netwalker | 8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc

Analysis

max time kernel
157s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winbio.exe
Size

69KB
MD5

2edbacd070d1949bb5d97d3a6e4e23f6
SHA1

761168968a1d951848a36ad428ee4d05153f1e01
SHA256

8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc
SHA512

a4b282b8c91124a6dc465573842a03b5fcf346af6e561eef66ea405fcb784251044e2f8a2c0a61cbb0e29f7efc02a71d131930b70e2c021978d00c0b3c38f344
SSDEEP

1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+MEYTb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3+

Score

10^/10

netwalker ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\A79260-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .a79260 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_a79260: e06eu9Szu5ukxqCwevVyrYFPjjxRUuu9XAVPALfB47me2ntG9h ux0o+/AeKVmuCU7GcvcVhF3DXQ2u14yhWoYPHdCVftUr5Zq/a6 0vihK6z+p54eEJ8ZhnELx2x77Q2Xqt01xhkpnKzPreX4Gahm9S jxdlkIyzZ3nY3QmmoxP7BUmJXs5rMUilciu3gRA/DWBbbzl7Dw 1P4vvzEh8M/kMDB1lCFpduAWgIqNmWKhLjQPxYJSjYqgkUkUVD D33OToIKy2lSiQW9drtJDDYDhfMy8r+NcI3VYWlw==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (6790) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\SphereGeometryShader.cso	winbio.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\A79260-Readme.txt	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-100.png	winbio.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72.png	winbio.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-36_altform-lightunplated.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-400.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p1.mp4	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js	winbio.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\A79260-Readme.txt	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-24_contrast-black.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-64_altform-lightunplated.png	winbio.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\A79260-Readme.txt	winbio.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-125.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\id_get.svg	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-200_contrast-black.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_contrast-black.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\MoveToFolderToastQuickAction.scale-80.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\platform_format.lua	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\officons.ttf	winbio.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-400.png	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\ui-strings.js	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\5px.png	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\data-80bd83b592567d50f84a26711cad1cf82f4057f1.archive	winbio.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-72_altform-unplated.png	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-200.png	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\ui-strings.js	winbio.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-unplated.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\VungleSDK.winmd	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\34.jpg	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png	winbio.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-125.png	winbio.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	winbio.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\A79260-Readme.txt	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\2.jpg	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200_contrast-black.png	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	winbio.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osmux.x-none.msi.16.x-none.vreg.dat	winbio.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\A79260-Readme.txt	winbio.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg	winbio.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\ui-strings.js	winbio.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\A79260-Readme.txt	winbio.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms	winbio.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3516	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe
5000	winbio.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	winbio.exe
Token: SeImpersonatePrivilege	5000	winbio.exe
Token: SeBackupPrivilege	7724	vssvc.exe
Token: SeRestorePrivilege	7724	vssvc.exe
Token: SeAuditPrivilege	7724	vssvc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
8820	SearchApp.exe
5736	SearchApp.exe
7244	SearchApp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 3516	5000	winbio.exe	87
PID 5000 wrote to memory of 3516	5000	winbio.exe	87
PID 5000 wrote to memory of 11588	5000	winbio.exe	105
PID 5000 wrote to memory of 11588	5000	winbio.exe	105
PID 5000 wrote to memory of 11588	5000	winbio.exe	105
PID 5000 wrote to memory of 636	5000	winbio.exe	106
PID 5000 wrote to memory of 636	5000	winbio.exe	106
PID 5000 wrote to memory of 636	5000	winbio.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\winbio.exe
"C:\Users\Admin\AppData\Local\Temp\winbio.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3516
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\A79260-Readme.txt"
  2⤵
  PID:11588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\D884.tmp.bat"
  2⤵
  PID:636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
0a7f91ebf3b4082c21d14b59dd9d29d8

