Malware Analysis Report

2024-09-22 12:06

Sample ID 240414-pc2jwabd4w
Target 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70
SHA256 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70
Tags
troldesh discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70

Threat Level: Known bad

The file 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70 was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware spyware stealer trojan upx

Troldesh, Shade, Encoder.858

Deletes shadow copies

Modifies Installed Components in the registry

UPX packed file

Reads user/profile data of web browsers

Checks installed software on the system

Adds Run key to start application

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Volume Shadow Copy WMI provider

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-14 12:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 12:11

Reported

2024-04-14 13:21

Platform

win7-20240221-en

Max time kernel

1565s

Max time network

1567s

Command Line

"C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\CC71963ACC71963A.bmp" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\si.txt C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Full.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\common.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\service.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ja.txt C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\de.txt C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\install.log C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe
PID 2904 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe

"C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

Network

Country Destination Domain Proto
US 154.35.32.5:443 tcp
N/A 127.0.0.1:49195 tcp
DE 193.23.244.244:443 tcp
US 128.31.0.39:9101 tcp
SG 76.73.17.194:9090 tcp
NL 194.109.206.212:443 tcp

Files

memory/2904-0-0x0000000001F00000-0x0000000001FD5000-memory.dmp

memory/2904-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-9-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-12-0x0000000001F00000-0x0000000001FD5000-memory.dmp

memory/2904-13-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-72-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-73-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-74-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-75-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-76-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-77-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-78-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-79-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-80-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-81-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-83-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-82-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-84-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-85-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-86-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-87-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-88-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-89-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-90-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-91-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-92-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-93-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-94-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-95-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-96-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-97-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2904-98-0x0000000000400000-0x0000000000608000-memory.dmp

C:\ProgramData\System32\xfs

MD5 0342554eda3a422eda9ee18514ea372b
SHA1 78af88d0c740264eb70ad2a92fbe0d1f378ff6cd
SHA256 35bd98fe2bd565c2b66aaa263fc340688e647da1866b6715096f75b5120c4300
SHA512 dda76e6b24473ff7d77b3529496f93c72c1a0d97751ef0606c5503e9ad0f700c714fe32a53938e77ce3d0b3736cef163f1ddb83f5264567f479e4358cbdd6393

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 12:11

Reported

2024-04-14 13:21

Platform

win10-20240404-en

Max time kernel

1792s

Max time network

1587s

Command Line

"C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\B24AC6DEB24AC6DE.bmp" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Hedge.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_11h.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-16.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim1.sad.scale-150.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\delete_12x12.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\PiSh_placeholder_small.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\StarClubTile.Wide.jpg C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-16.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\PiSh_placeholder.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\1d.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_48x48x32.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\sleepy.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-300.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4608_20x20x32.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\Upsell\dont_ask_check.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\_Resources\index.txt C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\badges_diamond.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_24x24x32.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\er_16x11.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-250.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6701_36x36x32.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\Jack_Of_All_Trades_.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\NavColumn_Black\Icon_Supports.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\flower.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\mo_16x11.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_11d.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\aquarium.jpg C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.smile.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\2717123927\1590785016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File created C:\Windows\rescache\_merged\4032412167\4002656488.pri C:\Windows\explorer.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000003853646d6c8eda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000db174a6d6c8eda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000006772bf1b8a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065551368052" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe

"C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

Network

Country Destination Domain Proto
N/A 127.0.0.1:49778 tcp
AT 86.59.21.38:443 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 193.23.244.244:443 tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
SG 76.73.17.194:9090 tcp
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp

Files

memory/2840-0-0x0000000002210000-0x00000000022E5000-memory.dmp

memory/2840-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-13-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-14-0x0000000002210000-0x00000000022E5000-memory.dmp

memory/2840-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-21-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2840-71-0x0000000000400000-0x0000000000608000-memory.dmp

