Malware Analysis Report

2024-09-22 11:57

Sample ID 240414-nzp9pagd53
Target ca13f4913d90017fd5cd552b30c25349
SHA256 25c3a5bf8a33e941286f5f271843a480e4f8669086eac047abdfd6f8d5f96a06
Tags
troldesh discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25c3a5bf8a33e941286f5f271843a480e4f8669086eac047abdfd6f8d5f96a06

Threat Level: Known bad

The file ca13f4913d90017fd5cd552b30c25349 was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware spyware stealer trojan upx

Troldesh, Shade, Encoder.858

Deletes shadow copies

Modifies Installed Components in the registry

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Enumerates connected drives

Checks installed software on the system

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Checks SCSI registry key(s)

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Interacts with shadow copies

Suspicious use of UnmapMainImage

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-14 11:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 11:50

Reported

2024-04-14 12:11

Platform

win7-20240221-en

Max time kernel

856s

Max time network

845s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\292933C5292933C5.bmp" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\clock.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\service.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ta.txt C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\settings.css C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe
PID 1708 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe

"C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

Network

Country Destination Domain Proto
N/A 127.0.0.1:49211 tcp
AT 86.59.21.38:443 tcp
US 208.83.223.34:80 tcp
SE 171.25.193.9:80 tcp
NL 194.109.206.212:443 tcp

Files

memory/1708-0-0x0000000000230000-0x0000000000305000-memory.dmp

memory/1708-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-11-0x0000000000230000-0x0000000000305000-memory.dmp

memory/1708-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-13-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-72-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-73-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-74-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-75-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-76-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-77-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-78-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-79-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-80-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-81-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-82-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-83-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-84-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-85-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-87-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-86-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-88-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-89-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-90-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-91-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1708-92-0x0000000000400000-0x0000000000608000-memory.dmp

C:\ProgramData\System32\xfs

MD5 ce7bbb0196c3978edd4506c524d41af0
SHA1 320a80e6428ade150f0de562f34ebc4dc4248b2c
SHA256 88ec5c20513ff83874617f9b70d4c43403a47f20858282b951aa2dfb9f41dc30
SHA512 33d84dfe9cd69467224a67707249d5fa7004cd5a26d6e3312dd3ded7c74e9f7426d78cbcd013263c4e68ac2aae9b8bf92260eb6d4c8bb0fe9bf30fcce75eaafe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 11:50

Reported

2024-04-14 12:11

Platform

win10-20240404-en

Max time kernel

1190s

Max time network

927s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\FC3E12B3FC3E12B3.bmp" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tiles\freecell.jpg C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Goal_2.jpg C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Content\Nexus.json C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\angry.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\tilebg.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\RibbonHit_A.wav C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gb_60x42.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_2.jpg C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\SplashScreen.scale-150.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\ConnectSave.emf C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_4_Point_Star.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Lollipop.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\StickySelection.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1850_20x20x32.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bo_16x11.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\MicrosoftLogo.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\nz_16x11.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Dark.scale-140.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\freecell_icon.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\2717123927\1590785016.pri C:\Windows\explorer.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe

"C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:49772 tcp
AT 86.59.21.38:443 tcp
US 154.35.32.5:443 tcp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 193.23.244.244:443 tcp
US 8.8.8.8:53 25.251.17.2.in-addr.arpa udp

Files

memory/3252-0-0x0000000002200000-0x00000000022D5000-memory.dmp

memory/3252-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-13-0x0000000002200000-0x00000000022D5000-memory.dmp

memory/3252-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3252-72-0x0000000000400000-0x0000000000608000-memory.dmp

C:\ProgramData\System32\xfs

MD5 f5173091f79cec8ea57c4049eed114a8
SHA1 8203cfbb8324ea0beb6e71202a5a1ccb2a0cd1e1
SHA256 55cc47e72cf18b69cad2a9883d485ad61c34111bba79e9dcab3f001d81a044bd
SHA512 50a2d301b4f1a577f1a4e6ccecfbcea28c3fcef2699cc4ccdf46120bb03d114c0b7b9a4569f6375ad6531e0c25ef9ce3512e502b034c65382b8b94425e474133

