dearcry | 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da

Resubmissions

28/02/2024, 18:31

240228-w6jpgsah67 10

28/02/2024, 18:30

11/01/2024, 08:38

11/01/2024, 08:35

26/07/2021, 12:39

Analysis

max time kernel
54s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
Size

1.3MB
MD5

9f05994819a3d8c1a3769352c7c39d1d
SHA1

eb2457196e04dfdd54f70bd32ed02ae854d45bc0
SHA256

10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
SHA512

32cac848f47a0096773435c6365fcbd6bdb02115aae2677aec5a86031b6def938033210fdcf0e12f735aa5ceb8cd4be5f7edb5cdc437bbca61f0d79196ec9be8
SSDEEP

24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkzVZgMCST:L7XP7P9o5QzUtl1fpxkzVZgMCA

Score

10^/10

dearcry persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 2133c369fb115ea61eebd7b62768decf

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Renames multiple (6935) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 60 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	explorer.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1232405761-1209240240-3206092754-1000\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.FileSystem.Primitives.dll	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationClient.resources.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\verify.dll	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-125.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60_altform-lightunplated.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-100.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_core.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.scale-200.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\sqmapi.dll	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-24_altform-unplated.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\ui-strings.js.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\ui-strings.js	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.dll	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-100.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-high.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\ui-strings.js.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-250.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\ui-strings.js	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\msedgeupdateres_cy.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-100.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\ui-strings.js.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\ui-strings.js	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-16_contrast-black.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-black.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-48_altform-unplated.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\ui-strings.js.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-100.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-black_scale-200.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationUI.dll	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-150.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\dashboard_slomo_OFF.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.CRYPT	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1232405761-1209240240-3206092754-1000\{27AF1A93-3C91-44E2-A9EE-3943D90EAB1B}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1232405761-1209240240-3206092754-1000\{687C1D26-D366-4F45-9BE1-4FFFF600A96E}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe
868	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4960	StartMenuExperienceHost.exe
3840	StartMenuExperienceHost.exe
4800	SearchApp.exe
4912	StartMenuExperienceHost.exe
2996	StartMenuExperienceHost.exe
768	Process not Found
4376	StartMenuExperienceHost.exe
3864	SearchApp.exe
3872	Process not Found

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe
"C:\Users\Admin\AppData\Local\Temp\10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:4804

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4800

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:4728

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3864

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:964

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:512

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2248

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:812

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2512

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2492

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:780

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4812

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3208

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3856

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png

Filesize
388B

MD5
1dc5d31ef9205f1034b64d635d59cb32

SHA1
c172576576c5ac5a3c2912bdfd0c8365b5365513

SHA256
676d1f912a22a12ad4c80bf552355a7e0995c56e6ef7527aaa9b77e513efc065

SHA512
bc334638acb1416787df04cbaebde99cd15d96c5b96b6f950cbdfb54177fcd2f2ecce4dc9212a9a3f2f85269ac901aef147ec6297c31c5ee6cc39ee4cdac17c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png

Filesize
552B

MD5
7d00bc0d46dcb90890a4fe6b76bc5c3a

SHA1
7159b1e1c264a6863708a971eaeca32cff864aa1

SHA256
2fcd2848cbcab1a3b8154138288cc659cd2c187412cb887eec6554b6165b8c33

SHA512
2f113cb27028aa0fa0f028b09ddcddb4a1ede6ae0823909d99763db6e5be57b1b4ae6977537ec17808cd622bc548e1ba3122e35b58de9d856400d33042234a35

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
6e8d259daabf1168ae5136a3de48ee80

SHA1
b015257e3ae0810ddbda53c0b12991161a863ffb

SHA256
13370a65ca7e31fbf3a133156c208bf99c01a54880d55a8a4500495683e3a47f

SHA512
cf3c564c18c6b0965a431cda1ed8fa97cbeeb839d992e48f77c073bc8054ead03b4823df381c5179d3d398877da3473b92d70ae905a2bd0c7e5fc45505340113

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js

Filesize
1KB

MD5
88151ac4ebd7f5ff2d381c65e68cece7

SHA1
f979db4063d15ef2e32db3c38890899bb87c78e5

SHA256
c1ea4ada9462abd4ec352dfaf670575e9caff1e55d303db96a2f2500d50d92e8

SHA512
326195f5176beed6cc39849b8d6e87a5136c41a04aa76f53c30bbed1ff74391e16a6114e236f39d403c7f82fda032c00a9ee1df583412dfea224047e51f4c3bb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

Filesize
1KB

MD5
60f1a26612dc049ce3e00fe917b6475d

SHA1
05791d089cbcd759088adbbd9483433dc9a10206

SHA256
8ced84488e1ea81e8cc3ec1a25f5b849de902601bef557b6ec65f9de2982bece

SHA512
06f080a9df9081a2bfd557165f9c21cf2bce3ee161c0896a9f9a6e0f8a3ae545b1cfaaca9ce1d46757dbe0163ddd0421bdb51558ef092dd0a6e5c2052ead4706

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png

Filesize
683B

MD5
ea321d33cfeb1d029794bd01c5b78e85

SHA1
4e04b2d8f7f23f44f96f4bbf134233e1feb5e28b

SHA256
3add439f478220ce8001abf2543810144a0d80f8116bc0ca13947c9745983c55

SHA512
f574d12330a668d89402265cf5a859a76325ed548e1730e02f51dfd36e3d5dccf2c8b75a76a8c931597bfc130a42364c73eef0200523d4eefbcf4fa5ccacddea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

Filesize
1KB

MD5
a660ce180dea34b4944d83569f4789bc

SHA1
e3ca7b90c8bd299c49585bd29bc3fb7494c0fa4e

SHA256
03ab6f2f396e0531f1b1299b61485408cff93f183942910a7d0d5f0c7a666bd8

SHA512
9de185c0e6a8cc49852ebb454a00a7a19f5382b358327d393a6952b32099036147c1eb799cc60078bf24477e9607a1b4c88288a213a8ffcafd8d60caab0f0720

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js

Filesize
1KB

MD5
cdc58b2bf0a1a34f96af8fdcb62dc30b

SHA1
69eb0d674e9830e81cecdd610792225a2a5dc265

SHA256
3b5888b652cd86408bdd59e86405d3f171d23132059228544fbe693cfcb2b73c

SHA512
d8ef3220b8984f759347a0e83eb75939c914bf865db492d28e226f113b469a97325befa008886743aeae2e0f32c74c0a1e7ce8b60eaf5949b51058a618daa502

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

Filesize
445B

MD5
55c2b47c9aea50661a855fe91eb8ac32

SHA1
13ea23a51394ea2c13420ddac1294eae6f82f846

SHA256
ba5a59d879c1f6543b46085d02f5c90fdb22e663487d3586b6533cd887c83b72

SHA512
947da2e85f5c21e7847f10d727729915973c911a47de233ef1fb97f60ae41db05f4c8c0ee655e3aa264db2067763e4134b76279f1d3ea8ad43640a64176522a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
611B

MD5
808e7aedbb1da793b86c92816309035e

SHA1
b4a2fca53290a35ae222f2cdf80f68ec7eab51e6

SHA256
a90f0edb8324760029a5db9f641b05694f8717c25514b2d6abde7662c827e0cb

SHA512
0af4e6a83661378b618c40de02c6cb7244be544dcb02f1f14c83b6abd791fa0330b6d508c86f0ba8e345608639d8505a2f26d3a6d3ae201bb01319c10c212d4a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
5c1dc195043bdea8525930a9882c10d7

SHA1
17415e551255ab016f7682d7b33451cfcb91e687

SHA256
019bad9e72430b758828953e3310007695c55fed1d25fdd707c76fec561f2bc5

SHA512
e912b84e9b4856864d302154b68adf6822189aa78859265cf8f529279e77a9d7c086452b4527ebb75d9c910ad9a6a1e95e1f45498fc168628da80739acff742e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

Filesize
162B

MD5
8db5f9dff9d857a8827ea6d66fea4880

SHA1
ef5de087109543e49ee7fe70adb49efe27e15121

SHA256
e8c6ae3d3f05d53d58200db3f31383861d434c6abbf66f82e925321029058a10

SHA512
70723910b4bf8814f848e10390378d53d9fb67e8a319edb708edc41b5c858c1d2cfc0b86a2909e33f72062df8b32e70554fa5ebe7aad7ec474ad78087560069b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js

Filesize
1KB

MD5
4e6de5201d795432e75c0628dd306b26

SHA1
80ae62145f6bc55c2a25f68ad9d6bc9fcae496db

SHA256
1265f683d27701f95b545e6201577fb4eadf5dcfbc1fc8cedb8dd39635515788

SHA512
950227253fb845bd9a4519a209d72404760492473bda8101d846ded18aef1a2f6f6ab99b1b1b2186c0eed423c151c089316e124384f214644632e6a0f4dbece3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js

Filesize
856B

MD5
fc4cdc00064f47d2eedf58bd02068fe1

SHA1
cbb7157d8c560e9b2cdffac3a2b831202d76d2e6

SHA256
0e8fb0e6e1dd239a2a1996059914a5ec5e753782527c1a07c62d808eb77df3e0

SHA512
753d312596fdd24d3ad87b7916c5d108d185b42beff7c750099aecb38c7a321ff04260c19492d18cc27cf8f8843c6b3facde0934e67a46e9ce4291c3646abbe8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js

Filesize
1KB

MD5
c5596fa17e59cbf92a2ea2e1ad5c6f8b

SHA1
4153a71b5750685afba568403ed7522e83a9894f

SHA256
5812ebbc6311c0ff9919a27137b22435cbca3cb9fd56959b44ddb82f93609b99

SHA512
762580962300f0e0501054450772ed59cdfec76d7aa6b1944f557ccd74ec2fcd171ffd67765f2b367c526d0193eabd184f0d4ac1dadb7a0d25f00f9866f670bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js

Filesize
850B

MD5
26645133c9de7799e35cee0e47b82ee0

SHA1
bb6be735f6814d765bbe6b3f3ce034d1767366c5

SHA256
1180e5728ff28a49eec43c61f15d49541419e79397ae58479db67b533d292d36

SHA512
c466dc886b25fea5a0e16aec28a4e784afe797f3937c7863788d0e5fa41414346bb17546d49178a48815debcca50aec3acabadc1f508fe0a3207008bc722608e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css

Filesize
802B

MD5
89728f1ec13231dd11d2ea20afe39d67

SHA1
b4350cd128350483be389b2c865633bd1ae0f78b

SHA256
aff85e66d5b690dc0188f4c2348ca78abdc14605286128407242a4e91a684754

SHA512
58203e9c3898367c78c6d10fa629c0bd2356b2ae54e225afbcee83be1d5d297977a5a9633e773ffc2b8079a6e2eb2aa0afc530c27d29f512af40d8c9ae539adb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png

Filesize
179B

MD5
a93c09c1a326a8733b4eceb713ca7457

SHA1
90ba7a4c24bb0d424abda46b736170ea3b43e541

SHA256
d03f54aaa9216f4e32053928ce87a317341232f107140c84f73b2b6490b5a81a

SHA512
432c3400257d00391baa255d32fd03e0b8c97231d684ef35534868a38bcbf9cb70b433eacfe154c25fd3376e69592a7000a823535700f353975572c5101a56af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