C:\ProgramData\System32\xfs

MD5 8769b6bcb98e3d7f72409b6759449fb2
SHA1 634e431e42691d75940852b695d3b83b44e6f95a
SHA256 7915742ecfbc696d56c55d3c1e479c71693edbf91765dd11dc170bfc0dc36acf
SHA512 e974aef33755552ce0203031ab7b3443c2454c8246295b9c0c62fe8afac2f879a4314324459e1c1f94e30aedab8ecba68e36588cbe925df8ced68c946258acad

C:\Users\Admin\AppData\Roaming\B24AC6DEB24AC6DE.bmp

MD5 993cc909a89f0fb7fe90acc3703c2105
SHA1 f422cdcb426718b235a19080b0daf71c9b448768
SHA256 4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA512 5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 5a9642d459cbf1be05ca5e52a4a9142d
SHA1 24eb0bebddff4e3e58de4583a94c7453e8f89dc6
SHA256 16bafbf0aeda01f8287aae20e90f91eb85dc0f3129510d0a1da3777232a7935a
SHA512 a24fbc22be9bb5b137266d5928ac48e0e3627d88e4608351d06a8cae732ad673d529be451d19281079617669eaa8cacc3e023e3361db3a3533728fb670b03ff0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 eec3fe6baad1a086027cdd438077289c
SHA1 7d85f86f8447d3c16d85406bf39fb3def1a8cf82
SHA256 5b4aaee1e8e08ca9dbcb68bf922d6cac5b61b0c2c7bf00a272c65dc881d50d57
SHA512 f8ea256986ba1948104e2e72f03ebd699f6a6ecac9db0642a23115e9a48c984b7fb01026bf312e6bab494b4505033a684fa19d8955bc303e30f0739cbf664ef4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 88514bed1dbd866dc5026c141d99206b
SHA1 2598fc94ee02895852843673d910c961e8dba09e
SHA256 f8bafb7d3c3608af6131c0a0c312c996b4621c7f5140686bc5a0c2b056c64666
SHA512 0e3bcb186223e0a2993d23c2a55b7c85e9e59a97f2333128ba2ada79f436eaf1f94c626ce196b4331a758620c0d1b83061077cc63b5e1d3377e28058a7d52193

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5 ae6fbded57f9f7d048b95468ddee47ca
SHA1 c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256 d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512 f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GO5H5QJ1\microsoft.windows[1].xml

MD5 9a9d57ce5ae07c9a465ffe30cbf86ae4
SHA1 bddc659daeda718ad86dff1c9704c82b175c497a
SHA256 9c367bd2b12a2a3d767133956fac9619215c636639ff04eaf222f221a426b5da
SHA512 d7c81b18c7b66b8a12e0af3b47b1dbbb91a81cb1d85c70e73d2b3fd62ce8fdd4f752350c5ae4785a909d3931f59e65741cafa3bc743d58f5f2e1021611e5e033

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 8b580a54ba8510d8ea41ed3873556428
SHA1 0ef24e68c3063d5e58829a33fd15bd7ee60bf60d
SHA256 e5aab11ccc673bd490ecd29a1d86f9afce7e98db9c0d9a03158c18e217306913
SHA512 85165894b0aecca419a50f6b3f84992304590a05d66ccbd3da8d4bcc66a04d383274d67fe21a145592b2d903e0588938fecaca38da610ba8311aa07eab115dcb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 7987596ea194a1254fab7fba595996bc
SHA1 743de41c9c94e4f0cfaf676fa8d0f6168dd9d4ef
SHA256 f023811b848ad0280abeeecd8d2805721ff7e985213189c7a83128f197644b0c
SHA512 b9ee09887d142ef0938218269a7b7c42321ad52cd869c9319e1a753a0b53dd993ccab13036dfc50ac39aa39e5458948e6ae8650b43762485dd765009115bba2e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 3aabc4bf6bdd14699294220f6a1f4729
SHA1 9a47a69b8371dc499aaf36df4949e4fd7c9c68d3
SHA256 da398c29b43f27b898b0ab0b389c98d95eb0cc95232b7bd2a320c9817708be62
SHA512 913f5746cc417e6010661a1d03ea59605e438c440b6db9c9775cc92bbf78ca61f5ab39f5cbcee2c0fcc684b941bacab8ea99ed24293212ff0065b8a69d63ffc2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 5761d5c82649efc792b8a9afd819c383
SHA1 b666bf79772e857211f4bbfb5e1c36d3555a8d7f
SHA256 465726b90368cd8e36bb1769145444f9b946eb7a338f24e44a92005e9f4c5e3e
SHA512 b691d402fbfa0199e058a58b52380e4297721c9b0456ede1b8b3ec77121db5dc80926dbe4cfe3b4e4c18b26accdc4af2f2f05da2b6d3c3ffcea112867af2bc61

