Overview

overview

10

Static

static

1

3d4d462dbc...f4.exe

windows7-x64

10

3d4d462dbc...f4.exe

windows10-1703-x64

10

3d4d462dbc...f4.exe

windows10-2004-x64

10

3d4d462dbc...f4.exe

windows11-21h2-x64

10

Resubmissions

17-04-2024 15:08

240417-sh9dfsdd79 10

17-04-2024 15:08

240417-sh8rxseh9s 10

17-04-2024 15:08

240417-sh76dsdd78 10

17-04-2024 15:08

240417-sh7vmaeh8z 10

17-04-2024 15:08

240417-sh684aeh8y 10

15-04-2024 11:51

240415-n1dx2sdg29 10

15-04-2024 11:51

240415-n1cd8aga41 10

15-04-2024 11:48

240415-nygadsdf57 10

15-04-2024 11:48

240415-nyfnvsfh8x 10

15-04-2024 11:48

240415-nyfc4adf55 10

Analysis

  • max time kernel
    1792s
  • max time network
    1536s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-04-2024 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe

  • Size

    1.2MB

  • MD5

    c722f0a20113bb1488382daefda9a358

  • SHA1

    4d269f0ec76a564f952c348b32a3b59c34bab2b4

  • SHA256

    3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4

  • SHA512

    534a1acdd94846138086a9912f8c2bcf154e0765f80d0a8432004687c76909fa9ab95adef24b8ec67b10cdff2aa59c50d0bf086e034e3b12f4ea484c7605e991

  • SSDEEP

    24576:IIvEq8jlEBPkNShzxh7QjO+NhXh1l/JFfnE88smv:najiNOsbQjOuXh1lvESw

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 58 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
    "C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4036
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2972
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3296
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2700
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2960
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2268
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3624
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4960
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5084
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4384
  • C:\Windows\system32\werfault.exe
    werfault.exe /hc /shared Global\48146dc772214cfd83f0d4666ccc17d6 /t 4604 /p 4384
    1⤵
      PID:4668
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4824
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4924

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Defense Evasion

    Indicator Removal

    2
    T1070

    File Deletion

    2
    T1070.004

    Modify Registry

    4
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    6
    T1012

    Peripheral Device Discovery

    2
    T1120

    System Information Discovery

    5
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Defacement

    1
    T1491

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\System32\xfs
      Filesize

      64KB

      MD5

      b2f7ec8c551bcf3bcf6eafd1044fd760

      SHA1

      7952264cf672065905c7c90f5fe6e8cc93cf1b30

      SHA256

      67343efa5330882210b405d8ba9b283c025f4e9a9bbfce3005534d9303150585

      SHA512

      28a8d4adb81e6c448e0cef9661e8119cfc9b82461bdbe77799caae5bf510b1a9397eba71d0762503f03cdae85f85bedfde46d99fd9ecb74f2bdcd7874929c4e4

      Download Submit
    • C:\ProgramData\Windows\csrss.exe
      Filesize

      1.2MB

      MD5

      c722f0a20113bb1488382daefda9a358

      SHA1

      4d269f0ec76a564f952c348b32a3b59c34bab2b4

      SHA256

      3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4

      SHA512

      534a1acdd94846138086a9912f8c2bcf154e0765f80d0a8432004687c76909fa9ab95adef24b8ec67b10cdff2aa59c50d0bf086e034e3b12f4ea484c7605e991

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
      Filesize

      1024KB

      MD5

      667bbb4bfacf8c66a84c22e10c86d711

      SHA1

      13e5d62d049146c1cccace681e10882a4f23917f

      SHA256

      cbaf5fb5208ba9a7e0855eee54b14b3b47d03b6d7992b8da3b6bdd0ef1ebd253

      SHA512

      c366afd80d952de824e81e08764a3d25f55ac6bb893c7e9f089d6fc435b7520c8f2f4ffa6690043169cc0e071a8403aee8dda02b8b76919c688eddbe6348d2cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
      Filesize

