61acd5b1150cc1e118ac8cb7819f59be509744240c9e7e9f3858967e90a68e10

Analysis

max time kernel
74s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ransom.exe
Size

3.1MB
MD5

6043b56833c3803e8f9f9a5ad5a3d590
SHA1

7dcd417070875f6b04c3b53549b4dc84d100e84d
SHA256

61acd5b1150cc1e118ac8cb7819f59be509744240c9e7e9f3858967e90a68e10
SHA512

5618a92c40aabcfc14ce3ef602de3f14afd37b7699eb2888ceb2060cffc84374cac55c2462f67fcb4dbaa631a045286e59c10fb8b3806d745714287c9c263bb6
SSDEEP

49152:8FaCt1EwG9ZvoYWjXUgYqRDTe3EbIyemalpn0o:v6j/75e3lpn

Score

8^/10

defense_evasion execution persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 17 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5008	powershell.exe
1528	powershell.exe
3128	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
3224	powershell.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{B8788493-6A03-4EBA-817C-498FCDC083B8}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{1C32AFC1-5976-4C2C-985E-DA9C0CB41D9A}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{F54B50F9-65A6-42EA-B481-9BA9DD6836EF}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{F91152F3-91AC-4646-A112-3D46062348D0}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache	SearchApp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2032	explorer.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5008	powershell.exe
5008	powershell.exe
5008	powershell.exe
3224	powershell.exe
3224	powershell.exe
3128	powershell.exe
3128	powershell.exe
1528	powershell.exe
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	2032	explorer.exe
Token: SeCreatePagefilePrivilege	2032	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	3888	explorer.exe
Token: SeCreatePagefilePrivilege	3888	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe
Token: SeShutdownPrivilege	2024	explorer.exe
Token: SeCreatePagefilePrivilege	2024	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
2024	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
4468	explorer.exe
4468	explorer.exe
4468	explorer.exe
4468	explorer.exe
4468	explorer.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2032	explorer.exe
2032	explorer.exe
5076	StartMenuExperienceHost.exe
4468	StartMenuExperienceHost.exe
1328	StartMenuExperienceHost.exe
4832	SearchApp.exe
4364	StartMenuExperienceHost.exe
4256	StartMenuExperienceHost.exe
4780	SearchApp.exe
1148	StartMenuExperienceHost.exe
2052	SearchApp.exe
2192	StartMenuExperienceHost.exe
4008	SearchApp.exe
4108	StartMenuExperienceHost.exe
4440	SearchApp.exe
1892	StartMenuExperienceHost.exe
3544	SearchApp.exe
5016	StartMenuExperienceHost.exe
1596	StartMenuExperienceHost.exe
2468	SearchApp.exe
3092	StartMenuExperienceHost.exe
1172	SearchApp.exe
4168	StartMenuExperienceHost.exe
1564	SearchApp.exe
1896	StartMenuExperienceHost.exe
1472	SearchApp.exe
4780	StartMenuExperienceHost.exe
4476	SearchApp.exe
3116	StartMenuExperienceHost.exe
4356	SearchApp.exe
1624	StartMenuExperienceHost.exe
4284	SearchApp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1808	4560	ransom.exe	92
PID 4560 wrote to memory of 1808	4560	ransom.exe	92
PID 1808 wrote to memory of 3672	1808	cmd.exe	93
PID 1808 wrote to memory of 3672	1808	cmd.exe	93
PID 4560 wrote to memory of 4712	4560	ransom.exe	94
PID 4560 wrote to memory of 4712	4560	ransom.exe	94
PID 4712 wrote to memory of 1644	4712	cmd.exe	95
PID 4712 wrote to memory of 1644	4712	cmd.exe	95
PID 4560 wrote to memory of 1996	4560	ransom.exe	96
PID 4560 wrote to memory of 1996	4560	ransom.exe	96
PID 1996 wrote to memory of 3612	1996	cmd.exe	97
PID 1996 wrote to memory of 3612	1996	cmd.exe	97
PID 4560 wrote to memory of 5008	4560	ransom.exe	98
PID 4560 wrote to memory of 5008	4560	ransom.exe	98
PID 4560 wrote to memory of 3224	4560	ransom.exe	99
PID 4560 wrote to memory of 3224	4560	ransom.exe	99
PID 4560 wrote to memory of 3128	4560	ransom.exe	101
PID 4560 wrote to memory of 3128	4560	ransom.exe	101
PID 3128 wrote to memory of 3804	3128	powershell.exe	107
PID 3128 wrote to memory of 3804	3128	powershell.exe	107
PID 4560 wrote to memory of 1528	4560	ransom.exe	108
PID 4560 wrote to memory of 1528	4560	ransom.exe	108
PID 1528 wrote to memory of 1480	1528	powershell.exe	109
PID 1528 wrote to memory of 1480	1528	powershell.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\system32\cmd.exe
  "cmd" /C reg add HKEY_CLASSES_ROOT\.enc /ve /d encfile /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\system32\reg.exe
    reg add HKEY_CLASSES_ROOT\.enc /ve /d encfile /f
    3⤵
    PID:3672
- C:\Windows\system32\cmd.exe
  "cmd" /C reg add HKEY_CLASSES_ROOT\encfile /ve /d "File Type" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\system32\reg.exe
    reg add HKEY_CLASSES_ROOT\encfile /ve /d "File Type" /f
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  "cmd" /C reg add HKEY_CLASSES_ROOT\encfile\DefaultIcon /ve /d C:\Users\Admin\icon.ico /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\reg.exe
    reg add HKEY_CLASSES_ROOT\encfile\DefaultIcon /ve /d C:\Users\Admin\icon.ico /f
    3⤵
    PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "Stop-Process -Name explorer -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "Remove-Item -Path '$env:localappdata\IconCache.db' -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "Start-Process explorer"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:3804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "reagentc.exe /disable"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\ReAgentc.exe
    "C:\Windows\system32\ReAgentc.exe" /disable
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1480

