dearcry | 617a0ef26dacf4c492487684212684360431f39c8e69748ba74dab77109b4a1e

Analysis

max time kernel
86s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
Size

1.3MB
MD5

0e55ead3b8fd305d9a54f78c7b56741a
SHA1

f7b084e581a8dcea450c2652f8058d93797413c3
SHA256

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
SHA512

5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa
SSDEEP

24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3

Score

10^/10

dearcry discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Renames multiple (7379) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 12 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 60 IoCs

Processes:

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini	explorer.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Public\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	explorer.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-125_contrast-white.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\ui-strings.js.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_fr.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-125.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\url-polyfill.min.js	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_th.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-100.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\ui-strings.js.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-200.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-125.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-80_altform-unplated_contrast-white.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-20_contrast-black.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Windows.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30_altform-unplated.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\ui-strings.js	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Private.ServiceModel.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\upsell.png.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClient.resources.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-high.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-400.png	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js.CRYPT	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeexplorer.exeSearchApp.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeSearchApp.exeexplorer.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeSearchApp.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2636447293-1148739154-93880854-1000\{383A3052-AC64-4FDA-9593-1F0A8CE156B8}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "2"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2636447293-1148739154-93880854-1000\{56448275-A557-4980-8A3F-716AB0E80B28}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2636447293-1148739154-93880854-1000\{46CE525C-6A64-4A14-B874-6661C8B37B10}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2636447293-1148739154-93880854-1000\{84805CA5-3664-4DF7-B5BB-566FF14FAFAB}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe
Token: SeShutdownPrivilege	3592	explorer.exe
Token: SeCreatePagefilePrivilege	3592	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
4580	StartMenuExperienceHost.exe
4348	StartMenuExperienceHost.exe
1368	SearchApp.exe
2996	StartMenuExperienceHost.exe
1616	SearchApp.exe
2684	StartMenuExperienceHost.exe
3440	SearchApp.exe
1972	StartMenuExperienceHost.exe
2324	StartMenuExperienceHost.exe
3948	SearchApp.exe
1300	StartMenuExperienceHost.exe
1972	SearchApp.exe
4968	StartMenuExperienceHost.exe
3444	SearchApp.exe
4000	StartMenuExperienceHost.exe
4168	SearchApp.exe
1036	StartMenuExperienceHost.exe
2224	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe
"C:\Users\Admin\AppData\Local\Temp\2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2892

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2092

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
PID:2472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:624

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1132

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2136

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3596

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:764

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1560

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4420

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5060

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png

Filesize
388B

MD5
1dc5d31ef9205f1034b64d635d59cb32

SHA1
c172576576c5ac5a3c2912bdfd0c8365b5365513

SHA256
676d1f912a22a12ad4c80bf552355a7e0995c56e6ef7527aaa9b77e513efc065

SHA512
bc334638acb1416787df04cbaebde99cd15d96c5b96b6f950cbdfb54177fcd2f2ecce4dc9212a9a3f2f85269ac901aef147ec6297c31c5ee6cc39ee4cdac17c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png

Filesize
552B

MD5
7d00bc0d46dcb90890a4fe6b76bc5c3a

SHA1
7159b1e1c264a6863708a971eaeca32cff864aa1

SHA256
2fcd2848cbcab1a3b8154138288cc659cd2c187412cb887eec6554b6165b8c33

SHA512
2f113cb27028aa0fa0f028b09ddcddb4a1ede6ae0823909d99763db6e5be57b1b4ae6977537ec17808cd622bc548e1ba3122e35b58de9d856400d33042234a35

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
6e8d259daabf1168ae5136a3de48ee80

SHA1
b015257e3ae0810ddbda53c0b12991161a863ffb

SHA256
13370a65ca7e31fbf3a133156c208bf99c01a54880d55a8a4500495683e3a47f

SHA512
cf3c564c18c6b0965a431cda1ed8fa97cbeeb839d992e48f77c073bc8054ead03b4823df381c5179d3d398877da3473b92d70ae905a2bd0c7e5fc45505340113

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js

Filesize
1KB

MD5
88151ac4ebd7f5ff2d381c65e68cece7

SHA1
f979db4063d15ef2e32db3c38890899bb87c78e5

SHA256
c1ea4ada9462abd4ec352dfaf670575e9caff1e55d303db96a2f2500d50d92e8

SHA512
326195f5176beed6cc39849b8d6e87a5136c41a04aa76f53c30bbed1ff74391e16a6114e236f39d403c7f82fda032c00a9ee1df583412dfea224047e51f4c3bb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

Filesize
1KB

MD5
60f1a26612dc049ce3e00fe917b6475d

SHA1
05791d089cbcd759088adbbd9483433dc9a10206

SHA256
8ced84488e1ea81e8cc3ec1a25f5b849de902601bef557b6ec65f9de2982bece

SHA512
06f080a9df9081a2bfd557165f9c21cf2bce3ee161c0896a9f9a6e0f8a3ae545b1cfaaca9ce1d46757dbe0163ddd0421bdb51558ef092dd0a6e5c2052ead4706

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png

Filesize
683B

MD5
ea321d33cfeb1d029794bd01c5b78e85

SHA1
4e04b2d8f7f23f44f96f4bbf134233e1feb5e28b

SHA256
3add439f478220ce8001abf2543810144a0d80f8116bc0ca13947c9745983c55

SHA512
f574d12330a668d89402265cf5a859a76325ed548e1730e02f51dfd36e3d5dccf2c8b75a76a8c931597bfc130a42364c73eef0200523d4eefbcf4fa5ccacddea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

Filesize
1KB

MD5
a660ce180dea34b4944d83569f4789bc

SHA1
e3ca7b90c8bd299c49585bd29bc3fb7494c0fa4e

SHA256
03ab6f2f396e0531f1b1299b61485408cff93f183942910a7d0d5f0c7a666bd8

SHA512
9de185c0e6a8cc49852ebb454a00a7a19f5382b358327d393a6952b32099036147c1eb799cc60078bf24477e9607a1b4c88288a213a8ffcafd8d60caab0f0720

