Resubmissions
17-04-2024 14:56
240417-sbg1madb74 1017-04-2024 14:56
240417-sbaljsdb64 1017-04-2024 14:56
240417-sbaasadb62 1017-04-2024 14:56
240417-sa9n9aef2v 1017-04-2024 14:56
240417-sa9dgsdb59 1006-04-2024 14:44
240406-r4b5eadc29 1006-04-2024 14:43
240406-r3xpqadb95 1006-04-2024 14:42
240406-r29b5ace9x 1006-04-2024 14:41
240406-r2spdace8x 10Analysis
-
max time kernel
1192s -
max time network
863s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
17-04-2024 14:56
Static task
static1
Behavioral task
behavioral1
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
19 signatures
1200 seconds
Behavioral task
behavioral2
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
1200 seconds
Behavioral task
behavioral3
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10-20240404-en
windows10-1703-x64
24 signatures
1200 seconds
Behavioral task
behavioral4
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
19 signatures
1200 seconds
Behavioral task
behavioral5
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win11-20240412-en
windows11-21h2-x64
26 signatures
1200 seconds
General
-
Target
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
-
Size
1.1MB
-
MD5
1fc2e4c5ff5844410fc7b78c6987cddf
-
SHA1
52f676fcbfda7f0929385da963df25eb4638d4a4
-
SHA256
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
-
SHA512
31efba9acfe4b4bfab315a8d2d15b1b7a5ef83f26fc5de17ec37044bb6b61269f291ddb9e20ad90f2e91fff5221360b34bcf1e36e447d369e0d5333de42681fe
-
SSDEEP
24576:fDbt4YcxdNDjJQqRTE0cZLx4bcWS5PcQV3D14EAKXtRutF3dFJt8:f1yDNXS2T+4c9cQVxnXtIr3f8
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral3/memory/936-1-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-2-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-3-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-4-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-6-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-5-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-7-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-11-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-12-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-13-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-15-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-16-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-17-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-20-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-21-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-22-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-23-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-24-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-25-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-26-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-27-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-28-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-29-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-30-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-31-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-32-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-33-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-34-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-35-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-36-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-37-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-38-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-39-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-40-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-41-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-42-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-43-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-44-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-45-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-46-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-47-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-48-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-49-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-50-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-51-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-52-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-53-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-54-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-55-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-56-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-57-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-58-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-59-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-60-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-61-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-62-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-63-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-64-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-65-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-66-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-67-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-68-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-69-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/936-70-0x0000000000400000-0x0000000000608000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\7BF7DFFE7BF7DFFE.bmp" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10393_36x36x32.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10912_40x40x32.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-400.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_PigNose.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\dk_16x11.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\SelectAll.scale-140.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-36_altform-unplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\computer_white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-colorize.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ug_60x42.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\jumbo.jpg 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Save.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-250.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_20x20x32.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Java\jdk-1.8\jmc.txt 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\au_60x42.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\13s.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\re_60x42.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\priidu.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\wfh.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\lobby_deck_style_autumn.