Filesize
703B

MD5
cc62ce00dfbe76fd8affad9c89fced8c

SHA1
75d64cc57ff45a50c066f882bfd8e3845f8fa323

SHA256
e324ff224bfa2baf51d4ab75f686195a76b8c984676c450ed660eb9ca2b36f4e

SHA512
028056e42f0eb02646752b351bb04a6b9f87ff27a2e1060b4fe4d4867118fe90f42f555ea8c645361963405583005ec4f3802c7c57729fc8616df1af09cc94dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

Filesize
823B

MD5
fa904cdf440c6743078637992d58489f

SHA1
6969f407be2a1b52c5a41be256433026cabf9917

SHA256
152f6d0325802be61521bff49a8dd07063feaffeb2447d3ae6f47adf214cbffb

SHA512
c6237e56225d36d26ed594406a5bc08987bc34fac8d425dac8f909512ff19e6a27e1566651c591a38c0a5476e74dca09beb53ec15d4f08b6de2843fa064cbd3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js

Filesize
1KB

MD5
573dd292166f86741bb965ee068c3793

SHA1
169fcf0880c7a2c5993f5bf28ff64cd9ed441dd9

SHA256
ab2b7de642b66db6e6b610dab8fb3c94c972465e07b7f681127c40a6629d8c2e

SHA512
0217d582d827a7b6faa950bc726d41c4c7644ba11b19689b9e5eb60cf54df4afaefcf4eac3649e8315dc1134988dc71abcb94bd9a640829bf9d68a6ffa17241b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
924B

MD5
bf70043c03230a91bb5b402e7ee67e63

SHA1
2ec8302c3ebe1e34abb5e0c813abceaadfc5073c

SHA256
a8b45a4c0a3adae007e8ef6b3a0e9966d2ad0c552320210a778109e2799f6c75

SHA512
ecdf54cc56de9c49dec1e9e65aefa736201904e609474b13d089f188bf35ae46b62d1ba492f4c25ad3fd7ff584a1532be18c0115598c2deaa834b22e6e52a601

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js

Filesize
931B

MD5
7adbce4bec815b574ab3fc6d85eb1937

SHA1
7d14e52fc6aa5796996988e9feab97c31eab1e0b

SHA256
efec14a7f219aff9e96c136933c0316abbabfa082b5755a86b2745c0a8423a79

SHA512
4218fc7991ef7ab93b1fab696432fc0130f07c534b2da244ce3370e6092213db657505af8380e7a07576b16b19d7c1b58f6a5498122d73061a362162b31f5b18

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js

Filesize
1KB

MD5
478f0065e127108d705114b29fb9170a

SHA1
3d954983b0594275bdbe444336baad9517129b79

SHA256
1beae6b25a652882189f27e3b52232bc3451a54eeedf3e5cb0eb827fe15032f9

SHA512
4affd4e7c23c555d99a5a1a4ff929228af723961c6cc1c320358998fbba2528e2d84d5c64a5c28fd6420ba3132fad056f2388538086d061510d80e244f7b3990

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js

Filesize
851B

MD5
661fea8b99a08e2422d8b5b9bcfd9921

SHA1
54a78f38a3599aed6d27c6fc711d7af7a205c524

SHA256
60624904ad10defbfcafa3acd5dac4c7c5040edde23bff489b6b32ea5a1403ad

SHA512
69b58c6c99f494ca1b6f2788cd17b63cc9f583b0abca870f666aedb9c504f660b03df699b69828c8ecc43a747297042eeca7e197de96dd43defb7871e2289b9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
855B

MD5
3dd77972f6558af4969a57eb4f19f2d0

SHA1
d56f6ebeaf408c667bb9491845a33ddc19d18947

SHA256
cde2dda4b1709d6591356e21717833ecf9802dc119d719e9dbbc97b090158644

SHA512
68f15867e6b29cce5415ce31203cc3f1790869f85d1b1ba8b2912e9b1b570f61485e5e9aac96d9bcc069e81d298b56d8941cd94a1df72d07c7508c7fdcc7ef1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js

Filesize
849B

MD5
95e6ecbe44dc4ab34323c697c6568b56

SHA1
0ca5debc2a7b53245ae6b7d6594ba93b3152bdee

SHA256
d3bdbdce059d04ec6e336179e6262bc694def0fcc5fe4b006953dbf178dbb30c

SHA512
af6262bf0a2b16fbd1dff7051eb0373336781c105b63631080ed2b6d38f54adbdbd16d794917fb9ad08c9ee238e0d4df732b7ef3e4c6d521a6b347eb8c2e9804

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js

Filesize
852B

MD5
4fcc8af63d8fea1581c1e96e9436e913

SHA1
5c09be5c84dba1172a2503a3406223baed06f8bc

SHA256
bbce03b612d22d42e40207a0ac4b6492ab0ad8c2cf4690377929f4cad738954d

SHA512
4bb1df7206f7fee79df361d678cd250399efff9d13d3435448170efd515abb425fcbf3b6ad9d0c6da1b4a7860d33dfd15daaa199e96dcdd701afb3b80234f2d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js

Filesize
1KB

MD5
21a5d65fbcf76ed1b8e9489d3bb051f7

SHA1
dcfde89bb81642e0b1bcb2b4d8c0fe574e912950

SHA256
f054ff5e3f41e79c647bd03dc9ad1bad42f8292c7e7b839088faeb8abc182ff4

SHA512
566bc1f2c5f4b2b9888c8e414552c25609d2562e10a8abddf6f036a6cbe2bc7644cbe850311224c25db96380c0e11fb07800f965305f41e068968bee530c320a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
1KB