      1024KB

      MD5

      11ae612cb19da75ad54549a9690db99a

      SHA1

      b44f9fc4ce5684300868a1611f64f71ea514865f

      SHA256

      751bb02ddffafce04230550655eb738d861ee4787fe7971a3757516fee41773a

      SHA512

      0abb1ff83e5e3c28a58a9b6bc6f98987573679be8c82a96b27db490c11a3e0f1f47aef4ef65d41d8bd3c4d53ec48bfa61787998dc25534c1f2276a733853ee78

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
      Filesize

      1024KB

      MD5

      841db9b9d54a8d060e166fdf3f63b88c

      SHA1

      d04dddaf7b9bddee9e3ae206b518707afebeccb0

      SHA256

      61e41c35eed023524811de3f3aa12421a65f4cbf57da9797983b305299c9bcc6

      SHA512

      80ac18bad2a85a40226f17f18758a4054219f0c7d71ca14e33bc6a5495693b9e2ffd3e7ebd345de7da1ac81fb3681a2adb9c9d7d0ec9edf210f2e37a08e2be06

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      7KB

      MD5

      fcd9c071663797458ddd588e3955490b

      SHA1

      4699a3e531e03953718496ae04a70355710d756a

      SHA256

      876e87ae2d94ec57b5080030439ab5bb55b3a41ea2224430a25e1f31aadef6e1

      SHA512

      3523423e469524a69cc3c2a20dc82a4c5e301cb957052d1e519a60e1d4d6a818f361a758549e5fe95e78caffbe338cab0721c5a522ad4fceef985061beab1b1e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      7KB

      MD5

      369652b04c9fff690621d5d0c35a9ab3

      SHA1

      7b84730856d41f68f7181e586e2e015b45b00e48

      SHA256

      d44770a10bf5ce3ee5e217267b7930720e44a853fb7f2c073de1e18eaa619272

      SHA512

      48b42bb4175c3cc48eb59219dd40bfcb5f6e2fb7a56d383bbd6f753dc1e6956af1ed69bcfe37602df77a347998a972e16bccc60f275b98e31146c8b0014d5d6f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
      Filesize

      24B

      MD5

      419a089e66b9e18ada06c459b000cb4d

      SHA1

      ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

      SHA256

      c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

      SHA512

      bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
      Filesize

      1024KB

      MD5

      ebe50b0da13f01df32581598f9606f59

      SHA1

      b93fa1cbae838c277a37d4a59376556fc689aefe

      SHA256

      f4a411130c812707c65617946dd92772c2f6fe9945497e73e0e8474bb61ba8fa

      SHA512

      cacc42184b0a54e83d342019bca2af306cba803dd7f1ed4720a6cdaed6659481ea53b1180dfc44170facab50021294427a63dae17c20520cd6c1440623eb3ff0

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
      Filesize

      1024KB

      MD5

      18aeb72178d3100ce440222b5712e764

      SHA1

      b774f14f7084de5470f183cec8099ced1d66d390

      SHA256

      93ab5826042c2829bfc8735f7cb81262e31ffc5f546ef2004984ca062fe9a758

      SHA512

      8b9908a07d16ad45c4c74ea6bb43144c155389a5c5bddc025062f17190fe5a511c463bbe4a7b82eb227e346d8c159d2538712bfe8764c49798c59f7de00fb9f0

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
      Filesize

      24B

      MD5

      ae6fbded57f9f7d048b95468ddee47ca

      SHA1

      c4473ea845be2fb5d28a61efd72f19d74d5fc82e

      SHA256

      d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

      SHA512

      f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
      Filesize

      7KB

      MD5

      5e654a5b94d8bd3712cc361adf122482

      SHA1

      1f89fee499995d781342e92250eed407e33f14a2

      SHA256

      93013c9daba885c1283a51c5f0ea20436407770237f8b90ebd95ab60ccf26366

      SHA512

      4827ce70cd580120360b10bee39cdd91116f1c37cb6801e92fbad78beb7c4f0bfdfde4ced7e01891f92b5c54731e5862f17d74e58a0ff87d8dd354a2bf21d32f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
      Filesize

