ce0a32e35b7c79e7e2ffe7bd3c7566a6fb843341268ad50f4a594e56e17a5110

Analysis

max time kernel
1050s
max time network
423s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NO-ESCAPE-main/No Escape.exe
Size

771KB
MD5

2782877418b44509fd306fd9afe43e39
SHA1

b0c18bdf782ca9c4fa41074f05458ce8e0f3961b
SHA256

56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b
SHA512

8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86
SSDEEP

24576:OeTrmlZGPL7NV9+VitFsQUxY8BGOdQSqZ:hT6KDrmIFsBJBG4XqZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	No Escape.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hello.reg	No Escape.exe
File created	C:\Program Files (x86)\shaking.exe	No Escape.exe
File created	C:\Program Files (x86)\date.txt	No Escape.exe
File created	C:\Program Files (x86)\hello.jpg	No Escape.exe
File created	C:\Program Files (x86)\hello.bat	No Escape.exe
File created	C:\Program Files (x86)\launch.exe	No Escape.exe
File created	C:\Program Files (x86)\mover.exe	No Escape.exe
File created	C:\Program Files (x86)\msg.exe	No Escape.exe
File created	C:\Program Files (x86)\mypc.exe	No Escape.exe
File created	C:\Program Files (x86)\	No Escape.exe
File opened for modification	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\erode.exe	No Escape.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 22 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	taskmgr.exe
Token: SeSystemProfilePrivilege	2156	taskmgr.exe
Token: SeCreateGlobalPrivilege	2156	taskmgr.exe
Token: SeManageVolumePrivilege	5088	svchost.exe
Token: SeDebugPrivilege	4296	SearchApp.exe
Token: SeDebugPrivilege	4296	SearchApp.exe
Token: SeDebugPrivilege	4296	SearchApp.exe
Token: SeDebugPrivilege	4296	SearchApp.exe
Token: SeDebugPrivilege	4108	SearchApp.exe
Token: SeDebugPrivilege	4108	SearchApp.exe
Token: SeDebugPrivilege	2076	SearchApp.exe
Token: SeDebugPrivilege	2076	SearchApp.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2672	wscript.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4296	SearchApp.exe
4108	SearchApp.exe
1300	SearchApp.exe
400	SearchApp.exe
4944	SearchApp.exe
4248	SearchApp.exe
1560	SearchApp.exe
3536	SearchApp.exe
4736	SearchApp.exe
4216	SearchApp.exe
4028	SearchApp.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2672	4152	No Escape.exe	88
PID 4152 wrote to memory of 2672	4152	No Escape.exe	88

C:\Users\Admin\AppData\Local\Temp\NO-ESCAPE-main\No Escape.exe
"C:\Users\Admin\AppData\Local\Temp\NO-ESCAPE-main\No Escape.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\55A.tmp\56B.tmp\56C.vbs //Nologo
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2156

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:4132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPREBA6O\microsoft.windows[1].xml

Filesize
97B

MD5
6ec502d49d33ab71433317ebed214076

SHA1
f0dd1e01fe36a3354836f2b0e00c6d031d294fe1

SHA256
c2c9b7d7c6f83a79a0c171030c8856b221c9868cefb8433acd06e93f9c3dc58c

SHA512
9be4cfaa14ed944c7099310613ea5b1a0170e15fd76ae39bf911be77623e74c1f626169758f6638b6b9dc7869cc5f6616993162c49d4c757fa39b43b7b1d9b96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres

Filesize
2KB

MD5
0ee666b91df1f40184c5ebbb5de0fc6b

SHA1
b58f870d491d25776a1a42992ba1977c9e49b058

SHA256
1d81cf6385388d80905840b5bd158590a5b589807c1391e16ac6d04afcb4ed9d

SHA512
c22cd1add8a4a2f99d29c2970ca4b4dc6815decf4729da2a6585f4070cd598bc0f07aec97ba4c6cf6885fb714544729d309f077f955e95e2aee4cafd2044c02e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog

Filesize
36KB

MD5
bad093419be1135cfe9694ea77088c78

SHA1
76204c7ca72cf666add9c9931389d635c82e8af0

SHA256
136808af50ee73df9befd76f7aca21765782565b0095227c5a287f3be0b5ef3c

SHA512
3b5cb7f80d7cbc557b5a32a995cd607257ac8e56af935ce6f64c54ba1f311a65ef00c69c69047b6eb7bb678c2b1bc0a3c37548aef417ea49e414e1a34bcf651d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc

Filesize
36KB

MD5
5e2da008f38c7ad813d9fe8e669dddd6

SHA1
3f4ed852167cfb251cce13be4906a0cbea58f021

SHA256
0cf904a532ac487f6b4c080fd01406529ad26ae559128b0aff170f389c278c28

SHA512
8d295af13fa38384923e0db043ef7196ae3cdddc9dc1e765217494461c6c6f24704eb984985c45159cae06e81ca857c4f406b1ec80bc9c8fbccad535a1f77d72

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{03eecc51-bdf0-4fac-9563-34a06d2e7d4b}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{03eecc51-bdf0-4fac-9563-34a06d2e7d4b}\settings.csg

Filesize
454B

MD5
411d53fc8e09fb59163f038ee9257141

SHA1
cb67574c7872f684e586b438d55cab7144b5303d

SHA256
1844105bb927dbc405685d3bf5546be47fa2fc5846b763c9f2ba2b613ec6bc48

SHA512
67b342c434d8f3a8b9e9ac8a4cbd4c3ef83ddfc450fe7e6ad6f375dba9c8a4977a15a08b49f5ad7644fbde092396e6da08865aa54d399836e5444cb177a33444

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{03eecc51-bdf0-4fac-9563-34a06d2e7d4b}\settings.schema

Filesize
162B

MD5
ac68ac6bffd26dbea6b7dbd00a19a3dd

SHA1
a3d70e56249db0b4cc92ba0d1fc46feb540bc83f

SHA256
d6bdeaa9bc0674ae9e8c43f2e9f68a2c7bb8575b3509685b481940fda834e031

SHA512
6c3fcce2f73e9a5fc6094f16707109d03171d4a7252cf3cb63618243dbb25adb40045de9be27cad7932fd98205bdaf0f557d282b2ba92118bba26efcf1cd2a02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{03eecc51-bdf0-4fac-9563-34a06d2e7d4b}\settingsconversions.txt

Filesize
520KB

MD5
721134982ff8900b0e68a9c5f6f71668

SHA1
fca3e3eb8f49dd8376954b499c20a7b7cad6b0f1

SHA256
2541db95c321472c4cb91864cdfa2f1ed0f0069ac7f9cec86e10822283985c13

SHA512
5d1c305b938e52a82216b3d0cee0eead2dc793fac35da288061942b2bd281fb48c7bd18f5fdaa93a88aa42c88b2a0cce1f0513effb193782670d46164d277a59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{03eecc51-bdf0-4fac-9563-34a06d2e7d4b}\settingsglobals.txt

Filesize
43KB

MD5
bbeadc734ad391f67be0c31d5b9cbf7b

SHA1
8fd5391c482bfbca429aec17da69b2ca00ed81ae

SHA256
218042bc243a1426dd018d484f9122662dba2c44a0594c37ffb3b3d1d0fb454a

SHA512
a046600c7ad6c30b003a1ac33841913d7d316606f636c747a0989425697457b4bc78da6607edd4b8510bd4e9b86011b5bd108a5590a2ba722d44e51633ed784f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{03eecc51-bdf0-4fac-9563-34a06d2e7d4b}\settingssynonyms.txt

Filesize
101KB

MD5
003ece80b3820c43eb83878928b8469d

SHA1
790af92ff0eb53a926412e16113c5d35421c0f42

SHA256
12d00eee26e5f261931e51cfa56e04c54405eb32d1c4b440e35bd2b48d5fcf07

SHA512
b2d6d9b843124f5e8e06a35a89e34228af9e05cbfa2ae1fe3d9bc4ddbebda4d279ce52a99066f2148817a498950e37a7f0b73fe477c0c6c39c7016aa647079a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7168584a-2b16-48b0-937f-743c4346ea46}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7168584a-2b16-48b0-937f-743c4346ea46}\appsconversions.txt

Filesize
911KB

MD5
f1ae7199f564e1adf7187a8c8e2c98bb

SHA1
1f926f893f2b3a25919b4add876bee286b5b4ee5

SHA256
5445d1a1b85d5748ce9531a580aac7f58a5937e9c27d94f0f7febc465c2da6a5

SHA512
b52ab9a4c7d70a14269bca2e67e7efa15b9e6a606a4972890b2514a6cf03b98e9b415498cbe1f53d0e69dfc74fd3706f6d259d5cd29a95cafb6cbdf2fe1f8de9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7168584a-2b16-48b0-937f-743c4346ea46}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7168584a-2b16-48b0-937f-743c4346ea46}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133532506596914367.txt