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Planet.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\skype.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-200_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\friends.scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Animation\crown_2.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-400.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\mp_16x11.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\CoinsFlyToBar_D.wav 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\background_gradient_2.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-60_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\VideoLAN\VLC\AUTHORS.txt 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sb_60x42.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\phone.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10191_32x32x32.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\rescache\_merged\2717123927\1590785016.pri explorer.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri SearchUI.exe File created C:\Windows\rescache\_merged\4032412167\4002656488.pri explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4188 vssadmin.exe 2544 vssadmin.exe 3148 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU SearchUI.exe -
Modifies registry class 32 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065728993929" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e80704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000002fa390d8f190da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000352f5cd8f190da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000021f776218a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 828 vssvc.exe Token: SeRestorePrivilege 828 vssvc.exe Token: SeAuditPrivilege 828 vssvc.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe Token: SeCreatePagefilePrivilege 2012 explorer.exe Token: SeShutdownPrivilege 2012 explorer.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
pid Process 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe -
Suspicious use of SendNotifyMessage 23 IoCs
pid Process 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe 2012 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2180 SearchUI.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 936 wrote to memory of 4188 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 74 PID 936 wrote to memory of 4188 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 74 PID 936 wrote to memory of 2544 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 78 PID 936 wrote to memory of 2544 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 78 PID 936 wrote to memory of 3148 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 80 PID 936 wrote to memory of 3148 936 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 80 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:4188
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:2544
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:3148
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:828
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2012
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2180
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5d6393535a8035a73df078a6a3676c564
SHA13e8895d96a9b736b918065a01540a95183382b4b
SHA25607a8d6c9573f4dc12675cacdccbd2184b212f5a977cea53ad11feef7d570523f
SHA5121cf925dff759f29fe7cef7e2ab76f927e10f74ae539d486a007904ca2a8e0cfef8386642d494e7979c0e4969b068270cc231ebb71679c3a78ac6cff99a12dbfa
-
Filesize
1024KB
MD5f5fef41e3d9b7053177844b3f94d8b61
SHA1c0c6384f2e0b56c6ac0b999d8584a2bc9509d20e
SHA25668431ab4b4a76a1a635df107e402a68d272c88729c157e5de0fbdf84523b879e
SHA5127039fbe40f264b4a79df4219fbee8952ad0d05a2501cf9ca5cfd28adc86558dc6df1a2568e486d06b6f50566f1ce74b7b9d0796891b5d1dbabcf077fa7dbd885
-
Filesize
1024KB
MD51f53ad11375f63965ed3d9501f79e98f
SHA17f79eb68f6d8e3759de36fc18aefa85f7d8d6a27
SHA256b4c027fa30392e46503bf470c2c3ac1130e608b3914a79ce9a7f93a3bd00347d
SHA512571c45a0c5c7e04928fb114fc99a954d7bcbd989e457217f39f5c1db43a8553788d5dd6a43ceb4cfe223d5a0f9460711d250d5bac26165b57ca85073f80017df
-
Filesize
7KB
MD575430994a9d6eb12d7d466adc7721020
SHA10f304f258fec9553341dffe96b752e9e086d265b
SHA25639a780d6a9729f61a05bec79ae999168eaab1a60ad23ba6e63387fc084f1f142
SHA5127ddda9b9d99cb59f11b079830268ad750b99c8368cffa00e552197816b829e307d2879d039023485ab6a5c21df7627376376c31a81966ea5dcad130848b18b8c
-
Filesize
7KB
MD5d97c5c7560392ba8bf5101d7a6d2d538
SHA14d9af447327d342392e03ef9628af91bde9e2b53
SHA2569321fc58a28d20b5c882f7e7b8a2fac63874e48692dd6300a369bee038220eaa
SHA512d85195faeeb261e03ad16b5d0f4dacabde9778be520013406625329cf05a8e9c8080569d4cd2fefaeb5bf7ca676174eeb70889f4de12dde830a1e42de65366a7
-
Filesize
1024KB
MD51107a8937220cfa0daaec9361a10e4ff
SHA1dcf80dea2366fbc970bd6cc19ced27818f455492
SHA256783db7ccbd54f44bcd719084a2b50a882b102f4ddecb8168ae9ff6de8d6274a5
SHA512d4986b9e8b49920dfa6c21d099ac83d16cd9f12baa357d3de4c7ab6bc5fa9b3c96d9713458106243478e116946b3ab7ff34f9e7ac35a135cbb9af58433e9c3db
-
Filesize
1024KB
MD5cd65007df038583ab37e629a90ced5a4
SHA1befc525ffda8c6341ea6aa11ff6df9474132e572
SHA2562d238a9ec3528690dedd8cef4c2e2ccb5fbca252d8a741c66c53bd960c44358c
SHA512db4a85775d72db0e5d829c339d8371faab96f12a5d79c643a7c4621cfc580f157775faa6b4dfd45c48dc6f55bd49464213bd525e169a51d1185d8af3675df74a
-
Filesize
24B
MD5ae6fbded57f9f7d048b95468ddee47ca
SHA1c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize
7KB
MD5b9550f07054a96b9d1b63297c6e3639d
SHA189a4b515b8bfb65c4687bd14d41bddb46aa5131f
SHA256799c464b6b675b7d1979a5b4ffda48faf5f95adb08d329a991832ab1d7331159
SHA5120a85d5ad22cd364fe60a4da4a978df74b9b563383a352f855d95727291b91fb800fccfabf3a3cdeadfe617e916c35e211457ddee6e135e0f061d6baf4936bd5a
-
Filesize
7KB
MD53cdb71ec197216b8ea56d8c3e4a7f965
SHA1103ca7a5a56dd81e0965255e23343f03f0705d1c
SHA256dbeced6adde3a4373a9b9a008ecc496f80e622d71837b50df3c3344c415a56dd
SHA512d589fc4289a36656c6342ecb53cebe1062c6f7b41608e38445e06a219c81d823a7d6722af50dfdf4ff7aa427d6dc32fde7a3dbcb80d13501dd9c7285a244639c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TA9PW42K\microsoft.windows[1].xml
Filesize97B
MD5a5333251e3c904b1ee33e2b9e454fdc3
SHA15065465178f2da4385d1a9b9c992f4e3e4278603
SHA2561ec2ab27e453e390ce270092f5e32ffdc1776d6a850602a47b658f7608e8d0eb
SHA5120636fb26ffca78f5e76bbdf0bf719963a43864eafd9bf71e6f9d3edb7cf1be94f0efae0e015ac8e6ca7aea0e6f42f0580a2737b47007486ccc5cc43ee100a394
-
Filesize
2.6MB
MD5993cc909a89f0fb7fe90acc3703c2105
SHA1f422cdcb426718b235a19080b0daf71c9b448768
SHA2564aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA5125ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762