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js

Filesize
1KB

MD5
cdc58b2bf0a1a34f96af8fdcb62dc30b

SHA1
69eb0d674e9830e81cecdd610792225a2a5dc265

SHA256
3b5888b652cd86408bdd59e86405d3f171d23132059228544fbe693cfcb2b73c

SHA512
d8ef3220b8984f759347a0e83eb75939c914bf865db492d28e226f113b469a97325befa008886743aeae2e0f32c74c0a1e7ce8b60eaf5949b51058a618daa502

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

Filesize
445B

MD5
55c2b47c9aea50661a855fe91eb8ac32

SHA1
13ea23a51394ea2c13420ddac1294eae6f82f846

SHA256
ba5a59d879c1f6543b46085d02f5c90fdb22e663487d3586b6533cd887c83b72

SHA512
947da2e85f5c21e7847f10d727729915973c911a47de233ef1fb97f60ae41db05f4c8c0ee655e3aa264db2067763e4134b76279f1d3ea8ad43640a64176522a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
611B

MD5
808e7aedbb1da793b86c92816309035e

SHA1
b4a2fca53290a35ae222f2cdf80f68ec7eab51e6

SHA256
a90f0edb8324760029a5db9f641b05694f8717c25514b2d6abde7662c827e0cb

SHA512
0af4e6a83661378b618c40de02c6cb7244be544dcb02f1f14c83b6abd791fa0330b6d508c86f0ba8e345608639d8505a2f26d3a6d3ae201bb01319c10c212d4a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
5c1dc195043bdea8525930a9882c10d7

SHA1
17415e551255ab016f7682d7b33451cfcb91e687

SHA256
019bad9e72430b758828953e3310007695c55fed1d25fdd707c76fec561f2bc5

SHA512
e912b84e9b4856864d302154b68adf6822189aa78859265cf8f529279e77a9d7c086452b4527ebb75d9c910ad9a6a1e95e1f45498fc168628da80739acff742e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

Filesize
162B

MD5
8db5f9dff9d857a8827ea6d66fea4880

SHA1
ef5de087109543e49ee7fe70adb49efe27e15121

SHA256
e8c6ae3d3f05d53d58200db3f31383861d434c6abbf66f82e925321029058a10

SHA512
70723910b4bf8814f848e10390378d53d9fb67e8a319edb708edc41b5c858c1d2cfc0b86a2909e33f72062df8b32e70554fa5ebe7aad7ec474ad78087560069b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js

Filesize
1KB

MD5
4e6de5201d795432e75c0628dd306b26

SHA1
80ae62145f6bc55c2a25f68ad9d6bc9fcae496db

SHA256
1265f683d27701f95b545e6201577fb4eadf5dcfbc1fc8cedb8dd39635515788

SHA512
950227253fb845bd9a4519a209d72404760492473bda8101d846ded18aef1a2f6f6ab99b1b1b2186c0eed423c151c089316e124384f214644632e6a0f4dbece3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js

Filesize
856B

MD5
fc4cdc00064f47d2eedf58bd02068fe1

SHA1
cbb7157d8c560e9b2cdffac3a2b831202d76d2e6

SHA256
0e8fb0e6e1dd239a2a1996059914a5ec5e753782527c1a07c62d808eb77df3e0

SHA512
753d312596fdd24d3ad87b7916c5d108d185b42beff7c750099aecb38c7a321ff04260c19492d18cc27cf8f8843c6b3facde0934e67a46e9ce4291c3646abbe8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js

Filesize
1KB

MD5
c5596fa17e59cbf92a2ea2e1ad5c6f8b

SHA1
4153a71b5750685afba568403ed7522e83a9894f

SHA256
5812ebbc6311c0ff9919a27137b22435cbca3cb9fd56959b44ddb82f93609b99

SHA512
762580962300f0e0501054450772ed59cdfec76d7aa6b1944f557ccd74ec2fcd171ffd67765f2b367c526d0193eabd184f0d4ac1dadb7a0d25f00f9866f670bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js

Filesize
850B

MD5
26645133c9de7799e35cee0e47b82ee0

SHA1
bb6be735f6814d765bbe6b3f3ce034d1767366c5

SHA256
1180e5728ff28a49eec43c61f15d49541419e79397ae58479db67b533d292d36

SHA512
c466dc886b25fea5a0e16aec28a4e784afe797f3937c7863788d0e5fa41414346bb17546d49178a48815debcca50aec3acabadc1f508fe0a3207008bc722608e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css

Filesize
802B

MD5
89728f1ec13231dd11d2ea20afe39d67

SHA1
b4350cd128350483be389b2c865633bd1ae0f78b

SHA256
aff85e66d5b690dc0188f4c2348ca78abdc14605286128407242a4e91a684754

SHA512
58203e9c3898367c78c6d10fa629c0bd2356b2ae54e225afbcee83be1d5d297977a5a9633e773ffc2b8079a6e2eb2aa0afc530c27d29f512af40d8c9ae539adb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png

Filesize
179B

MD5
a93c09c1a326a8733b4eceb713ca7457

SHA1
90ba7a4c24bb0d424abda46b736170ea3b43e541

SHA256
d03f54aaa9216f4e32053928ce87a317341232f107140c84f73b2b6490b5a81a

SHA512
432c3400257d00391baa255d32fd03e0b8c97231d684ef35534868a38bcbf9cb70b433eacfe154c25fd3376e69592a7000a823535700f353975572c5101a56af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

Filesize
703B

MD5
cc62ce00dfbe76fd8affad9c89fced8c

SHA1
75d64cc57ff45a50c066f882bfd8e3845f8fa323

SHA256
e324ff224bfa2baf51d4ab75f686195a76b8c984676c450ed660eb9ca2b36f4e

SHA512
028056e42f0eb02646752b351bb04a6b9f87ff27a2e1060b4fe4d4867118fe90f42f555ea8c645361963405583005ec4f3802c7c57729fc8616df1af09cc94dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