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2024

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3544

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:332

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:2116

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4176

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4356

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1892

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:560

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3980

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3204

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5024

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4392

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2116

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4940

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\DESKTOP\ADDUNDO.WPS.ENC

Filesize
1.8MB

MD5
a0f74abbb6eab61c8e531e2e21cc8527

SHA1
0a9f48737dc1ad981588c8d092b8f08fd0d65ad8

SHA256
2c13c226ddb2600ba017357c286661bd940e3025ebebd6fc1913937387a6d1cb

SHA512
d0a40f1e11d2697b791f76378751eac53a9b766ce7e55440a3cbdb6c8e4ec1bc6cb4e9a26a16558d11c63b1b9e61fa733cd999fea5933541dcc3b05c760134cb

Download Submit
C:\USERS\ADMIN\DESKTOP\ASSERTINITIALIZE.XLSX.ENC

Filesize
14KB

MD5
2e082d34a861c6b6f4ea00c68744e0c6

SHA1
d0887615269ab68435261c811a91586232b86959

SHA256
62cf64e04e1286b6e09a029310da1e7d487801b304dda419b84b486d345a1a7f

SHA512
3d2ed8e6c44dffa2f672234ce9e27113755baa3e76860ab051ec6a0d749ca016d33d72cee6a498766145048fcb531271285be5e90fa447f08bfb7abed700e7e8

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPARERENAME.MOD.ENC

Filesize
1.3MB

MD5
bc226e30b6c2f27878ae5537448a9777

SHA1
d6903b8aa39e6ffdf7360c460a0c2ecc97ef86c8

SHA256
eaa805e2ec217aa4582d4fa36cfccc3d801e51ebd6774a2b371e3cfb5a8787ce

SHA512
96e7bc0cb8a6ccd0408ff787fac4e7cc73a326caf30b3a238d8f639ca0e4bd283d15d1eb15540d8497c50a1021fa5aa42d64d66979b9c6ed2175173fc47e2754

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPRESSASSERT.MOV.ENC

Filesize
460KB

MD5
d7b90d7c80c78106107822e25f051095

SHA1
4dcaeca24c8beab488fb6640b2644f9dbbe4c8f6

SHA256
bca4368bf2626dc6ba068776ee3bad6862f43c8eeedf3765f3613556d7afb4a5

SHA512
ffadb895e6378f73926dad0d6344b1f9806441c7c6085f398edbe2da3ffd058dab339e1b6343eece1db72ef9025348eecee6ad8f34a83649ebf9858cb38120df

Download Submit
C:\USERS\ADMIN\DESKTOP\CONFIRMRESTORE.3GPP.ENC

Filesize
506KB

MD5
e44b14ffcb38fca6d04d458b152ad884

SHA1
e5594788f079816505d60458a0b439367f63965a

SHA256
9d0ae6347e9d7f1697ca4f86e85076550265f68f1baa324f0b3959a553b33737

SHA512
4a369aad1fd4aadd3c70816932ba30fa67dd6b287cae654bae5e56faf476cfecacd0cc28cac93e6aa9118c145dbcd43473c31146534d10484c4df7cee625c463