SHA1
8843969f861f074705c36012ad7e3c23030d5071

SHA256
ed5fc7bd4d5e19651c11712a9bb0517f16a98928c940cdca3e97df8a9c59a913

SHA512
4594c02f18832ece739c14e0663d795ef2076cbef58b164d4fa109c43c246979961349572199acc768bece2591a4deced97c17560a4d8d906a4ca5a643211ad0

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.a79260

Filesize
150KB

MD5
eb01d281fdb423af53be0ec14e03fe0a

SHA1
6d89a1e5c094d7cd1bfddaf7cbe20592aea1a478

SHA256
9277638c013e2f34cdb1707981fac09f846f21bb495466370372429dc7e5adbc

SHA512
33eea23ab485a34e05606e6cc8cdf2f2d1f4cbb9da19b22f393feda9ebb6008c75bd8707c6b9f3bac74d23c7fb19d2df6078f695e8cb53e07e173ffb2d156e14

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.a79260

Filesize
1KB

MD5
c6f6b64684551c9ba598e7b78a484b38

SHA1
9de16e77a2c40986dbec4e9c904aff09c05c7115

SHA256
fccd71b0da4d6a8f45e3ee7445506ac66797ae94ef6fb06f1c5e445ad953cff2

SHA512
8f24da56eb289884c10352ff5c6ad3b73ed2a51e37566d1843959375b6f1d26f7444f06a1f76f3e6f04504762eee2bd385b444e48373e96cb968235d0892b689

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.a79260

Filesize
2KB

MD5
9ec93669f97df7f8a3db4c1cce5bfec9

SHA1
b83aad60c6077d9812daed3c8844e9a190f022f7

SHA256
50c9c1284053203bc0d06f68a20618363a8e230522eccdfeb977de4118c3ba28

SHA512
21c4a04dac25d189dca9b5588f3d989ad752a7e729e070b287d1e2a36627b75c44110cea69e920f793923a998f62fb7f10fb882fbef0e4cc157305ad06fffef5

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.a79260

Filesize
98KB

MD5
ba2bda8edb43d86bcb43f6a0ac87651c

SHA1
4a39b42ff5c3e88d546e406ff39f2e5be5e63dd2

SHA256
2d35d63c6de46d09be95ce6eea27c14c14b96568a9f94d103f5a00dfa474e5fe

SHA512
4ffce4707a8866a9048602a355a0108751151f22c04b9bb329c5ac6c80e0e8d3f3201dba7569f8b2d78744163e3c00c123582391c020f5901c723f4bcbf41e27

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.a79260

Filesize
31KB

MD5
edd43c787ebe72e2073a7569e2db61ba

SHA1
5d23828c3d44c15b389ed90a286636e3d3a3a35f

SHA256
a28fd37816c55c5b4e21830029057962221b5221437fd6d22a8538c0b1e8ef0a

SHA512
d98c91050116f3383c3db86ea3446ec8dffa600c9db9b29f917b07baad15dcf01bb8cd6851cc92d13a5b56a7aec4be34858bd2e9517279f89fe135e7c1d1534e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.a79260

Filesize
109KB

MD5
fd6d70defac86552ee38c209957d8245

SHA1
95aee593196a42e092f4dccdb526596a2da5e3c0

SHA256
049973830b5a11b4d6847c5fcaf67333e9471804e057a22c2b5455001d70e3f8

SHA512
cd96f08f73fef37cbc9dccec51cc2a94299a1a18b8865445422ce808ba49165910c21b361e866315423c0734d5d065013ff12e7033eedb5a4f6f0da71a78de3c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml.a79260

Filesize
9KB

MD5
6e91918239ca5aa6d190efb44279979b

SHA1
75988ea7d3cecb7a64ca9e8dedaaa6727d7eaec1

SHA256
29701b2ff4026694f3cd372f97976200a115d6fb0cd73d99980da400841b049d

SHA512
e6b1fd0aaf122f625f0e9ca55c7d447c5ef288bbf3d6cf0c2d4869cd1ad28ff9df3c75b509db83c8be66c921543727153cf58584916f8e0a214e580f5e7eec88