      7KB

      MD5

      ea96c795efbe68acda042de662427828

      SHA1

      6070f13a69862473bbdac8b2ccae0c39fe2d1f5f

      SHA256

      d88a19d8aeb12f71ae7a0c631573feafce5f90ede96f7436d318a2b5a559d05d

      SHA512

      32294af7c2cdfdb67b7713be7f95913a8b3939726436ce1829611c02011483e6579e44be9bc0c574c101603be0e361ce5207eb208d5a5e8729a4343c23197c37

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
      Filesize

      7KB

      MD5

      ee6b990a2fba120bdbb4d7eebb5e2b81

      SHA1

      15bafb28af9f2bd753f1c0ab0cea81ab750b425e

      SHA256

      7fd375a7013f42b6ccd42837ee41778840252e3579434b4bd07db55d4d97dcd5

      SHA512

      31f6c19d7f5f2bf4b5763e97b28d428fd8687a3b2815ad9dd2419c363212986cc53ecd2514c3a143c855b791a1035357cd928102732b92b434eec458c23f91ac

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
      Filesize

      6KB

      MD5

      05cabb9643aeaa7b9ccf2ea941a7fddd

      SHA1

      c22c10d8240736d047458b0a9357bde4d2419d70

      SHA256

      171a1becbc4ea463e907ef371e007fb62862f2c59657637abf528a416380301c

      SHA512

      93c2f85d7a9a7a89e8664bff5bd4bc53eaaf6f14d825195aa8b21959ccb822db6bcf419fa92af4b4f213ac099a36fbfe381f23671b8539a49648129c0af2a6a9

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      75636812e170936fc329866bfd49596e

      SHA1

      5bd0bac8554e8a470c4f89799e64ef52f5399681

      SHA256

      f0b79bf8632668be72d4569bfe71feabb47cf3cfc94fc00f9477b7350968941f

      SHA512

      dd46b5067f8f7f6d31c0faaa0a7b18ffc0677c3b60d1b9baaaa574033372fded56dad8ec20ed915c38683350096f1fa68c140cf9444901c5a340a89ef1af11e8

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\000F49EC-9C26-46C0-A082-DCE2A9663ADA\Zrtu2hQ08VU_1.bytecode
      Filesize

      62KB

      MD5

      202cc33b5bf47c988165c7bd484540a3

      SHA1

      cbae1cd9b1d8a298ea5d7980ef456ec7cbe203c7

      SHA256

      d528622a097c6a5c307667da06e726ca734f083b296cc820833958ae2f8f6bb8

      SHA512

      f9f526acef844fc8a8fdb3392bcf729d151d3e7bd1f333fbba3260482270db475612632bffd3b20105822d482d0e3c935ee7065e51b020d897bbaaf0f09f6711

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\000F49EC-9C26-46C0-A082-DCE2A9663ADA\Zrtu2hQ08VU_1.metadata
      Filesize

      192B

      MD5

      0c5084a77391377c1f39541812466343

      SHA1

      c17a64ac907a18ab3625c7d4d702f6c5cd4000ea

      SHA256

      4e6d5e6cf1236526150fdb7f37cebdbcbc13024bc9ddeb5c35171eb484fe9065

      SHA512

      5d384bf0a504622a52af5d2f5d837c00ba716bce4cdcc3d2a20fbc44cedd0447c901e04c2d5cf8eb8c9ca5976171cfe693534e43a3205f1f185347383ccede8c

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133576568182186384.txt
      Filesize

