Resubmissions
29/01/2023, 18:20  230129-wy2v4aab6s  score 10  Analysis
max time kernel: 1196s
max time network: 1164s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14/04/2024, 12:11
Static task: static1
Behavioral task: behavioral1
  Sample: 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral4
  Sample: 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  Resource: win11-20240412-en
General
Target: 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
Size: 1.2MB
MD5: 969305f9f01a46e8eee82885d9bde2bd
SHA1: a5cf52711faec6b7ec152ac074496a7a6e825765
SHA256: 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70
SHA512: a916a1ef2bc9c77e9cb3476def54747dcf9c6819c9dd436d8e7ec4f9c3046ce850db7727fc97f820aba070015e06975540f5cacbf6e7341a3ffb787560590ba2
SSDEEP: 24576:U0Xy5spQBcumH3iA537SEHKa3RoMF/tM7duvJkdV4KL:U0iupecuYSAt2E53WMF/+duvJIV4S
Malware Config
Signatures
Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  resource | yara_rule
  behavioral2/memory/3636-1-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-2-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-4-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-3-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-5-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-6-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-8-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-11-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-12-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-13-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-15-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-16-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-17-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-20-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-21-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-22-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-23-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-24-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-25-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-26-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-27-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-28-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-29-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-30-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-31-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-32-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-33-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-34-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-35-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-36-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-37-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-38-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-39-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-40-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-41-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-42-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-43-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-44-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-45-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-46-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-47-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-48-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-49-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-50-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-51-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-52-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-53-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-54-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-55-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-56-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-57-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-58-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-59-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-60-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-61-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-62-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-63-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-64-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-65-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-66-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-67-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-68-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-69-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/3636-70-0x0000000000400000-0x0000000000608000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 3 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\F: | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened (read-only) | \??\D: | explorer.exe
  File opened (read-only) | \??\F: | explorer.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\AB4AF5A6AB4AF5A6.bmp" | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-150.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-125.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-colorize.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_32x32x32.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sv_16x11.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Glasses.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\1c.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\keyboard1.jpg | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\oliver.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-100.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-200.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\pageBackground.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-150.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\WideTile.scale-200.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\LargeTile.scale-125.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\LargeTile.scale-125.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4608_32x32x32.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-white_scale-200.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-400.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-200.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\178.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated_contrast-white.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\wait.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-150.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-150.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\klondike_menu_icon.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Tips_5.jpg | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xml | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_contrast-white.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\WideTile.scale-100.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-400.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-125.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ad_16x11.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-100.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\StarClubTile.Small.jpg | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated_contrast-white.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sg_60x42.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\23.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\183.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Gimme_Five_.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg4.jpg | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\fo_16x11.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\XboxControl\Internet_icon.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-100_contrast-white.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-400.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\649_20x20x32.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\12s.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-200.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-125.png | 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\rescache\_merged\2717123927\1590785016.pri | explorer.exe