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 419a089e66b9e18ada06c459b000cb4d
SHA1 ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a
SHA256 c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424
SHA512 bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 47a7af53d005ff297d88b1e246ff3d00
SHA1 1e5510d0ec5f09e681287931495365fdca7b7641
SHA256 48b8b4f5f58296edea6409a14e97cb71bd9bcf411016199b404e94c4c66be027
SHA512 8565143dd6e2ebbfc4534e2bfa14cb56d50f7a9cd660729b46e7b62f181c6b066d8dbd982a95e90122cb771eec0b5724978f1ec8394fb1ffb1ab6fa17bbffdd5

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-14 11:50

Reported

2024-04-14 12:11

Platform

win10v2004-20240412-en

Max time kernel

1192s

Max time network

1164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\247AB79A247AB79A.bmp" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6.jpg C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\PreviewCalendar.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-250.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-48.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_32x32x32.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\IsoRight.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Silhouette.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_4.m4a C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.tree.dat C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8041_32x32x32.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-300.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Flight_Light.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_4_Loud.m4a C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_0_Loud.m4a C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3198953144-1466794930-246379610-1000\{8C8515FB-BBFE-4C28-B0F3-D986B2BDA7AA} C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe

"C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
N/A 127.0.0.1:54779 tcp
US 128.31.0.39:9101 tcp
SG 76.73.17.194:9090 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 225.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
SE 171.25.193.9:80 tcp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
AT 86.59.21.38:443 tcp

Files

memory/4792-0-0x0000000002500000-0x00000000025D5000-memory.dmp

memory/4792-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-13-0x0000000002500000-0x00000000025D5000-memory.dmp

memory/4792-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-21-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4792-72-0x0000000000400000-0x0000000000608000-memory.dmp

C:\ProgramData\System32\xfs

MD5 2b3666e29478742a44147f18dc272381
SHA1 7f80b76d86a160984932918225aad4a33c1a51a9
SHA256 d8c1d50059b5c232fadc576149ff269f454286274daaaef442cfd4cdb49b0a08
SHA512 2128033c7a2e750d6d79e2001a529913a78453b9ea7897cfb58a484157d8aa433245a3c6cf5a6caed4ccb3761b024280879b8bf589e3b78d6c8977726565d288

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-14 11:50

Reported

2024-04-14 12:11

Platform

win11-20240412-en

Max time kernel

1192s

Max time network

1182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\7F2267267F226726.bmp" C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-100_altform-colorful_theme-light.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\DocumentCard.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\CameraAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsLargeTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\bg4.jpg C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\classNamesFunction.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\osDetector.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DetailsList\DetailsRowCheck.types.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-48_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarFirstRunLogo.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\README.txt C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\warn.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsRow.styles.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PaintLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-20_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-400.HCBlack.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\CameraAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-150.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib\getVirtualParent.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\merge.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-72.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsStoreLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\TXP_Package_Light.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\GroupedList\GroupShowAll.types.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Spinner.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-48_altform-lightunplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\fonts\createFontStyles.js C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c2006020004002c0010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "0" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133574038085668999" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "23" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070400420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000f1e03b93e18cda0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "0" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe

"C:\Users\Admin\AppData\Local\Temp\ca13f4913d90017fd5cd552b30c25349.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

Network

Country Destination Domain Proto
N/A 127.0.0.1:49750 tcp
DE 193.23.244.244:443 tcp
AT 86.59.21.38:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 128.31.0.39:9101 tcp
US 208.83.223.34:80 tcp
SG 76.73.17.194:9090 tcp
NL 23.62.61.107:443 r.bing.com tcp
NL 23.62.61.107:443 r.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
US 8.8.8.8:53 170.61.62.23.in-addr.arpa udp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.107:443 r.bing.com tcp
NL 23.62.61.107:443 r.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.138:443 www.bing.com tcp

Files

memory/4808-0-0x0000000002460000-0x0000000002535000-memory.dmp

memory/4808-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-13-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-14-0x0000000002460000-0x0000000002535000-memory.dmp

memory/4808-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4808-72-0x0000000000400000-0x0000000000608000-memory.dmp