Filesize
823B

MD5
fa904cdf440c6743078637992d58489f

SHA1
6969f407be2a1b52c5a41be256433026cabf9917

SHA256
152f6d0325802be61521bff49a8dd07063feaffeb2447d3ae6f47adf214cbffb

SHA512
c6237e56225d36d26ed594406a5bc08987bc34fac8d425dac8f909512ff19e6a27e1566651c591a38c0a5476e74dca09beb53ec15d4f08b6de2843fa064cbd3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js

Filesize
1KB

MD5
573dd292166f86741bb965ee068c3793

SHA1
169fcf0880c7a2c5993f5bf28ff64cd9ed441dd9

SHA256
ab2b7de642b66db6e6b610dab8fb3c94c972465e07b7f681127c40a6629d8c2e

SHA512
0217d582d827a7b6faa950bc726d41c4c7644ba11b19689b9e5eb60cf54df4afaefcf4eac3649e8315dc1134988dc71abcb94bd9a640829bf9d68a6ffa17241b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
924B

MD5
bf70043c03230a91bb5b402e7ee67e63

SHA1
2ec8302c3ebe1e34abb5e0c813abceaadfc5073c

SHA256
a8b45a4c0a3adae007e8ef6b3a0e9966d2ad0c552320210a778109e2799f6c75

SHA512
ecdf54cc56de9c49dec1e9e65aefa736201904e609474b13d089f188bf35ae46b62d1ba492f4c25ad3fd7ff584a1532be18c0115598c2deaa834b22e6e52a601

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js

Filesize
931B

MD5
7adbce4bec815b574ab3fc6d85eb1937

SHA1
7d14e52fc6aa5796996988e9feab97c31eab1e0b

SHA256
efec14a7f219aff9e96c136933c0316abbabfa082b5755a86b2745c0a8423a79

SHA512
4218fc7991ef7ab93b1fab696432fc0130f07c534b2da244ce3370e6092213db657505af8380e7a07576b16b19d7c1b58f6a5498122d73061a362162b31f5b18

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js

Filesize
1KB

MD5
478f0065e127108d705114b29fb9170a

SHA1
3d954983b0594275bdbe444336baad9517129b79

SHA256
1beae6b25a652882189f27e3b52232bc3451a54eeedf3e5cb0eb827fe15032f9

SHA512
4affd4e7c23c555d99a5a1a4ff929228af723961c6cc1c320358998fbba2528e2d84d5c64a5c28fd6420ba3132fad056f2388538086d061510d80e244f7b3990

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js

Filesize
851B

MD5
661fea8b99a08e2422d8b5b9bcfd9921

SHA1
54a78f38a3599aed6d27c6fc711d7af7a205c524

SHA256
60624904ad10defbfcafa3acd5dac4c7c5040edde23bff489b6b32ea5a1403ad

SHA512
69b58c6c99f494ca1b6f2788cd17b63cc9f583b0abca870f666aedb9c504f660b03df699b69828c8ecc43a747297042eeca7e197de96dd43defb7871e2289b9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
855B

MD5
3dd77972f6558af4969a57eb4f19f2d0

SHA1
d56f6ebeaf408c667bb9491845a33ddc19d18947

SHA256
cde2dda4b1709d6591356e21717833ecf9802dc119d719e9dbbc97b090158644

SHA512
68f15867e6b29cce5415ce31203cc3f1790869f85d1b1ba8b2912e9b1b570f61485e5e9aac96d9bcc069e81d298b56d8941cd94a1df72d07c7508c7fdcc7ef1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js

Filesize
849B

MD5
95e6ecbe44dc4ab34323c697c6568b56

SHA1
0ca5debc2a7b53245ae6b7d6594ba93b3152bdee

SHA256
d3bdbdce059d04ec6e336179e6262bc694def0fcc5fe4b006953dbf178dbb30c

SHA512
af6262bf0a2b16fbd1dff7051eb0373336781c105b63631080ed2b6d38f54adbdbd16d794917fb9ad08c9ee238e0d4df732b7ef3e4c6d521a6b347eb8c2e9804

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js

Filesize
852B

MD5
4fcc8af63d8fea1581c1e96e9436e913

SHA1
5c09be5c84dba1172a2503a3406223baed06f8bc

SHA256
bbce03b612d22d42e40207a0ac4b6492ab0ad8c2cf4690377929f4cad738954d

SHA512
4bb1df7206f7fee79df361d678cd250399efff9d13d3435448170efd515abb425fcbf3b6ad9d0c6da1b4a7860d33dfd15daaa199e96dcdd701afb3b80234f2d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js

Filesize
1KB

MD5
21a5d65fbcf76ed1b8e9489d3bb051f7

SHA1
dcfde89bb81642e0b1bcb2b4d8c0fe574e912950

SHA256
f054ff5e3f41e79c647bd03dc9ad1bad42f8292c7e7b839088faeb8abc182ff4

SHA512
566bc1f2c5f4b2b9888c8e414552c25609d2562e10a8abddf6f036a6cbe2bc7644cbe850311224c25db96380c0e11fb07800f965305f41e068968bee530c320a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
1KB

MD5
0e038344281f0aa0a74103dd77048888

SHA1
163a5a2d3888eb23ecc17b53865742f3eb7aa3c1

SHA256
f3a76de64a79cd7afa5438bb0a4f4330a97497246fe00f7b29fb690e2ffe32cd

SHA512
5988b04142669c005728510cc0a0c7507a9b8561b9d3178e3ef06b77a725e5e3ab7c13faf2998522c601285e823d3f72edbe7b93ba6b14a9c5afefbacb974560

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js

Filesize
1KB

MD5
c4b091c93a4910ecfc619efdf3c56111

SHA1
4147f571dfd1d77b6a6943c57784820bd0cba24c

SHA256
d30e4139d68728b1c0b7c0fdccf649fc98c269f0d57c08e1d2033c13f162c29a

SHA512
b276ec16ba3a0737c8958a7373c3b5b53d384432535e65ee5651dce90da0eaf7dad1a02479243efb0b5ea78234c0f423ebc10c82b6e28db557106b8a21db1964