MD5
0e038344281f0aa0a74103dd77048888

SHA1
163a5a2d3888eb23ecc17b53865742f3eb7aa3c1

SHA256
f3a76de64a79cd7afa5438bb0a4f4330a97497246fe00f7b29fb690e2ffe32cd

SHA512
5988b04142669c005728510cc0a0c7507a9b8561b9d3178e3ef06b77a725e5e3ab7c13faf2998522c601285e823d3f72edbe7b93ba6b14a9c5afefbacb974560

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js

Filesize
1KB

MD5
c4b091c93a4910ecfc619efdf3c56111

SHA1
4147f571dfd1d77b6a6943c57784820bd0cba24c

SHA256
d30e4139d68728b1c0b7c0fdccf649fc98c269f0d57c08e1d2033c13f162c29a

SHA512
b276ec16ba3a0737c8958a7373c3b5b53d384432535e65ee5651dce90da0eaf7dad1a02479243efb0b5ea78234c0f423ebc10c82b6e28db557106b8a21db1964

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png

Filesize
289B

MD5
65afdbfd57a964a5525ef68ca68cb5f4

SHA1
986fd9886e54eaa35b90561c94b00f85eb758711

SHA256
322fa7539ee1552758dbb051fe1199a7b4b247ec8335fb35cabf043d8947466d

SHA512
88b2d9c205d6fa4fb7823fa118fb95c651977cbaf1b54445ced380d34541e5367a218de4335a341b3994839386b487fcc33718b749ab2e05678ae87e0da1dbd7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons.png

Filesize
1KB

MD5
2870d12e27e8a50bf66493145c06939a

SHA1
f4319fc28ae1f99e359b5cfbd4c8c69af67dc03e

SHA256
dd6fda1bd17d115065254a8af134a7906d8e15e2725b01223582c3add3240272

SHA512
39b2281464998cd9f3d87659cdf7f3f2690a82bb8093ac64d5141d837dd4f951514cf0fcbfc02a0102f3d8ce780805886a361c649d6df2347db60b383442e5d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png

Filesize
1KB

MD5
d1dfee6d7b14e63f64c349b2cae8ad27

SHA1
fd382215ff99c0993d8924f18ff7912b4835f4ad

SHA256
b63bba00ed3b7a86b6ed36ab7d6eede57656454e0a583b875d34ee19466714e4

SHA512
220e189bc67b20bef3f92da6dd063b12fd53436c6fa9e728553669e4d42dbe595c52801e68a929797c48dc56fa4ff47919aa3d065363ce881e207abc83f7de77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
2KB

MD5
598b166da1d843121d50f9593073a15e

SHA1
e41c87d8fa9aa263dfe783bdd692556fb8e24f43

SHA256
c46d21ff4c32097f172b4e99b5794374ed4a1cb025040d157f611f43929e98d5

SHA512
107ceb56129c1baade5930cea77fdc9c53264ff06b92936a5823c483235ffce8ab4ca3efef5001c5cc16eb3351b663877e1e4184749ba33d785b4927fe2f2db1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
2KB

MD5
48a2c150eaa7d9fe84e7e31163e67495

SHA1
cfd5375b61328af47b784d2e1229c95c9355ce06

SHA256
ff1d90818c6ec24ad8dc4334bed7e72b3ceb9460cdfe3b25ec24d2b31b4c9288

SHA512
e6abeeb5ed043270c9148b58fa359d8536e0a9606aaed86446f3cc3ef14a855b711a86869d02fe27f50ef79b91895c77bc970c6ccf962caeb8311984c4778410

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
385B

MD5
34300ee4cd847a5329747c2294699c1f

SHA1
5e1086c8ebeaf9205517c82d8ae1711931ec48e1

SHA256
122650bd6eea6dc3c3cde5c472c78fe200967b33c6e3f3d2f394d8fb66c3acfe

SHA512
ecea239cb49cc1b9018e9d5bc34fa0d501cd9dc6bd7a8c01b8a2bfe9cb8d9baf805081d3705f0f986903a93a35a3ddcb852463bc2698606b556999cd0608ad6e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
1003B

MD5
d82b1439dcd0ea62ce3edcf6d36eac1e

SHA1
f5216b9a0c6b294584b24a5fd50b43e79d46310e

SHA256
44f25bfcbff16b8e7c81ac93d6dcbc312035c81ba6d62e61d4177e23ef62dbff

SHA512
bc789786f1261ce50116190f56ce7da3063fb944af6e5da17fd0a61e51d3d25b11fc09a83d2fd1805e16f33c2c469bd28d05366b8fff7faa85d3dd498e5e3d1a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
2KB

MD5
7d1b0ec51595563c9214ddfdec36f303

SHA1
bbb988973a8281943b5bfacb8ab03d97c0f0f398

SHA256
c915635ac032617e1acf87810abd8e8d9825c7e40a74245bc9efcf31d6da9da9

SHA512
709deed649d6062cf8c1ada7207b9c871d51a69a4bc7dc3c1408bd6a38d211ff53ce19a091cc4bb68a62eb00aa512afd07a33d314393812716391f04faea93d3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
840B

MD5
ac24e253ff384d8523af43f5a93688f7

SHA1
beb4ffa972185300803e9a1f6a16ec062cec1015

SHA256
f49327d72a4888fee8721962d13a94571e349ba666a0e1354c4f49331e858cff

SHA512
9c559a1bdaae9172fbe9e6a9b907390041fd16d0382a202423e0d9d19bb0f2c06a7228d6bc17df943d4e927c0420f302982e0463755bfd5c0d6e4ecb65504a61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
1KB

