download
memory/2316-154-0x0000000000000000-mapping.dmp

Download
memory/2548-132-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2548-164-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2840-133-0x0000000000000000-mapping.dmp

Download
memory/2924-153-0x0000000000000000-mapping.dmp

Download
memory/3184-247-0x000001806C00D000-0x000001806C011000-memory.dmp

Filesize
16KB

Download
memory/3184-251-0x000001806C020000-0x000001806C023000-memory.dmp

Filesize
12KB

Download
memory/3184-253-0x000001806C020000-0x000001806C023000-memory.dmp

Filesize
12KB

Download
memory/3184-249-0x000001806C00D000-0x000001806C011000-memory.dmp

Filesize
16KB

Download
memory/3184-248-0x000001806C00D000-0x000001806C011000-memory.dmp

Filesize
16KB

Download
memory/3184-252-0x000001806C020000-0x000001806C023000-memory.dmp

Filesize
12KB

Download
memory/3184-246-0x000001806C00D000-0x000001806C011000-memory.dmp

Filesize
16KB

Download
memory/3184-254-0x000001806C020000-0x000001806C023000-memory.dmp

Filesize
12KB

Download
memory/3184-245-0x000001806C00D000-0x000001806C011000-memory.dmp

Filesize
16KB

Download
memory/3184-183-0x000001806A770000-0x000001806A790000-memory.dmp

Filesize
128KB

Download
memory/3184-184-0x000001806A730000-0x000001806A750000-memory.dmp

Filesize
128KB

Download
memory/3184-185-0x000001806A7D0000-0x000001806A7F0000-memory.dmp

Filesize
128KB

Download
memory/3616-149-0x0000000000000000-mapping.dmp

Download
memory/3740-138-0x0000000000000000-mapping.dmp

Download
memory/3840-140-0x0000000000000000-mapping.dmp

Download
memory/3860-146-0x0000000000000000-mapping.dmp

Download
memory/3868-161-0x0000000000000000-mapping.dmp

Download
memory/4032-143-0x0000000000000000-mapping.dmp

Download
memory/4072-156-0x0000000000000000-mapping.dmp

Download
memory/4160-163-0x0000000000000000-mapping.dmp

Download
memory/4280-137-0x0000000000000000-mapping.dmp

Download
memory/4316-159-0x0000000000000000-mapping.dmp

Download
memory/4524-155-0x0000000000000000-mapping.dmp

Download
memory/4596-135-0x0000000000000000-mapping.dmp

Download
memory/4756-145-0x0000000000000000-mapping.dmp

Download
memory/4856-162-0x0000000000000000-mapping.dmp

Download
memory/4896-136-0x0000000000000000-mapping.dmp

Download
memory/4916-134-0x0000000000000000-mapping.dmp

Download