Download Submit
C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.ENC

Filesize
288B

MD5
9f96642b5e8536767b9ad18a2e0bf223

SHA1
6c81395fdca0afa146aafd89b112847c4cacf14e

SHA256
917fd34c905069d4917fe167d940c3612998b9142243acab94800a093e949396

SHA512
166f046c1074fe47c87ebb62a5aedd1a319251aec039ab5e90933b02c2e227d91b24ced8bdb553ab6dda42f0fb4f976bdd87a99ee96a40e79ea106f0ac16b55b

Download Submit
C:\USERS\ADMIN\DESKTOP\FORMATPUBLISH.SVG.ENC

Filesize
1.1MB

MD5
87ff6c5a1875a10aedce45a2a5b67522

SHA1
eb90e3327b9b257e39fd259c97ccbcc12c61e4c0

SHA256
ec0b1867e618f2924a136f75b2a45136a50d533bac60cba1b2c7eb7fb74a8fd4

SHA512
ba9d0e110d3fe98ce8092fb9ec5803c24ffe82e1b0dcba727f3d91f52652710936f735022ea7893ebb828b00d256e9fe8e30db1a7f2fc3a1b2b705db2f3481bf

Download Submit
C:\USERS\ADMIN\DESKTOP\GRANTAPPROVE.MPA.ENC

Filesize
921KB

MD5
12f9f6e0daab86aa11d9ed2858ba5f89

SHA1
06717e42dd1237922a9161a5f3757e5ad0eb8390

SHA256
d2267df0fa26c497be27c9d9b888f8f0102e6746566de40f4796ab9dccb5763b

SHA512
4a8386237e7ee3bf47d19e30010a2984f85c9b73e829b30a9cdcca079eaec39da3b4ed5ea4535c923605df42e864bdfb9a2c43157a5395d0cf0e184eb909affd

Download Submit
C:\USERS\ADMIN\DESKTOP\HIDECONVERT.DOCX.ENC

Filesize
16KB

MD5
0e4d70f9f1e0e6dbc8103eb73500e649

SHA1
99714f91268434db5e825067dec40aa372f74a09

SHA256
7a420c9c67f4b30fd6a5f84a1d8aa919cfe6de56025e6c653261939144583801

SHA512
c1ff6dd6e529581941c384a2b7ec76f05a1d67ab7670e2aff23cf285aa77382259dd47026fd3073755b6ca7105fb03fb5185bf0bc4a10f200051a73a5b9e3a62

Download Submit
C:\USERS\ADMIN\DESKTOP\JOINRESTART.RMI.ENC

Filesize
552KB

MD5
c48e4c4104e805c869076c4eceaedff3

SHA1
ff2078c6eeaa1714e34eb4ee1d4ddd320f9a676a

SHA256
05d7c1f5de1bbc7eae29f95ffb9f92044a3a855b3a53d198d8d2705df9312c0c

SHA512
a87b3a6a98844fd1b993ba6948576480ed19eb4b74e2b1ff0ad5a21e4b8386d8bacc533ce061364c3cb9976f75bc34bc4315cb4cd4ac815a81a30fc1c05e6a54

Download Submit
C:\USERS\ADMIN\DESKTOP\LIMITCLOSE.BMP.ENC

Filesize
783KB

MD5
a8496430852522d42d4bafc30b7af4fa

SHA1
463085162f0c6832a53effb86cfd71d928dab2f4

SHA256
f1017e84670fd713f4d16a54dadefd530a7ae52262999c8459a7420ecfe2ea6b

SHA512
2d6028cdb7ef9854d3bf82ec32d43d70198b54e55f93e1f9ecd74f55bca2741f9785e180eee22dc5145c6a963e99d8b26562957ddabf3ed2717039077e6b2a43

Download Submit
C:\USERS\ADMIN\DESKTOP\MEASUREUNLOCK.PNG.ENC

Filesize
875KB

MD5
7ebb7699349456e1fb88b4b4da647192

SHA1
b0b35b13ad584b9fbc9f5f370901785a065ce8fb

SHA256
93bb93e9c03aebd1fd83d07264900e342b988291e04686ce83689604f79465c7

SHA512
22a55b973519ec9bd3ed245fb7a9983ec58b1fca0e04d4be7fc643f5c819f9218309676fcb407667aaad36a478deea13e0af7ae2d15670e652b2608c52ca578d