C:\ProgramData\System32\xfs

MD5 f7c9429ac2c3e2e23f37d688c4b9250f
SHA1 4333a33b6de17302c697831edc6abd6eb1968408
SHA256 60885556f2efe31d902c68c5cab7714d9dbfc87b5be6aa527dff7203963dc4df
SHA512 8f13b4236dc157d1f61bbfd8739459b51e234d8eb64edaa7de887e9510350de1548c9a19cb16df21092a8a380601a65420c6dae1a7149583498d5f125f0561ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 419a089e66b9e18ada06c459b000cb4d
SHA1 ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a
SHA256 c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424
SHA512 bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 94ba4a2911c47faf1ff3d119cc33235e
SHA1 2e23fe3205ae0f413632ed4d70714e569d74135e
SHA256 e7caf249abb90245e5e6d9e5716c6359c65808326fc3a0578156f973f94ca56d
SHA512 797efe5f8fc6e10ec19a1819a7a9d41d21e0e0aa95094acd10051c47bef3f56285348efd4921bbb40990a2e8a4ca5be5844f55f12bc37ee3914a6e1b17a99a9e

C:\Users\Admin\AppData\Roaming\7F2267267F226726.bmp

MD5 993cc909a89f0fb7fe90acc3703c2105
SHA1 f422cdcb426718b235a19080b0daf71c9b448768
SHA256 4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA512 5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 83ef8c0f2146b55c4b71143c97f80db5
SHA1 c542ee3860a1f351d41fdc8b564093b03d1d333f
SHA256 08cf4cf53f874671b193bde236c9a51cf1ad25a42581372dd5023155991d608b
SHA512 5c6d23491c640ab73c0c4883ea5759d9f14543c561f075255b024e119c2062b34a292a7e9a68587e552c61a5af2a50fdd43cac13b47fa04f2785e0eb96a85a28

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 32de370bdfc009cf22aee891e117ccde
SHA1 7ca8fd83f27485e461640fb31fd1fcae8498fa1e
SHA256 6250edbd1cd63d87502a17625d9d6d28517711c0a82e36c866d82c62b8f19e61
SHA512 c01ddf12332436b779a56ce9c7f88649241e46f3d680f6d447df13fb9a00389c9c6a11dea488cf75ac3930584a0f09b81f31e1df47f093c5076145c98b687c99

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5 ae6fbded57f9f7d048b95468ddee47ca
SHA1 c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256 d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512 f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat

MD5 ce18ce56e99b0becdac1acf971555307
SHA1 a5b25803f7806d2a3f239803684bd70f65e5420c
SHA256 798187064fe76693b6d43336013ce439514fd2626290ead457e99c89dbb3607b
SHA512 e93a9ad9904bfd69c5d2a84be883326b648baed7e5b828bdbe7a1b897410eaafd2f9332c3de18d4f1ea2ab50a05aa424169f347ae495cc8b3510a26fe5c010a9

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133575702498278075.txt

MD5 65d939ef67bf440d30c8dee4eebe4890
SHA1 5aa8c724f2e458d7c7c6fe7bd6daf0f48b13fc40
SHA256 e7abcd543a39be760c610fb1cd8a101abfffc6002e47aaf7dea39b31f94a3531
SHA512 8237d8dcab2898614b13f052ca540e6f094b7eb4653a110b572967b3fd34c5d29982cb1ada9a4e38702d08cf736c684ae8269aeac55f0fcbcc2d5b04dfbb50e7

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 292034617cd36b277ecbebf75f6f51bc
SHA1 5c8b9b101a55cdff3d2ba1b96013b1aa278af71b
SHA256 2175f2f5ff32d4ca7496faf6f4eea49e73b7b935e68c08a0d7e82a9e2239cda6
SHA512 e6198a547ea322684ede292552541586c5ff29d84bf626dbbdde445f380558c0459697905e7e7e4f42119d35110c25ab8bd82137b2a30a2cdd70934971b84988