      2KB

      MD5

      65d939ef67bf440d30c8dee4eebe4890

      SHA1

      5aa8c724f2e458d7c7c6fe7bd6daf0f48b13fc40

      SHA256

      e7abcd543a39be760c610fb1cd8a101abfffc6002e47aaf7dea39b31f94a3531

      SHA512

      8237d8dcab2898614b13f052ca540e6f094b7eb4653a110b572967b3fd34c5d29982cb1ada9a4e38702d08cf736c684ae8269aeac55f0fcbcc2d5b04dfbb50e7

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133576568306668367.txt
      Filesize

      67KB

      MD5

      09fa2c626f558226cfdbcfdcab8b5248

      SHA1

      de125841635f74c4b225859e163c80eb9832ad5d

      SHA256

      7763b4a38f77350aa9b514115b30f03f4e842e32278e013989d9addcfa5eae5d

      SHA512

      8330e4c5db28ce0bc05194cb3ab72adf9ed0fcb65ec82ba46aefeb9e3d3d92cfd9cd3c0f993e0f486d437998549a1d5a97aa67c91137dba5a8a6d2aa0eb4ab33

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
      Filesize

      2KB

      MD5

      617feddf99d3d78594d34918b66d92b0

      SHA1

      e0b6ec0e6cbb1f5e6ffb43fe48dd75315ff25012

      SHA256

      ccdd6c984c73c7aeee7dff94d38fd62e12faad5cb2d3a45eb3bcb3b796c00d45

      SHA512

      dadace5c4a4b8604c73e69a951f93586d97f0be57d7aaecdfab20ebc77ff124e8bb5ac2dd29a38053a121a11d728a357f6bb6d2d24f11d4ec30580b9229386e0

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\INetCache\H4VRNQLL\s13bmMn_O0leWsDgDXskAu2MbjY.br[1].js
      Filesize

      20KB

      MD5

      9e527b91c2d8b31b0017b76049b5e4e3

      SHA1

      86bc98423492c4ceb41277298277edbd217e2d3a

      SHA256

      38edf0f961c1ccb287880b88f12f370775fc65b2e28227eee215e849cdbe9bbc

      SHA512

      4c19a7633ea4042a5c19b0f9e4aedfe0b67eca49f7a30aae8c59d489348712da3a84c03b695e16ed50cfbe5a838d0226bd930ac6847474d6398a7ca1c5f65b98

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CIXZDPR2\www.bing[1].xml
      Filesize

      13B

      MD5

      c1ddea3ef6bbef3e7060a1a9ad89e4c5

      SHA1

      35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

      SHA256

      b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

      SHA512

      6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\A04B9997A04B9997.bmp
      Filesize

      2.6MB

      MD5

      993cc909a89f0fb7fe90acc3703c2105

      SHA1

      f422cdcb426718b235a19080b0daf71c9b448768

      SHA256

      4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

      SHA512

      5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

      Download Submit
    • memory/892-28-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-62-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-31-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-32-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-33-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-34-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-35-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-36-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-37-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-38-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-39-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-40-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-41-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-42-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-43-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-44-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-45-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-46-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-47-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-48-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-49-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-50-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-51-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-52-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-53-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-54-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-55-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-56-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-57-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-58-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-59-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-60-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-61-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-30-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-63-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-64-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-65-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-66-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-67-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-68-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-69-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-70-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-71-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-72-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-29-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-0-0x0000000002480000-0x0000000002555000-memory.dmp
      Filesize

      852KB

      Download
    • memory/892-27-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-26-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-25-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-24-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-23-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-22-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-19-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-18-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-17-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-16-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-15-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-14-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-13-0x0000000002480000-0x0000000002555000-memory.dmp
      Filesize

      852KB

      Download
    • memory/892-12-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-11-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-8-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-6-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-5-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-4-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-3-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-2-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/892-1-0x0000000000400000-0x0000000000608000-memory.dmp
      Filesize

      2.0MB

      Download