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png

Filesize
289B

MD5
65afdbfd57a964a5525ef68ca68cb5f4

SHA1
986fd9886e54eaa35b90561c94b00f85eb758711

SHA256
322fa7539ee1552758dbb051fe1199a7b4b247ec8335fb35cabf043d8947466d

SHA512
88b2d9c205d6fa4fb7823fa118fb95c651977cbaf1b54445ced380d34541e5367a218de4335a341b3994839386b487fcc33718b749ab2e05678ae87e0da1dbd7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons.png

Filesize
1KB

MD5
2870d12e27e8a50bf66493145c06939a

SHA1
f4319fc28ae1f99e359b5cfbd4c8c69af67dc03e

SHA256
dd6fda1bd17d115065254a8af134a7906d8e15e2725b01223582c3add3240272

SHA512
39b2281464998cd9f3d87659cdf7f3f2690a82bb8093ac64d5141d837dd4f951514cf0fcbfc02a0102f3d8ce780805886a361c649d6df2347db60b383442e5d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png

Filesize
1KB

MD5
d1dfee6d7b14e63f64c349b2cae8ad27

SHA1
fd382215ff99c0993d8924f18ff7912b4835f4ad

SHA256
b63bba00ed3b7a86b6ed36ab7d6eede57656454e0a583b875d34ee19466714e4

SHA512
220e189bc67b20bef3f92da6dd063b12fd53436c6fa9e728553669e4d42dbe595c52801e68a929797c48dc56fa4ff47919aa3d065363ce881e207abc83f7de77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
2KB

MD5
598b166da1d843121d50f9593073a15e

SHA1
e41c87d8fa9aa263dfe783bdd692556fb8e24f43

SHA256
c46d21ff4c32097f172b4e99b5794374ed4a1cb025040d157f611f43929e98d5

SHA512
107ceb56129c1baade5930cea77fdc9c53264ff06b92936a5823c483235ffce8ab4ca3efef5001c5cc16eb3351b663877e1e4184749ba33d785b4927fe2f2db1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
2KB

MD5
48a2c150eaa7d9fe84e7e31163e67495

SHA1
cfd5375b61328af47b784d2e1229c95c9355ce06

SHA256
ff1d90818c6ec24ad8dc4334bed7e72b3ceb9460cdfe3b25ec24d2b31b4c9288

SHA512
e6abeeb5ed043270c9148b58fa359d8536e0a9606aaed86446f3cc3ef14a855b711a86869d02fe27f50ef79b91895c77bc970c6ccf962caeb8311984c4778410

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
385B

MD5
34300ee4cd847a5329747c2294699c1f

SHA1
5e1086c8ebeaf9205517c82d8ae1711931ec48e1

SHA256
122650bd6eea6dc3c3cde5c472c78fe200967b33c6e3f3d2f394d8fb66c3acfe

SHA512
ecea239cb49cc1b9018e9d5bc34fa0d501cd9dc6bd7a8c01b8a2bfe9cb8d9baf805081d3705f0f986903a93a35a3ddcb852463bc2698606b556999cd0608ad6e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
1003B

MD5
d82b1439dcd0ea62ce3edcf6d36eac1e

SHA1
f5216b9a0c6b294584b24a5fd50b43e79d46310e

SHA256
44f25bfcbff16b8e7c81ac93d6dcbc312035c81ba6d62e61d4177e23ef62dbff

SHA512
bc789786f1261ce50116190f56ce7da3063fb944af6e5da17fd0a61e51d3d25b11fc09a83d2fd1805e16f33c2c469bd28d05366b8fff7faa85d3dd498e5e3d1a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
2KB

MD5
7d1b0ec51595563c9214ddfdec36f303

SHA1
bbb988973a8281943b5bfacb8ab03d97c0f0f398

SHA256
c915635ac032617e1acf87810abd8e8d9825c7e40a74245bc9efcf31d6da9da9

SHA512
709deed649d6062cf8c1ada7207b9c871d51a69a4bc7dc3c1408bd6a38d211ff53ce19a091cc4bb68a62eb00aa512afd07a33d314393812716391f04faea93d3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
840B

MD5
ac24e253ff384d8523af43f5a93688f7

SHA1
beb4ffa972185300803e9a1f6a16ec062cec1015

SHA256
f49327d72a4888fee8721962d13a94571e349ba666a0e1354c4f49331e858cff

SHA512
9c559a1bdaae9172fbe9e6a9b907390041fd16d0382a202423e0d9d19bb0f2c06a7228d6bc17df943d4e927c0420f302982e0463755bfd5c0d6e4ecb65504a61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
1KB

MD5
cb05ff26ffcb30838de16f659f8d93c9

SHA1
f9e977e1f60be49be8a17cf75d31f4a7620827ab

SHA256
ef97178fce43f78773e1c57cebaadd55904a1e5d810f8f75219b23e92c00687d

SHA512
26fc3838e5ef5b638d974be02b6d8f76f7f4778b1b612ea9031c5a5b1cf4a421e48c7a667a1f8db55270c1c86c4e1ec469c8078dd0edaeec2df02fddff27a999

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
930KB

MD5
45d3d62890fa98b808e4379a0a399baf

SHA1
5b5459717f961d20f002e3c5d3268906a71e7f73

SHA256
de96183d3d1e3c5a790c8fb31df0c6879d3bf1ca64b10be23452b58ee8e2b69e

SHA512
748cdde074183fe2780a236a9cf3e8141c5a79f492cad5656e44f706a74a58575015181d32d39bc177a4b68a045f7f0b836ba9d66e73fefe9877efb5744d6f2f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
190B

MD5
f0be99f92d8b8ad3d79c9aa580fc2f08

SHA1
a9ab5160208575c2c19277491406d5c95690a5f0

SHA256
e290cb91a6aaf54bb397c8f72d0bf5e8a70935ca00abde862e3d13fdf75fdbb0

SHA512
c9c2002d0f14f1d92924f80105c4b092bcb8de5bcb838179f2129b125fbcdf83f78ee80f44b0e26bab451c6fa5d6a29547a4933a92858e310dfbbdcee32f8cae

