Resubmissions
17-04-2024 14:30 | 240417-rt43faca49 | 10
17-04-2024 14:30 | 240417-rt4fxade5v | 10
17-04-2024 14:29 | 240417-rtyknaca44 | 10
17-04-2024 14:29 | 240417-rtsz6sde3z | 10
17-04-2024 14:29 | 240417-rtspeade3y | 10
31-07-2022 05:21 | 220731-f17w5aade2 | 10
Analysis
max time kernel: 1792s
max time network: 1599s
platform: windows10-1703_x64
resource: win10-20240319-en
resource tags: arch:x64, arch:x86, image:win10-20240319-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17-04-2024 14:30
Behavioral tasks
behavioral1 | Sample: 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | Resource: win10-20240319-en
behavioral2 | Sample: 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | Resource: win7-20240215-en
behavioral3 | Sample: 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | Resource: win10-20240404-en
behavioral4 | Sample: 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | Resource: win10v2004-20240412-en
behavioral5 | Sample: 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | Resource: win11-20240412-en
General
Target: 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Size: 1.5MB
MD5: 6599f79e40a26186261b58aa89194e5b
SHA1: 0a44b71f930447d545de0f10b6f9c70d513acacc
SHA256: 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02
SHA512: 9e4c8b704bdf6f69df693c40c323f069ac7b9900ab8486d7e5a8423670aa1ee686ccfb6c4026f903d0928145efeee04b0b4cded0000f918862208baba9913748
SSDEEP: 24576:4i9CFkYBMSUkGUbDkAv0f3BIykhWmRkLhKRahLo1ChjllyzD8k20ZItIhi4Gx:4ieMSU0bD7Q3Bfkh9k1VtKChpIzD/Std
Malware Config
Signatures
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\9D66F3A49D66F3A4.bmp" | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1144 set thread context of 4496 | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 72
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File created | C:\Windows\rescache\_merged\2717123927\1590785016.pri | explorer.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | SearchUI.exe
File created | C:\Windows\rescache\_merged\4032412167\4002656488.pri | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4104 | vssadmin.exe
3820 | vssadmin.exe
4116 | vssadmin.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Software\Microsoft\Internet Explorer\GPU | SearchUI.exe
Modifies registry class 33 IoCs
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4496 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe (the same entry is listed 4 times)
Suspicious use of AdjustPrivilegeToken 53 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Token: SeCreatePagefilePrivilege | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Token: SeShutdownPrivilege | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Token: SeCreatePagefilePrivilege | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Token: SeBackupPrivilege | 3392 | vssvc.exe
Token: SeRestorePrivilege | 3392 | vssvc.exe
Token: SeAuditPrivilege | 3392 | vssvc.exe
Token: SeShutdownPrivilege | 2500 | explorer.exe
Token: SeCreatePagefilePrivilege | 2500 | explorer.exe
(the two explorer.exe entries above alternate for the remaining 46 of the 53 listed IoCs)
Suspicious use of FindShellTrayWindow 44 IoCs
pid | Process
2500 | explorer.exe (the same entry is listed 44 times)
Suspicious use of SendNotifyMessage 23 IoCs
pid | Process
2500 | explorer.exe (the same entry is listed 23 times)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3184 | SearchUI.exe
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 1144 wrote to memory of 4496 | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 72
PID 1144 wrote to memory of 4496 | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 72
PID 1144 wrote to memory of 4496 | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 72
PID 1144 wrote to memory of 4496 | 1144 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 72
PID 4496 wrote to memory of 4104 | 4496 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 74
PID 4496 wrote to memory of 4104 | 4496 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 74
PID 4496 wrote to memory of 3820 | 4496 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 78
PID 4496 wrote to memory of 3820 | 4496 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 78
PID 4496 wrote to memory of 4116 | 4496 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 80
PID 4496 wrote to memory of 4116 | 4496 | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe | 80
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1144
  - C:\Users\Admin\AppData\Local\Temp\94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
    - Adds Run key to start application
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4496
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies
      PID: 4104
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 3820
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies
      PID: 4116
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 3392
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2500
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 3184
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1024KB
  MD5: 4f8ed68a1863e3de221ca90c9db96a37
  SHA1: 0effcbe7e22b3a3856830a47b66f5e833e79d209
  SHA256: 332e18f95250354a2ac9a397ab2791b3688ef1119425aebe4210c5f41313cbe6
  SHA512: a6332f6eb959bba060da0779e497715351e5fa25a881db18b09c0b3862808cc2d9489bf1032540964f73ca0651049843aaa60b1a27354614626ca0abf3c55996
- Filesize: 7KB
  MD5: d90d90938ab6328d256eeabf24ff8429
  SHA1: f67a912f32c7cb54b51841accd6b31c13f2e0520
  SHA256: fc92671a3f41f3db17c84cfea9ffb78cd7d39bc5b7dc0b5109833d686f28ca9d
  SHA512: 54d2a82246a711560d569d499e5f71364e9ae6c49f82e5c4ad03dcf2aa3e0ef7bf77fc5dc4b582d65dc73d82480823293350481a37adc3c1c70fd653225ebe15
- Filesize: 1024KB
  MD5: b445395f1aa641fbc3815509a2abe933
  SHA1: 0c9b55d1746a04f3bf36da6e77fa464d34cc5ce4
  SHA256: 0ae20207259bc0ffcf68260fed844944bd47e07fa405a77dc5c8762cef734b1d
  SHA512: 81c15259d644bdc6996fecab1c65ca99cba0eee706188e81bf2a40cef55c9ce9e1c27ac6a0606d8fedbc079110e59ba827ff70cdd942e46f12dad1c80b660351
- Filesize: 1024KB
  MD5: a1732749e4de326d153f0ee6b566ebe8
  SHA1: 0599976e7e9f044880513808adf860d635bbeaf6
  SHA256: 6ba5e1679843c3843f7ad66ff95993f11229dbd257e75aaa2b4ab984c8382b64
  SHA512: bb9e376c00be79f0a36546e42646145524424d94b30a909cc9863b70eb0b669e240fab68d48be79ee23d934b1d3ae41adb003d0fbd9cf32fe9a4dba065f2c5b5
- Filesize: 24B
  MD5: ae6fbded57f9f7d048b95468ddee47ca
  SHA1: c4473ea845be2fb5d28a61efd72f19d74d5fc82e
  SHA256: d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
  SHA512: f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
- Filesize: 7KB
  MD5: d236233d47fa01235b56a7c25133a1bc
  SHA1: ac8abb682a58d9590f4eea0ada8cc2acf982b3f0
  SHA256: 0ee876910cc6665097f66f1f49f09b4de336967279a2f557099def6d971bcc1f
  SHA512: bbe44642f7002b654fc245308076ec73b240944a49b2dc4374849e68c8259c783180138414df52fee1fcecc6b478452e70780eabaaab87324f428984a3b15c65
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Q7R4L46I\microsoft.windows[1].xml
  Filesize: 97B
  MD5: ec5f7f7d3ba6a617bcc377c82512e849
  SHA1: 5b8b713146e2b2e813b6bf3b141faa8ff97eaacf
  SHA256: 25bc6b4c838de26effb79b0b84ec497fe6be27ddfb085c6d16ce687b94a84c2c
  SHA512: a5625890e82a965790bfd4e909d4c9a1acae2d21baac9c0bdb51e642c3331c74fbc80b792e78b12a9fa738785246fd97318e79a16b0136b841cea5f648f1c545
- Filesize: 2.6MB
  MD5: 993cc909a89f0fb7fe90acc3703c2105
  SHA1: f422cdcb426718b235a19080b0daf71c9b448768
  SHA256: 4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
  SHA512: 5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762