MD5
cb05ff26ffcb30838de16f659f8d93c9

SHA1
f9e977e1f60be49be8a17cf75d31f4a7620827ab

SHA256
ef97178fce43f78773e1c57cebaadd55904a1e5d810f8f75219b23e92c00687d

SHA512
26fc3838e5ef5b638d974be02b6d8f76f7f4778b1b612ea9031c5a5b1cf4a421e48c7a667a1f8db55270c1c86c4e1ec469c8078dd0edaeec2df02fddff27a999

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
544KB

MD5
4f170e3fa138b516b7e0778b7d03bf87

SHA1
f3d508c7adf5d801a01af328fc7522934c7e5d34

SHA256
402f192b22b38490830300cc707b8afa145fa6b3ffd7f0775e020e69df02e00b

SHA512
f222cc4e79ea8c6f5f019fbdd611678647ff2e3d4027612a05d4837a13617fb85eb3c594132ede4c580ee1f4050b8fa1d852248fdc3d7cb6c1e1470a1b0593f5

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
190B

MD5
f0be99f92d8b8ad3d79c9aa580fc2f08

SHA1
a9ab5160208575c2c19277491406d5c95690a5f0

SHA256
e290cb91a6aaf54bb397c8f72d0bf5e8a70935ca00abde862e3d13fdf75fdbb0

SHA512
c9c2002d0f14f1d92924f80105c4b092bcb8de5bcb838179f2129b125fbcdf83f78ee80f44b0e26bab451c6fa5d6a29547a4933a92858e310dfbbdcee32f8cae

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
950ac8e007b49ed7acf1646758393817

SHA1
3a795f27aac36ba92f33165a6550cc7f201b3254

SHA256
4ab0585ac1cc953813901847e774a0a6e2542bedd0e5964cacf31e421455223e

SHA512
6bf7c6bdc1f802cdc8cea1d5a22de2e2cdf307411504499351fa5e9bdb7d1826c1968c4cc8bbb2fc17ea69850d69e0e2d77b76d29ad991813b598fc18ea0982e

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

Filesize
744B

MD5
c181d62d13f055127f354bb60cdfa03b

SHA1
6cbfcbcdb417807d7ce1ffeeaa2eaaf9b548885a

SHA256
d8dc1b9aa2aefd658fae2d9b6bf36318bdda72fcecba0538a1f121592b44e3b6

SHA512
62dd4c375f5e3299843c78dc86026da551a8a66c2c4cfac4003b8e4774ddd1cc36c130611c15182b61a472169305b75c845f17ec899e53250461867cc82abd36

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\readme.txt

Filesize
223B

MD5
b393beeec90b2f392c7987a7f551daf0

SHA1
2f95f7a7f381818f6c1b490214754cc8b7e1e753

SHA256
975a34d6df880cd3b15597806a20b9f295d27d237b7d045a5d31c42e30a6e4c3

SHA512
58434ac475e48053cd8aca9c51e55e9d76fe05ea3e346869400021dff8bb832f38ebac4dc76f9325a6e2293f06494805b5618ee8073c5ea78b2355b6e9c4a9d1

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{B470BA0E-EF94-46B1-81D3-A0DC338FD5FB}.2.ver0x0000000000000001.db

Filesize
1KB

MD5
8b836d8d3ea988668ddae3311f514a57

SHA1
af3199496b831b74bde630f871615ce5848f9857

SHA256
ac944397bb7351bf439ea8b7e6cf5863fed078383f3da0b7c92b53408fe680d5

SHA512
f205183db25237a58c6a33b9c83af86df3210fc7cc411d4638af9c856fb39a2795c99d612601bdf183101402ed6455b7949a9deabfb2b2262afe47dff0c17cc2

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8cfc804a-d777-2361-1670-4569e516397e.xml

Filesize
2KB

MD5
29eb0301f92bda0d67f79582acadf847

SHA1
2c2ac90238793f699322833c2f8bd043cc29ddec

SHA256
221ce3a8c269f4dff433a9a8a9807f65d8fa7b302e640b245f7293a0998363d6

SHA512
61f47426e5dff09a432a7848f3d07cfb5f85cab6b327fb416c31223e6a5ecaaf3a3f065a6c4bf0a352fb4fd3c7199ae481c929c43da3d596000f87d7f6bd52c1

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\bb26a0e5-d235-0ee6-0c36-6d5e185fa5b1.xml

Filesize
2KB

MD5
31434364acba2fa351fc9715db743df4

SHA1
1c2e77b236cfdd14960e90c9a48e59532d1a255b

SHA256
a94fc52f4840aa6390d47765d3fce16ab6d1c1978441156ef607a4b6f63fc317

SHA512
b069a65226c5aea8d50da2a179a351051a6680cf42a117d5d5b98e97bdcdd12e412f698b89039bd3464550e5794d3b95d97c6ee6931dc72e1bb060daa08e40b4

Download Submit
C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.CRYPT

Filesize
568B

MD5
4064f25caa0e165966ac54fcd673fe9a

SHA1
8f00503b960215489e51c2f8a2ef12e59828464f

SHA256
f21cfc647b8c035004a94d84debb78ca2bdb1bff2ea6d416a5fddd4e0f08d884

SHA512
547a818a6b92f7326bc7cd2f6d285c0508280dab6d68378098325c7d3224ef4e258cfe099db9b81cf1a6cc3e9e0af15bc78a1db4a54fca17a8636c570588f474