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-14 12:11

Reported

2024-04-14 13:22

Platform

win10v2004-20240412-en

Max time kernel

1792s

Max time network

1552s

Command Line

"C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\91F86AE391F86AE3.bmp" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_WorriedEye.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\179.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_fi.json C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\ShellPreviewConfig.json C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\wordmui.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\splashscreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\DeleteToastQuickAction.scale-80.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\PreviewCalendar.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_ro.json C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-250.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_zh-HK.json C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileLargeSquare.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-400.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\logo.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2177723727-746291240-1644359950-1000\{37AA486F-F6C5-4933-A354-2BCDAEB6CE4D} C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe

"C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
SE 171.25.193.9:80 tcp
N/A 127.0.0.1:49683 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 81.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
SG 76.73.17.194:9090 tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
AT 86.59.21.38:443 tcp
NL 194.109.206.212:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 23.62.61.186:443 www.bing.com tcp
US 8.8.8.8:53 186.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/876-0-0x0000000002400000-0x00000000024D5000-memory.dmp

memory/876-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-13-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-14-0x0000000002400000-0x00000000024D5000-memory.dmp

memory/876-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-21-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/876-71-0x0000000000400000-0x0000000000608000-memory.dmp

C:\ProgramData\System32\xfs

MD5 f5273120c807a296beb393c3a0b3a976
SHA1 e00a972d381e96b67c81fe402ab8622dc8baa57d
SHA256 b685eeacefd187391069a038a2ad59328f16dc74441d986f3104419abc9489b8
SHA512 3fcc5ad10e95072b55c8923020b2d29f0f62a6c0c24e1f12603022554b842a528b5a09f9e0abce5d7da54243e568deab4dd80120bc950388eba62045b9b73430

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-14 12:11

Reported

2024-04-14 13:22

Platform

win11-20240412-en

Max time kernel

1792s

Max time network

1556s

Command Line

"C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\80C8ACDF80C8ACDF.bmp" C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardPreview.types.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\KeywordSpotters\es-ES\Cortana.bin C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DetailsList\ShimmeredDetailsList.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-lightunplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\spacing\DefaultSpacing.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCardLogo.base.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DetailsList\DetailsHeader.base.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page1.jpg C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ShareProvider_CopyFile24x24.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\NOTICE.html C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardLocation.base.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-60_altform-lightunplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-amd\ObjectOnly.js C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square150x150Logo.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-400.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleBadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c2006020004002c0010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133574038085668999" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070400420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000f1e03b93e18cda0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-834482027-582050234-2368284635-1000\{03784C7C-C2E6-4776-A3AC-D79BCE44FB97} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-834482027-582050234-2368284635-1000\{BF86C761-1D87-422C-B4AD-3C64449EE85D} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe

"C:\Users\Admin\AppData\Local\Temp\629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

Network

Country Destination Domain Proto
N/A 127.0.0.1:49753 tcp
AT 86.59.21.38:443 tcp
US 208.83.223.34:80 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 130.136.73.23.in-addr.arpa udp
SE 171.25.193.9:80 tcp
DE 131.188.40.189:443 tcp
NL 23.62.61.160:443 r.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
US 8.8.8.8:53 137.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.137:443 r.bing.com tcp
NL 23.62.61.88:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/920-0-0x0000000002490000-0x0000000002565000-memory.dmp

memory/920-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-6-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-13-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-14-0x0000000002490000-0x0000000002565000-memory.dmp

memory/920-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-20-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-21-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/920-71-0x0000000000400000-0x0000000000608000-memory.dmp

