Analysis Overview
SHA256
a05bf5a2ce5ede067135335270d9baf3d01b11589262d484b549ecfc6ed18afb
Threat Level: Known bad
The file s.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 22:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 22:46
Reported
2024-05-31 22:49
Platform
win7-20240221-en
Max time kernel
150s
Max time network
131s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT | C:\Windows\System32\Narrator.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT | C:\Windows\System32\Narrator.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6C9E720DBCFA41DFBA876EBF72DA6BD5.dat | C:\Windows\system32\utilman.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6C9E720DBCFA41DFBA876EBF72DA6BD5.dat | C:\Windows\system32\utilman.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\HighContrast\Pre-High Contrast Size = "NormalSize" | C:\Windows\system32\sethc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "151" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "318" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "382" | C:\Windows\System32\osk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | C:\Windows\System32\Magnify.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\UseDevice = "1" | C:\Windows\System32\osk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters | C:\Windows\System32\Narrator.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a}\Attributes\Vendor = "Microsoft" | C:\Windows\System32\Narrator.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "120" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "464" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "191" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a}\ = "Speakers (High Definition Audio Device)" | C:\Windows\system32\utilman.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "409" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "0" | C:\Windows\system32\sethc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a}\DeviceName = "Speakers (High Definition Audio Device)" | C:\Windows\System32\Narrator.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "113" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "462" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0" | C:\Windows\system32\utilman.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "314" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "364" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "482" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a}\DeviceId = "{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a}" | C:\Windows\System32\Narrator.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "161" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "279" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "152" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "168" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "183" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a}\Attributes\Vendor = "Microsoft" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "Magnify.exe" | C:\Windows\System32\Magnify.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a} | C:\Windows\System32\Narrator.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "218" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "334" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "156" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "495" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A} | C:\Windows\System32\Narrator.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "136" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "148" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "290" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "309" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "114" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "373" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ScreenMagnifier | C:\Windows\System32\Magnify.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput | C:\Windows\System32\Narrator.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "172" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}" | C:\Windows\system32\utilman.