Filesize
72KB

MD5
5b4b9d0df8b6dfd821c5d714018057d2

SHA1
737572ed9a2e31b9c70be6b89a69c1cef3b9fa5a

SHA256
c8fe9454e3257e33e2aa62872f4e7686f19e5ef84f161fdafb59e364e764e069

SHA512
dc55427a58a5a84f3daed54eec79f47ad6278ca640ddb39d1c346006b2455347a94d41b7184afda1e9f34c9d848f478a1b55a70594afb5f500458bac4ed1ec29

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
191KB

MD5
b454d8a64c16f0a482f16bc8918b0fea

SHA1
dd191571da3ce35115a7e05d3ff7942759b88bbc

SHA256
64a8741244a8f4e4d08ba1abf3c7af8c5625811dc453e64526f591f22fedd7af

SHA512
760441f0c12e6ef02b58a1509ecb8681f35778f351d7c3bad80883560c2c78bb816c8b4a24ff15c87b1cfe75a4772252f7587a206197756b24e891cab563e99d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
195KB

MD5
6734ef36415c237713a659d0f88eb646

SHA1
5d677700e061147f09a7757e797b5fa170ae545c

SHA256
d95e137caea38a80c4ef798c6265daa0ed4a30dae7f0f777b6b22ff45591736f

SHA512
8b521fe69bb1332cb7603e3efbad886105a47e5fda785ec08c0119fc49f205b80426ea248599504a33e80cf34c9505d121f7675f7ee74dee071718a78504ab5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
178KB

MD5
a91f09115ec0a5af0624cf8acbd0c206

SHA1
ab9cc7360f1d64f6e847cf570255c238851a3282

SHA256
86535985d26bae8d6aa3b853a485d90af7cdd4a8429384d41906743c4775fa37

SHA512
01e3f13d988860a1591618edb82829e5a4e506c4edc2bd523b1a7b5c77eadd081e3fc0b8db46dbedb7fa1ed06ec89727e7f70f551e0691e969bc86627a5229b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
192KB

MD5
6c45a93c898592adc2896c2a6a4e46cb

SHA1
99da617275b42def9244eff24046857c32da704d

SHA256
563ac91da2f34606291cb53a4540f1d01b72d914e93e7d9e44538fa7017f2660

SHA512
4c6e38ec4d765cfd5517f2d8a875deb6f7ce976d5998b8a63be6a4b783a5918d57aa9aa63e3db409a1351e722c391236723b0f9e89f8728641b9d9ee722dbd8b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
162KB

MD5
614c66408bae7bccfac125a3f9585f5f

SHA1
a8c4dab2fca5691b8c864e7261eb20d55109dc6c

SHA256
8d98461b4ac4a0eae3ee541b13b2c98e7a6617e4ae9f8c3480c2244b56c2bd92

SHA512
4bb5172b75709372091b8d42742f79f27677013696eb2706236bea2679d51eaa99bd862b408b34d0bdc438a01bf410957537e753c4c2c26d52dfe8e4bc9a9158

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
179KB

MD5
28fa6886689d04dd9ad6b51860cc909f

SHA1
a3426a5e2060d51f014f5d66518d832066db8b4e

SHA256
a6d89fd261fa93f6609f67ba756323a6dfc389c8df21ca0c38e146e2032eaa38

SHA512
e42689e1539d0495ecdd92e34c1ba78d7f51450a1445dda3adbf2d456beb1e1976011aa3673089da0677592d78d862496ed971e32754d371719234d3597c42cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
179KB

MD5
189272ae8f3a321d467305aa65ed6fb5

SHA1
66f6088153fbf1bf58a1f526b824fb81cf6b9977

SHA256
7a8e9623899e44891aa086d129daa74935ccb4a4e604171d4513c0d6b96dab72

SHA512
29d315b9c347211c88f45c09594495b575c99897180218008261535b94fe77ccf0a1c6b926daf8df931ab426def9031932388684dec73c97d1130355fc3857a9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
174KB

MD5
486c6dc5a98a01451c5165757bd93eb0

SHA1
d44f43677c62f7f54ead6d05ae4062fb2c723240

SHA256
e5e481a92ff1685ad6edc97fa748cb1ff061f4b3f7222286f030f096b6f61e07

SHA512
c81ab0d49a790f699e3d736480f7e41d141e718e388a4900b0844c979e3764768662936529275b1b5e62e6bb014d7a89ec58673d2b9ab5f16537219344eb0546

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
174KB

MD5
08840c3e832886fd75388279a8df228f

SHA1
6a8e2940f45b4fa965950d56b38ebba4925d139d

SHA256
1b0c309ef00be021cbf48acc9cd65340302878cac9e0d87074a4d92a4fba27f8

SHA512
cde7476c33c2bd3f27e95897c0a19f2f555e3f1750d8cde173d1081130401c314ef56b73c04ca6bc7334cbfd3396c0411eda88abf3276ff5decbbfec6e6f5b28