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
950ac8e007b49ed7acf1646758393817

SHA1
3a795f27aac36ba92f33165a6550cc7f201b3254

SHA256
4ab0585ac1cc953813901847e774a0a6e2542bedd0e5964cacf31e421455223e

SHA512
6bf7c6bdc1f802cdc8cea1d5a22de2e2cdf307411504499351fa5e9bdb7d1826c1968c4cc8bbb2fc17ea69850d69e0e2d77b76d29ad991813b598fc18ea0982e

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

Filesize
744B

MD5
c181d62d13f055127f354bb60cdfa03b

SHA1
6cbfcbcdb417807d7ce1ffeeaa2eaaf9b548885a

SHA256
d8dc1b9aa2aefd658fae2d9b6bf36318bdda72fcecba0538a1f121592b44e3b6

SHA512
62dd4c375f5e3299843c78dc86026da551a8a66c2c4cfac4003b8e4774ddd1cc36c130611c15182b61a472169305b75c845f17ec899e53250461867cc82abd36

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Filesize
223B

MD5
dbac9649c4bd702f55fbd1afafe87c44

SHA1
0d914f4a809cfe400ca111ebfbd0ad552d500785

SHA256
b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

SHA512
86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{75EBC370-ABAA-414E-815E-A85CB7D5DD01}.2.ver0x0000000000000001.db

Filesize
1KB

MD5
8b836d8d3ea988668ddae3311f514a57

SHA1
af3199496b831b74bde630f871615ce5848f9857

SHA256
ac944397bb7351bf439ea8b7e6cf5863fed078383f3da0b7c92b53408fe680d5

SHA512
f205183db25237a58c6a33b9c83af86df3210fc7cc411d4638af9c856fb39a2795c99d612601bdf183101402ed6455b7949a9deabfb2b2262afe47dff0c17cc2

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8cfc804a-d777-2361-1670-4569e516397e.xml

Filesize
2KB

MD5
29eb0301f92bda0d67f79582acadf847

SHA1
2c2ac90238793f699322833c2f8bd043cc29ddec

SHA256
221ce3a8c269f4dff433a9a8a9807f65d8fa7b302e640b245f7293a0998363d6

SHA512
61f47426e5dff09a432a7848f3d07cfb5f85cab6b327fb416c31223e6a5ecaaf3a3f065a6c4bf0a352fb4fd3c7199ae481c929c43da3d596000f87d7f6bd52c1

Download Submit
C:\USERS\ADMIN\DESKTOP\DEBUGUNPROTECT.TIF.CRYPT

Filesize
244KB

MD5
0aabdcef9fdd5d3f9d850d93e251f235

SHA1
7d0666de878fd1b869abb83cc0ebe9c27264680c

SHA256
c9141cfbb709ea6e99addf0f985b61c92c5aa5ac07f26e226492da5f6cbc685f

SHA512
428f88d163e46ec48d3c15f9e8f15247825fc9895883d8fa0d9e59637cf1d6c0fe4ee8c4bb00be996a9a55b451c727f3d4974dd697064ee6c6aefac4271699d6

Download Submit
C:\USERS\ADMIN\DESKTOP\DENYREAD.TIFF.CRYPT

Filesize
463KB

MD5
a56543a9d90020e459ab7166151d2a6f

SHA1
3f6d9613f47d2833784f34666ef3c88a692a5547

SHA256
900a37886350ad06f33cd43c330120e990db6c0bab7fc09e6691affb4275a0ae

SHA512
6f34d534bde97c9488a754830306a3958160d1e4cf8b56a5bb290a9e87ef3d18d3a401ed9e94cbaa17dde82628757e728617e42c9e0ee8b445d825f29814fd5c

Download Submit
C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.CRYPT

Filesize
568B

MD5
b94ae82d5edf7b983748080ea0414ec4

SHA1
8faf9413d105cc134e865deb46f552a295c92cda

SHA256
3dfdb73410d0e6cb0abb26e4a85cdcba72e5e9bc3b394bff43ce2be6d7a3abfd

SHA512
4b3510e6a41ff97f24d4280effb25f98963c1d9580f99cf3bf8f8d6a15ba84a86667c966e8480e346333a85e9252b22839de3ee7774b1384c9b8953d76c99b40

Download Submit
C:\USERS\ADMIN\DESKTOP\ENABLEUNPUBLISH.DOCX.CRYPT

Filesize
514KB

MD5
19abcc95f47abcf7bf547b243976a5d7

SHA1
3d011b2b2eed09b30a36b2ee0971b0f2368cab59

SHA256
fc52df2a3e2d13cda68c560b0fb712817c6945306937ab5b75f01cfe629e4fb4

SHA512
32ebf19b3c01987998b12032f24930e66cba25ef2257cc8e50420249670a6e092f856a342a7cc8a6914f16e309fba29adadcb4f80f46d9dc32d257d205914b56

Download Submit
C:\USERS\ADMIN\DESKTOP\STOPLIMIT.DOCX.CRYPT

Filesize
15KB

MD5
249f6b5a09baf995eb0de8b5e9ac722b

SHA1
891c0e51e1e3392eafc882b95fe085f7bf8cfe19

SHA256
9314984c924972a5243ee90f5482f17da9da89c0ff8681b499784e7a3573967f

SHA512
77864c7a167eaaa31187da204b243f9bca3e7ac43da8ea6ad07afe82ba62277fd1eb4de9dfae5d5fad88c7a586e5c9b497ade4a676619bc287a6b4fa7726da91

Download Submit
C:\USERS\ADMIN\DESKTOP\UNBLOCKINITIALIZE.INI.CRYPT

Filesize
581KB

MD5
329237089ee6242e384c9d11ad98caf6

SHA1
703042f2372fb64c65af0bfb923a2f41483d9f3a

SHA256
7db65087b59626161b80b46ec95a321909c4b04165f560b6a2dae02642eb61cd

SHA512
d8dfaf120ae18603b5b98001b4ad20d5c335c095fc855e088dcbb24a9b27df306b77c30e728a7fca3400bd37a066466614f0067a56562f4d325d50460b91e869