Download Submit
C:\USERS\ADMIN\DESKTOP\FORMATUNDO.ZIP.CRYPT

Filesize
135KB

MD5
903abd67f19fd322d3cee2fe10b31b4c

SHA1
30acc133c1808b0a08e19576fc0118283078dbda

SHA256
5d2c88d5e6cd20264bb9d125875b6e0a7513b4d2da627f540025629b571eda76

SHA512
3bb9d1d61c2ebf1fdb99f0a00569cfc215305dc27c906bce2d07506e5c483ef1faf028f66adbea9d4c3204571440f7dd00961cff4f3a9edc970ec0d23b58ed6b

Download Submit
C:\USERS\ADMIN\DESKTOP\REPAIRRENAME.XHT.CRYPT

Filesize
135KB

MD5
1b3c7ae33f648d1280ac2fab7dca1489

SHA1
1eb105133f1701fb7ca09cfe78fcf06918f3d6b9

SHA256
08a466f534868818a89c0996a3be7668f40b78e16358cead640955a66396d5c6

SHA512
57b6b342598e6ca0dd87d7198992508538dbfa24ce235a5d9471c94cff0374090a212ec09eab6150ac3dfd4f66a9db103048064f07213ef8ac6f0847f5355046

Download Submit
C:\USERS\ADMIN\DESKTOP\RESETINSTALL.PPT.CRYPT

Filesize
135KB

MD5
bb7cd4b1b64261acc4ee354b63a2427f

SHA1
98d5e287f22e8f64951b41acc24a7cbc54ea8c27

SHA256
b332c92172c9b66b0a6b0df25d7c95a1dc0f953266c56047cec0639507eaeb78

SHA512
772b9c2e0ddfc99c7bd7317a305a93eb0786e6b9d34b803f32977052f8be0ec962b9230c42b7a326e99d699dec50931c605b22968a961d3d8d13a886d341adb6

Download Submit
C:\USERS\ADMIN\DESKTOP\SKIPWRITE.XML.CRYPT

Filesize
123KB

MD5
ef6df602bc1d930f2bf53f5c3cb492e4

SHA1
a31b406ab6f9aab41581a5dbd5ea9996938dc3bd

SHA256
18790ea3d6a1cb7844ca84b60d538b0f96eadeffae632465d2bb0e96474fd53d

SHA512
f1c3dce4083cf976728f00cf4423f2e2acb7de2efd46b82de6f1dee5dd43e679280657d65fe754dc577ac2515c49e1849b832ea568064a9a09e72771fdd71c1c

Download Submit
C:\USERS\ADMIN\DESKTOP\UNBLOCKCOMPLETE.INI.CRYPT

Filesize
109KB

MD5
ee28cb850509ec10440b06bca916d6f3

SHA1
846cdabb7cae99b42cc470dbd1a91154208ed76a

SHA256
abc1700eb304aaf3cf8a67aefdef8a768662eb4bce506271ceaeaf49801a8ec8

SHA512
1368e7a12c7ee9f7be865f3fb88e7a62dd89bcae14ff284ea1011410c30d7056c3609b38cbadba46dc121789e89d75683f2ec7390fb678e781726753382244fa

Download Submit
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI.CRYPT

Filesize
456B

MD5
8e7ac0378036ed5381db6e1713fe87d3

SHA1
61b936eb3144edbf6b2c29ca11e301e37c033fd3

SHA256
bc2f8b92de74e931cd425b8c72163c93f3ba4556705c02b198b9cb3bfce58d56

SHA512
4c46b6b30cbd8f9df28b0094d4cb8fb4252921318c49f8a9a3c692982733c184cea9585ee90a73bb41edc1b08a7b1085e75dc507720905fe2d490515ecacf70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini

Filesize
174B

MD5
ace3165e852adb8aedbeda2aa3be570b

SHA1
4577ff7e92850e2723008f6c269129bd06d017ea

SHA256
237f73d46d3501de63eae1f85fdf37e65ddced70f013b7f178d1ee52b08f051f

SHA512
cf77563b9295b191ce2f309e03618d1ab4d317f65b87dbecc4904ee2d058db06d23c20c199571b0fafb67ae5ec5166b76af0b7d8bfe3996b0dde9751e28f8c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

Filesize
174B

MD5
e0fd7e6b4853592ac9ac73df9d83783f

SHA1
2834e77dfa1269ddad948b87d88887e84179594a

SHA256
feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

SHA512
289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

Filesize
16KB

MD5
4534f12102d235344cf8dda748f0cabf

SHA1
7db67baceeecb3a420bf37a7beca4a45185f8f3c

SHA256
1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

SHA512
7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.CRYPT

Filesize
414KB

MD5
c370b29c122a3bb4d8dfe659fe76a5d2

SHA1
e0cb8bf8614e9b38a1ea005869d171ea11b79fbe

SHA256
dc25857d0ca342659c91232d6759f1de45e494d0225e4a07874eb55ac902bd00

SHA512
a2d02cc65a9fbe3f5bffdedf00d119402097bca37da3f176cd80b4a104a704b047e48623465146cf94e59e87a5d73a96704138f9380e778826ee9b9e64090281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
f5fef41e3d9b7053177844b3f94d8b61

SHA1
c0c6384f2e0b56c6ac0b999d8584a2bc9509d20e

SHA256
68431ab4b4a76a1a635df107e402a68d272c88729c157e5de0fbdf84523b879e

SHA512
7039fbe40f264b4a79df4219fbee8952ad0d05a2501cf9ca5cfd28adc86558dc6df1a2568e486d06b6f50566f1ce74b7b9d0796891b5d1dbabcf077fa7dbd885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
51d6605f2314326dba27417b72ee30ac