  File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | SearchUI.exe
  File created | C:\Windows\rescache\_merged\4032412167\4002656488.pri | explorer.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 26 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  4732 | vssadmin.exe
  3180 | vssadmin.exe
  3680 | vssadmin.exe
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\GPU | SearchUI.exe
Modifies registry class (32 IoCs)
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e00700070007200660066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000049d07652678eda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d00
39003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a00200036003700250000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000c95c4252678eda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000007fe99f2e8a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a00660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80704000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b007200000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" SearchUI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" SearchUI.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" SearchUI.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065951487163" explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process
Token: SeBackupPrivilege 1472 vssvc.exe
Token: SeRestorePrivilege 1472 vssvc.exe
Token: SeAuditPrivilege 1472 vssvc.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
Token: SeShutdownPrivilege 2700 explorer.exe
Token: SeCreatePagefilePrivilege 2700 explorer.exe
-
Suspicious use of FindShellTrayWindow 44 IoCs
pid Process 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe -
Suspicious use of SendNotifyMessage 23 IoCs
pid Process 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3668 SearchUI.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 3636 wrote to memory of 4732 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 74
PID 3636 wrote to memory of 4732 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 74
PID 3636 wrote to memory of 3180 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 78
PID 3636 wrote to memory of 3180 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 78
PID 3636 wrote to memory of 3680 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 80
PID 3636 wrote to memory of 3680 3636 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe 80
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3636
-
  C:\Windows\system32\vssadmin.exe (level 2)
  Command line: C:\Windows\system32\vssadmin.exe List Shadows
  - Interacts with shadow copies
  PID: 4732
-
  C:\Windows\system32\vssadmin.exe (level 2)
  Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
  - Interacts with shadow copies
  PID: 3180
-
  C:\Windows\system32\vssadmin.exe (level 2)
  Command line: C:\Windows\system32\vssadmin.exe List Shadows
  - Interacts with shadow copies
  PID: 3680
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 1472
-
C:\Windows\explorer.exe (level 1)
Command line: explorer.exe
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2700
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (level 1)
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 3668
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 185KB
MD5: f8c6f1a2aaf065c71100fce4581a245b
SHA1: 778f5319003c53c6c40497f63a2e6d75eb20d77a
SHA256: 4f2e2e2b7942f2f6cb54b1febb90efae67e52f3da53d22c3146d6ac9f98940fd
SHA512: 44c65a3a2e589f0dafbda60d21ff1b3d594cb017f2df83f667398c195ba233aea2a01742530489eceedbb7a422385e3c265724457ce2f0dc47bb60ff6a864de5
-
Filesize: 1024KB
MD5: 46e05c055d0133fa7f0cff39ff3d9cb9
SHA1: 26c73e09bd432874c7090f6966a6b491b9052599
SHA256: 39d32cdc639d4024c8716ff95a032b42e331a46bdcec2d8287e94e7b65c57736
SHA512: 18cefebe5edbd2006f460769c992b6ef15ec0a963f32f99faae613cfc9d24eccf3179978dd587110823ea837c2d06d1d79665242010a77d4179f424eec380db2
-
Filesize: 7KB
MD5: a525bf7ee848eb0b525a4ad60a49a01f
SHA1: d160a288dba24a6305aacc5df1e6507d15078b03
SHA256: 610674197ee571b7f129461e71f2dfe2527e93fd0186d9ae0a74125404f289a6
SHA512: c9b9f2865a45a0d286a16508056a3bf0b4c28d5c08643edbb2b6422ed83676d183f8fa19b8c87ee99039c423cfd41e362e7c3d78cfd12404a95622ca6dc6a197
-
Filesize: 1024KB
MD5: 00962796e8e6a67848fe922af39dab36
SHA1: 5c6ef18bee17287befd41bd8d963b1ff9c06a768
SHA256: 4244481bf9223510abb20c966740da6b6cdf71e927812b71d72ec1521d04cd3f
SHA512: e1c699041911cb6b04997bd2c24aee1dc79c3a05196b4565adaf829e38b87d0ca79482e845c08aa0aea8e4564c3c90824f99c2aec76eac18e1bbeac5d1eebe26
-
Filesize: 1024KB
MD5: 26d861c6988cb478c573e3fff56d13f0
SHA1: 05fb8403f842c0b222f80972f9168fb1e2e33dbf
SHA256: 2ae98b086b1bd71a33e73176052788132ebece623b7fcc126641a14187790a7a
SHA512: 912946adcd25e85cbf64604968c0f38dde5fcab00298c095dc5838239268ef7cff44c1fce9f89c79b4b10a360e0c23a8ef83e562d88f66cc4d0e58d7a10828e0
-
Filesize: 24B
MD5: ae6fbded57f9f7d048b95468ddee47ca
SHA1: c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256: d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512: f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize: 7KB
MD5: 612647ab3768a5c0527bbe2367b06b8f
SHA1: c3081d90599de8dd1982a9c1749e438ba31ecec2
SHA256: 20186be403f663c1c19a61b040d49f199747b5a0de9010699bad10071071ba38
SHA512: 2c6c2fe53df99c83b5115dbf626edfd68416e6b55a8de72505dc8a417bcc47c8533fbdc789fcf4959b0878a0dee542ac2da8552fc0a7156da7a65ea708859a6a
-
Filesize: 7KB
MD5: 8f8b8d856c7e28ad4cb6d33c904007db
SHA1: c2dc3ac85202381bf1783cbcc9e0f241e0336eac
SHA256: e18c06e46e12cfd92bba9a13a590fdfcc72de51c83a5118e55ef39f98b876714
SHA512: bd7270e1edb30739a76f0bfae41fa956b0f49a0ee6f0afa92bf79a44ddc2d502b1d7908301971c85a71011f96c260e2892a5b0aa7a52aedb2fbef770b723dad1
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\D1ASO0I0\microsoft.windows[1].xml
Filesize: 97B
MD5: 20187d336f3faca6c96b99f44e76a02f
SHA1: f0f3b6ea7edc26f718017c4c4268d01ade195cfa
SHA256: 7dd8c6c6a1922a5195a09a8a84764f1b0c1d3a3c528771e5bb4228fce1278d62
SHA512: bb464b0050983b33b437d4ceba0ec19512b3087bd3bf8ab6acca14192229cb5e81f359957ef0163458fa934fa67e5d42e2743a1e5a7d459c32420ebd26e72ae7
-
Filesize: 2.6MB
MD5: 993cc909a89f0fb7fe90acc3703c2105
SHA1: f422cdcb426718b235a19080b0daf71c9b448768
SHA256: 4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA512: 5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762