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.a79260

Filesize
39KB

MD5
1582e1e726715328a64e198695d455ba

SHA1
512c0086184c15fe6da98e9c15c2f44869dad392

SHA256
6cc81529a7b5e3f203d53e18125e04a88bd71cbf2fa3cc22e6c4e144c51694c4

SHA512
51d0302c88addf40fcefb21babb246b5ab5024735c1b06bd5b1061197979bb3859957caa2f5a7c32b4b4b787ecd3b1d976f6715e4bbd87ea410a61de9e0b2150

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml.a79260

Filesize
16KB

MD5
36cfac074119682bfa5ec8bf95d0ab5d

SHA1
366bca472dd353e5c983839a5b83e7f7a2c426ed

SHA256
e8287d261ece93c4afe4d2866756c3a607ab201c7e97287fb5202a5544918b9b

SHA512
39ec931a35920a5917ac9893e0a62514d887a37a30a30e88c819db42a16cb70e2e79283f1d325b83f2b81c33ee25d3698dd04111c7d856ef3708a43bb28f692f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml.a79260

Filesize
331KB

MD5
ee8bc996cd76f3db7a4df3d5b9751373

SHA1
512e6ea150f4b2e19e0be893a9bba06ae0c5b02c

SHA256
29dc7401ee04b97913fa4d732923f54d3d478f579d78c29dc1bfd4b915b6fa36

SHA512
86b3071350c41ae30092de03558af0983ca99b1ec2af46218cac574da6cc05e9018b78cac6830a8e0c4d499bb90435046228fe1f6db5392e175e78400950d3e9

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.a79260

Filesize
122KB

MD5
589c8a94eb5eada276cce26d3618fb00

SHA1
8543d73ae692541c6dc218d7370bf7e9a2fd54da

SHA256
e85b570ca8ccf90b33e3293ab0f1cdea089be417049f1e0a832a63d9c6e08894

SHA512
1824a4ff046841b5d432e7316499154805b270c350df15b357e390320f0c3193624f4f5466449da26cdff1dd52ac2cf694186f6c82cd26bf184547c143750fe6

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml.a79260

Filesize
2KB

MD5
088cf798fc1b087a66dfa205e0d138bd

SHA1
aa2eb08551366baf73328e05bb0fbde44793c187

SHA256
07d85b5788e7a9bf32d3a5b82c20524a61b6027300c58568640a818b3522f125

SHA512
d53e9aa33cf7ced2a7f7b97eb6d9823f635caaa6b8d41a2f3498990eb8053e4a364ae0363baa1d47172f8bcaedba242df4a38e74cb794e16dc71a1d60ce02fbe

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml.a79260

Filesize
18KB

MD5
b110177c3e2e5bc8d2999bc567bc9cdb

SHA1
a4ae55d0e5334e72d769aeba04395eedeec5cb8e

SHA256
20d5f172cd044858e75e37666e9eb3c260c843bb5d6e8e6bf9f01683a17f14a1

SHA512
4b77b988b79b08117104957884e1af1ef6e0193f9c679ff96f8024f225ae2ddaacbf0a1ceb92cf5411a39542faa3f4cd74c55517ee359ae975965f633f07f6bf

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml.a79260

Filesize
11KB

MD5
2b4cf87e98dd9da8c44eca6249f892c8

SHA1
403a2b5493f23d6901e0d12ad41fb98d47ea95b8

SHA256
03dbcf36bba70020281055c8237d323ef62e42599ed999bec7adedb9b7bf4ba6

SHA512
e1b487efcd4c02703e8a062ff6d0aed79f3f3f1f24384545b2b9fcb619321f10e039c7706b576465771f16703c72c471f6637c4eac42b73579eae5f92c24199e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml.a79260