SHA1
3a34d9b02fb3b90f5d035bfb833783d9701e9c76

SHA256
d22757fa626b4ee7559c42cfd5970d76ab3fa6fe5ad43e43299225c4cfd8cb29

SHA512
838f3817ac6a34e07b7df1e1731759cee2a6e374c37f739b9cdccca2da4ac7b0a88e0d8c607028911d09404fa7bdf753aa24449503e3d6772de7e84354b7b276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
e342f339c251a79743ed175f3cb21856

SHA1
f6a07d6b153a80787f4c554012ae7cf9226bdb29

SHA256
ce54b9c530ea7c3baebbc23880879425c0337f59c7c2e9964659c52013b8c629

SHA512
1ff48a5734ff18fe64ea2e3f0496694f5c08cd13b9291e60f4edf8ef1dfca3513f6d8cec9ebe3f2c71831f3aab9881ab4c05761dc5b353951899fca6f41260ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
042900df8c6d9b4b8274edfe44c95c86

SHA1
4fe7c284f6c0de84cf80b1a68f5edd55591bfe16

SHA256
d4455cb0a218444b3c2ced5b0baca317160928911575f88b73a0020245443f9b

SHA512
b488560625a73a4f7f47fab2ebbfe308352bc363b2096037cbc999a7223553d36bd540f3ad373e6b1eacfdcd716e7512018c57f214a4784d08ad753f1e687cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
c14c61f43a6c580b39841618be028cc9

SHA1
d89e12937e88bff3cd9ea9c35d858ed2e3bbcdeb

SHA256
42b4d5f7523caaea16371573a9ef06fc586211a8fb80314aed83de93a7b1810a

SHA512
5352220753dbd9595c7427e31c8159c853ce899dbd1326d883a36fe14baca99cda3653df9dd597fa39d7f185b5c4c13e563786a2c81015a11e986f739a148a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
94c48f306db3a1a8132bb7e2dfa60316

SHA1
87a4ec19dc09318d380f374600168306fec52904

SHA256
52e6bd78b9a2d8586b15c6cb425b916a9362b090f02e7ffb9f26064217883b48

SHA512
82125c64bfff366a8296f9546c0c62b81b1abd3a7a42f0bdfa197d81c4c53891e57fb7ba35f2b8346eed655ee092f2ef06ca094b205595f7816d26a5035ffe57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
60177dd05f5f837abc002c536b5c79ad

SHA1
300d980bf12d954859d14eafa5f00c75cfaf1e62

SHA256
3c8653b1665e42de4205eb68c370a8c04ac0b8d8ed7edb411193aeff89d93312

SHA512
29ae79da29d64869afa86b4787678747b67aceff41118c42305c7e04703f27967abba0a75b2199496704f62b3594ea55b823b46d78d8a8ebfe1c431069cec1f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{dac54c0c-b187-46b4-9b96-e557e80b23b8}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
f6a6263167c92de8644ac998b3c4e4d1

SHA1
c1fe3a7b487f66a6ac8c7e4794bc55c31b0ef403

SHA256
11770b3ea657fe68cba19675143e4715c8de9d763d3c21a85af6b7513d43997d

SHA512
232d43e52834558e9457b0901ee65c86196bf8777c8ff4fc61fdd5e69fd1d24f964fed1bf481b6ef52a69d17372554fecb098fb07f839e64916bdd0d2abf018a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
5KB

MD5
87982190105340e48ca62db5c963eacf

SHA1
016f6b5c3f4beac64ae04a68b71f23d92d769535

SHA256
d272fcf15d948fc938697efc3c7da5b4f90387e641ac6c09776824c203de51e1

SHA512
7d39168af50c3164ba683106ab5de1bc9bc1a54824c808524c9a29cc157ee747a378af2378062b337b659ad8bb729e6b9821691109d3177f1145ab11ef3ca06e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4ITSFV1T\microsoft.windows[1].xml

Filesize
97B

MD5
defa12a3b7327495a9ab074b7ff74976

SHA1
0372fd80a4e457dde06620473f5291eb126b023c

SHA256
61655e0a46d19375269c9d560e1b1b77ca519fea86c8eee70963b443b70f16f8

SHA512
fb651d86c5608cddda1b2fa3592f6cfa72d5b698491f9d8574ce00a60f73688a1e046983bc2476c7ee3d4d777c7fb4469aa5c28cb04ed4138e31823a75b584cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01D62A60-CF50-4438-A4C9-FE12F3548857}.png

Filesize
5KB

MD5
00e5fcfd833151f7cbde607e2f7afeb4

SHA1
55839875c0947aafebff53d22ccc5dad29fe3563

SHA256
b80192aaabe007baecd0603e3ce183e9d554b8a6b0411d20716acfa086ae3035

SHA512
f056777a1987c3becdc217bdc2d82e6aa41086d38fddaa45c42f1726b6f7b7616a10918081650e825a724464ef148b669bc258d38a62e0de8642e2607a0b0de7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/216-21206-0x0000024A42C00000-0x0000024A42C20000-memory.dmp