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 c55db5f4d1b9139fc0b0a658943fb534
SHA1 0f73c92826a15c6d207e91bb8bf91bc545903e85
SHA256 31f9d6ad5fb63d94c4f14cc4defd96b1cf6e95bb386878e7f9ed789679c6dc2e
SHA512 0265d2818c40651868bb15badeb5d4166c27ddb31b4ef24c0d976569fcea9bdc14109a4e3edef18d2c0e17d2fd81e1fd65c022ca453ed9a9ad1978c6212b5981

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 17cdbfb366f2038bd60edbaefea7f2a6
SHA1 5edf3e32f3b137c35fa7be3cbe93d7b1501f0c63
SHA256 f9a35ba678da0c5210929381bb0ee1a02c1d794f66fc8336090291f8de3f3f78
SHA512 037203d3e78ea40e8f19f16b48acd1e523638976b45f7ac45c1a3206da96b1f51944d88e6bbc27abfda237545576103fd0f8dbb54e772ba8f21bbaf32dd44126

C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\OC9I7LFD\www.bing[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\INetCache\CMNF9791\s13bmMn_O0leWsDgDXskAu2MbjY.br[1].js

MD5 9e527b91c2d8b31b0017b76049b5e4e3
SHA1 86bc98423492c4ceb41277298277edbd217e2d3a
SHA256 38edf0f961c1ccb287880b88f12f370775fc65b2e28227eee215e849cdbe9bbc
SHA512 4c19a7633ea4042a5c19b0f9e4aedfe0b67eca49f7a30aae8c59d489348712da3a84c03b695e16ed50cfbe5a838d0226bd930ac6847474d6398a7ca1c5f65b98

C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\INetCache\CMNF9791\8Iupe8mQJXOTRBabUuOGzTKv2fg[1].js

MD5 d19fdc0e6ed0aee95f793d3e8518fdf4
SHA1 f28488b25c00f506455a5177913bc3875e00ecf6
SHA256 285a8fd6f01259ea9994c337828212e22367d379de53931bd6945ec17d8803e6
SHA512 40359c50ed8a159698b37be28d5e0060ac682ac22532b5742baa00756253e637ab7809796749d92fd15b62b4cce44fa3fefd0ab6ccd87cf72ace761cdadd1211

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133575702632317554.txt

MD5 09fa2c626f558226cfdbcfdcab8b5248
SHA1 de125841635f74c4b225859e163c80eb9832ad5d
SHA256 7763b4a38f77350aa9b514115b30f03f4e842e32278e013989d9addcfa5eae5d
SHA512 8330e4c5db28ce0bc05194cb3ab72adf9ed0fcb65ec82ba46aefeb9e3d3d92cfd9cd3c0f993e0f486d437998549a1d5a97aa67c91137dba5a8a6d2aa0eb4ab33

C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\OC9I7LFD\www.bing[1].xml

MD5 fc7dc904c9a23aaca94abadf0507c25c
SHA1 f08bbdbfe8bc9a2238b565a068d6cce67dfad84a
SHA256 8b7fa20c01b601101413b535643cf67301e28e4a53d2fe43e09c0108d181b05d
SHA512 d433d3a0000ca6bcca41876a33bca6b2b7b7db8cc0f875182c14078b406467ddcdf3b3bc91d33dae9bea57731452cfa32d8adbe689dc21eeb13c5547960aa450

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

MD5 904d4819f44c674b22f654c6fded86d2
SHA1 12ba00ebb35364790bd5081186d86f73f136d4bd
SHA256 505bf118f44fc36780af6415be4b7bfe8c3aa0eb0c2865ab640eaf540fa667f0
SHA512 1e242885e70aab51ea132aaec18127f547c0f377f4a72b02dbf100af3ed45b04161d1bb328927af09b89826201daf18fe47dbf18586bb72719e9bd0a85612b11

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 aa8cacd9203c6018908f6b1d3a51b073
SHA1 040b7604c3b82ebe71bac09a978d064aab82f30b
SHA256 3214b4149df9046068c5675681f198006895f9791a06986bfac45ee3d99694ea
SHA512 b3c71f99915871de7debfefac2658909c8e27ec470d041001d4e122487c0378a87458515005e31d4aadfeded08dab19a76e1a4c234fce0037ce7899edb3d4de1