Filesize
11KB

MD5
276c46526000f3a94626f2229ce64193

SHA1
1a42d97aa2585fcadab04630ca21dc8c7891b9b2

SHA256
ec0684e39dccdab0210fb46a7c95f8fc625f917385787f4bfb2f61bcede44996

SHA512
be5cad3373da867151a4b0cdf3d7db5a351efd41b1340f7b90e287d8f4548e1186a7f11d21d6d160c1b695683e479e4e1a0e671b0355b9ae8fd32738edff4c71

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml.a79260

Filesize
3KB

MD5
d61eff3c79ec0bfc2d16cd3e2393b373

SHA1
1d003ae095b1a968b287c0f27f5e0106d786de5f

SHA256
bea7dc38b0da54525f42989d85053e54a4b8812d8f4cd3c9851f3ae2516a2c47

SHA512
1423fd51f1c3c34f9315a35fcccbe68b610053e18dae08346baf16dddd04815b77cb886058c728db0ef875ea3e5bb28c61bf601f8cd69e98ad5a35f186cdf376

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\03f8974b-362e-33e3-2e0b-c7bc2ea01c63.xml.a79260

Filesize
3KB

MD5
3da67caa8017d492db02b1dfb2cbb06e

SHA1
1e8a97b493a27fc3b37ffddd0a4d656abb2ea9a7

SHA256
10393646beac6e3bf371ee0631eb766231012b85ad4b480c8dba2724b56165f5

SHA512
69f79a5c420abaf5140001539cb75ab2fca654aae6da5809d2f13783419bfa1257c2e88b8790958ded0c987673d600dc28eb2eea390228eed1daa7cabea6b8d2

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml.a79260

Filesize
3KB

MD5
f75b3fe6dd4a1c035bde303c4138ab23

SHA1
c994fcf236764d8d4d898e8f7321ddbdb177d0d0

SHA256
b5fbeb7710b14bfa6a5ded2343defb4fc24727e164ad7feb532ab729789fc009

SHA512
d999b2f2949e55b0d4c9054f32fe9aaf0fb9c59ad31703f61a9b3a8b25ad60ceacd4ba4b44b0481581783859a7de52cf6ce1ad17ef52fec9272037f80938ec9a

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\09ec127d-8158-a906-c12f-44a86e3e994f.xml.a79260

Filesize
3KB

MD5
a6f935059128870d7d2380501b31fc04

SHA1
d99faccc45d00d730a5d17836ff0567ce629c9d9

SHA256
67063b18775abace4353bf5634f0ceee36d0a8f538adf24de367ebcfd941b469

SHA512
b482867cb2f748453c28f8f39cc4ce97061871a8b3200bb691488dfc2d41da33a1ad1a754513077abd50be865826f71f6a970737ef75a37ce21fc120e3b5a829

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml.a79260

Filesize
2KB

MD5
e29d1d3c281a6d63b17c22385d8e7cce

SHA1
382e86c3a91e2f91ebb9de9dfd6c82aa661eeca0

SHA256
b74efb872a32008d72e6da8c6970baabd37e25693af4f6cb828885407be2e762

SHA512
90a63c532ceddd07507ac98f257220d81249e8462f60a76087f1908701303f8bc3881d7e9d901ecde904d2d81f87c09b79c1dbbc0380e18f1efd0cab0844b0df

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0ddcc52c-d523-1b86-16b8-3a7ee4100d61.xml.a79260

Filesize
3KB

MD5
2cb00daba2d7e4ae1de0c52e4f25f0b0

SHA1
0842ee7fb566057e2b1ad772dee7246e6d567881

SHA256
5438d1b133e38832306e325b6fab3be76c0aac7d648c717ebcae509493f19a1c

SHA512
a9ce4643294eed0cde13ac6b9bfcf1974481c2a08e9f7d43157012b39e4eb916241ea3f499366c4d263780707eaa34b167d2fb1c2d630f2a4380f1bc0e41d23d