Download Submit
C:\USERS\ADMIN\DESKTOP\UNPROTECTMERGE.CSV.CRYPT

Filesize
328KB

MD5
7a0ece07007feef5ed247eb6a68d0193

SHA1
59cc4e3de8b4453719eb838462e8f3a6fa50cbd3

SHA256
fd2646d29b534caffcc34b66f56ae3a09e91628c40f6e89757939842c1a1537a

SHA512
ffad62c311fec5bf6411cc54dedd145b43beb9b731c7f86c9e2b0fc4a9a9d71ff0e0fa552250ac9033d641c864bfbca1ec6b62cccab432cd11a0d6611469dc71

Download Submit
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI.CRYPT

Filesize
456B

MD5
f981ac23451f68e4f1f4f75597329d94

SHA1
69aa69a1e29f6eae3cef5a4772fb5a914ac5e0f5

SHA256
f0ef030e93c14f59a5efdb04863af97b353d3359327cbc9e3543789c0dbff76e

SHA512
d9a83195554068915c7cd53251cc7946eb1f4e24628a0b84aa78964f6a09b0c2cf4c75ebe663d44311f874bed5a0d91bcc77105c6f3e8a75edff5c023a19d26d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png

Filesize
1024B

MD5
d47b127bc2de2d687ddc82dac354c415

SHA1
746c3f4d286c531e065e8af76e0ac0868831c6b4

SHA256
6ab72eeb9e77b07540897e0c8d6d23ec8eef0f8c3a47e1b3f4e93443d9536bed

SHA512
6ceec4ab9b9b8a5839e6650648089e263b6645d4be3e1912bf867c0e3e174f976a39f5446c4bd1d57d837d6319b123103fe2fee2f590380a83fe4d0ed98099ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
413KB

MD5
2350b47261040b1ee32f7df427ab30fc

SHA1
e656cced405e01b6a60b7444b2c9e1b31ed7c63a

SHA256
612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db

SHA512
a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini

Filesize
174B

MD5
ace3165e852adb8aedbeda2aa3be570b

SHA1
4577ff7e92850e2723008f6c269129bd06d017ea

SHA256
237f73d46d3501de63eae1f85fdf37e65ddced70f013b7f178d1ee52b08f051f

SHA512
cf77563b9295b191ce2f309e03618d1ab4d317f65b87dbecc4904ee2d058db06d23c20c199571b0fafb67ae5ec5166b76af0b7d8bfe3996b0dde9751e28f8c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

Filesize
174B

MD5
e0fd7e6b4853592ac9ac73df9d83783f

SHA1
2834e77dfa1269ddad948b87d88887e84179594a

SHA256
feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

SHA512
289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

Filesize
16KB

MD5
4534f12102d235344cf8dda748f0cabf

SHA1
7db67baceeecb3a420bf37a7beca4a45185f8f3c

SHA256
1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

SHA512
7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.CRYPT

Filesize
414KB

MD5
326b991fefb3450935e5a1aa7a33a06a

SHA1
e7a507b9a1a63412fd4cbdd422c00a3e8da98617

SHA256
90a0c8b5f6525eb504836b7d43debb7fd38411f239a788cc941b06982666548b

SHA512
18809a632715e61cb81bc076272083bcb840654bc07d6d7c9e67e831e2583f7874eb3f4ab9557016db6f08a1fc528c603ea854da8e412ec6ef99573d33c29897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
b4c70949a62a7356119b5fb8b43c44d7

SHA1
1d36d1023cdb15948211d105c5f74a519f502598

SHA256
079f87216895f0459e196a1c06885803befec97f6460d0797317897a41ca1514

SHA512
39cd64ca7d6b6c2b9de7549d8c32e63842f96da73a39b3bb429b6314dc398069a5dc72cc9e42658aa4723b5cfbc691cbb218b698a05644f702e0dec2b2fba22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
7ed46e1dbf6b169ecf4f7911303c1f51

SHA1
49c8458155776459c110d5729d14793378dab1ca

SHA256
a737f6e2c3edbd10d4cc6b35a741216db5736552dd1ea31fe5c02b3319e1aaf7

SHA512
8aa8e823aa8a9ba4b90bbcf8fb836fd2c1f7aaac35a6232ec93db175395457d09d016a6b362d8a8a59929b5518bfd714382520e6ae9b81b9b2217bee4c33521a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
777dd969da3dd17026244668b774e058

SHA1
e0a066d28dfc6bcca1c13a50bfc4b35a37541b7a

SHA256
221f1bd7bad281fe93374736df606e52ce7393ae4fe0bdd4682935b90f184e59

SHA512
1f1a19b1a969a62cd8c83622e89077492457dd00f28505f0fe49a600688b18bf0407cae61e0da9f0d23fd0f6d874125fe83a5666ca7975976d612743fda08158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
6a109b181c1847b9ba33e602a5ef7940

SHA1
fdccbf27ed492043d453c992638256711031b31e

SHA256
596bed87c7e67222a4e22816ea481184228033426e8c9c2be0eb26518036a2c1

SHA512
3552bac222ee6887d54782d47d219758604ffcded938b418b27cc545950c87bbaa9172e06803f079395c7ec95b4a9b484c409c9d95b1bb0f9faa8a29b8809fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
77b65a77cac00fe47b16dd4819c4a4c7

SHA1
5d174cc05cfc487ee35db8aaa770930a26529bc0

SHA256
31aa3f7fa15dc18c49e4e36554fbaed761808284a0fa4a792a48e46d267e0383

SHA512
abcc320916161427a5b5683edd9242ad065680eee55f35b770e24c58f3ddb5b77bc1f58bc4c5fb851bec15b441a8de904a10dbb7eeaf6dcdf9460470d3d33d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
93d7dc36b446998b4e3bc3320102fa56

SHA1
f5951b11b349e68780968cb594b254671ae59dbb

SHA256
9351251f1991bd671bde432c1810efe0b6f8d6b3ab70a7494d343c958ed6a8c6

SHA512
978920427b9aa1b214ea7168e7674db97510ca3f1b63994daafa68b882bfba26dd67e295e366c9f2ec7f59d4f17976a736a753bae339eae3cd1dd2fe91d033b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
a34811c3a050be9cfa6da221175e9023

SHA1
994c711e624984db10f0e5d9d002c903508dcbd5

SHA256
ad165bec834d6001a8be45c0e473bc686556e18d5d096ff1522e88b0b859124f

SHA512
b3c804d491580fa8f96a36743bebf8d7e55f03e7075ffeacf06277ece743e7336b5d246635992b0a25d5d62745a4dbe6caa4c9c0da47d192cd3f1d238688b37e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1024KB

MD5
fe01f0fb19db147f5347fc2321f761bd

SHA1
e0302861582fe7f37786030f11b9ec79a583f6c7

SHA256
6ae3721f88d35ac242d91b8bea13630f1edbe6c29ef4eec0cae2ab95f00ac544

SHA512
893a817e30de2ec68ed06eebc240cde8dbf80fd8f6a8f3b7a1b3aa15e6ca318f3597b8721a701893cbb4101c885e3764515da5f94701e4eb3498e3be41a67130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
1ec8fb39fd6806c2b38e46cef46b783e

SHA1
999ce8368757eea9647f15aba9425503fb02f375

SHA256
093071826e1b5f14b28bf8c680c22080cefd3df3a0bd351a84de521a9838b1e7

SHA512
f3043438182d4071699dd02fb815d824d39292a4053994d5f324312a60b04260fd02e8ed06f02074ca80280e2dbb6308cd576ac3c0034699f366198a92675a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
07e0ddb31a90c6102ba8f84b40cd0305

SHA1
0b5c2649551907998fc21ae41a214c851bac6562

SHA256
cd342b6c99e2f9303aab4be7c82f95a65bfaa4d65b371277f787ac3ab6b47a1b

SHA512
ff7fff5f23d080ea4fa93948be281263a80c36702fb2102dbcc692be84e222cea1e4b22c133776f11a64d5a5592ad85f2429ea8ae6e4f7ff8aee8e302a9ebb5d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\76C4KPL0\microsoft.windows[1].xml

Filesize
97B

MD5
0dbb53a17801fa58dfa90d07739ff347

SHA1
a6654817d03464a6892fd4f2011b7e3db9d74335

SHA256
b6625dc0c57efb8aa03ba540b8514f3e6e5daa5cea8676ab614060a64a84f2e8

SHA512
08e95c667d00de6ba3956e05b2095212aa11a2ca0b38caf17997044f552fdd4c74e229b2caddb75ab3140756cb79639232fa7875896a0656443705e3ce44827b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
127e3dff8de34293b79b2b4723ad6a0c

SHA1
4bcba802b1dd4ab5152279cd60cd952c39fa029d

SHA256
aedcbd6f7d8576226ec2d8e5013a6e4e730e26a88a048f6c7c2d600e48e93ca9

SHA512
d9be1019ad8cda17c21086a4dc980e160235e356b7b601b8a9a1f35e8938d6bf1475488e2fe6d33b3f7e15e9bb942900aa801aba39eb8004443d484f5465dc85

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d2a5d977-5dda-42a6-9677-174b8cb4b54a}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
f6a6263167c92de8644ac998b3c4e4d1

SHA1
c1fe3a7b487f66a6ac8c7e4794bc55c31b0ef403

SHA256
11770b3ea657fe68cba19675143e4715c8de9d763d3c21a85af6b7513d43997d

SHA512
232d43e52834558e9457b0901ee65c86196bf8777c8ff4fc61fdd5e69fd1d24f964fed1bf481b6ef52a69d17372554fecb098fb07f839e64916bdd0d2abf018a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133663134765852983.txt

Filesize
2KB

MD5
ecaea544af9da1114077b951d8cb520d

SHA1
5820b2d71e7b2543cf1804eb91716c4e9f732fde

SHA256
9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

SHA512
dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
1KB

MD5
f25b733a523b34b60a55707c16323ad1

SHA1
666af52be238b1e34240ea79fa123f62c586290f

SHA256
98a6996f21f251627ad92c19328b1aa7a37a8f7b8875dfa5d97d58b96e5626b6

SHA512
15495eae9e04bcb49597a78d2c374a4deba827808a516d6c64e10c0dec03a8a86ded1707c68e89390d428cf716323cab0c83d98508fea1d354559ff8041e0ce9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
1KB

MD5
341491a5245ebc38e96e3285fc942ffc

SHA1
5d94e6b84fedfb1e6f48614510460024a00e294c

SHA256
a80b3d1fd672da6b60750da79ab7cac8a4129396b67b69978be849652517bf9a

SHA512
43315ed543dc41cdf4afdf25475a64b5ff2b767f3137e5b502866a4f3a54049271301bc5e7a63271200cec56863e8b34dd78b24563de360c22aa6d9ee0e21715

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
5KB

MD5
4b9363fbf6718a19d6ab83cf26d05fce

SHA1
49bbd65b5e165a73959c7d3976123b6cc607721a

SHA256
64c312e87580390044a5caabaa82a8da397f6e81f20cd9aaf17978714249daea

SHA512
6bf6d7090229b4c967dca1f16edf7f3bd4af65ef31545776296d509687a5ecb477d314b4036c6852f5a91e0f892599afa241c332a6064bf1c05cb525766dc5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D75769F7-A898-4B02-804B-CA214BEC702C}.png

Filesize
5KB

MD5
00e5fcfd833151f7cbde607e2f7afeb4

SHA1
55839875c0947aafebff53d22ccc5dad29fe3563

SHA256
b80192aaabe007baecd0603e3ce183e9d554b8a6b0411d20716acfa086ae3035

SHA512
f056777a1987c3becdc217bdc2d82e6aa41086d38fddaa45c42f1726b6f7b7616a10918081650e825a724464ef148b669bc258d38a62e0de8642e2607a0b0de7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/916-22460-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1132-23655-0x000002084A360000-0x000002084A380000-memory.dmp