C:\ProgramData\System32\xfs

MD5 b027a290ca8fd5e9196ab2dd5db46427
SHA1 41c88f5005317f65481e2f121344a9b0af733a03
SHA256 19b7175670966f0ec95febf4e8b5c49b530ed9fd7631523d2dc4501781e6761e
SHA512 30b7efa575da226c84917e38d0bad4a9640662a29e3fdc41adc6c999157fe1d7fbd816941b2751c1915f7d831bf52e182aeaac8eb1cb5d8508e974719badfdaf

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 419a089e66b9e18ada06c459b000cb4d
SHA1 ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a
SHA256 c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424
SHA512 bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 94ba4a2911c47faf1ff3d119cc33235e
SHA1 2e23fe3205ae0f413632ed4d70714e569d74135e
SHA256 e7caf249abb90245e5e6d9e5716c6359c65808326fc3a0578156f973f94ca56d
SHA512 797efe5f8fc6e10ec19a1819a7a9d41d21e0e0aa95094acd10051c47bef3f56285348efd4921bbb40990a2e8a4ca5be5844f55f12bc37ee3914a6e1b17a99a9e

C:\Users\Admin\AppData\Roaming\80C8ACDF80C8ACDF.bmp

MD5 993cc909a89f0fb7fe90acc3703c2105
SHA1 f422cdcb426718b235a19080b0daf71c9b448768
SHA256 4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA512 5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 83ef8c0f2146b55c4b71143c97f80db5
SHA1 c542ee3860a1f351d41fdc8b564093b03d1d333f
SHA256 08cf4cf53f874671b193bde236c9a51cf1ad25a42581372dd5023155991d608b
SHA512 5c6d23491c640ab73c0c4883ea5759d9f14543c561f075255b024e119c2062b34a292a7e9a68587e552c61a5af2a50fdd43cac13b47fa04f2785e0eb96a85a28

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 32de370bdfc009cf22aee891e117ccde
SHA1 7ca8fd83f27485e461640fb31fd1fcae8498fa1e
SHA256 6250edbd1cd63d87502a17625d9d6d28517711c0a82e36c866d82c62b8f19e61
SHA512 c01ddf12332436b779a56ce9c7f88649241e46f3d680f6d447df13fb9a00389c9c6a11dea488cf75ac3930584a0f09b81f31e1df47f093c5076145c98b687c99

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5 ae6fbded57f9f7d048b95468ddee47ca
SHA1 c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256 d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512 f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 c55db5f4d1b9139fc0b0a658943fb534
SHA1 0f73c92826a15c6d207e91bb8bf91bc545903e85
SHA256 31f9d6ad5fb63d94c4f14cc4defd96b1cf6e95bb386878e7f9ed789679c6dc2e
SHA512 0265d2818c40651868bb15badeb5d4166c27ddb31b4ef24c0d976569fcea9bdc14109a4e3edef18d2c0e17d2fd81e1fd65c022ca453ed9a9ad1978c6212b5981

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat

MD5 ce18ce56e99b0becdac1acf971555307
SHA1 a5b25803f7806d2a3f239803684bd70f65e5420c
SHA256 798187064fe76693b6d43336013ce439514fd2626290ead457e99c89dbb3607b
SHA512 e93a9ad9904bfd69c5d2a84be883326b648baed7e5b828bdbe7a1b897410eaafd2f9332c3de18d4f1ea2ab50a05aa424169f347ae495cc8b3510a26fe5c010a9

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133575738723867117.txt

MD5 65d939ef67bf440d30c8dee4eebe4890
SHA1 5aa8c724f2e458d7c7c6fe7bd6daf0f48b13fc40
SHA256 e7abcd543a39be760c610fb1cd8a101abfffc6002e47aaf7dea39b31f94a3531
SHA512 8237d8dcab2898614b13f052ca540e6f094b7eb4653a110b572967b3fd34c5d29982cb1ada9a4e38702d08cf736c684ae8269aeac55f0fcbcc2d5b04dfbb50e7