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0f8e2cd5-b8eb-7a22-b9e9-9b1183fa0a84.xml.a79260

Filesize
2KB

MD5
5081a4f9cfdb6cfc4cf1c0536b575366

SHA1
67e258ca7235a4f85d5eee512136218edece082a

SHA256
e3074bda934d3ac72bf76bdf231bf41348225b7a3ed2fc8fa29e5cda8174a265

SHA512
09daa9011b0fbfb8ced47c17698694eb4300be336ac441aa5a571668e2d5d84bc832d974dc94872917bcea4ffe06130db542fac95890b76472c1a2c48ee5ce98

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\13ba8772-845b-29a1-ae9e-fb2793ccf4ea.xml.a79260

Filesize
3KB

MD5
3821b18873528f9cbe5f6189d8ebc98b

SHA1
771c66bdceb5c6e9963d5df90d1e1b7a22f04a58

SHA256
71a64fd50f9af0ee2b05dd7cae5bda169bea66fa6ee491e8903652cffdab91a2

SHA512
93e04c59e7e2b8ec9e0cdfbae5b11de162b55e74cf37ef9e10d6c1bf2bad28cde7270d4e5f91913dd1b1f0e89f5df98bd4e990dbb3ca0f4ad9ad2ecf834c55d9

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\18549a9c-bedc-b855-f0e6-0787d8b3300d.xml.a79260

Filesize
2KB

MD5
769858a129e24c006de97706c83af059

SHA1
a4bc1e0f23851e7321b46e590bec1e558af3263b

SHA256
d90c75781a0c2989f8243214c698b212c94729c1991a426523c0c01d1ac9eecb

SHA512
0128df82f304cee3d2d243b77c457047016157dcb8a4bce641b28aad0b325e0933ba8e24aa9a2675f075fe97d41e89419d174b1f45c90cd6aa9761615dd91225

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\1e225998-faa0-5fd4-4db7-5e7686ee3b47.xml.a79260

Filesize
2KB

MD5
8e735115dc159c6390bc286d6c6aff8a

SHA1
38cd8996f9fb68e8f6d2373afc01f994489ef585

SHA256
86c4d5a6a5791e2389c38a76699108d3717b897421c55bc7a3827865d9fd1a10

SHA512
7ca8c80ab601354ae5e310cf29bfc49832915165df0853f1f6357a70f3eee4dcb2d65aa7517b95b100d73991b65ae326373262ecbff0681ff8aead54f920067d

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\1faf63f7-f387-4522-1175-68c9652d968a.xml.a79260

Filesize
2KB

MD5
2397fa978215893f82c35701f85d0203

SHA1
9c10eb573754e0cd1a2033264d7ee1630d415638

SHA256
67124039ed280407b271dea4992a7fc889d8a491731f4ba490c6b07e4c77d5db

SHA512
e6a4fab030159c6340c745a1879989687c7a85763b526b9cd7329be1d2b82ec542565bad6dc21b1cc068b20e530dc8ff0fbd0e04ec3ef8eaaafe3a690f1158be

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\215f9712-9fca-a3f8-5b11-660eefc73b96.xml.a79260

Filesize
3KB

MD5
c429c80f359b7b3137b124ab99d80f80

SHA1
02d886c3f094af21f3d87e970730dcfb768da029

SHA256
df8b73a6328e8fb44cdf47b0e83e67bb8e00f7d737ac49ff41881c9ce06fa852

SHA512
44fa11ce58a8da997c0ea082083222248d09558712209178eada9f1287d1855c3fd7a53acf307e40d09e6e2fdc48d1202a77ad51c4e9681cba557caaa97de171

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2657f7c0-8294-58c3-f394-15fe18ba174a.xml.a79260

Filesize
3KB

MD5
2c01935ca9edb3e64eec5c29392ccfca

SHA1
ef203bed678617e2c1741b39eea7ed7d75fe0dd2

SHA256
057d19c6f12104a0155d789adbdb49ff0326fc86fda086b2e9ea587878e645ee

SHA512
06d20adc7834ace53a0ee44992c583346f52bbd09257850cfd4bce5aefebc2c8bc7088d4bff2bab869c84505b5b07f68f50b25b9b47db9114ba4f39a27aa6993

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\26943e1f-42ed-f190-2895-3bc2b8c4176d.xml.a79260

Filesize
3KB

MD5
baa2582dfeefaf78134d20f595e1971b

SHA1
abba2b6809c7f6baf39ea71a37de8f45fca09697

SHA256
462d3f61292a785c78cd745fe113826bc0494dd90d077a03b8d26d06c70c47b6

SHA512
bab1c2bcc39697438e7d2aed3be93b4d5b23b3412013ec2fb2384e6ec748e674913091ef7d31af0b41794e9108777684e85bab6a653e64aadbdcc5f16be3f9f4

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\28502d06-9d29-8514-1e5d-64447116d798.xml.a79260

Filesize
2KB

MD5
d81f4bf0632e10f843095328211b4365

SHA1
2f46eba7a82bbc187b6a236ed0abc9e92205183c

SHA256
2863a26c2e8acce6e66d5d3a07d373f90c170a1b263c00931fb30c30591c5c45

SHA512
ffd17ed82bf14304828abc77a8add0bec67179353cebe55c829cb8c361a5a913a373418707268fd9803c1f152b06754758624cec53b579eb4f40ca33759c306a

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\28748306-9f02-a5d7-6ded-4459fddadc31.xml.a79260

Filesize
2KB

MD5
e65afa1c88ebcd7ffc66ed53039763c7

SHA1
305da4cbb01d2f54863fe7cfd0795b12a51572ca

SHA256
13d7bbc5d2a1e77ebed21b9a4a5ca2f0c8d7bdce71e5726c9fe7ea7893aeee84

SHA512
a13b92456431f1bac905721867b3dad94586fec89e33baebd0c174e2589a62829e648d1f088079ae93412ed766649c4a4ddcd3f47ed6a6d78cb46e21270694f6

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2b5d0f60-d93b-1629-f3e5-4167231c7ee6.xml.a79260

Filesize
2KB

MD5
fc231285ea69aff0454660ea882181af

SHA1
dc83e5f9fc7f2d17eb92c6b3c9bf85a903a6addf

SHA256
ebc2fa25e8194b9a2a3322865246e1800f7ef24a77b010f887650bb39665738c

SHA512
3b75b52ae85f523d188c34e5cf89a4cf399f4439fb8daa9c08a899dfd88a2b288ed6e0ded07a5954864a38a945567d9f6a69e77ee3b3b373470780488d4e056b

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2c47903d-15ab-20db-6020-db5206c59481.xml.a79260

Filesize
3KB

MD5
2ceea869dddd018d25daab00f668aad5

SHA1
c3649fee737efa866c2433d0af1adcfcec1f716f

SHA256
45b75da7ec4911bc4d1ab3f4cbc90160939d8f5e7a29c9e1330c26052160d574

SHA512
929951fb35f847d83323bbc2a45f7aa1460a5a90c162a0e00d9bb4c82af408f6c75d684d764fb54532923ef1d167828b3340ce06716bc3d552945261e6d8711e

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2c6fb1ca-7f49-06d3-3080-e7811bdac4b5.xml.a79260

Filesize
3KB

MD5
fac3b018129a294ffae5f65f4f9f25a7

SHA1
979f94172763dee513c87ececce859714219e6cc

SHA256
c4052c13e079ce2ac748b9e6b188bc49b1ddc1626dd07a0630fa9ea37d87f252

SHA512
891e2bc4c307dc9896f2229c8385b41f4b3240c0a044c4189ef56ea4d436c3610f1c2bae622ad18e4a049c807d51d21d2c751c0feaa635a861434efe82bdcdcb

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2e267d1c-9ef4-8ee3-57be-e11f61eb9d03.xml.a79260

Filesize
3KB

MD5
578e8e19d3beabc400e15e69120666f4

SHA1
7fa417d4c799e0e721c5b36243d7002632d298b5

SHA256
22731d98321b94944d04cc6b48eda40ae301564ac0817e8a4ee4c763e88aa36f

SHA512
a163bd06c16b9bfe05d94989d028c7b3133effbed1d9848570c0044f420a668dacb9123c6ab187f23bc879932d07ca77003f3206eff3fe3076f021bea24cdff4

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2fce5472-3348-97e3-7dd8-2df4a43fb8f1.xml.a79260

Filesize
3KB

MD5
3393ed9b3c227bb2aa3f9a6f61ec317c

SHA1
a374eb3deb934b78148b00de82b7505c5ec3ee36

SHA256
5c21c3f54d737023fc80d1be41de3f88fd8c0e023145e7ebcbb3a6de781f6147

SHA512
58d2d8cf7016107169e0b59a8324607c831ba3d4be810776ed967003f00880053441277cf164d92825b40675030583c500bafc3032ad75de1827f86947215ca8

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\306e67c8-9a1d-38de-8654-054bd8a6e6d6.xml.a79260

Filesize
3KB

MD5
aafe1eae83fa52ed4184ce8bd140e403

SHA1
4d08d577de695bd19e394c4c5068b59420176de7

SHA256
a5ebbde2cc0d83b6fbca80fe7df55aa7d0a640eb3864d53ced56291b6631e888

SHA512
418e71b392ffecad76bf194339169ecac660234bacc6ee5a5352fa1b19b479253e00088b766ad411862d8db150545ac1d3fea6b204656a384d2052574bc47ce8

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3110b8d7-d60c-6adc-c3ce-bd22f748af91.xml.a79260

Filesize
3KB

MD5
e217ec75ae18e36367fe055d7586b1f3

SHA1
130dcad46e5720323892371c59b20e5203e53c0d

SHA256
f80b1d232dab6c5064e6b4e067b49758724c0d0e5148ccf377f1c6fade27882b

SHA512
7d47ecf331035bf00f1caf98eec0bb41044e7fb48784006aac8f98ce543227956f1081239679d524a1058219361bd8507513c0aa66a83a8bcb8c5022644cd895

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml.a79260

Filesize
2KB

MD5
3daccb3ba27e9b629f60b30f8fb15a85

SHA1
67a5b533eaf3faf54ce1cfe92c10f4fed8860581

SHA256
60ade2e55d9a141f06ff2aacca6c874bc606360c40be76bcadcdef7944d9c05e

SHA512
da9eb080aac3726df4415ac1bf61959db7784444bebd5c258bdd67bfc4653eb6822d8ca1cf1ed319493c6a2b4f9b779def6c3b4163c19986c2e40262982b4aa9

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.a79260

Filesize
1KB

MD5
c79114aa150853f65ba03a84fa8d8213

SHA1
ba32e99da283bd5796ec19dd8c879c24d3836afe

SHA256
022a4abd19b3832de748fb5f34856918320885b6dd64b5d9dac104135871374d

SHA512
caeb0ba5f65f4cf756b9445c7840c980d19e9e51df559c88efb35171369defa43481def145cecd7cff7b3c834f3d083f89b0c9afb394a7dd50fd9b122cad2ecc

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.a79260

Filesize
1KB

MD5
2a67b1ae76d6d4db0ccf0160a7fa01bf

SHA1
df5a303cc24d9332f546fb8f19008efdd8b4dfc9

SHA256
cea245fa06f10c32b1ab50f2eb4d811ff28a40926a863c86c2cfee2634da30bd

SHA512
766f8377199460a0ded81deb3bb8abfa2fb70551f8728d60fefd4c208ebab14533d88cfccecb21fcc170e28c6364865786a448c9158204b51358fd7650c81f5f

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.a79260

Filesize
910B

MD5
162c852853f6de5e0760a90718f2a1f7

SHA1
88e20ce6cdc1c03428c4a2c8bc8e458cf0aa719d

SHA256
8bbef0730f34b325aa83b21663e3d2a1d1dc23d877502f6b622e54c10e9bb7fc

SHA512
b5432c10b5ce58c34499c63e2f5b275faf4b1fa7b8e5dfa3fb43c4df414b3969b83c8e83d420e36857412bb36d735a587723a3079330f54d71d0176598637f6d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.a79260

Filesize
894B

MD5
1bbf6712bce188ac0c608b3648ab39af

SHA1
e7cc438f2432e6d88d178cfe0c322f01509d8a75

SHA256
37a0045e5a963a400ef918e701cb5551628eb625ea02977b74a7a5905d3d1536

SHA512
21ee243ea23a81fd89fe593554ea4bc8e3a1d312459f25e0ccc95d58f6536da21b76d3616e006644a62879bef708e239f59bb053492d7408a72ee9cd03c443c5

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.a79260

Filesize
910B

MD5
81e9eba1222a522890cd5e53a7130334

SHA1
d1187976ce1d8f307056a9992dbcb16fa16e9807

SHA256
09ce3a125aa68ecd26fbda4493afc053265fff9a388c76fc270460731545886c

SHA512
caa32e6223e6a572620a956fb10d2c5b6e78e1ddef473be4fb4b308f3bd931ab74daa318a115d664bab88a87a4ed25e6c8e8888bd9c220c33e8f13e880ce38f3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\A79260-Readme.txt

Filesize
1KB

MD5
98538bdcacb13765e647721a782b95a3

SHA1
6170e7461f125b5003e5829bc1d32c99790a2150

SHA256
c8cfddb902b0a8b341cc0323926e6d141f36e7a563d1822bb593a34aa7808463

SHA512
58d57f8ed02ee636f2177ed22cf34e4143e21bb140a32a70eed39f92eb84f08d86a07063ad527ff274868448c6c3ff0cf12632fc7fb680cbd8279128fee7723e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133533386677284843.txt

Filesize
72KB

MD5
689c53722bea6b8518732e0a47032dc7

SHA1
b338039fe22513a239e872dcf413a425c5365016

SHA256
178b99a86740d4c71b6d98459b284fcc16efcee7001fbf6d3be6eaaf83a3e055

SHA512
b1fe7dc90b754ed75013d1b8f6082aa96ba03e270644b932327b54ede6e1bb80e3925248e579e97b391f5c3d44b17ad7bc7f7c4a8e31d100a991e51e27f4940a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDGQY6WS\microsoft.windows[1].xml

Filesize
97B

MD5
208a32b5ef1c9a688ee8a81ccab092b2

SHA1
c3070e0c2ef2be25df900290884fe30344a2c787

SHA256
71f2e4a1a1e031fa5225a2c026d7f8780ff8000b7bd95f74e550c78871b4b334

SHA512
d5117fb04cf103b09628000eb90139a025aa756b768fa159c80f1abbb4783946347f860b3c663ec211514d5ac840e4c5f0a55f5091e0d397742fb42a67497197

Download Submit
memory/5736-9472-0x00000220D3640000-0x00000220D3660000-memory.dmp

Filesize
128KB

Download
memory/5736-9475-0x00000220D3600000-0x00000220D3620000-memory.dmp

Filesize
128KB

Download
memory/5736-9478-0x00000220D3A10000-0x00000220D3A30000-memory.dmp

Filesize
128KB

Download
memory/8820-7703-0x0000020172F90000-0x0000020172FB0000-memory.dmp

Filesize
128KB

Download
memory/8820-7701-0x0000020172B80000-0x0000020172BA0000-memory.dmp

Filesize
128KB

Download
memory/8820-7649-0x0000020172BC0000-0x0000020172BE0000-memory.dmp

Filesize
128KB

Download