Filesize
128KB

Download
memory/1132-23651-0x0000020849540000-0x0000020849640000-memory.dmp

Filesize
1024KB

Download
memory/1132-23650-0x0000020849540000-0x0000020849640000-memory.dmp

Filesize
1024KB

Download
memory/1132-23667-0x000002084A320000-0x000002084A340000-memory.dmp

Filesize
128KB

Download
memory/1368-22318-0x000002389C790000-0x000002389C7B0000-memory.dmp

Filesize
128KB

Download
memory/1368-22279-0x000002389B400000-0x000002389B500000-memory.dmp

Filesize
1024KB

Download
memory/1368-22283-0x000002389C440000-0x000002389C460000-memory.dmp

Filesize
128KB

Download
memory/1368-22278-0x000002389B400000-0x000002389B500000-memory.dmp

Filesize
1024KB

Download
memory/1368-22310-0x000002389C400000-0x000002389C420000-memory.dmp

Filesize
128KB

Download
memory/1616-22467-0x000001DE8C400000-0x000001DE8C500000-memory.dmp

Filesize
1024KB

Download
memory/1616-22480-0x000001DE8D1A0000-0x000001DE8D1C0000-memory.dmp

Filesize
128KB

Download
memory/1616-22492-0x000001DE8D7C0000-0x000001DE8D7E0000-memory.dmp

Filesize
128KB

Download
memory/1616-22465-0x000001DE8C400000-0x000001DE8C500000-memory.dmp

Filesize
1024KB

Download
memory/1616-22470-0x000001DE8D1E0000-0x000001DE8D200000-memory.dmp

Filesize
128KB

Download
memory/1972-22922-0x000001BAC7FA0000-0x000001BAC7FC0000-memory.dmp

Filesize
128KB

Download
memory/1972-22897-0x000001BAC6C00000-0x000001BAC6D00000-memory.dmp

Filesize
1024KB

Download
memory/1972-22902-0x000001BAC7BD0000-0x000001BAC7BF0000-memory.dmp

Filesize
128KB

Download
memory/1972-22912-0x000001BAC7B90000-0x000001BAC7BB0000-memory.dmp

Filesize
128KB

Download
memory/1972-22898-0x000001BAC6C00000-0x000001BAC6D00000-memory.dmp

Filesize
1024KB

Download
memory/2092-22744-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/2224-23383-0x00000166035A0000-0x00000166035C0000-memory.dmp

Filesize
128KB

Download
memory/2224-23352-0x0000016602FC0000-0x0000016602FE0000-memory.dmp

Filesize
128KB

Download
memory/2224-23363-0x0000016602F80000-0x0000016602FA0000-memory.dmp

Filesize
128KB

Download
memory/2472-23496-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3152-23500-0x0000022361B00000-0x0000022361C00000-memory.dmp

Filesize
1024KB

Download
memory/3152-23503-0x0000022362AF0000-0x0000022362B10000-memory.dmp

Filesize
128KB

Download
memory/3152-23499-0x0000022361B00000-0x0000022361C00000-memory.dmp

Filesize
1024KB

Download
memory/3152-23498-0x0000022361B00000-0x0000022361C00000-memory.dmp

Filesize
1024KB

Download
memory/3152-23524-0x0000022362EC0000-0x0000022362EE0000-memory.dmp

Filesize
128KB

Download
memory/3152-23512-0x0000022362AB0000-0x0000022362AD0000-memory.dmp

Filesize
128KB

Download
memory/3248-23044-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3440-22614-0x000002AFD6520000-0x000002AFD6620000-memory.dmp

Filesize
1024KB

Download
memory/3440-22619-0x000002AFD7540000-0x000002AFD7560000-memory.dmp

Filesize
128KB

Download
memory/3440-22643-0x000002AFD7900000-0x000002AFD7920000-memory.dmp

Filesize
128KB

Download
memory/3440-22631-0x000002AFD7500000-0x000002AFD7520000-memory.dmp

Filesize
128KB

Download
memory/3444-23046-0x000001CB82300000-0x000001CB82400000-memory.dmp

Filesize
1024KB

Download
memory/3444-23070-0x000001CB835A0000-0x000001CB835C0000-memory.dmp

Filesize
128KB

Download
memory/3444-23051-0x000001CB82FC0000-0x000001CB82FE0000-memory.dmp

Filesize
128KB

Download
memory/3444-23059-0x000001CB82F80000-0x000001CB82FA0000-memory.dmp

Filesize
128KB

Download
memory/3444-23048-0x000001CB82300000-0x000001CB82400000-memory.dmp

Filesize
1024KB

Download
memory/3444-23047-0x000001CB82300000-0x000001CB82400000-memory.dmp

Filesize
1024KB

Download
memory/3516-22612-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3580-22747-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/3592-22272-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/3948-22764-0x000001C732A20000-0x000001C732A40000-memory.dmp

Filesize
128KB

Download
memory/3948-22775-0x000001C732E30000-0x000001C732E50000-memory.dmp

Filesize
128KB

Download
memory/3948-22754-0x000001C732A60000-0x000001C732A80000-memory.dmp

Filesize
128KB

Download
memory/3948-22750-0x000001C731A40000-0x000001C731B40000-memory.dmp

Filesize
1024KB

Download
memory/3948-22749-0x000001C731A40000-0x000001C731B40000-memory.dmp

Filesize
1024KB

Download
memory/4168-23214-0x0000020643150000-0x0000020643170000-memory.dmp

Filesize
128KB

Download
memory/4168-23231-0x0000020643760000-0x0000020643780000-memory.dmp

Filesize
128KB

Download
memory/4168-23200-0x0000020643190000-0x00000206431B0000-memory.dmp

Filesize
128KB

Download
memory/4352-22895-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/4768-23191-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/4792-23647-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/5040-23343-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download