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
176KB

MD5
1bef6d18b2be51ef2914f2981d88a483

SHA1
3a592184c81c7d332f0f6b15d307acf544e0927c

SHA256
4e9f51280261838c2d178448107f058f45535ccae05c996021145ab178b67082

SHA512
e6aa276543d71d4edfa9fa20243d80a32d86dc8966be9605c6c5945ea6f663e21bbee0a9438570acd9f655e1a510847e45fd71dd60da2440dc28c3e890855447

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
0eb3957aaa369897a886608816f3c5d7

SHA1
9dc768f66dc0adb7aa5164443731eab38cee0f2a

SHA256
118cf09641c2963cfe19a7dba3e70d40272378f6bc31c87e11e233ea51d5d1af

SHA512
a3fdbe1dc1221cd8330300bce4117e33c98a6c92a1da0e6bf32902fd3dc44069e13006f86e2d734f8ee3fa3bad6b053ff607605260110cfee0470d27dd3472fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
10KB

MD5
f8166805bab4e8822748b9ca47c70b44

SHA1
250bf515994c08fdc51cecd4fc45b8f15ada0237

SHA256
d47fb304caf4d992a88bd7dcb08b21787c8a4390f20e82199a5807dd4cc4d5df

SHA512
cd9d19d6039e6a55ed52fdf032bc4aa7905ff066d926b9e3b40c5a69be0e0346582d29e6825250308007995200c0e90cb52b5337e7f6660670e84c2bd60ef53f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
83faf2be4a27117c9dad35c7bcd04e7b

SHA1
525f6ff4ab0c8c1d86ba7c41c6aaa6ab0801a285

SHA256
03b6393349aa23dbdff17b5d56231d6c5752cb100638a1f5304756dd01786c71

SHA512
8005f7a929b2e3728c96e3a858402d914b3eae596fa75813a10d02f5c2e182bc87494e16412f57ee35866d117b6b42e94b6777552783c693ed9d90921f5370c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
8c1e9491ee17fb0231f6b0a916f8eb64

SHA1
d0128be737fb8bafd7b234b1e7c25b67093bb8d7

SHA256
5b0576ebc61d6ce3584d00bc39837d05f280e4f4c87e6a61d73d2a2b00cef7c2

SHA512
9e263ae20b12dc70b41254f12159b30d7b88dadc3d1e9cdf60fefa6affe0a89e2b29f983e80fb496fa633392d0a64e969b37269645731a6d0adfd69e0e573c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\55A.tmp\56B.tmp\56C.vbs

Filesize
588B

MD5
67706bca9ceaba11530e05d351487003

SHA1
3a5ed77f81b14093a5f18c4d46895bc7ea770fee

SHA256
190a0d994512ed000cf74bd40fb0502988c2ac48855b23a73fd905c0305fc30f

SHA512
902ac91678d85801a779acbc212c75beba72f8da996b0ed1b148a326c2dd635b88210f9a503fbbffa5271335483eae972e6a00acbc01ec013cf355c080444598

Download Submit
memory/2156-31-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-32-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-30-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-29-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-34-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-28-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-33-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-24-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-23-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/2156-22-0x0000028B141C0000-0x0000028B141C1000-memory.dmp

Filesize
4KB

Download
memory/5088-76-0x000002333D140000-0x000002333D141000-memory.dmp

Filesize
4KB

Download
memory/5088-94-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-93-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-92-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-91-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-90-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-89-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-88-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-87-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-86-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-85-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-84-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-83-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-82-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-81-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-80-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-79-0x000002333D160000-0x000002333D161000-memory.dmp

Filesize
4KB

Download
memory/5088-78-0x000002333D140000-0x000002333D141000-memory.dmp

Filesize
4KB

Download
memory/5088-77-0x000002333D140000-0x000002333D141000-memory.dmp

Filesize
4KB

Download
memory/5088-75-0x000002333D130000-0x000002333D131000-memory.dmp

Filesize
4KB

Download
memory/5088-73-0x000002333D130000-0x000002333D131000-memory.dmp

Filesize
4KB

Download
memory/5088-71-0x000002333CFF0000-0x000002333CFF1000-memory.dmp

Filesize
4KB

Download
memory/5088-52-0x0000023334E40000-0x0000023334E50000-memory.dmp

Filesize
64KB

Download
memory/5088-36-0x0000023334D40000-0x0000023334D50000-memory.dmp

Filesize
64KB

Download