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "241" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\sethc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "99" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "324" | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "352" | C:\Windows\System32\osk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums | C:\Windows\system32\utilman.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "100" | C:\Windows\System32\osk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\osk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "300" | C:\Windows\System32\osk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c0735a67-1aa8-4f51-a0dc-cce4d0b33d0a}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}" | C:\Windows\System32\Narrator.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "343" | C:\Windows\System32\osk.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Windows\System32\Magnify.exe | N/A |
| N/A | N/A | C:\Windows\System32\Narrator.exe | N/A |
| N/A | N/A | C:\Windows\System32\osk.exe | N/A |
| N/A | N/A | C:\Windows\System32\osk.exe | N/A |
| N/A | N/A | C:\Windows\System32\osk.exe | N/A |
| N/A | N/A | C:\Windows\System32\osk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\s.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 's.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6369758,0x7fef6369768,0x7fef6369778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1456 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2904 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3604 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1300,i,7970215104766960834,18414406305458604165,131072 /prefetch:8
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UpdateRegister.ogg"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\JoinStop.DVR-MS"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DismountPush.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DismountPush.txt
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x184
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\System32\Narrator.exe
"C:\Windows\System32\Narrator.exe"
C:\Windows\System32\Magnify.exe
"C:\Windows\System32\Magnify.exe"
C:\Windows\System32\Sethc.exe
"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
C:\Windows\system32\sethc.exe
sethc.exe 101
C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
C:\Windows\System32\Sethc.exe
"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
C:\Windows\System32\Sethc.exe
"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.209.94:19130 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
memory/2320-0-0x00000000001B0000-0x0000000000528000-memory.dmp
memory/2320-1-0x00000000748FE000-0x00000000748FF000-memory.dmp
memory/2320-2-0x00000000001B0000-0x0000000000528000-memory.dmp
memory/2320-3-0x00000000748F0000-0x0000000074FDE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | d9210f77952314df48761806739e3e56 |
| SHA1 | f1ea74f2129c1ac6880a25c9e295e1519dd1d3b5 |
| SHA256 | 24efe0aa35540def5e437e99fb53a4974ab8b97dc69c7eb5afbe2c0f8a52653a |
| SHA512 | 058a439227f341a0ef973296c776f14c8c27e4913f276aac6664872137c334e890e9db7fb9641a689ceb726c516388ea597e8748638426b93fdfcc27b9b72bf4 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 09633ffe1d3b4c7a747e4408f8efbce5 |
| SHA1 | 1204d7963755d1d126b4b37110b3ce9aa363be26 |
| SHA256 | a05bf5a2ce5ede067135335270d9baf3d01b11589262d484b549ecfc6ed18afb |
| SHA512 | 63bfca8dca0e438b8eef2ba4ad5aafcb2369793cb5c1c979b2b4090ad1153c540372ec274cc1a9fd4f4fc85e142e2e6eb7a7b4780106c9d7189a9ece89a6bb60 |
memory/2320-27-0x00000000026E0000-0x00000000026F0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
memory/2320-68-0x00000000748FE000-0x00000000748FF000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/2320-84-0x00000000748F0000-0x0000000074FDE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1d2a3484-90cd-4eaf-ab89-419479989b63.tmp
| MD5 | bd34181b0871a5678534754589d20972 |
| SHA1 | 4f469cd87c2b1653abd656dbd02d30e41bc6ba0e |
| SHA256 | dc3baf6978f573123c20c7a1130222842a94664100684d95652a1f7d8469689b |
