Analysis Overview
SHA256
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864
Threat Level: Known bad
The file fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864 was found to be: Known bad.
Malicious Activity Summary
Conti Ransomware
Modifies extensions of user files
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-02-24 04:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-24 04:34
Reported
2022-02-24 04:37
Platform
win7-20220223-en
Max time kernel
4294129s
Max time network
70s
Command Line
Signatures
Conti Ransomware
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe
"C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1149DF3-AE54-4EE9-BCEE-CE511C27908A}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1149DF3-AE54-4EE9-BCEE-CE511C27908A}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BEC0EF7A-E108-4EFA-9AF4-5483F01575F0}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BEC0EF7A-E108-4EFA-9AF4-5483F01575F0}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{86B2E83F-5949-43E7-8D5C-02E5DB9A2597}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{86B2E83F-5949-43E7-8D5C-02E5DB9A2597}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{876B2646-8203-4180-991B-357E0680BCA5}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{876B2646-8203-4180-991B-357E0680BCA5}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3DB70D32-1A0A-45BA-84D9-86717033C8AA}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3DB70D32-1A0A-45BA-84D9-86717033C8AA}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5BF16496-D54A-4C83-A621-7D085F197E64}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5BF16496-D54A-4C83-A621-7D085F197E64}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{01BBE0F8-B189-4267-BD9E-6F9EA279C313}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{01BBE0F8-B189-4267-BD9E-6F9EA279C313}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D06E5EDB-EE72-4D11-ABAA-3B9C8FF4EC49}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D06E5EDB-EE72-4D11-ABAA-3B9C8FF4EC49}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{60BD1EFE-0BC5-43B4-84EF-6930D143E4D5}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{60BD1EFE-0BC5-43B4-84EF-6930D143E4D5}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C59C3E0-4497-4E68-9426-EAFC92BD201B}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C59C3E0-4497-4E68-9426-EAFC92BD201B}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A3E2EA4-9B2A-42D1-AD09-4586ABF7C3C6}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A3E2EA4-9B2A-42D1-AD09-4586ABF7C3C6}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3D81C57E-336D-4EBC-9B80-FE8898FB2D56}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3D81C57E-336D-4EBC-9B80-FE8898FB2D56}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D8F658FB-FC15-4500-BDCA-AAB9C7CFFD2D}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D8F658FB-FC15-4500-BDCA-AAB9C7CFFD2D}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9BC8246D-5143-4ECC-B0F6-AF03E83988E0}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9BC8246D-5143-4ECC-B0F6-AF03E83988E0}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5BE46B25-37D2-4E84-9CA3-8F996320A598}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5BE46B25-37D2-4E84-9CA3-8F996320A598}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D9115636-BA17-4414-AFA8-58247E4D1427}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D9115636-BA17-4414-AFA8-58247E4D1427}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84665CE5-6D4D-4B10-A8C6-89E1FE7FD410}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84665CE5-6D4D-4B10-A8C6-89E1FE7FD410}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5A99DEE-33FD-49D4-8F16-70AF77C9CB3A}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5A99DEE-33FD-49D4-8F16-70AF77C9CB3A}'" delete
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Proto | Domain |
|---|---|---|---|
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.39:445 | tcp | |
| N/A | 10.127.0.61:445 | tcp | |
| N/A | 10.127.0.40:445 | tcp | |
| N/A | 10.127.0.44:445 | tcp | |
| N/A | 10.127.0.29:445 | tcp | |
| N/A | 10.127.0.42:445 | tcp | |
| N/A | 10.127.0.19:445 | tcp | |
| N/A | 10.127.0.48:445 | tcp | |
| N/A | 10.127.0.28:445 | tcp | |
| N/A | 10.127.0.8:445 | tcp | |
| N/A | 10.127.0.35:445 | tcp | |
| N/A | 10.127.0.46:445 | tcp | |
| N/A | 10.127.0.60:445 | tcp | |
| N/A | 10.127.0.63:445 | tcp | |
| N/A | 10.127.0.22:445 | tcp | |
| N/A | 10.127.0.26:445 | tcp | |
| N/A | 10.127.0.14:445 | tcp | |
| N/A | 10.127.0.37:445 | tcp | |
| N/A | 10.127.0.45:445 | tcp | |
| N/A | 10.127.0.56:445 | tcp | |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.53:445 | tcp | |
| N/A | 10.127.0.0:445 | tcp | |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.7:445 | tcp | |
| N/A | 10.127.0.9:445 | tcp | |
| N/A | 10.127.0.10:445 | tcp | |
| N/A | 10.127.0.11:445 | tcp | |
| N/A | 10.127.0.12:445 | tcp | |
| N/A | 10.127.0.13:445 | tcp | |
| N/A | 10.127.0.15:445 | tcp | |
| N/A | 10.127.0.16:445 | tcp | |
| N/A | 10.127.0.17:445 | tcp | |
| N/A | 10.127.0.18:445 | tcp | |
| N/A | 10.127.0.20:445 | tcp | |
| N/A | 10.127.0.21:445 | tcp | |
| N/A | 10.127.0.23:445 | tcp | |
| N/A | 10.127.0.24:445 | tcp | |
| N/A | 10.127.0.25:445 | tcp | |
| N/A | 10.127.0.27:445 | tcp | |
| N/A | 10.127.0.30:445 | tcp | |
| N/A | 10.127.0.31:445 | tcp | |
| N/A | 10.127.0.32:445 | tcp | |
| N/A | 10.127.0.33:445 | tcp | |
| N/A | 10.127.0.34:445 | tcp | |
| N/A | 10.127.0.36:445 | tcp | |
| N/A | 10.127.0.38:445 | tcp | |
| N/A | 10.127.0.41:445 | tcp | |
| N/A | 10.127.0.43:445 | tcp | |
| N/A | 10.127.0.47:445 | tcp | |
| N/A | 10.127.0.49:445 | tcp | |
| N/A | 10.127.0.50:445 | tcp | |
| N/A | 10.127.0.51:445 | tcp | |
| N/A | 10.127.0.52:445 | tcp | |
| N/A | 10.127.0.54:445 | tcp | |
| N/A | 10.127.0.55:445 | tcp | |
| N/A | 10.127.0.57:445 | tcp | |
| N/A | 10.127.0.58:445 | tcp | |
| N/A | 10.127.0.59:445 | tcp | |
| N/A | 10.127.0.62:445 | tcp | |
| N/A | 10.127.0.64:445 | tcp | |
| N/A | 10.127.0.65:445 | tcp | |
| N/A | 10.127.0.66:445 | tcp | |
| N/A | 10.127.0.67:445 | tcp | |
| N/A | 10.127.0.68:445 | tcp | |
| N/A | 10.127.0.69:445 | tcp | |
| N/A | 10.127.0.70:445 | tcp | |
| N/A | 10.127.0.71:445 | tcp | |
| N/A | 10.127.0.72:445 | tcp | |
| N/A | 10.127.0.73:445 | tcp | |
| N/A | 10.127.0.74:445 | tcp | |
| N/A | 10.127.0.75:445 | tcp | |
| N/A | 10.127.0.76:445 | tcp | |
| N/A | 10.127.0.77:445 | tcp | |
| N/A | 10.127.0.78:445 | tcp | |
| N/A | 10.127.0.79:445 | tcp | |
| N/A | 10.127.0.80:445 | tcp | |
| N/A | 10.127.0.81:445 | tcp | |
| N/A | 10.127.0.82:445 | tcp | |
| N/A | 10.127.0.83:445 | tcp | |
| N/A | 10.127.0.84:445 | tcp | |
| N/A | 10.127.0.85:445 | tcp | |
| N/A | 10.127.0.86:445 | tcp | |
| N/A | 10.127.0.87:445 | tcp | |
| N/A | 10.127.0.88:445 | tcp | |
| N/A | 10.127.0.89:445 | tcp | |
| N/A | 10.127.0.90:445 | tcp | |
| N/A | 10.127.0.91:445 | tcp | |
| N/A | 10.127.0.92:445 | tcp | |
| N/A | 10.127.0.93:445 | tcp | |
| N/A | 10.127.0.94:445 | tcp | |
| N/A | 10.127.0.95:445 | tcp | |
| N/A | 10.127.0.96:445 | tcp | |
| N/A | 10.127.0.97:445 | tcp | |
| N/A | 10.127.0.98:445 | tcp | |
| N/A | 10.127.0.99:445 | tcp | |
| N/A | 10.127.0.100:445 | tcp | |
| N/A | 10.127.0.101:445 | tcp | |
| N/A | 10.127.0.102:445 | tcp | |
| N/A | 10.127.0.103:445 | tcp | |
| N/A | 10.127.0.104:445 | tcp | |
| N/A | 10.127.0.105:445 | tcp | |
| N/A | 10.127.0.106:445 | tcp | |
| N/A | 10.127.0.107:445 | tcp | |
| N/A | 10.127.0.108:445 | tcp | |
| N/A | 10.127.0.109:445 | tcp | |
| N/A | 10.127.0.110:445 | tcp | |
| N/A | 10.127.0.111:445 | tcp | |
| N/A | 10.127.0.112:445 | tcp | |
| N/A | 10.127.0.113:445 | tcp | |
| N/A | 10.127.0.114:445 | tcp | |
| N/A | 10.127.0.115:445 | tcp | |
| N/A | 10.127.0.116:445 | tcp | |
| N/A | 10.127.0.117:445 | tcp | |
| N/A | 10.127.0.118:445 | tcp | |
| N/A | 10.127.0.119:445 | tcp | |
| N/A | 10.127.0.120:445 | tcp | |
| N/A | 10.127.0.121:445 | tcp | |
| N/A | 10.127.0.122:445 | tcp | |
| N/A | 10.127.0.123:445 | tcp | |
| N/A | 10.127.0.124:445 | tcp | |
| N/A | 10.127.0.125:445 | tcp | |
| N/A | 10.127.0.126:445 | tcp | |
| N/A | 10.127.0.127:445 | tcp | |
| N/A | 10.127.0.128:445 | tcp | |
| N/A | 10.127.0.129:445 | tcp | |
| N/A | 10.127.0.130:445 | tcp | |
| N/A | 10.127.0.131:445 | tcp | |
| N/A | 10.127.0.132:445 | tcp | |
| N/A | 10.127.0.133:445 | tcp | |
| N/A | 10.127.0.134:445 | tcp | |
| N/A | 10.127.0.135:445 | tcp | |
| N/A | 10.127.0.136:445 | tcp | |
| N/A | 10.127.0.137:445 | tcp | |
| N/A | 10.127.0.138:445 | tcp | |
| N/A | 10.127.0.139:445 | tcp | |
| N/A | 10.127.0.140:445 | tcp | |
| N/A | 10.127.0.141:445 | tcp | |
| N/A | 10.127.0.142:445 | tcp | |
| N/A | 10.127.0.143:445 | tcp | |
| N/A | 10.127.0.144:445 | tcp | |
| N/A | 10.127.0.145:445 | tcp | |
| N/A | 10.127.0.146:445 | tcp | |
| N/A | 10.127.0.147:445 | tcp | |
| N/A | 10.127.0.148:445 | tcp | |
| N/A | 10.127.0.149:445 | tcp | |
| N/A | 10.127.0.150:445 | tcp | |
| N/A | 10.127.0.151:445 | tcp | |
| N/A | 10.127.0.152:445 | tcp | |
| N/A | 10.127.0.153:445 | tcp | |
| N/A | 10.127.0.154:445 | tcp | |
| N/A | 10.127.0.155:445 | tcp | |
| N/A | 10.127.0.156:445 | tcp | |
| N/A | 10.127.0.157:445 | tcp | |
| N/A | 10.127.0.158:445 | tcp | |
| N/A | 10.127.0.159:445 | tcp | |
| N/A | 10.127.0.160:445 | tcp | |
| N/A | 10.127.0.161:445 | tcp | |
| N/A | 10.127.0.162:445 | tcp | |
| N/A | 10.127.0.163:445 | tcp | |
| N/A | 10.127.0.164:445 | tcp | |
| N/A | 10.127.0.165:445 | tcp | |
| N/A | 10.127.0.166:445 | tcp | |
| N/A | 10.127.0.167:445 | tcp | |
| N/A | 10.127.0.168:445 | tcp | |
| N/A | 10.127.0.169:445 | tcp | |
| N/A | 10.127.0.170:445 | tcp | |
| N/A | 10.127.0.171:445 | tcp | |
| N/A | 10.127.0.172:445 | tcp | |
| N/A | 10.127.0.173:445 | tcp | |
| N/A | 10.127.0.174:445 | tcp | |
| N/A | 10.127.0.175:445 | tcp | |
| N/A | 10.127.0.176:445 | tcp | |
| N/A | 10.127.0.177:445 | tcp | |
| N/A | 10.127.0.178:445 | tcp | |
| N/A | 10.127.0.179:445 | tcp | |
| N/A | 10.127.0.180:445 | tcp | |
| N/A | 10.127.0.181:445 | tcp | |
| N/A | 10.127.0.182:445 | tcp | |
| N/A | 10.127.0.183:445 | tcp | |
| N/A | 10.127.0.184:445 | tcp | |
| N/A | 10.127.0.185:445 | tcp | |
| N/A | 10.127.0.186:445 | tcp | |
| N/A | 10.127.0.187:445 | tcp | |
| N/A | 10.127.0.188:445 | tcp | |
| N/A | 10.127.0.189:445 | tcp | |
| N/A | 10.127.0.190:445 | tcp | |
| N/A | 10.127.0.191:445 | tcp | |
| N/A | 10.127.0.192:445 | tcp | |
| N/A | 10.127.0.193:445 | tcp | |
| N/A | 10.127.0.194:445 | tcp | |
| N/A | 10.127.0.195:445 | tcp | |
| N/A | 10.127.0.196:445 | tcp | |
| N/A | 10.127.0.197:445 | tcp | |
| N/A | 10.127.0.198:445 | tcp | |
| N/A | 10.127.0.199:445 | tcp | |
| N/A | 10.127.0.200:445 | tcp | |
| N/A | 10.127.0.201:445 | tcp | |
| N/A | 10.127.0.202:445 | tcp | |
| N/A | 10.127.0.203:445 | tcp | |
| N/A | 10.127.0.204:445 | tcp | |
| N/A | 10.127.0.205:445 | tcp | |
| N/A | 10.127.0.206:445 | tcp | |
| N/A | 10.127.0.207:445 | tcp | |
| N/A | 10.127.0.208:445 | tcp | |
| N/A | 10.127.0.209:445 | tcp | |
| N/A | 10.127.0.210:445 | tcp | |
| N/A | 10.127.0.211:445 | tcp | |
| N/A | 10.127.0.212:445 | tcp | |
| N/A | 10.127.0.213:445 | tcp | |
| N/A | 10.127.0.214:445 | tcp | |
| N/A | 10.127.0.215:445 | tcp | |
| N/A | 10.127.0.216:445 | tcp | |
| N/A | 10.127.0.217:445 | tcp | |
| N/A | 10.127.0.218:445 | tcp | |
| N/A | 10.127.0.219:445 | tcp | |
| N/A | 10.127.0.220:445 | tcp | |
| N/A | 10.127.0.221:445 | tcp | |
| N/A | 10.127.0.222:445 | tcp | |
| N/A | 10.127.0.223:445 | tcp | |
| N/A | 10.127.0.224:445 | tcp | |
| N/A | 10.127.0.225:445 | tcp | |
| N/A | 10.127.0.226:445 | tcp | |
| N/A | 10.127.0.227:445 | tcp | |
| N/A | 10.127.0.228:445 | tcp | |
| N/A | 10.127.0.229:445 | tcp | |
| N/A | 10.127.0.230:445 | tcp | |
| N/A | 10.127.0.231:445 | tcp | |
| N/A | 10.127.0.232:445 | tcp | |
| N/A | 10.127.0.233:445 | tcp | |
| N/A | 10.127.0.234:445 | tcp | |
| N/A | 10.127.0.235:445 | tcp | |
| N/A | 10.127.0.236:445 | tcp | |
| N/A | 10.127.0.237:445 | tcp | |
| N/A | 10.127.0.238:445 | tcp | |
| N/A | 10.127.0.239:445 | tcp | |
| N/A | 10.127.0.240:445 | tcp | |
| N/A | 10.127.0.241:445 | tcp | |
| N/A | 10.127.0.242:445 | tcp | |
| N/A | 10.127.0.243:445 | tcp | |
| N/A | 10.127.0.244:445 | tcp | |
| N/A | 10.127.0.245:445 | tcp | |
| N/A | 10.127.0.246:445 | tcp | |
| N/A | 10.127.0.247:445 | tcp | |
| N/A | 10.127.0.248:445 | tcp | |
| N/A | 10.127.0.249:445 | tcp | |
| N/A | 10.127.0.250:445 | tcp | |
| N/A | 10.127.0.251:445 | tcp | |
| N/A | 10.127.0.252:445 | tcp | |
| N/A | 10.127.0.253:445 | tcp | |
| N/A | 10.127.0.254:445 | tcp | |
| N/A | 10.127.255.0:445 | tcp | |
| N/A | 10.127.255.1:445 | tcp | |
| N/A | 10.127.255.2:445 | tcp | |
| N/A | 10.127.255.3:445 | tcp | |
| N/A | 10.127.255.4:445 | tcp | |
| N/A | 10.127.255.5:445 | tcp | |
| N/A | 10.127.255.6:445 | tcp | |
| N/A | 10.127.255.7:445 | tcp | |
| N/A | 10.127.255.8:445 | tcp | |
| N/A | 10.127.255.9:445 | tcp | |
| N/A | 10.127.255.10:445 | tcp | |
| N/A | 10.127.255.11:445 | tcp | |
| N/A | 10.127.255.12:445 | tcp | |
| N/A | 10.127.255.13:445 | tcp | |
| N/A | 10.127.255.14:445 | tcp | |
| N/A | 10.127.255.15:445 | tcp | |
| N/A | 10.127.255.16:445 | tcp | |
| N/A | 10.127.255.17:445 | tcp | |
| N/A | 10.127.255.18:445 | tcp | |
| N/A | 10.127.255.19:445 | tcp | |
| N/A | 10.127.255.20:445 | tcp | |
| N/A | 10.127.255.21:445 | tcp | |
| N/A | 10.127.255.22:445 | tcp | |
| N/A | 10.127.255.23:445 | tcp | |
| N/A | 10.127.255.24:445 | tcp | |
| N/A | 10.127.255.25:445 | tcp | |
| N/A | 10.127.255.26:445 | tcp | |
| N/A | 10.127.255.27:445 | tcp | |
| N/A | 10.127.255.28:445 | tcp | |
| N/A | 10.127.255.29:445 | tcp | |
| N/A | 10.127.255.30:445 | tcp | |
| N/A | 10.127.255.31:445 | tcp | |
| N/A | 10.127.255.32:445 | tcp | |
| N/A | 10.127.255.33:445 | tcp | |
| N/A | 10.127.255.34:445 | tcp | |
| N/A | 10.127.255.35:445 | tcp | |
| N/A | 10.127.255.36:445 | tcp | |
| N/A | 10.127.255.37:445 | tcp | |
| N/A | 10.127.255.38:445 | tcp | |
| N/A | 10.127.255.39:445 | tcp | |
| N/A | 10.127.255.40:445 | tcp | |
| N/A | 10.127.255.41:445 | tcp | |
| N/A | 10.127.255.42:445 | tcp | |
| N/A | 10.127.255.43:445 | tcp | |
| N/A | 10.127.255.44:445 | tcp | |
| N/A | 10.127.255.45:445 | tcp | |
| N/A | 10.127.255.46:445 | tcp | |
| N/A | 10.127.255.47:445 | tcp | |
| N/A | 10.127.255.48:445 | tcp | |
| N/A | 10.127.255.49:445 | tcp | |
| N/A | 10.127.255.50:445 | tcp | |
| N/A | 10.127.255.51:445 | tcp | |
| N/A | 10.127.255.52:445 | tcp | |
| N/A | 10.127.255.53:445 | tcp | |
| N/A | 10.127.255.54:445 | tcp | |
| N/A | 10.127.255.55:445 | tcp | |
| N/A | 10.127.255.56:445 | tcp | |
| N/A | 10.127.255.57:445 | tcp | |
| N/A | 10.127.255.58:445 | tcp | |
| N/A | 10.127.255.59:445 | tcp | |
| N/A | 10.127.255.60:445 | tcp | |
| N/A | 10.127.255.61:445 | tcp | |
| N/A | 10.127.255.62:445 | tcp | |
| N/A | 10.127.255.63:445 | tcp | |
| N/A | 10.127.255.64:445 | tcp | |
| N/A | 10.127.255.65:445 | tcp | |
| N/A | 10.127.255.66:445 | tcp | |
| N/A | 10.127.255.67:445 | tcp | |
| N/A | 10.127.255.68:445 | tcp | |
| N/A | 10.127.255.69:445 | tcp | |
| N/A | 10.127.255.70:445 | tcp | |
| N/A | 10.127.255.71:445 | tcp | |
| N/A | 10.127.255.72:445 | tcp | |
| N/A | 10.127.255.73:445 | tcp | |
| N/A | 10.127.255.74:445 | tcp | |
| N/A | 10.127.255.75:445 | tcp | |
| N/A | 10.127.255.76:445 | tcp | |
| N/A | 10.127.255.77:445 | tcp | |
| N/A | 10.127.255.78:445 | tcp | |
| N/A | 10.127.255.79:445 | tcp | |
| N/A | 10.127.255.80:445 | tcp | |
| N/A | 10.127.255.81:445 | tcp | |
| N/A | 10.127.255.82:445 | tcp | |
| N/A | 10.127.255.83:445 | tcp | |
| N/A | 10.127.255.84:445 | tcp | |
| N/A | 10.127.255.85:445 | tcp | |
| N/A | 10.127.255.86:445 | tcp | |
| N/A | 10.127.255.87:445 | tcp | |
| N/A | 10.127.255.88:445 | tcp | |
| N/A | 10.127.255.89:445 | tcp | |
| N/A | 10.127.255.90:445 | tcp | |
| N/A | 10.127.255.91:445 | tcp | |
| N/A | 10.127.255.92:445 | tcp | |
| N/A | 10.127.255.93:445 | tcp | |
| N/A | 10.127.255.94:445 | tcp | |
| N/A | 10.127.255.95:445 | tcp | |
| N/A | 10.127.255.96:445 | tcp | |
| N/A | 10.127.255.97:445 | tcp | |
| N/A | 10.127.255.98:445 | tcp | |
| N/A | 10.127.255.99:445 | tcp | |
| N/A | 10.127.255.100:445 | tcp | |
| N/A | 10.127.255.101:445 | tcp | |
| N/A | 10.127.255.102:445 | tcp | |
| N/A | 10.127.255.103:445 | tcp | |
| N/A | 10.127.255.104:445 | tcp | |
| N/A | 10.127.255.105:445 | tcp | |
| N/A | 10.127.255.106:445 | tcp | |
| N/A | 10.127.255.107:445 | tcp | |
| N/A | 10.127.255.108:445 | tcp | |
| N/A | 10.127.255.109:445 | tcp | |
| N/A | 10.127.255.110:445 | tcp | |
| N/A | 10.127.255.111:445 | tcp | |
| N/A | 10.127.255.112:445 | tcp | |
| N/A | 10.127.255.113:445 | tcp | |
| N/A | 10.127.255.114:445 | tcp | |
| N/A | 10.127.255.115:445 | tcp | |
| N/A | 10.127.255.116:445 | tcp | |
| N/A | 10.127.255.117:445 | tcp | |
| N/A | 10.127.255.118:445 | tcp | |
| N/A | 10.127.255.119:445 | tcp | |
| N/A | 10.127.255.120:445 | tcp | |
| N/A | 10.127.255.121:445 | tcp | |
| N/A | 10.127.255.122:445 | tcp | |
| N/A | 10.127.255.123:445 | tcp | |
| N/A | 10.127.255.124:445 | tcp | |
| N/A | 10.127.255.125:445 | tcp | |
| N/A | 10.127.255.126:445 | tcp | |
| N/A | 10.127.255.127:445 | tcp | |
| N/A | 10.127.255.128:445 | tcp | |
| N/A | 10.127.255.129:445 | tcp | |
| N/A | 10.127.255.130:445 | tcp | |
| N/A | 10.127.255.131:445 | tcp | |
| N/A | 10.127.255.132:445 | tcp | |
| N/A | 10.127.255.133:445 | tcp | |
| N/A | 10.127.255.134:445 | tcp | |
| N/A | 10.127.255.135:445 | tcp | |
| N/A | 10.127.255.136:445 | tcp | |
| N/A | 10.127.255.137:445 | tcp | |
| N/A | 10.127.255.138:445 | tcp | |
| N/A | 10.127.255.139:445 | tcp | |
| N/A | 10.127.255.140:445 | tcp | |
| N/A | 10.127.255.141:445 | tcp | |
| N/A | 10.127.255.142:445 | tcp | |
| N/A | 10.127.255.143:445 | tcp | |
| N/A | 10.127.255.144:445 | tcp | |
| N/A | 10.127.255.145:445 | tcp | |
| N/A | 10.127.255.146:445 | tcp | |
| N/A | 10.127.255.147:445 | tcp | |
| N/A | 10.127.255.148:445 | tcp | |
| N/A | 10.127.255.149:445 | tcp | |
| N/A | 10.127.255.150:445 | tcp | |
| N/A | 10.127.255.151:445 | tcp | |
| N/A | 10.127.255.152:445 | tcp | |
| N/A | 10.127.255.153:445 | tcp | |
| N/A | 10.127.255.154:445 | tcp | |
| N/A | 10.127.255.155:445 | tcp | |
| N/A | 10.127.255.156:445 | tcp | |
| N/A | 10.127.255.157:445 | tcp | |
| N/A | 10.127.255.158:445 | tcp | |
| N/A | 10.127.255.159:445 | tcp | |
| N/A | 10.127.255.160:445 | tcp | |
| N/A | 10.127.255.161:445 | tcp | |
| N/A | 10.127.255.162:445 | tcp | |
| N/A | 10.127.255.163:445 | tcp | |
| N/A | 10.127.255.164:445 | tcp | |
| N/A | 10.127.255.165:445 | tcp | |
| N/A | 10.127.255.166:445 | tcp | |
| N/A | 10.127.255.167:445 | tcp | |
| N/A | 10.127.255.168:445 | tcp | |
| N/A | 10.127.255.169:445 | tcp | |
| N/A | 10.127.255.170:445 | tcp | |
| N/A | 10.127.255.171:445 | tcp | |
| N/A | 10.127.255.172:445 | tcp | |
| N/A | 10.127.255.173:445 | tcp | |
| N/A | 10.127.255.174:445 | tcp | |
| N/A | 10.127.255.175:445 | tcp | |
| N/A | 10.127.255.176:445 | tcp | |
| N/A | 10.127.255.177:445 | tcp | |
| N/A | 10.127.255.178:445 | tcp | |
| N/A | 10.127.255.179:445 | tcp | |
| N/A | 10.127.255.180:445 | tcp | |
| N/A | 10.127.255.181:445 | tcp | |
| N/A | 10.127.255.182:445 | tcp | |
| N/A | 10.127.255.183:445 | tcp | |
| N/A | 10.127.255.184:445 | tcp | |
| N/A | 10.127.255.185:445 | tcp | |
| N/A | 10.127.255.186:445 | tcp | |
| N/A | 10.127.255.187:445 | tcp | |
| N/A | 10.127.255.188:445 | tcp | |
| N/A | 10.127.255.189:445 | tcp | |
| N/A | 10.127.255.190:445 | tcp | |
| N/A | 10.127.255.191:445 | tcp | |
| N/A | 10.127.255.192:445 | tcp | |
| N/A | 10.127.255.193:445 | tcp | |
| N/A | 10.127.255.194:445 | tcp | |
| N/A | 10.127.255.195:445 | tcp | |
| N/A | 10.127.255.196:445 | tcp | |
| N/A | 10.127.255.197:445 | tcp | |
| N/A | 10.127.255.198:445 | tcp | |
| N/A | 10.127.255.199:445 | tcp | |
| N/A | 10.127.255.200:445 | tcp | |
| N/A | 10.127.255.201:445 | tcp | |
| N/A | 10.127.255.202:445 | tcp | |
| N/A | 10.127.255.203:445 | tcp | |
| N/A | 10.127.255.204:445 | tcp | |
| N/A | 10.127.255.205:445 | tcp | |
| N/A | 10.127.255.206:445 | tcp | |
| N/A | 10.127.255.207:445 | tcp | |
| N/A | 10.127.255.208:445 | tcp | |
| N/A | 10.127.255.209:445 | tcp | |
| N/A | 10.127.255.210:445 | tcp | |
| N/A | 10.127.255.211:445 | tcp | |
| N/A | 10.127.255.212:445 | tcp | |
| N/A | 10.127.255.213:445 | tcp | |
| N/A | 10.127.255.214:445 | tcp | |
| N/A | 10.127.255.215:445 | tcp | |
| N/A | 10.127.255.216:445 | tcp | |
| N/A | 10.127.255.217:445 | tcp | |
| N/A | 10.127.255.218:445 | tcp | |
| N/A | 10.127.255.219:445 | tcp | |
| N/A | 10.127.255.220:445 | tcp | |
| N/A | 10.127.255.221:445 | tcp | |
| N/A | 10.127.255.222:445 | tcp | |
| N/A | 10.127.255.223:445 | tcp | |
| N/A | 10.127.255.224:445 | tcp | |
| N/A | 10.127.255.225:445 | tcp | |
| N/A | 10.127.255.226:445 | tcp | |
| N/A | 10.127.255.227:445 | tcp | |
| N/A | 10.127.255.228:445 | tcp | |
| N/A | 10.127.255.229:445 | tcp | |
| N/A | 10.127.255.230:445 | tcp | |
| N/A | 10.127.255.231:445 | tcp | |
| N/A | 10.127.255.232:445 | tcp | |
| N/A | 10.127.255.233:445 | tcp | |
| N/A | 10.127.255.234:445 | tcp | |
| N/A | 10.127.255.235:445 | tcp | |
| N/A | 10.127.255.236:445 | tcp | |
| N/A | 10.127.255.237:445 | tcp | |
| N/A | 10.127.255.238:445 | tcp | |
| N/A | 10.127.255.239:445 | tcp | |
| N/A | 10.127.255.240:445 | tcp | |
| N/A | 10.127.255.241:445 | tcp | |
| N/A | 10.127.255.242:445 | tcp | |
| N/A | 10.127.255.243:445 | tcp | |
| N/A | 10.127.255.244:445 | tcp | |
| N/A | 10.127.255.245:445 | tcp | |
| N/A | 10.127.255.246:445 | tcp | |
| N/A | 10.127.255.247:445 | tcp | |
| N/A | 10.127.255.248:445 | tcp | |
| N/A | 10.127.255.249:445 | tcp | |
| N/A | 10.127.255.250:445 | tcp | |
| N/A | 10.127.255.251:445 | tcp | |
| N/A | 10.127.255.252:445 | tcp | |
| N/A | 10.127.255.253:445 | tcp | |
| N/A | 10.127.255.254:445 | tcp | |
Files
memory/1828-54-0x0000000076271000-0x0000000076273000-memory.dmp
memory/1900-55-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp
memory/1900-56-0x00000000028C0000-0x00000000028C1000-memory.dmp
memory/1100-58-0x0000000002760000-0x0000000002761000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-24 04:34
Reported
2022-02-24 04:41
Platform
win10v2004-en-20220112
Max time kernel
390s
Max time network
385s
Command Line
Signatures
Conti Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Pictures\BlockResolve.tiff | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockResolve.tiff => C:\Users\Admin\Pictures\BlockResolve.tiff.RZQNV | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GroupTest.raw => C:\Users\Admin\Pictures\GroupTest.raw.RZQNV | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResolveReceive.tiff | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveReceive.tiff => C:\Users\Admin\Pictures\ResolveReceive.tiff.RZQNV | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartResize.raw => C:\Users\Admin\Pictures\StartResize.raw.RZQNV | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FindCompress.raw => C:\Users\Admin\Pictures\FindCompress.raw.RZQNV | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatSearch.tiff | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FormatSearch.tiff => C:\Users\Admin\Pictures\FormatSearch.tiff.RZQNV | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingExit.raw => C:\Users\Admin\Pictures\PingExit.raw.RZQNV | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingReceive.raw => C:\Users\Admin\Pictures\PingReceive.raw.RZQNV | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
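Every rename in the table above appends the same suffix, .RZQNV, and every row is attributed to the sample process, which is the pattern to pivot on when pulling an extension IOC out of file telemetry. As an added example that is not part of this report, the Python below rebuilds those rows, infers the appended extension from the rename events, and tallies which original file types were hit. The two explorer.exe noise rows and the function names are constructed for the example and do not appear in the report.

```python
"""Infer a ransomware-appended extension from sandbox file-rename telemetry."""
import ntpath
import re
from collections import Counter

# Hypothetical analyst script. The rows are rebuilt from the report's
# "Modifies extensions of user files" table, plus two constructed noise rows
# (explorer.exe renames) that are NOT in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe")
PICS = r"C:\Users\Admin\Pictures"
RENAMED = ["BlockResolve.tiff", "GroupTest.raw", "ResolveReceive.tiff", "StartResize.raw",
           "FindCompress.raw", "FormatSearch.tiff", "PingExit.raw", "PingReceive.raw"]

REPORT_ROWS = [f"| File opened for modification | {PICS}\\{n} | {SAMPLE} | N/A |"
               for n in RENAMED if n.endswith(".tiff")]
REPORT_ROWS += [f"| File renamed | {PICS}\\{n} => {PICS}\\{n}.RZQNV | {SAMPLE} | N/A |"
                for n in RENAMED]
# Constructed noise rows (not from the report): a plain rename and one stray ".bak" rename.
REPORT_ROWS += [
    r"| File renamed | C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\final.docx | C:\Windows\explorer.exe | N/A |",
    r"| File renamed | C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.txt.bak | C:\Windows\explorer.exe | N/A |",
]

RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")


def parse_rows(rows):
    """Yield (description, indicator, process) from pipe-delimited report rows."""
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def rename_pairs(rows):
    """Return (src, dst, process) for every 'File renamed' row."""
    pairs = []
    for desc, indicator, proc in parse_rows(rows):
        m = RENAME_RE.match(indicator) if desc == "File renamed" else None
        if m:
            pairs.append((m.group("src"), m.group("dst"), proc))
    return pairs


def appended_suffix(src, dst):
    """Text appended to src to produce dst, or None if dst is not src plus a suffix."""
    return dst[len(src):] if dst.startswith(src) and len(dst) > len(src) else None


def infer_extension(rows, min_files=3):
    """Dominant appended extension as (suffix, file_count, [processes]), or None.

    A ransomware run shows one new suffix appended to many files by one process;
    min_files keeps a single stray '.bak' rename from being reported as an IOC.
    """
    counts, procs = Counter(), {}
    for src, dst, proc in rename_pairs(rows):
        suf = appended_suffix(src, dst)
        if suf and suf.startswith("."):
            counts[suf] += 1
            procs.setdefault(suf, set()).add(proc)
    if not counts:
        return None
    suf, n = counts.most_common(1)[0]
    return (suf, n, sorted(procs[suf])) if n >= min_files else None


def original_extensions(rows, suffix):
    """Count the original extensions of files that received `suffix` (victim file types)."""
    exts = Counter()
    for src, dst, _ in rename_pairs(rows):
        if appended_suffix(src, dst) == suffix:
            exts[ntpath.splitext(src)[1].lower()] += 1
    return dict(exts)


if __name__ == "__main__":
    found = infer_extension(REPORT_ROWS)
    if found:
        suf, n, procs = found
        print(f"appended extension {suf!r} on {n} files by {procs}")
        print("victim file types:", original_extensions(REPORT_ROWS, suf))
```

On the report's rows this yields .RZQNV on 8 files from the sample process (3 .tiff, 5 .raw) and ignores the constructed explorer.exe renames; the min_files floor is what stops a single backup-style rename from being promoted to an indicator.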
Drops file in Program Files directory
Modifies registry class
Every row in this table is written by ShellExperienceHost.exe into its own AppContainer-isolated Speech_OneCore storage (voice tokens, phone converters, recognizer settings). That is routine Windows 10 shell initialisation on the win10v2004 image, not activity of the sample, so none of these keys should be lifted as indicators for this binary.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "11.0.2016.0129" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Spanish Phone Converter" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Microsoft Zira - English (United States)" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Microsoft Speech HW Voice Activation - English (United States)" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = 4f12242f895bd461c879f1e773d97c8ee816e4b5a37737ac6216dd9bb9e3a2bb | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "SR en-US Lookup Lexicon" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Universal Phone Converter" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "{06405088-BC01-4E08-B392-5303E75090C8}" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "German Phone Converter" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "404" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "SR en-US Locale Handler" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "L1033" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Microsoft David" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "CC" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Microsoft Speech SW Voice Activation - English (United States)" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "SW" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "804" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Japanese Phone Converter" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "40A;C0A" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "0" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Microsoft Speech Recognition Engine - en-US Embedded DNN v11.1" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Discrete;Continuous" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_enUS_DavidM" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Microsoft" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "11.0.2013.1022" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Microsoft David - English (United States)" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "1033" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "French Phone Converter" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "40C" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "409;9" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "Near" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "You have selected %1 as the default voice." | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "409" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "SpeechUXPlugin" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\gOKOaC3JXH3zT7 = "SR en-US Lts Lexicon" | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | N/A |
Suspicious use of AdjustPrivilegeToken
vssvc.exe is the Volume Shadow Copy service. WMIC.exe enables this broad privilege set (the same 21 privileges, listed twice below) whenever it runs, so the sweep on its own only shows that wmic was launched; the shadow-copy service starting alongside it is what is consistent with shadow-copy enumeration or deletion, a standard ransomware step. The Command Line field above is empty, so the exact wmic invocation cannot be confirmed from this report; corroborate it from the process tree or a process-creation event (for example Sysmon Event ID 1) before recording it as shadow-copy deletion.
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3044 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 2740 wrote to memory of 2156 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
| PID 2740 wrote to memory of 2156 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe
"C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\readme.txt
Network
| Country | Destination | Domain | Proto |
Files
C:\readme.txt
| MD5 | 35c0e8aacd17e72c2b25418a0bcf8db4 |
| SHA1 | 5696937d407e02ec0c54c4fb0c226ca829850c0e |
| SHA256 | 1bf3c7a175f42b83f4ee18b1f66a5657424f10bd1422204742ea75eff593a9d6 |
| SHA512 | 24f9424537b0e1fcfc7012fd6c23d632874bc673c745ada672007e5c0d0caccd2c0e137da5d658ccd582a498b0bc777f45a23eae9c06a8c72eef8d4b061c2ada |