Filesize
128KB

Download
memory/216-21208-0x0000024A429C0000-0x0000024A429E0000-memory.dmp

Filesize
128KB

Download
memory/216-21211-0x0000024A42FD0000-0x0000024A42FF0000-memory.dmp

Filesize
128KB

Download
memory/768-20982-0x000002C24E1D0000-0x000002C24E1F0000-memory.dmp

Filesize
128KB

Download
memory/768-20984-0x000002C24E190000-0x000002C24E1B0000-memory.dmp

Filesize
128KB

Download
memory/768-20987-0x000002C24E5A0000-0x000002C24E5C0000-memory.dmp

Filesize
128KB

Download
memory/780-21290-0x000001A99FD00000-0x000001A99FD20000-memory.dmp

Filesize
128KB

Download
memory/780-21292-0x000001A99F9C0000-0x000001A99F9E0000-memory.dmp

Filesize
128KB

Download
memory/812-21185-0x0000027E91F40000-0x0000027E91F60000-memory.dmp

Filesize
128KB

Download
memory/812-21187-0x0000027E92550000-0x0000027E92570000-memory.dmp

Filesize
128KB

Download
memory/812-21183-0x0000027E91F80000-0x0000027E91FA0000-memory.dmp

Filesize
128KB

Download
memory/868-20967-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/964-21054-0x0000023FFA840000-0x0000023FFA860000-memory.dmp

Filesize
128KB

Download
memory/964-21050-0x0000023FFA470000-0x0000023FFA490000-memory.dmp

Filesize
128KB

Download
memory/964-21052-0x0000023FFA430000-0x0000023FFA450000-memory.dmp

Filesize
128KB

Download
memory/1220-21241-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1368-21064-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1368-21129-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/1376-21164-0x000001C3BB0A0000-0x000001C3BB0C0000-memory.dmp

Filesize
128KB

Download
memory/1376-21162-0x000001C3BAC90000-0x000001C3BACB0000-memory.dmp

Filesize
128KB

Download
memory/1376-21160-0x000001C3BACD0000-0x000001C3BACF0000-memory.dmp

Filesize
128KB

Download
memory/2056-21260-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/2076-21217-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2248-21141-0x000002304B2F0000-0x000002304B310000-memory.dmp

Filesize
128KB

Download
memory/2248-21139-0x000002304ABE0000-0x000002304AC00000-memory.dmp

Filesize
128KB

Download
memory/2248-21137-0x000002304AF20000-0x000002304AF40000-memory.dmp

Filesize
128KB

Download
memory/2256-21073-0x00000229FDBD0000-0x00000229FDBF0000-memory.dmp

Filesize
128KB

Download
memory/2256-21075-0x00000229FDB90000-0x00000229FDBB0000-memory.dmp

Filesize
128KB

Download
memory/2256-21077-0x00000229FDFA0000-0x00000229FDFC0000-memory.dmp

Filesize
128KB

Download
memory/2504-21105-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2672-21151-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3216-21084-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/3304-21097-0x000002CE45430000-0x000002CE45450000-memory.dmp

Filesize
128KB

Download
memory/3304-21093-0x000002CE45060000-0x000002CE45080000-memory.dmp

Filesize
128KB

Download
memory/3304-21095-0x000002CE45020000-0x000002CE45040000-memory.dmp

Filesize
128KB

Download
memory/3376-21226-0x0000022B14F90000-0x0000022B14FB0000-memory.dmp

Filesize
128KB

Download
memory/3376-21228-0x0000022B14F50000-0x0000022B14F70000-memory.dmp

Filesize
128KB

Download
memory/3376-21230-0x0000022B15360000-0x0000022B15380000-memory.dmp

Filesize
128KB

Download
memory/3720-21197-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3816-20924-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/3864-21010-0x000002715B920000-0x000002715B940000-memory.dmp

Filesize
128KB

Download
memory/3864-21007-0x000002715B310000-0x000002715B330000-memory.dmp

Filesize
128KB

Download
memory/3864-21005-0x000002715B350000-0x000002715B370000-memory.dmp

Filesize
128KB

Download
memory/3944-21114-0x000001FD43B50000-0x000001FD43B70000-memory.dmp

Filesize
128KB

Download
memory/3944-21118-0x000001FD44120000-0x000001FD44140000-memory.dmp

Filesize
128KB

Download
memory/3944-21116-0x000001FD43B10000-0x000001FD43B30000-memory.dmp

Filesize
128KB

Download
memory/4080-20997-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/4256-21271-0x000001D019E40000-0x000001D019E60000-memory.dmp

Filesize
128KB

Download
memory/4256-21269-0x000001D019E80000-0x000001D019EA0000-memory.dmp

Filesize
128KB

Download
memory/4256-21273-0x000001D01A250000-0x000001D01A270000-memory.dmp

Filesize
128KB

Download
memory/4352-21281-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4368-20973-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4464-21174-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/4476-21030-0x0000026BF7140000-0x0000026BF7160000-memory.dmp

Filesize
128KB

Download
memory/4476-21028-0x0000026BF7180000-0x0000026BF71A0000-memory.dmp

Filesize
128KB

Download
memory/4476-21032-0x0000026BF7750000-0x0000026BF7770000-memory.dmp

Filesize
128KB

Download
memory/4552-21020-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4728-20972-0x0000024FF2440000-0x0000024FF2448000-memory.dmp

Filesize
32KB

Download
memory/4800-20955-0x000002F0F7670000-0x000002F0F7690000-memory.dmp

Filesize
128KB

Download
memory/4800-20949-0x000002F0F7320000-0x000002F0F7340000-memory.dmp

Filesize
128KB

Download
memory/4800-20953-0x000002F0F6FE0000-0x000002F0F7000000-memory.dmp

Filesize
128KB

Download
memory/4848-21254-0x000001E2C52B0000-0x000001E2C52D0000-memory.dmp

Filesize
128KB

Download
memory/4848-21251-0x000001E2C4EA0000-0x000001E2C4EC0000-memory.dmp

Filesize
128KB

Download
memory/4848-21249-0x000001E2C4EE0000-0x000001E2C4F00000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads