Analysis
max time kernel: 31s
max time network: 72s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 09:22
Behavioral task behavioral1
Sample: entry_1_0/ep_setup (1).exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: entry_1_0/ep_setup (1).exe
Resource: win10v2004-20240226-en
General
Target: entry_1_0/ep_setup (1).exe
Size: 2.4MB
MD5: 253012a62bc1d805c8c0b1bbf936c6f0
SHA1: 33728ba8f5ad3a4f0e1a5d6890022c377c0c00f8
SHA256: a25e2487bb4b638d6333d652db58532f3f29dd5ddb7711f70f52e0e61e8d3f51
SHA512: 06842aab184f35c855dbf450534f9de7d66bb5923d0119c3ada19a08dc9f5c2b287321c571cf8b4727927517c6dabe37130e7b9a6eed4892159112ab6e45f57f
SSDEEP: 24576:j+G047epooYKZYzX1HWvWKz4E+hhf4udB2mMmsZJlrA9yoiO2V0KcJx3UnpLco7r:B047epoC8cWKssZfM9m1AJxUFr
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe, explorer.exe
description | ioc | Process
- Key created: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ep_setup (1).exe
description | ioc | Process
- Key value queried: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation (ep_setup (1).exe)
Loads dropped DLL 6 IoCs
Processes: regsvr32.exe, regsvr32.exe, explorer.exe, StartMenuExperienceHost.exe, explorer.exe
pid | Process
- 2880 regsvr32.exe
- 2880 regsvr32.exe
- 4296 regsvr32.exe
- 2764 explorer.exe
- 3580 StartMenuExperienceHost.exe
- 3908 explorer.exe
Registers COM server for autorun 1 TTPs 6 IoCs
Processes: regsvr32.exe, regsvr32.exe
description | ioc | Process
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 (regsvr32.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: explorer.exe, explorer.exe
description | ioc | Process
- File opened (read-only): \??\D: (explorer.exe)
- File opened (read-only): \??\F: (explorer.exe)
- File opened (read-only): \??\D: (explorer.exe)
- File opened (read-only): \??\F: (explorer.exe)
Drops file in Program Files directory 9 IoCs
Processes: ep_setup (1).exe
description | ioc | Process
- File opened for modification: C:\Program Files\ExplorerPatcher\ep_setup.exe (ep_setup (1).exe)
- File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll (ep_setup (1).exe)
- File created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll (ep_setup (1).exe)
- File created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll (ep_setup (1).exe)
- File created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll (ep_setup (1).exe)
- File created: C:\Program Files\ExplorerPatcher\ep_setup.exe (ep_setup (1).exe)
- File created: C:\Program Files\ExplorerPatcher\ep_gui.dll (ep_setup (1).exe)
- File created: C:\Program Files\ExplorerPatcher\ep_dwm.exe (ep_setup (1).exe)
- File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll (ep_setup (1).exe)
Drops file in Windows directory 2 IoCs
Processes: ep_setup (1).exe
description | ioc | Process
- File created: C:\Windows\dxgi.dll (ep_setup (1).exe)
- File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll (ep_setup (1).exe)
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe
pid | Process
- 3416 sc.exe
- 220 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies registry class 47 IoCs
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: ep_setup (1).exe
pid | Process
- 4480 ep_setup (1).exe (10 identical entries)
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: explorer.exe, explorer.exe
description | pid | Process
- Token: SeShutdownPrivilege, 2764 explorer.exe (9 entries, alternating with the next)
- Token: SeCreatePagefilePrivilege, 2764 explorer.exe (9 entries)
- Token: SeShutdownPrivilege, 3908 explorer.exe (5 entries, alternating with the next)
- Token: SeCreatePagefilePrivilege, 3908 explorer.exe (5 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: ep_setup (1).exe, explorer.exe, explorer.exe
pid | Process
- 4480 ep_setup (1).exe (1 entry)
- 2764 explorer.exe (56 identical entries)
- 3908 explorer.exe (7 identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
Processes: ep_setup (1).exe, explorer.exe, explorer.exe
pid | Process
- 4480 ep_setup (1).exe (1 entry)
- 2764 explorer.exe (13 identical entries)
- 3908 explorer.exe (10 identical entries)
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: explorer.exe, StartMenuExperienceHost.exe, explorer.exe
pid | Process
- 2764 explorer.exe
- 2764 explorer.exe
- 3580 StartMenuExperienceHost.exe
- 3908 explorer.exe
- 3908 explorer.exe
Suspicious use of WriteProcessMemory 10 IoCs
Processes: ep_setup (1).exe
description | pid | Process | procid_target
- PID 4480 wrote to memory of 3416: 4480 ep_setup (1).exe, procid_target 91
- PID 4480 wrote to memory of 3416: 4480 ep_setup (1).exe, procid_target 91
- PID 4480 wrote to memory of 220: 4480 ep_setup (1).exe, procid_target 93
- PID 4480 wrote to memory of 220: 4480 ep_setup (1).exe, procid_target 93
- PID 4480 wrote to memory of 2880: 4480 ep_setup (1).exe, procid_target 95
- PID 4480 wrote to memory of 2880: 4480 ep_setup (1).exe, procid_target 95
- PID 4480 wrote to memory of 4296: 4480 ep_setup (1).exe, procid_target 96
- PID 4480 wrote to memory of 4296: 4480 ep_setup (1).exe, procid_target 96
- PID 4480 wrote to memory of 2764: 4480 ep_setup (1).exe, procid_target 97
- PID 4480 wrote to memory of 2764: 4480 ep_setup (1).exe, procid_target 97
Processes
- C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe"
  PID: 4480
  Signatures:
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\sc.exe
    Command line: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
    PID: 3416
    Signatures:
    - Launches sc.exe
  - C:\Windows\system32\sc.exe
    Command line: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
    PID: 220
    Signatures:
    - Launches sc.exe
  - C:\Windows\system32\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
    PID: 2880
    Signatures:
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
  - C:\Windows\system32\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
    PID: 4296
    Signatures:
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
  - C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 2764
    Signatures:
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3580
  Signatures:
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 3908
  Signatures:
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 4104
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 1760
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2244
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3432
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3844
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1664
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 1292
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 3732
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 4408
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 1936
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2524
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 4456
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 3624
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 1324
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3328
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4244
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads