dearcry | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
77s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Size

1.3MB
MD5

0e55ead3b8fd305d9a54f78c7b56741a
SHA1

f7b084e581a8dcea450c2652f8058d93797413c3
SHA256

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
SHA512

5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa
SSDEEP

24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3

Score

10^/10

dearcry discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Renames multiple (7374) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 60 IoCs

Processes:

DearCry_13_03_2021_1292KB.exeexplorer.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini	explorer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	explorer.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	DearCry_13_03_2021_1292KB.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

DearCry_13_03_2021_1292KB.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proofing.msi.16.en-us.vreg.dat	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SplashScreen.scale-100.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4.jpg	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-white.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-200.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_welcome_page.jpg	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\Logo.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxManifest.xml	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72_altform-lightunplated.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-200.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-100.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-100.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_altform-unplated_contrast-white.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxManifest.xml	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-unplated_contrast-black.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-200.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-150.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Collections.NonGeneric.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main.css.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Ear.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-400.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\ui-strings.js	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\AppSplashScreen.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.41\msedgeupdate.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\THMBNAIL.PNG.CRYPT	DearCry_13_03_2021_1292KB.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

DearCry_13_03_2021_1292KB.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DearCry_13_03_2021_1292KB.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DearCry_13_03_2021_1292KB.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 55 IoCs

Processes:

explorer.exeStartMenuExperienceHost.exeexplorer.exeexplorer.exeSearchApp.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "2"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{54BC93C3-1377-4A14-9BE0-4F794E59B614}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{12DBA035-02B1-4671-BC85-F1C1A4063E0D}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{E1D6C444-D0A4-45AD-B71A-68C133EACD9F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4980	explorer.exe
Token: SeCreatePagefilePrivilege	4980	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	4040	explorer.exe
Token: SeCreatePagefilePrivilege	4040	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4980	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exe

pid process

1040 StartMenuExperienceHost.exe
1628 StartMenuExperienceHost.exe
3972 SearchApp.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

pid	process
1040	StartMenuExperienceHost.exe
1628	StartMenuExperienceHost.exe
3972	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5020

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4504

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1656

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4416

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:380

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4136

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png

Filesize
388B

MD5
1dc5d31ef9205f1034b64d635d59cb32

SHA1
c172576576c5ac5a3c2912bdfd0c8365b5365513

SHA256
676d1f912a22a12ad4c80bf552355a7e0995c56e6ef7527aaa9b77e513efc065

SHA512
bc334638acb1416787df04cbaebde99cd15d96c5b96b6f950cbdfb54177fcd2f2ecce4dc9212a9a3f2f85269ac901aef147ec6297c31c5ee6cc39ee4cdac17c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png

Filesize
552B

MD5
7d00bc0d46dcb90890a4fe6b76bc5c3a

SHA1
7159b1e1c264a6863708a971eaeca32cff864aa1

SHA256
2fcd2848cbcab1a3b8154138288cc659cd2c187412cb887eec6554b6165b8c33

SHA512
2f113cb27028aa0fa0f028b09ddcddb4a1ede6ae0823909d99763db6e5be57b1b4ae6977537ec17808cd622bc548e1ba3122e35b58de9d856400d33042234a35

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
6e8d259daabf1168ae5136a3de48ee80

SHA1
b015257e3ae0810ddbda53c0b12991161a863ffb

SHA256
13370a65ca7e31fbf3a133156c208bf99c01a54880d55a8a4500495683e3a47f

SHA512
cf3c564c18c6b0965a431cda1ed8fa97cbeeb839d992e48f77c073bc8054ead03b4823df381c5179d3d398877da3473b92d70ae905a2bd0c7e5fc45505340113

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js

Filesize
1KB

MD5
88151ac4ebd7f5ff2d381c65e68cece7

SHA1
f979db4063d15ef2e32db3c38890899bb87c78e5

SHA256
c1ea4ada9462abd4ec352dfaf670575e9caff1e55d303db96a2f2500d50d92e8

SHA512
326195f5176beed6cc39849b8d6e87a5136c41a04aa76f53c30bbed1ff74391e16a6114e236f39d403c7f82fda032c00a9ee1df583412dfea224047e51f4c3bb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

Filesize
1KB

MD5
60f1a26612dc049ce3e00fe917b6475d

SHA1
05791d089cbcd759088adbbd9483433dc9a10206

SHA256
8ced84488e1ea81e8cc3ec1a25f5b849de902601bef557b6ec65f9de2982bece

SHA512
06f080a9df9081a2bfd557165f9c21cf2bce3ee161c0896a9f9a6e0f8a3ae545b1cfaaca9ce1d46757dbe0163ddd0421bdb51558ef092dd0a6e5c2052ead4706

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png

Filesize
683B

MD5
ea321d33cfeb1d029794bd01c5b78e85

SHA1
4e04b2d8f7f23f44f96f4bbf134233e1feb5e28b

SHA256
3add439f478220ce8001abf2543810144a0d80f8116bc0ca13947c9745983c55

SHA512
f574d12330a668d89402265cf5a859a76325ed548e1730e02f51dfd36e3d5dccf2c8b75a76a8c931597bfc130a42364c73eef0200523d4eefbcf4fa5ccacddea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

Filesize
1KB

MD5
a660ce180dea34b4944d83569f4789bc

SHA1
e3ca7b90c8bd299c49585bd29bc3fb7494c0fa4e

SHA256
03ab6f2f396e0531f1b1299b61485408cff93f183942910a7d0d5f0c7a666bd8

SHA512
9de185c0e6a8cc49852ebb454a00a7a19f5382b358327d393a6952b32099036147c1eb799cc60078bf24477e9607a1b4c88288a213a8ffcafd8d60caab0f0720

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js

Filesize
1KB

MD5
cdc58b2bf0a1a34f96af8fdcb62dc30b

SHA1
69eb0d674e9830e81cecdd610792225a2a5dc265

SHA256
3b5888b652cd86408bdd59e86405d3f171d23132059228544fbe693cfcb2b73c

SHA512
d8ef3220b8984f759347a0e83eb75939c914bf865db492d28e226f113b469a97325befa008886743aeae2e0f32c74c0a1e7ce8b60eaf5949b51058a618daa502

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

Filesize
445B

MD5
55c2b47c9aea50661a855fe91eb8ac32

SHA1
13ea23a51394ea2c13420ddac1294eae6f82f846

SHA256
ba5a59d879c1f6543b46085d02f5c90fdb22e663487d3586b6533cd887c83b72

SHA512
947da2e85f5c21e7847f10d727729915973c911a47de233ef1fb97f60ae41db05f4c8c0ee655e3aa264db2067763e4134b76279f1d3ea8ad43640a64176522a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
611B

MD5
808e7aedbb1da793b86c92816309035e

SHA1
b4a2fca53290a35ae222f2cdf80f68ec7eab51e6

SHA256
a90f0edb8324760029a5db9f641b05694f8717c25514b2d6abde7662c827e0cb

SHA512
0af4e6a83661378b618c40de02c6cb7244be544dcb02f1f14c83b6abd791fa0330b6d508c86f0ba8e345608639d8505a2f26d3a6d3ae201bb01319c10c212d4a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
5c1dc195043bdea8525930a9882c10d7

SHA1
17415e551255ab016f7682d7b33451cfcb91e687

SHA256
019bad9e72430b758828953e3310007695c55fed1d25fdd707c76fec561f2bc5

SHA512
e912b84e9b4856864d302154b68adf6822189aa78859265cf8f529279e77a9d7c086452b4527ebb75d9c910ad9a6a1e95e1f45498fc168628da80739acff742e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

Filesize
162B

MD5
8db5f9dff9d857a8827ea6d66fea4880

SHA1
ef5de087109543e49ee7fe70adb49efe27e15121

SHA256
e8c6ae3d3f05d53d58200db3f31383861d434c6abbf66f82e925321029058a10

SHA512
70723910b4bf8814f848e10390378d53d9fb67e8a319edb708edc41b5c858c1d2cfc0b86a2909e33f72062df8b32e70554fa5ebe7aad7ec474ad78087560069b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js

Filesize
1KB

MD5
4e6de5201d795432e75c0628dd306b26

SHA1
80ae62145f6bc55c2a25f68ad9d6bc9fcae496db

SHA256
1265f683d27701f95b545e6201577fb4eadf5dcfbc1fc8cedb8dd39635515788

SHA512
950227253fb845bd9a4519a209d72404760492473bda8101d846ded18aef1a2f6f6ab99b1b1b2186c0eed423c151c089316e124384f214644632e6a0f4dbece3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js

Filesize
856B

MD5
fc4cdc00064f47d2eedf58bd02068fe1

SHA1
cbb7157d8c560e9b2cdffac3a2b831202d76d2e6

SHA256
0e8fb0e6e1dd239a2a1996059914a5ec5e753782527c1a07c62d808eb77df3e0

SHA512
753d312596fdd24d3ad87b7916c5d108d185b42beff7c750099aecb38c7a321ff04260c19492d18cc27cf8f8843c6b3facde0934e67a46e9ce4291c3646abbe8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js

Filesize
1KB

MD5
c5596fa17e59cbf92a2ea2e1ad5c6f8b

SHA1
4153a71b5750685afba568403ed7522e83a9894f

SHA256
5812ebbc6311c0ff9919a27137b22435cbca3cb9fd56959b44ddb82f93609b99

SHA512
762580962300f0e0501054450772ed59cdfec76d7aa6b1944f557ccd74ec2fcd171ffd67765f2b367c526d0193eabd184f0d4ac1dadb7a0d25f00f9866f670bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js

Filesize
850B

MD5
26645133c9de7799e35cee0e47b82ee0

SHA1
bb6be735f6814d765bbe6b3f3ce034d1767366c5

SHA256
1180e5728ff28a49eec43c61f15d49541419e79397ae58479db67b533d292d36

SHA512
c466dc886b25fea5a0e16aec28a4e784afe797f3937c7863788d0e5fa41414346bb17546d49178a48815debcca50aec3acabadc1f508fe0a3207008bc722608e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css

Filesize
802B

MD5
89728f1ec13231dd11d2ea20afe39d67

SHA1
b4350cd128350483be389b2c865633bd1ae0f78b

SHA256
aff85e66d5b690dc0188f4c2348ca78abdc14605286128407242a4e91a684754

SHA512
58203e9c3898367c78c6d10fa629c0bd2356b2ae54e225afbcee83be1d5d297977a5a9633e773ffc2b8079a6e2eb2aa0afc530c27d29f512af40d8c9ae539adb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png

Filesize
179B

MD5
a93c09c1a326a8733b4eceb713ca7457

SHA1
90ba7a4c24bb0d424abda46b736170ea3b43e541

SHA256
d03f54aaa9216f4e32053928ce87a317341232f107140c84f73b2b6490b5a81a

SHA512
432c3400257d00391baa255d32fd03e0b8c97231d684ef35534868a38bcbf9cb70b433eacfe154c25fd3376e69592a7000a823535700f353975572c5101a56af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

Filesize
703B

MD5
cc62ce00dfbe76fd8affad9c89fced8c

SHA1
75d64cc57ff45a50c066f882bfd8e3845f8fa323

SHA256
e324ff224bfa2baf51d4ab75f686195a76b8c984676c450ed660eb9ca2b36f4e

SHA512
028056e42f0eb02646752b351bb04a6b9f87ff27a2e1060b4fe4d4867118fe90f42f555ea8c645361963405583005ec4f3802c7c57729fc8616df1af09cc94dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

Filesize
823B

MD5
fa904cdf440c6743078637992d58489f

SHA1
6969f407be2a1b52c5a41be256433026cabf9917

SHA256
152f6d0325802be61521bff49a8dd07063feaffeb2447d3ae6f47adf214cbffb

SHA512
c6237e56225d36d26ed594406a5bc08987bc34fac8d425dac8f909512ff19e6a27e1566651c591a38c0a5476e74dca09beb53ec15d4f08b6de2843fa064cbd3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js

Filesize
1KB

MD5
573dd292166f86741bb965ee068c3793

SHA1
169fcf0880c7a2c5993f5bf28ff64cd9ed441dd9

SHA256
ab2b7de642b66db6e6b610dab8fb3c94c972465e07b7f681127c40a6629d8c2e

SHA512
0217d582d827a7b6faa950bc726d41c4c7644ba11b19689b9e5eb60cf54df4afaefcf4eac3649e8315dc1134988dc71abcb94bd9a640829bf9d68a6ffa17241b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
924B

MD5
bf70043c03230a91bb5b402e7ee67e63

SHA1
2ec8302c3ebe1e34abb5e0c813abceaadfc5073c

SHA256
a8b45a4c0a3adae007e8ef6b3a0e9966d2ad0c552320210a778109e2799f6c75

SHA512
ecdf54cc56de9c49dec1e9e65aefa736201904e609474b13d089f188bf35ae46b62d1ba492f4c25ad3fd7ff584a1532be18c0115598c2deaa834b22e6e52a601

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js

Filesize
931B

MD5
7adbce4bec815b574ab3fc6d85eb1937

SHA1
7d14e52fc6aa5796996988e9feab97c31eab1e0b

SHA256
efec14a7f219aff9e96c136933c0316abbabfa082b5755a86b2745c0a8423a79

SHA512
4218fc7991ef7ab93b1fab696432fc0130f07c534b2da244ce3370e6092213db657505af8380e7a07576b16b19d7c1b58f6a5498122d73061a362162b31f5b18

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js

Filesize
1KB

MD5
478f0065e127108d705114b29fb9170a

SHA1
3d954983b0594275bdbe444336baad9517129b79

SHA256
1beae6b25a652882189f27e3b52232bc3451a54eeedf3e5cb0eb827fe15032f9

SHA512
4affd4e7c23c555d99a5a1a4ff929228af723961c6cc1c320358998fbba2528e2d84d5c64a5c28fd6420ba3132fad056f2388538086d061510d80e244f7b3990

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js

Filesize
851B

MD5
661fea8b99a08e2422d8b5b9bcfd9921

SHA1
54a78f38a3599aed6d27c6fc711d7af7a205c524

SHA256
60624904ad10defbfcafa3acd5dac4c7c5040edde23bff489b6b32ea5a1403ad

SHA512
69b58c6c99f494ca1b6f2788cd17b63cc9f583b0abca870f666aedb9c504f660b03df699b69828c8ecc43a747297042eeca7e197de96dd43defb7871e2289b9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
855B

MD5
3dd77972f6558af4969a57eb4f19f2d0

SHA1
d56f6ebeaf408c667bb9491845a33ddc19d18947

SHA256
cde2dda4b1709d6591356e21717833ecf9802dc119d719e9dbbc97b090158644

SHA512
68f15867e6b29cce5415ce31203cc3f1790869f85d1b1ba8b2912e9b1b570f61485e5e9aac96d9bcc069e81d298b56d8941cd94a1df72d07c7508c7fdcc7ef1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js

Filesize
849B

MD5
95e6ecbe44dc4ab34323c697c6568b56

SHA1
0ca5debc2a7b53245ae6b7d6594ba93b3152bdee

SHA256
d3bdbdce059d04ec6e336179e6262bc694def0fcc5fe4b006953dbf178dbb30c

SHA512
af6262bf0a2b16fbd1dff7051eb0373336781c105b63631080ed2b6d38f54adbdbd16d794917fb9ad08c9ee238e0d4df732b7ef3e4c6d521a6b347eb8c2e9804

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js

Filesize
852B

MD5
4fcc8af63d8fea1581c1e96e9436e913

SHA1
5c09be5c84dba1172a2503a3406223baed06f8bc

SHA256
bbce03b612d22d42e40207a0ac4b6492ab0ad8c2cf4690377929f4cad738954d

SHA512
4bb1df7206f7fee79df361d678cd250399efff9d13d3435448170efd515abb425fcbf3b6ad9d0c6da1b4a7860d33dfd15daaa199e96dcdd701afb3b80234f2d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js

Filesize
1KB

MD5
21a5d65fbcf76ed1b8e9489d3bb051f7

SHA1
dcfde89bb81642e0b1bcb2b4d8c0fe574e912950

SHA256
f054ff5e3f41e79c647bd03dc9ad1bad42f8292c7e7b839088faeb8abc182ff4

SHA512
566bc1f2c5f4b2b9888c8e414552c25609d2562e10a8abddf6f036a6cbe2bc7644cbe850311224c25db96380c0e11fb07800f965305f41e068968bee530c320a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
1KB

MD5
0e038344281f0aa0a74103dd77048888

SHA1
163a5a2d3888eb23ecc17b53865742f3eb7aa3c1

SHA256
f3a76de64a79cd7afa5438bb0a4f4330a97497246fe00f7b29fb690e2ffe32cd

SHA512
5988b04142669c005728510cc0a0c7507a9b8561b9d3178e3ef06b77a725e5e3ab7c13faf2998522c601285e823d3f72edbe7b93ba6b14a9c5afefbacb974560

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js

Filesize
1KB

MD5
c4b091c93a4910ecfc619efdf3c56111

SHA1
4147f571dfd1d77b6a6943c57784820bd0cba24c

SHA256
d30e4139d68728b1c0b7c0fdccf649fc98c269f0d57c08e1d2033c13f162c29a

SHA512
b276ec16ba3a0737c8958a7373c3b5b53d384432535e65ee5651dce90da0eaf7dad1a02479243efb0b5ea78234c0f423ebc10c82b6e28db557106b8a21db1964

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png

Filesize
289B

MD5
65afdbfd57a964a5525ef68ca68cb5f4

SHA1
986fd9886e54eaa35b90561c94b00f85eb758711

SHA256
322fa7539ee1552758dbb051fe1199a7b4b247ec8335fb35cabf043d8947466d

SHA512
88b2d9c205d6fa4fb7823fa118fb95c651977cbaf1b54445ced380d34541e5367a218de4335a341b3994839386b487fcc33718b749ab2e05678ae87e0da1dbd7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons.png

Filesize
1KB

MD5
2870d12e27e8a50bf66493145c06939a

SHA1
f4319fc28ae1f99e359b5cfbd4c8c69af67dc03e

SHA256
dd6fda1bd17d115065254a8af134a7906d8e15e2725b01223582c3add3240272

SHA512
39b2281464998cd9f3d87659cdf7f3f2690a82bb8093ac64d5141d837dd4f951514cf0fcbfc02a0102f3d8ce780805886a361c649d6df2347db60b383442e5d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png

Filesize
1KB

MD5
d1dfee6d7b14e63f64c349b2cae8ad27

SHA1
fd382215ff99c0993d8924f18ff7912b4835f4ad

SHA256
b63bba00ed3b7a86b6ed36ab7d6eede57656454e0a583b875d34ee19466714e4

SHA512
220e189bc67b20bef3f92da6dd063b12fd53436c6fa9e728553669e4d42dbe595c52801e68a929797c48dc56fa4ff47919aa3d065363ce881e207abc83f7de77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
2KB

MD5
598b166da1d843121d50f9593073a15e

SHA1
e41c87d8fa9aa263dfe783bdd692556fb8e24f43

SHA256
c46d21ff4c32097f172b4e99b5794374ed4a1cb025040d157f611f43929e98d5

SHA512
107ceb56129c1baade5930cea77fdc9c53264ff06b92936a5823c483235ffce8ab4ca3efef5001c5cc16eb3351b663877e1e4184749ba33d785b4927fe2f2db1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
2KB

MD5
48a2c150eaa7d9fe84e7e31163e67495

SHA1
cfd5375b61328af47b784d2e1229c95c9355ce06

SHA256
ff1d90818c6ec24ad8dc4334bed7e72b3ceb9460cdfe3b25ec24d2b31b4c9288

SHA512
e6abeeb5ed043270c9148b58fa359d8536e0a9606aaed86446f3cc3ef14a855b711a86869d02fe27f50ef79b91895c77bc970c6ccf962caeb8311984c4778410

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
385B

MD5
34300ee4cd847a5329747c2294699c1f

SHA1
5e1086c8ebeaf9205517c82d8ae1711931ec48e1

SHA256
122650bd6eea6dc3c3cde5c472c78fe200967b33c6e3f3d2f394d8fb66c3acfe

SHA512
ecea239cb49cc1b9018e9d5bc34fa0d501cd9dc6bd7a8c01b8a2bfe9cb8d9baf805081d3705f0f986903a93a35a3ddcb852463bc2698606b556999cd0608ad6e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
1003B

MD5
d82b1439dcd0ea62ce3edcf6d36eac1e

SHA1
f5216b9a0c6b294584b24a5fd50b43e79d46310e

SHA256
44f25bfcbff16b8e7c81ac93d6dcbc312035c81ba6d62e61d4177e23ef62dbff

SHA512
bc789786f1261ce50116190f56ce7da3063fb944af6e5da17fd0a61e51d3d25b11fc09a83d2fd1805e16f33c2c469bd28d05366b8fff7faa85d3dd498e5e3d1a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
2KB

MD5
7d1b0ec51595563c9214ddfdec36f303

SHA1
bbb988973a8281943b5bfacb8ab03d97c0f0f398

SHA256
c915635ac032617e1acf87810abd8e8d9825c7e40a74245bc9efcf31d6da9da9

SHA512
709deed649d6062cf8c1ada7207b9c871d51a69a4bc7dc3c1408bd6a38d211ff53ce19a091cc4bb68a62eb00aa512afd07a33d314393812716391f04faea93d3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
840B

MD5
ac24e253ff384d8523af43f5a93688f7

SHA1
beb4ffa972185300803e9a1f6a16ec062cec1015

SHA256
f49327d72a4888fee8721962d13a94571e349ba666a0e1354c4f49331e858cff

SHA512
9c559a1bdaae9172fbe9e6a9b907390041fd16d0382a202423e0d9d19bb0f2c06a7228d6bc17df943d4e927c0420f302982e0463755bfd5c0d6e4ecb65504a61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
1KB

MD5
cb05ff26ffcb30838de16f659f8d93c9

SHA1
f9e977e1f60be49be8a17cf75d31f4a7620827ab

SHA256
ef97178fce43f78773e1c57cebaadd55904a1e5d810f8f75219b23e92c00687d

SHA512
26fc3838e5ef5b638d974be02b6d8f76f7f4778b1b612ea9031c5a5b1cf4a421e48c7a667a1f8db55270c1c86c4e1ec469c8078dd0edaeec2df02fddff27a999

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
930KB

MD5
45d3d62890fa98b808e4379a0a399baf

SHA1
5b5459717f961d20f002e3c5d3268906a71e7f73

SHA256
de96183d3d1e3c5a790c8fb31df0c6879d3bf1ca64b10be23452b58ee8e2b69e

SHA512
748cdde074183fe2780a236a9cf3e8141c5a79f492cad5656e44f706a74a58575015181d32d39bc177a4b68a045f7f0b836ba9d66e73fefe9877efb5744d6f2f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
190B

MD5
f0be99f92d8b8ad3d79c9aa580fc2f08

SHA1
a9ab5160208575c2c19277491406d5c95690a5f0

SHA256
e290cb91a6aaf54bb397c8f72d0bf5e8a70935ca00abde862e3d13fdf75fdbb0

SHA512
c9c2002d0f14f1d92924f80105c4b092bcb8de5bcb838179f2129b125fbcdf83f78ee80f44b0e26bab451c6fa5d6a29547a4933a92858e310dfbbdcee32f8cae

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
950ac8e007b49ed7acf1646758393817

SHA1
3a795f27aac36ba92f33165a6550cc7f201b3254

SHA256
4ab0585ac1cc953813901847e774a0a6e2542bedd0e5964cacf31e421455223e

SHA512
6bf7c6bdc1f802cdc8cea1d5a22de2e2cdf307411504499351fa5e9bdb7d1826c1968c4cc8bbb2fc17ea69850d69e0e2d77b76d29ad991813b598fc18ea0982e

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

Filesize
744B

MD5
c181d62d13f055127f354bb60cdfa03b

SHA1
6cbfcbcdb417807d7ce1ffeeaa2eaaf9b548885a

SHA256
d8dc1b9aa2aefd658fae2d9b6bf36318bdda72fcecba0538a1f121592b44e3b6

SHA512
62dd4c375f5e3299843c78dc86026da551a8a66c2c4cfac4003b8e4774ddd1cc36c130611c15182b61a472169305b75c845f17ec899e53250461867cc82abd36

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Filesize
223B

MD5
dbac9649c4bd702f55fbd1afafe87c44

SHA1
0d914f4a809cfe400ca111ebfbd0ad552d500785

SHA256
b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

SHA512
86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{06341C50-7ABC-4353-A54D-B7B639697520}.2.ver0x0000000000000001.db

Filesize
1KB

MD5
8b836d8d3ea988668ddae3311f514a57

SHA1
af3199496b831b74bde630f871615ce5848f9857

SHA256
ac944397bb7351bf439ea8b7e6cf5863fed078383f3da0b7c92b53408fe680d5

SHA512
f205183db25237a58c6a33b9c83af86df3210fc7cc411d4638af9c856fb39a2795c99d612601bdf183101402ed6455b7949a9deabfb2b2262afe47dff0c17cc2

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8cfc804a-d777-2361-1670-4569e516397e.xml

Filesize
2KB

MD5
29eb0301f92bda0d67f79582acadf847

SHA1
2c2ac90238793f699322833c2f8bd043cc29ddec

SHA256
221ce3a8c269f4dff433a9a8a9807f65d8fa7b302e640b245f7293a0998363d6

SHA512
61f47426e5dff09a432a7848f3d07cfb5f85cab6b327fb416c31223e6a5ecaaf3a3f065a6c4bf0a352fb4fd3c7199ae481c929c43da3d596000f87d7f6bd52c1

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml

Filesize
2KB

MD5
31434364acba2fa351fc9715db743df4

SHA1
1c2e77b236cfdd14960e90c9a48e59532d1a255b

SHA256
a94fc52f4840aa6390d47765d3fce16ab6d1c1978441156ef607a4b6f63fc317

SHA512
b069a65226c5aea8d50da2a179a351051a6680cf42a117d5d5b98e97bdcdd12e412f698b89039bd3464550e5794d3b95d97c6ee6931dc72e1bb060daa08e40b4

Download Submit
C:\USERS\ADMIN\DESKTOP\ADDRESTART.PPS.CRYPT

Filesize
423KB

MD5
50f44b4a65455d9a76e97ff26b01c1c1

SHA1
333e5d952096e40ed05a9f560ddd0446f667cc4b

SHA256
fa786a6a556a52be57fd70c3c377cf4be294c8124bd14abc90f9ad56a3bab9e3

SHA512
8ea0e23aff236f5aa2c092d6a61881f410b59e82b3c6f8ad03ebf4833e7caaf184b3ca3b298bea36811ac6854143d8d5b733c230a872fb88ffd0617c895faa03

Download Submit
C:\USERS\ADMIN\DESKTOP\BACKUPCONNECT.HTML.CRYPT

Filesize
199KB

MD5
cd1e8c41c0b154b633c67945a9ed55df

SHA1
6fbe866eb5961ae8a8b19908f6698925680d0f94

SHA256
6604aebe28d97caec7b589be926f2286e4f7eef73169a96d9aabe17e5fd6bcae

SHA512
ef405a773c3cf8f4a3b95c2ba7e5d9f0d561286a6f4a583f47c4b6d47a665eaef2b21a264dc0e86741906334ed6e40369301f5ca899b53ce04c054966dc5524f

Download Submit
C:\USERS\ADMIN\DESKTOP\CLOSERESTART.DOCX.CRYPT

Filesize
21KB

MD5
3cde3bac81ebbf94a2c91f15373382f1

SHA1
ff38e60f71c20bb6f46b90a9841510c7e3fe432b

SHA256
25fea8c3d1a23b7d2829c56fcf109443c30e9846ce86e563a959c76df39a1671

SHA512
a1541d98dbddfe7921d086c6fadfc243f25b9525a7dda61c5b9572cfc5c053879e9891790acade710f0f992819c30a7bb936deed1c0b1d98d35d24ffaaffd64f

Download Submit
C:\USERS\ADMIN\DESKTOP\DENYUNDO.INI.CRYPT

Filesize
274KB

MD5
ebbdeeba12ac5627c39d5554956f61a1

SHA1
db3dba1b1565bd9b7ae4c96bf551f58f3d118f9e

SHA256
d697fe898717bf177172f66e3d4ebc51be5d53bc120d0b2fb8273e2d49824b83

SHA512
48eb22bd84436bc1d56b2d9407fb1c55d0a3a06ce197e0e54e8a437687bb60757ea947edea9d07090630feb8321ec5275e409640a719f29b16d87c72551cc419

Download Submit
C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.CRYPT

Filesize
568B

MD5
c7d97d7df31fe009e3f88c5df22e190d

SHA1
18b933ca384b63b0cf36325eafb7194b14c21cdc

SHA256
61b4385d49c05c0cd5fc8c0d41cad694516e27604d32a2aab964ef185779f821

SHA512
ced3e6151f719fcc365cd5660ae8ec1c2d036c275e19178301271eb0745524632533319e37c18a103a32b0a446bfea2fa15a131a192259ee4c8dc0b515d26d89

Download Submit
C:\USERS\ADMIN\DESKTOP\FINDUNREGISTER.HTM.CRYPT

Filesize
323KB

MD5
f20fa0090d67bf7115a2b12ca1e1d630

SHA1
415f1cec7c8bee0c259df1cd4dfd4235b18ba3ca

SHA256
0495ea44c4eabdbd2b233bece767e66c377e26c6cc1a52a40a8c61567b420fff

SHA512
0448869859b6bbf1594da7d1e3a21f4f6fc8529cae87235d4e3013126a83f5abfbf0bb9c779d2f33e322d7bcf0e6ba597a65f8c4958e4a4db2fa6a48c87d2037

Download Submit
C:\USERS\ADMIN\DESKTOP\MEASUREREVOKE.CSV.CRYPT

Filesize
373KB

MD5
3a97815c55d6047ae2bdc5d8a801c1ce

SHA1
43c32427e15786938bf1f0b48e417caf52cc796a

SHA256
88b0a3fe88d9ddcb1dd5d5ee3c7ece7a42f8154ae4c16e5c98b6ba2444fc77f4

SHA512
4e9994a3cfb946a0f00ac7ee689e77fa6b44a18c6f4b940f752f5040f0e73e38cb8abac8b04dd14de28f693333e6e4465cac68ec98280087650341baa051478a

Download Submit
C:\USERS\ADMIN\DESKTOP\NEWREVOKE.XLSX.CRYPT

Filesize
11KB

MD5
07189b88ce47b0a27bf30d8e914f2fab

SHA1
22f41d4c150f640145484d50e312a895da77ed3e

SHA256
69b1efd779d2865db6251270f5c75ae074bd380ada40797badaae53777c92a19

SHA512
1230623f80812d8485178a804db54d1f41a1fa24e06bbf3a13e3c803f859d36f02bf544c0623d3810718e12f764e967b2d7d2945a6e99063d8617b604b06e2ca

Download Submit
C:\USERS\ADMIN\DESKTOP\PUBLISHGET.WPS.CRYPT

Filesize
386KB

MD5
b8bd52253067f71e0e1b42f060380233

SHA1
3a7fed2700d855969e730272bcf8a082ef63395d

SHA256
edcbb01079cf44cc775f8cf70a078a19445b0e0a2b76ecae7e9f0d0f14cedec9

SHA512
2f24708fa262e8b591598ee4d524096e4cfe4246c571d1eef61c8952c085f0fa62b7a994cd4a786e150143c44797f2e0944cb1599a6f7ca411002bc9a3869089

Download Submit
C:\USERS\ADMIN\DESKTOP\READHIDE.DOCX.CRYPT

Filesize
16KB

MD5
776162c333b112b29b1da0448b7ab15d

SHA1
9abe37cfce6bd1091f3685faf36201414572bce5

SHA256
ecc2f5176160ef14d2dd5f19c145344184672a7a85cf27e8efb7afe3d82ea9a9

SHA512
54be488c39e48c3e4fd94865c4765c6dbdb9ee4c65a59fac907f357256d21bc054649c593f9ee853ab09cfac576351006f89e02518dcc6fb4a79f1eb93900253

Download Submit
C:\USERS\ADMIN\DESKTOP\REGISTEREXPORT.JS.CRYPT

Filesize
585KB

MD5
317e74071329753ac00b64424ab3a04e

SHA1
640873c2f3cbb297c76ae26af632e6de4776302d

SHA256
5380ee2f5d41e592007856fbd92bb82e5563de9bdbcc61fe44d39c83c5403984

SHA512
929208c89022dea540859fd7d71a70af310e13144572d4ff6d2071cda18127244352f1f584a9b0a2e159a90f14925a61f22fc1d0aef68bcd7810960d8764ef3d

Download Submit
C:\USERS\ADMIN\DESKTOP\SHOWMEASURE.DOCX.CRYPT

Filesize
14KB

MD5
682f9daa47699bb818b7ece4d8cae4fd

SHA1
3db0947e797dda8470725c8d2514e8a1f9893da0

SHA256
ebe0eb033230f75b0c720b2d9cfb8a17587180ff20cdef7173b021670e3b51a1

SHA512
e6708159eae6049508aa6ae683bda398fca799e97aae76f77bcf2b0d9bf9f8c248ca6324fe0ac5315627f7fbe3daec6ea58867f2af8df1da1cf61fd30b234619

Download Submit
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI.CRYPT

Filesize
456B

MD5
ed50a3740efb5788147ac732cd46e73f

SHA1
49f543bf3e47564eaa3c14d2137f72b80a684be1

SHA256
7a180ada88c8903078fb5332294e9f44975e89349cc99a1de6b8cc8e9b1a3832

SHA512
f8e886fa74d4f49942935b775c23401a027b307712bf89cddbc916c36f87e9a23b10648bb50ab2c188da20351fa0fd8551435ba809269819508e26bd4d3ed668

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png

Filesize
1024B

MD5
d47b127bc2de2d687ddc82dac354c415

SHA1
746c3f4d286c531e065e8af76e0ac0868831c6b4

SHA256
6ab72eeb9e77b07540897e0c8d6d23ec8eef0f8c3a47e1b3f4e93443d9536bed

SHA512
6ceec4ab9b9b8a5839e6650648089e263b6645d4be3e1912bf867c0e3e174f976a39f5446c4bd1d57d837d6319b123103fe2fee2f590380a83fe4d0ed98099ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
413KB

MD5
2350b47261040b1ee32f7df427ab30fc

SHA1
e656cced405e01b6a60b7444b2c9e1b31ed7c63a

SHA256
612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db

SHA512
a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini

Filesize
174B

MD5
ace3165e852adb8aedbeda2aa3be570b

SHA1
4577ff7e92850e2723008f6c269129bd06d017ea

SHA256
237f73d46d3501de63eae1f85fdf37e65ddced70f013b7f178d1ee52b08f051f

SHA512
cf77563b9295b191ce2f309e03618d1ab4d317f65b87dbecc4904ee2d058db06d23c20c199571b0fafb67ae5ec5166b76af0b7d8bfe3996b0dde9751e28f8c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

Filesize
174B

MD5
e0fd7e6b4853592ac9ac73df9d83783f

SHA1
2834e77dfa1269ddad948b87d88887e84179594a

SHA256
feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

SHA512
289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

Filesize
16KB

MD5
4534f12102d235344cf8dda748f0cabf

SHA1
7db67baceeecb3a420bf37a7beca4a45185f8f3c

SHA256
1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

SHA512
7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.CRYPT

Filesize
414KB

MD5
741504733cb68b875aa72ec5d0627635

SHA1
b8741f20aab40cd60266c41c4e81fc6fd31630c9

SHA256
50abe2f6ca20d4429481d24e92525ce6c7ded0c6d2ff863db3aa7fbfa6b6650c

SHA512
565f38a5075f568c967b44d0f37c2700bdb857834a29bd37f3690ea8f006272d92525e7dd1e071688281b18c5c080a02eca72286bcefde0734320020397edc62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
b4c70949a62a7356119b5fb8b43c44d7

SHA1
1d36d1023cdb15948211d105c5f74a519f502598

SHA256
079f87216895f0459e196a1c06885803befec97f6460d0797317897a41ca1514

SHA512
39cd64ca7d6b6c2b9de7549d8c32e63842f96da73a39b3bb429b6314dc398069a5dc72cc9e42658aa4723b5cfbc691cbb218b698a05644f702e0dec2b2fba22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
7ed46e1dbf6b169ecf4f7911303c1f51

SHA1
49c8458155776459c110d5729d14793378dab1ca

SHA256
a737f6e2c3edbd10d4cc6b35a741216db5736552dd1ea31fe5c02b3319e1aaf7

SHA512
8aa8e823aa8a9ba4b90bbcf8fb836fd2c1f7aaac35a6232ec93db175395457d09d016a6b362d8a8a59929b5518bfd714382520e6ae9b81b9b2217bee4c33521a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
777dd969da3dd17026244668b774e058

SHA1
e0a066d28dfc6bcca1c13a50bfc4b35a37541b7a

SHA256
221f1bd7bad281fe93374736df606e52ce7393ae4fe0bdd4682935b90f184e59

SHA512
1f1a19b1a969a62cd8c83622e89077492457dd00f28505f0fe49a600688b18bf0407cae61e0da9f0d23fd0f6d874125fe83a5666ca7975976d612743fda08158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
382eb55a81964f39214279e544e145ae

SHA1
11f3b41f6dd4a6eda6078b89e22b7c3ef818cb90

SHA256
5db0fdffa49651e306f20351ab01e87fab4211d3d5d514eb737ca8f42ab160e2

SHA512
ee93f169c72be31907bb7d50e7f6fd22e83c7f7f091498d19afcc23ec813b7eaa835f6c01e7a83e8e271bdde05878d098970b479b580fa85d62be296ea8e348b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
77b65a77cac00fe47b16dd4819c4a4c7

SHA1
5d174cc05cfc487ee35db8aaa770930a26529bc0

SHA256
31aa3f7fa15dc18c49e4e36554fbaed761808284a0fa4a792a48e46d267e0383

SHA512
abcc320916161427a5b5683edd9242ad065680eee55f35b770e24c58f3ddb5b77bc1f58bc4c5fb851bec15b441a8de904a10dbb7eeaf6dcdf9460470d3d33d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
c1629d23ffbef716b620cdcd3008a801

SHA1
8d9776f44eb65cd24bb07c78d685f4b9bb099f68

SHA256
54afb4b1d190caddb313d4a172d02f4ff9a5a2caeb5806183a01bb281031ee80

SHA512
bc5ef7b414c1a61e5e9686e6cd141c3b41a99e0db7e37a1aa9ac98b74a3e26bedbef403e1c564ca7a57bd5e42ccca75b3f2c5ca2641d87bdb61848d95ec3a676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
0d2f25297cc2269b6809187457de19c2

SHA1
d388776eab9c044341b50a1eb82f5231489b246a

SHA256
88786b96909d1a88ec0c5aa8949c1b3bfd3643cbc3a9e175c1cb76f1ad37cb82

SHA512
1b5935e649902370efd7919eff5d0ba4223a9fddcece85f57b1b3a2cd0b639a132d55e0d89e0b027c1c6cb0eb1cfccfa26f943956ea1d06f2b88f3b8ab9a27cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1024KB

MD5
e6065c4aa2ab1603008fc18410f579d4

SHA1
9a7dcfd9029de86dc088ee6ebbef48df90e7c6cd

SHA256
4e29ad18ab9f42d7c233500771a39d7c852b200baf328fd00fbbe3fecea1eb56

SHA512
1339d6533a0b875db3f1f607290f8de0e8f79172390faa03fe1ae15cb738b9c64828b08ed11721acc2909cc9394cc9cc115c9d7c9895cefa76f5146614961277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1024KB

MD5
fa81b2d92a9a1e2a097836e9f9538847

SHA1
9db5ddede06dd505dc65d7714d65fdf3490ec6d7

SHA256
f1bb4b9a6febb67ec216afc1ac4af6812096ce832d874b71d23e64e24be12153

SHA512
cfc92b130585cedbd241432b2f0bf2d884cfe18be47df6c49bfb987b5c8d847d1c378df1f822d212b1f3c4401ce53f0f8d6dae4478e2e8bc7bab40d508608225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
14KB

MD5
d62de45260290993ab8f379c928263eb

SHA1
1a885ddfea2427607247084565bf7b547005b7cc

SHA256
5443a81a010bc1ff7da14947d3737287a2045bac55e5a7057ce5d17171989c58

SHA512
66228c968e4691940ec8e3265de44ca328e7787dcd04fd4a6a0142a63164f70aaada515221e2a9654d7790e90ed1b73cf63024f65c72b3313b05c82c3ee67ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
3eb7c282d0e4a6d6d6c6c1eb330e6703

SHA1
df7affa6a47a504d140f5513ce232af2b71df098

SHA256
2d0906036802971a88d8e7074ac32c8ebd673c566197e41e713841e18e56ac4d

SHA512
82c994ff4f5ad27ecfd85a56ed88669284becab2e45ee138af9fcf3341a2499fb9ebe059934ccf4edde313969900446e130cd2f706cb38d7e68ae5a83405564f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
4708158baf53cc8c8fd3cfdecb49977f

SHA1
2f266dbea68d3163d90df9925992b7064aefc312

SHA256
23914ffc26a90101d879bedb4ad1bc320d3459b923b6a464f2d89a7efe0d93cd

SHA512
6cead375cc42d8db877d697aaa472a7d283cf3e2ea61e87e17ea7804ea55e49eb2ed23fdcffca17db3ab2ffd4aa36706fe8a068a48d1812bf04de2e8bd9e28d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\76SX1MLC\microsoft.windows[1].xml

Filesize
96B

MD5
590d8314f03d3a14c1ea34dfbd0a32b3

SHA1
ef1bdbc9511c1148d218ce77cda9c1b825e8e35f

SHA256
9053535f2c36919721f340cceaa5232bf2666fe4b022a197079d4fa708913acc

SHA512
85bfce822d52aee0edf432a96bad304f4e7fbfd92c7d74be9cf8ca5708c1f1e569d3e192e2c6e6d9c4ab4ef706cc14c05f619b4613cb0ddcfcc4920bac89ceb9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
c44f12692cc165e5102eae4a69a51c20

SHA1
11284413f6652dd26d4c584574da1d6774d48ae3

SHA256
930bb47469e49bd56bb9efa6530d5047c9c3b4a34ac708f820a31ad2748c9907

SHA512
6569a528129d10f2dae6e14380e0899a19eec6853789c82bf3465ea7bdfca62f71ae86e738772ed198782b2ee54847ab668b428ee5652b8ede29f88a9bf8396d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6f8c21e8-1266-470b-aa9c-23edd8fd2427}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
f6a6263167c92de8644ac998b3c4e4d1

SHA1
c1fe3a7b487f66a6ac8c7e4794bc55c31b0ef403

SHA256
11770b3ea657fe68cba19675143e4715c8de9d763d3c21a85af6b7513d43997d

SHA512
232d43e52834558e9457b0901ee65c86196bf8777c8ff4fc61fdd5e69fd1d24f964fed1bf481b6ef52a69d17372554fecb098fb07f839e64916bdd0d2abf018a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133666585176242334.txt

Filesize
2KB

MD5
ecaea544af9da1114077b951d8cb520d

SHA1
5820b2d71e7b2543cf1804eb91716c4e9f732fde

SHA256
9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

SHA512
dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
1KB

MD5
cb1f0c7cd627dac6e1aeeeaa2e9d797e

SHA1
ecaffa6a692e92f9c62ae24ffba283e3889b490a

SHA256
3fde4c8669d4d51d1a265161ee912c4ee537875fef98b47942500ef12313dd96

SHA512
cdc1e244e49ae517a3f7748c05d5c09afe194811c989f8e530ac4e61bb3fffeec8591bb4f8eb9fa839277c4dcc540848017e92895d65a447bc539773afe6e49d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
5KB

MD5
3c30aab2bb30558495718034ef68f870

SHA1
f2a261989b9d8feab45b290d111a24b5c59225db

SHA256
d61f6b67da4d94d5d85dace4de2b41fb9a9e7c0d3d4131bad2b769cdd3788d1e

SHA512
6062a61fe885a397678180e71e434e8c06cd35d5f69f76054621d7f68d89036f91263e602eb76eb1ce9c43f97bc4e4c1e1d68e4beba23fadaf95b5b7613ee161

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin

Filesize
10KB

MD5
0f7dff66a128cced04327977bc7b5e7a

SHA1
d7b4ec941cfc3dec39525b047ca8f02e12061192

SHA256
da07d7603eadcd9d567889527fd3548990260ce623b891acb527486f234807d1

SHA512
45a88d12fedd37014eca03ddf5628fa7c4509270098f2c08412825ac50aeeab37bde8608b8a76a7f8504e6d6b3ad87b676ae69bdffa491620e7d2f2210ff50ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF713EE3-0BF9-4647-9E70-B359D72C9520}.png

Filesize
5KB

MD5
00e5fcfd833151f7cbde607e2f7afeb4

SHA1
55839875c0947aafebff53d22ccc5dad29fe3563

SHA256
b80192aaabe007baecd0603e3ce183e9d554b8a6b0411d20716acfa086ae3035

SHA512
f056777a1987c3becdc217bdc2d82e6aa41086d38fddaa45c42f1726b6f7b7616a10918081650e825a724464ef148b669bc258d38a62e0de8642e2607a0b0de7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/400-23612-0x000001E013600000-0x000001E013620000-memory.dmp

Filesize
128KB

Download
memory/400-23627-0x000001E0133C0000-0x000001E0133E0000-memory.dmp

Filesize
128KB

Download
memory/400-23637-0x000001E0139D0000-0x000001E0139F0000-memory.dmp

Filesize
128KB

Download
memory/572-23604-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/756-22743-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/1348-23484-0x0000021B52B20000-0x0000021B52B40000-memory.dmp

Filesize
128KB

Download
memory/1348-23495-0x0000021B52F20000-0x0000021B52F40000-memory.dmp

Filesize
128KB

Download
memory/1348-23469-0x0000021B52B60000-0x0000021B52B80000-memory.dmp

Filesize
128KB

Download
memory/1348-23464-0x0000021B51C00000-0x0000021B51D00000-memory.dmp

Filesize
1024KB

Download
memory/1444-23038-0x000002017FB80000-0x000002017FBA0000-memory.dmp

Filesize
128KB

Download
memory/1444-23059-0x000002017FF50000-0x000002017FF70000-memory.dmp

Filesize
128KB

Download
memory/1444-23057-0x000002017FB40000-0x000002017FB60000-memory.dmp

Filesize
128KB

Download
memory/1548-23745-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1656-22605-0x000001E4F47D0000-0x000001E4F47F0000-memory.dmp

Filesize
128KB

Download
memory/1656-22618-0x000001E4F4790000-0x000001E4F47B0000-memory.dmp

Filesize
128KB

Download
memory/1656-22631-0x000001E4F4BA0000-0x000001E4F4BC0000-memory.dmp

Filesize
128KB

Download
memory/3200-23774-0x0000019DECD30000-0x0000019DECD50000-memory.dmp

Filesize
128KB

Download
memory/3200-23753-0x0000019DECD70000-0x0000019DECD90000-memory.dmp

Filesize
128KB

Download
memory/3568-23198-0x000001D45DFC0000-0x000001D45DFE0000-memory.dmp

Filesize
128KB

Download
memory/3568-23187-0x000001D45D9B0000-0x000001D45D9D0000-memory.dmp

Filesize
128KB

Download
memory/3568-23175-0x000001D45DC00000-0x000001D45DC20000-memory.dmp

Filesize
128KB

Download
memory/3568-23169-0x000001D45CC00000-0x000001D45CD00000-memory.dmp

Filesize
1024KB

Download
memory/3580-23351-0x000001C293820000-0x000001C293840000-memory.dmp

Filesize
128KB

Download
memory/3580-23334-0x000001C293420000-0x000001C293440000-memory.dmp

Filesize
128KB

Download
memory/3580-23322-0x000001C293460000-0x000001C293480000-memory.dmp

Filesize
128KB

Download
memory/3580-23319-0x000001C292500000-0x000001C292600000-memory.dmp

Filesize
1024KB

Download
memory/3580-23317-0x000001C292500000-0x000001C292600000-memory.dmp

Filesize
1024KB

Download
memory/3580-23318-0x000001C292500000-0x000001C292600000-memory.dmp

Filesize
1024KB

Download
memory/3888-22446-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3972-22274-0x000001CFD6E20000-0x000001CFD6E40000-memory.dmp

Filesize
128KB

Download
memory/3972-22307-0x000001CFD69E0000-0x000001CFD6A00000-memory.dmp

Filesize
128KB

Download
memory/3972-22308-0x000001CFD7170000-0x000001CFD7190000-memory.dmp

Filesize
128KB

Download
memory/3972-22269-0x000001CFD5E00000-0x000001CFD5F00000-memory.dmp

Filesize
1024KB

Download
memory/3972-22271-0x000001CFD5E00000-0x000001CFD5F00000-memory.dmp

Filesize
1024KB

Download
memory/3984-22888-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/4040-22264-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4164-23030-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/4416-22913-0x0000015167670000-0x0000015167690000-memory.dmp

Filesize
128KB

Download
memory/4416-22927-0x0000015167A80000-0x0000015167AA0000-memory.dmp

Filesize
128KB

Download
memory/4416-22897-0x00000151676B0000-0x00000151676D0000-memory.dmp

Filesize
128KB

Download
memory/4416-22891-0x0000015166700000-0x0000015166800000-memory.dmp

Filesize
1024KB

Download
memory/4496-23461-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/4596-22450-0x0000020AF8B50000-0x0000020AF8C50000-memory.dmp

Filesize
1024KB

Download
memory/4596-22473-0x0000020AF9930000-0x0000020AF9950000-memory.dmp

Filesize
128KB

Download
memory/4596-22455-0x0000020AF9970000-0x0000020AF9990000-memory.dmp

Filesize
128KB

Download
memory/4596-22452-0x0000020AF8B50000-0x0000020AF8C50000-memory.dmp

Filesize
1024KB

Download
memory/4596-22451-0x0000020AF8B50000-0x0000020AF8C50000-memory.dmp

Filesize
1024KB

Download
memory/4596-22487-0x0000020AF9F40000-0x0000020AF9F60000-memory.dmp

Filesize
128KB

Download
memory/4732-23166-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/4920-23316-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/5004-22598-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/5012-22774-0x000001E852E50000-0x000001E852E70000-memory.dmp

Filesize
128KB

Download
memory/5012-22747-0x000001E851B00000-0x000001E851C00000-memory.dmp

Filesize
1024KB

Download
memory/5012-22751-0x000001E852A80000-0x000001E852AA0000-memory.dmp

Filesize
128KB

Download
memory/5012-22746-0x000001E851B00000-0x000001E851C00000-memory.dmp

Filesize
1024KB

Download
memory/5012-22760-0x000001E852A40000-0x000001E852A60000-memory.dmp

Filesize
128KB

Download