Resubmissions
17-04-2024 14:56
240417-sbg1madb74 1017-04-2024 14:56
240417-sbaljsdb64 1017-04-2024 14:56
240417-sbaasadb62 1017-04-2024 14:56
240417-sa9n9aef2v 1017-04-2024 14:56
240417-sa9dgsdb59 1006-04-2024 14:44
240406-r4b5eadc29 1006-04-2024 14:43
240406-r3xpqadb95 1006-04-2024 14:42
240406-r29b5ace9x 1006-04-2024 14:41
240406-r2spdace8x 10Analysis
-
max time kernel
1792s -
max time network
1593s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
17-04-2024 14:56
Static task
static1
Behavioral task
behavioral1
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
19 signatures
1800 seconds
Behavioral task
behavioral2
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
1800 seconds
Behavioral task
behavioral3
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10-20240404-en
windows10-1703-x64
24 signatures
1800 seconds
Behavioral task
behavioral4
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
19 signatures
1800 seconds
Behavioral task
behavioral5
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win11-20240412-en
windows11-21h2-x64
27 signatures
1800 seconds
General
-
Target
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
-
Size
1.1MB
-
MD5
1fc2e4c5ff5844410fc7b78c6987cddf
-
SHA1
52f676fcbfda7f0929385da963df25eb4638d4a4
-
SHA256
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
-
SHA512
31efba9acfe4b4bfab315a8d2d15b1b7a5ef83f26fc5de17ec37044bb6b61269f291ddb9e20ad90f2e91fff5221360b34bcf1e36e447d369e0d5333de42681fe
-
SSDEEP
24576:fDbt4YcxdNDjJQqRTE0cZLx4bcWS5PcQV3D14EAKXtRutF3dFJt8:f1yDNXS2T+4c9cQVxnXtIr3f8
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral3/memory/2088-1-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-2-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-3-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-4-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-6-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-8-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-5-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-11-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-12-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-13-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-15-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-16-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-17-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-20-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-21-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-22-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-23-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-24-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-25-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-26-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-27-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-28-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-29-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-30-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-31-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-32-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-33-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-34-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-35-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-36-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-37-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-38-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-39-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-40-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-41-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-42-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-43-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-44-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-45-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-46-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-47-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-48-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-49-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-50-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-51-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-52-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-53-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-54-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-55-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-56-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-57-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-58-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-59-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-60-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-61-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-62-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-63-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-64-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-65-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-66-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-67-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-68-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-69-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral3/memory/2088-70-0x0000000000400000-0x0000000000608000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\F78E4B34F78E4B34.bmp" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-400.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Icons\freecell.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-48.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_32x32x32.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ApplicationInsights.config 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.wink.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-150.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\153.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-96.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\star-rotating-57x54.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-32_altform-unplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gs_16x11.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\DarkBlue.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\powerpoint.x-none.msi.16.x-none.vreg.dat 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-150.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Effects\effects_lobby_bubbles.jpg 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\SmallKlondikeTile.jpg 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-24.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-80_altform-unplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Strive_for_Perfection_.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\MedTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsStoreLogo.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\3.jpg 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-400.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_40x40x32.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ky_60x42.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\brokenheart.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\1d.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-16_altform-unplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\LargeTile.scale-125.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-125.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_12d.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_contrast-high.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\LargeTile.scale-100_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bz_16x11.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Icons\spider.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\rcypaper.jpg 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\paperbag.jpg 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.contrast-high_scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1601268389\715946058.pri SearchUI.exe File created C:\Windows\rescache\_merged\4032412167\4002656488.pri explorer.exe File created C:\Windows\rescache\_merged\2717123927\1590785016.pri explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1124 vssadmin.exe 4520 vssadmin.exe 4104 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU SearchUI.exe -
Modifies registry class 32 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000d07d9cf10c91da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000ed5776f10c91da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000003631b1288a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065867241975" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 4412 vssvc.exe Token: SeRestorePrivilege 4412 vssvc.exe Token: SeAuditPrivilege 4412 vssvc.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe Token: SeCreatePagefilePrivilege 4772 explorer.exe Token: SeShutdownPrivilege 4772 explorer.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
pid Process 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe -
Suspicious use of SendNotifyMessage 23 IoCs
pid Process 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe 4772 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1060 SearchUI.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2088 wrote to memory of 1124 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 73 PID 2088 wrote to memory of 1124 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 73 PID 2088 wrote to memory of 4520 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 77 PID 2088 wrote to memory of 4520 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 77 PID 2088 wrote to memory of 4104 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 79 PID 2088 wrote to memory of 4104 2088 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 79 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:1124
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:4520
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:4104
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4772
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1060
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD5bbc0ccca47dbc4aeddd0f4f85f068f78
SHA18f1401e27a14fe6640b94d9a6ed191c012fcccad
SHA25645dc327df19bdec7008b12203695dcb5ebbad0d02c6c6243b673f8735df3db44
SHA512b7fa24736ea10f19d758abc47c939b593328808eb2aa177f0b6b360498fd3ffa6b9f4425dd9f623a542205b39e2140d2318072b6786b4d5341573c48d176abbe
-
Filesize
1024KB
MD5c54cde3ceede65db57e1ef09429038d6
SHA1d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7
SHA25680a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb
SHA5121677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b
-
Filesize
1024KB
MD5ee3c7361f7eb54a6e494d70438c8f15c
SHA1d5c1c352c04cdb8526edee6495f52554baafbec4
SHA256523d5a8802490ba64457a7a479e6b1c42e93907058e0d9b099ed7b5ac5ae3d20
SHA51267816e75327cec6a28655dd347695f5af3bb8595324609bdfc422318ca23241ed8e4adeaabe9dcb7cd01015ac6bedfc27df30ebf372439eb06707f364c1d6c58
-
Filesize
7KB
MD553a1264b64e3b5b0d8f3c913e97524e2
SHA185a684869f8721cb327cf7f6fb3ce8f2b39e80e9
SHA2569353985c11ae4085208fcd8527fe754bf3feda7bc1c93efe0ba0bcf98f37594a
SHA512c50ee6e14cae24769d211e46bebd7bebfc684132baa1f67930434709505acbd1b74885efc28acd8c3c43885f12599e135594dcca89c96ccbd6b7a11689da945a
-
Filesize
7KB
MD591558993db22a43265c1b60e08393f62
SHA1639d84f56daa93a36852f8036b7a24ef94c55d9c
SHA25623e0c153c2fed6564748ee8b43ac4655d233ef4255308cda1bba5e3581e1d243
SHA512822cd6a8496ec2180abb237606b49b2e93e3562f52fa26b0ca85001c5a03d59952d51b3f7d9a8d1db11b89304226b56b26280c5d94a671fe4b5841317d50266c
-
Filesize
1024KB
MD56ae36b6de5c5f1eeac5f49dc48641c04
SHA1f0b4e0f67da9a245423eea527cdeb3fa400538c0
SHA25658d96a1665603ea8aaa0b7833b99709c5e117602b2bbb9fe49cd86f3c98977a3
SHA512a4c302cefd2f8522482a64927fe3459e2c81e52b0019a1358a68e2cce5c5d8953d1743d38ad74729f943790946f7b8e7f51589fa3668d28b10aee4b80f7c5180
-
Filesize
1024KB
MD512f2dd1d6f24e356a0d998aaaa689c06
SHA166c63cf80595ea470a326a3bf117c660b5b9b886
SHA256a70a224f49ce8542a62417f912647a95160332b0837cd73ea2ee666758bdce64
SHA5129e38f3a8307ce219d62051747148513b9784e22c032f5191bfa4f78cce4f765654aa3339757b421e808f9118ced9e6a61f8b98d75fcb0d953adfe79d32d0ebfb
-
Filesize
24B
MD5ae6fbded57f9f7d048b95468ddee47ca
SHA1c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize
7KB
MD511d3d2d2147fc99d983b349e198eea0e
SHA1076df9e59d45d1d26f479ecd65fa5c2fd60a1dc4
SHA256fe87a65850d9a20cdc91b28b9a87a1e38bd4125a5ed44f3f62a11b56fd9c0ccd
SHA512dfd55cce79d5aaaca66aa220bf9ba8b426dc267e25cb8bf6d5b9991c2b7b8a5198e9d792c0a3fad76ffb6c4dbeb528d2d7ea1ddd472703faa7e2735b2d40ea78
-
Filesize
7KB
MD5a319d2b62f21010c557bb7a9fe4d30c4
SHA1e746027131a46bdcdbb96ec0c0532ffe50d4ccbc
SHA256804c84389665c80b016743444f7f10578fb9a8e6ca5b01911e5263c13f23eec2
SHA5123cae67a081d2984962309cf849a266eade80ff35de31f968b49b46e6c2603b3889f3bc1d06708f27f926a5619057b0e140e0b0e0125892d78f4a243f909c234e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NZ8O90T\microsoft.windows[1].xml
Filesize97B
MD550323ba67d963c363ef60e6aeab84f86
SHA1ddd2f4c27709bd6d1b9b5013ff7131e201a7a5d4
SHA256dda3064131e00d7f5353cae85c17a613960b1b1ebc14d47a4a8562d0f1856992
SHA5127bee6b20726b6c7d90b782466b154bf1204f060fac75d2adf2706b907ae178eba3ac3e846aa86eb2cba55b3f2303dbaf92c84cad64bbaa7bc4f6dfee97c38e4f
-
Filesize
2.6MB
MD5993cc909a89f0fb7fe90acc3703c2105
SHA1f422cdcb426718b235a19080b0daf71c9b448768
SHA2564aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA5125ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762