| SHA512 | 4c9a256e908d08fd7b4cc713feacdd74276da51fbef26a3d188442295abfd1f3c885d3ea8bdb07d77a1dd4f1498ac98fc57dc208c6212e4924f51af140c31c3f |
memory/2320-187-0x00000000026E0000-0x00000000026F0000-memory.dmp
memory/552-190-0x000000013F350000-0x000000013F448000-memory.dmp
memory/552-191-0x000007FEF69D0000-0x000007FEF6A04000-memory.dmp
memory/552-193-0x000007FEF7BC0000-0x000007FEF7BD8000-memory.dmp
memory/552-194-0x000007FEF6E50000-0x000007FEF6E67000-memory.dmp
memory/552-195-0x000007FEF6A50000-0x000007FEF6A61000-memory.dmp
memory/552-192-0x000007FEF5960000-0x000007FEF5C14000-memory.dmp
memory/2488-208-0x000007FEF6A50000-0x000007FEF6A61000-memory.dmp
memory/2488-207-0x000007FEF6E50000-0x000007FEF6E67000-memory.dmp
memory/2488-205-0x000007FEF5960000-0x000007FEF5C14000-memory.dmp
memory/2488-210-0x000007FEF6990000-0x000007FEF69A1000-memory.dmp
memory/2488-211-0x000007FEF6970000-0x000007FEF698D000-memory.dmp
memory/2488-209-0x000007FEF69B0000-0x000007FEF69C7000-memory.dmp
memory/2488-206-0x000007FEF7BC0000-0x000007FEF7BD8000-memory.dmp
memory/2488-203-0x000000013F350000-0x000000013F448000-memory.dmp
memory/2488-212-0x000007FEF5630000-0x000007FEF5830000-memory.dmp
memory/2488-213-0x000007FEF6950000-0x000007FEF6961000-memory.dmp
memory/2488-215-0x000007FEF5600000-0x000007FEF5621000-memory.dmp
memory/2488-217-0x000007FEF55C0000-0x000007FEF55D1000-memory.dmp
memory/2488-218-0x000007FEF55A0000-0x000007FEF55B1000-memory.dmp
memory/2488-220-0x000007FEF5560000-0x000007FEF557B000-memory.dmp
memory/2488-219-0x000007FEF5580000-0x000007FEF5591000-memory.dmp
memory/2488-216-0x000007FEF55E0000-0x000007FEF55F8000-memory.dmp
memory/2488-214-0x000007FEF6910000-0x000007FEF694F000-memory.dmp
memory/2488-204-0x000007FEF69D0000-0x000007FEF6A04000-memory.dmp
memory/2488-222-0x000007FEF4490000-0x000007FEF44A1000-memory.dmp
memory/2488-221-0x000007FEF44B0000-0x000007FEF555B000-memory.dmp
memory/2488-223-0x000007FEF4470000-0x000007FEF4488000-memory.dmp
memory/2488-224-0x000007FEF4440000-0x000007FEF4470000-memory.dmp
memory/2488-225-0x000007FEF43D0000-0x000007FEF4437000-memory.dmp
memory/2488-227-0x000007FEF4340000-0x000007FEF4351000-memory.dmp
memory/2488-231-0x000007FEF4220000-0x000007FEF4244000-memory.dmp
memory/2488-232-0x000007FEF4200000-0x000007FEF4217000-memory.dmp
memory/2488-234-0x000007FEF41B0000-0x000007FEF41C1000-memory.dmp
memory/2488-238-0x000007FEF3320000-0x000007FEF334F000-memory.dmp
memory/2488-237-0x000007FEFB680000-0x000007FEFB690000-memory.dmp
memory/2488-236-0x000007FEF4160000-0x000007FEF4181000-memory.dmp
memory/2488-235-0x000007FEF4190000-0x000007FEF41A2000-memory.dmp
memory/2488-233-0x000007FEF41D0000-0x000007FEF41F3000-memory.dmp
memory/2488-230-0x000007FEF4250000-0x000007FEF4278000-memory.dmp
memory/2488-229-0x000007FEF4280000-0x000007FEF42D6000-memory.dmp
memory/2488-228-0x000007FEF42E0000-0x000007FEF433C000-memory.dmp
memory/2488-226-0x000007FEF4360000-0x000007FEF43CF000-memory.dmp
memory/2488-248-0x000007FEF5960000-0x000007FEF5C14000-memory.dmp
memory/2488-247-0x000007FEF69D0000-0x000007FEF6A04000-memory.dmp
memory/2488-246-0x000000013F350000-0x000000013F448000-memory.dmp
memory/2488-249-0x000007FEF44B0000-0x000007FEF555B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 43d2f6fff494e584814016335a250096 |
| SHA1 | f686ec5f4b174eedad70cbe80071737bd2d77eec |
| SHA256 | 04b38e2295174c1653462421a9014f04377fd84e8222fdcf3a95c1e9b5dbfe41 |
| SHA512 | 29dc681c31e514efcdf4b9d9e706175aa44aad63de4387a30d8b58578b81cbf76ec7ee7ec2f5911b13b2e3039ee3b6777ef8cad232824b6d4e991673e1c27685 |
memory/2320-283-0x00000000001B0000-0x0000000000528000-memory.dmp
memory/2320-284-0x00000000748F0000-0x0000000074FDE000-memory.dmp
memory/2320-285-0x00000000026E0000-0x00000000026EA000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6C9E720DBCFA41DFBA876EBF72DA6BD5.dat
| MD5 | 0497eca41bf55f4da16c40ebb536ed0d |
| SHA1 | a12b9ad720c4e68d8cf45933074fd4e09b04781f |
| SHA256 | 5a6f216abcc892e004f1df0127446e83094c92fbdbd9255dfa8b565203e2275b |
| SHA512 | 2f92033512ba9453ee9d9e0b8191010f72a2b25852d59487d8a070fd8e57759229c1aadfd8b6b77dc7d92f9d921fb018d02507c7d28e3d68588d5ac214f87389 |
memory/1660-310-0x0000000002AD0000-0x0000000002AE0000-memory.dmp