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 292034617cd36b277ecbebf75f6f51bc
SHA1 5c8b9b101a55cdff3d2ba1b96013b1aa278af71b
SHA256 2175f2f5ff32d4ca7496faf6f4eea49e73b7b935e68c08a0d7e82a9e2239cda6
SHA512 e6198a547ea322684ede292552541586c5ff29d84bf626dbbdde445f380558c0459697905e7e7e4f42119d35110c25ab8bd82137b2a30a2cdd70934971b84988

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 17cdbfb366f2038bd60edbaefea7f2a6
SHA1 5edf3e32f3b137c35fa7be3cbe93d7b1501f0c63
SHA256 f9a35ba678da0c5210929381bb0ee1a02c1d794f66fc8336090291f8de3f3f78
SHA512 037203d3e78ea40e8f19f16b48acd1e523638976b45f7ac45c1a3206da96b1f51944d88e6bbc27abfda237545576103fd0f8dbb54e772ba8f21bbaf32dd44126

C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\OC9I7LFD\www.bing[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133575738821722264.txt

MD5 09fa2c626f558226cfdbcfdcab8b5248
SHA1 de125841635f74c4b225859e163c80eb9832ad5d
SHA256 7763b4a38f77350aa9b514115b30f03f4e842e32278e013989d9addcfa5eae5d
SHA512 8330e4c5db28ce0bc05194cb3ab72adf9ed0fcb65ec82ba46aefeb9e3d3d92cfd9cd3c0f993e0f486d437998549a1d5a97aa67c91137dba5a8a6d2aa0eb4ab33

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 7aceb50f10c6f16b5ff03581d36c0666
SHA1 fcc3b723a1c4683d302769cc925be1954933b58f
SHA256 52f9837e7db722658a33a663fee505f8e4067adb45f59ac811cd89af58871efd
SHA512 07e08da193c0d84d272a4cbaa7407bca7fcb4afe4005bd8ff93580e3d958ba31dbeaf2d584cdd8010b660dc4cd5f5918535c7aeaf9fea37916061bc477a2f01e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

MD5 904d4819f44c674b22f654c6fded86d2
SHA1 12ba00ebb35364790bd5081186d86f73f136d4bd
SHA256 505bf118f44fc36780af6415be4b7bfe8c3aa0eb0c2865ab640eaf540fa667f0
SHA512 1e242885e70aab51ea132aaec18127f547c0f377f4a72b02dbf100af3ed45b04161d1bb328927af09b89826201daf18fe47dbf18586bb72719e9bd0a85612b11

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 a790f1677a81eff7cbceff249fc590ee
SHA1 445d3205d72623773e9be27387e16dfe416ca6e2
SHA256 3e49b1394af69f9b0fe2d1b436b707327c39133d1d5e5d5600343da42ce8ffa5
SHA512 e9241b6783376488004fbb382a100da689f2dfa30b71be251acd60250e6b0367ec1c9c6b5c0714fa943af064127730c386e59b6ce9cef17dec179888f08b18a5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 ed124122c16eac29dd4ade55e4fc018b
SHA1 9bf196fd5c9016f288204670ab467c7df1beb1a5
SHA256 d7a88819e62d3750ac3fb6f5abc4740d0ddf29de1945fd76627256112565c049
SHA512 814b4dc8cb5ebd62d54a9154c718bbfab8e81d5f40317d2743a2e0aada9c3f2edb7601c19f3d767417a40bafcd74de291e71954f35d3b23b1380e8f5239dbfc2

C:\ProgramData\Windows\csrss.exe

MD5 969305f9f01a46e8eee82885d9bde2bd
SHA1 a5cf52711faec6b7ec152ac074496a7a6e825765
SHA256 629491cb1f88530240f9260810ab2abe16b8152900bffae4068a6565a2ac7a70
SHA512 a916a1ef2bc9c77e9cb3476def54747dcf9c6819c9dd436d8e7ec4f9c3046ce850db7727fc97f820aba070015e06975540f5cacbf6e7341a3ffb787560590ba2