Download Submit
C:\USERS\ADMIN\DESKTOP\MERGEWAIT.FON.ENC

Filesize
599KB

MD5
258113944fce22efe43eb56a665fe7ba

SHA1
b07933f28b9bf32a646f2993333ffd09332905e5

SHA256
24b4d1b50bb12c77af53cf7cadded41984629460095e6f0beee75c1f1cfb9c48

SHA512
066278d603173cf1fdc7de608611480215c6fc8bd4469aad03e664292e91c439d7a417c97d4657590ae8c5d835b6b0df1d10db9c8b2b2875fed5cb15ffa8b7d5

Download Submit
C:\USERS\ADMIN\DESKTOP\PUBLISHGRANT.MPE.ENC

Filesize
737KB

MD5
9ad267a6d8d2cbffc4f55c84168a6937

SHA1
8bd0cdd160322adf1fcacd646a6f5518d356713d

SHA256
fd18b507d886a4c49d5cb0f518cb296311078940e0bceaabf1c4bd62a44ea6e8

SHA512
96e00eeb2c33f2adee0edb6b33b52c249b8fc7d1872661237354a6fbba2e0fc005216c94ff537b041f7db1b05aad4fef742cb9c496f434bc0f020ceb8e080249

Download Submit
C:\USERS\ADMIN\DESKTOP\PUSHRESUME.RMI.ENC

Filesize
1.2MB

MD5
6c17405e758e4dde9047ca3f68a066ef

SHA1
44428e32d436181a0c5a4ce8fe9d0cce5a6a4d36

SHA256
0886aebe848b187b39fca419461ea69e61ee2ad8d84dadf2283214468370cbbc

SHA512
3fe1f2e5d0049eb8e5ff7a55e9e177593cdbd8935f55e236120d90dbfea4b5b9b56b7e5404e8f9925a81cbb7547838abd96542986adebf0d897143dbcb28214f

Download Submit
C:\USERS\ADMIN\DESKTOP\READSUSPEND.MP3.ENC

Filesize
967KB

MD5
10acdf38fa10f7a83b0bb425b0da9397

SHA1
dd1b7ec4cbec337cb6e07582da3d9fcb24f80d58

SHA256
e4fa84303337ef8549fadc297e4cd076522b5d613f6dff6a346189c1854e61f2

SHA512
e362552fe479394ce715e3247028597ffe5120050e4bc5ee40278476a9a64cc3098ad2800062fca0756b6eaa90e8ffc2796e746c911ff2cbfc3bd31de23a6385

Download Submit
C:\USERS\ADMIN\DESKTOP\REGISTEREXPORT.SCF.ENC

Filesize
645KB

MD5
65c95f3a91d16b77e3a9d0d64a7b29cd

SHA1
67cd89b64a56854bf4a1c8db7106cb1400ac94a5

SHA256
bfb3d2d6f4385ba9f6d94196742ed7ff484676ccf508ed360a978d7d99b0f899

SHA512
dfd90811c16cc94f2e2d9512ad5e641c4354d6192f5972e748e3ed33eaacd9224d9e09b330a5223bf6f11b938ca9ffc625a326bc22c35fb34df5b6e29275075e

Download Submit
C:\USERS\ADMIN\DESKTOP\RESTOREUNDO.VDW.ENC

Filesize
1.2MB

MD5
169a49c91f2f23924b24e3be6665c8d9

SHA1
9039bb7f0e3d01f1c0ce0fab251f25fc3beb899c

SHA256
f1410177646ec147fd24ec252ab3a9300973fa2aad6772f1279edbc4726076c5

SHA512
190a2cefca1c7f5f893ad3943db5d48af0fd5daa42a685fe9169a92d13b4738215c83193413d6e82f6de22eff54b82622e433db6f731bed543e620793341b098

Download Submit
C:\USERS\ADMIN\DESKTOP\SELECTADD.OGG.ENC

Filesize
691KB

MD5
ca2dc17187fc7d0bacbffa68a5efd15b

SHA1
1758601d34edde0cce2669120aa8377456b945f5

SHA256
bb3c362760c705eed585e97bf55596dad0db5dee4c978005ade08918eb534bd4

SHA512
5aa59cdcc356f7c2bc22c978fe71ce3b45940a869c3aa11c00462e2362bde8828f12d78564ed3c5c10cb866f0679dcfce074dd76f026d221c26c43a05b8268d4

Download Submit
C:\USERS\ADMIN\DESKTOP\SETRESTORE.MP3.ENC

Filesize
1.1MB

MD5
f9836b3122bdb7463d0fbf6b7e0dcd28

SHA1
d41fbde04820a8947e97233bf6892a4894045847

SHA256
c75af8cd98766681fa9dc56d8a74f8cdda5986d14cb943e0117c9e5411adca4f

SHA512
5944a3390817766ef49bc708a31b6cf1863c7aa4472f142425df1f9f94bf46a55fc17cd567424b95bc7632750d23e369416b20cb0835ab6de4afaec1de52cb11

Download Submit
C:\USERS\ADMIN\DESKTOP\SPLITDENY.SCF.ENC

Filesize
1.0MB

MD5
0b23848760af68f5570d5a922d48f9b8

SHA1
2d6932bd337d435ca748cbc94e5743f2d925b5e4

SHA256
06889fe1366f00e28aac76359993570d8fbcfdae18c62034a3b22691f4c4760e

SHA512
c11835dc76b55e8a2bba59ed1b364bd74e3ddb4ccd06430602406aed0f5e70f000e24ce60347ef2087613ac7cfe8a45ae8274f6913ce6942f14804196ac42aa8

Download Submit
C:\USERS\ADMIN\DESKTOP\SUSPENDUNDO.DOCX.ENC

Filesize
17KB

MD5
c60f005f90982688b25b48892dd282b2

SHA1
819b7a2cdc04777e9827fdc972d6b82ecb984455

SHA256
6786d26c9cdf52a6d5f3e2dd37fd350f5963be9c66f4c91a64f03f4a2be4b00c

SHA512
20c66817cdddd4d82791097782071df2e37d81d8c0b359e00bc50cbc433fb2f63be98bf1604272843e91f798c670648575b25fd9e73d8dd64745d131e3440473

Download Submit
C:\USERS\ADMIN\DESKTOP\UPDATEINVOKE.JPG.ENC

Filesize
1013KB

MD5
375bbfc4bb5fcf7ead671ba5f3440ddc

SHA1
b7169dca5c7e84409e945766f67970a42aea5c73

SHA256
a5646dcb764eb1dcd0d56f236ea5ca1be136a28d566c6109cab723230906f88e

SHA512
04310483bf31c69543c123684a6b087a83489026dae755ffd809731253cc50b97a5f8b5ae8ab94da5bfa6ed2648764205a9898b1104cf2cf32216a408c066cf6

Download Submit
C:\USERS\ADMIN\DESKTOP\WATCHLOCK.WMA.ENC

Filesize
829KB

MD5
1ae915bd553d249c6ee6f131ed297244

SHA1
9216985acd6ebe0a450057a989cd2f02ac4c5da8

SHA256
7f61669e1976cf18b04d7de588ff565a6590fc6425c19ec6f63dcdfa5a19f078

SHA512
446fb90ebdfeaf93212025e1376b4f2c7740b24e6e8ac463182575b346ca6f46c8dd6e18355a3e4e10dc9b1e00311a8e6d05ca839452c0e385ab8586c8839295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
7fffd2d841532ad35f039a55b6b9958c

SHA1
bd92a034d1f9410146c52d145420a6fdc085533d

SHA256
719d274ebcde47cac13abbc65fc2063d322593fc2570ede5b38638f58926a538

SHA512
20d695a14bb7f4e0799d360a4d75b8f5266063861548c07bd178da28b6d8cffbdaf8c66ad29684ef8083220db6648632efc0c5a64946644d9c3ab7a191c938d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
82246423bf5e7231158262b6987d20e6

SHA1
6513fa4442fd39711f12a7258433d0d01d199c8c

SHA256
f67c5b034f46e8fb9d6ea702f046c1a36fd28ebeb3787a7d66c7a33a091ad2f4

SHA512
5a6b337a14af19e10641c3c49a2a604c39881fd27331eee42149f5e0d5b4fb7f14b62be5465edaa69c8c9991a41c13e52fd027bc8f685a4125816f49b30f813f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
3b2681005990df74b09147e9a91afccf

SHA1
38d92c5a83cd6aa74b95d3b7d3401edfd88231bd

SHA256
f4b19c77bb6a151d7e9734810a1b7c41849864fa2de91802d2c17fcd8afe05e2

SHA512
ee7cd4e45123f3c95022dd863263ba7a4697e7714177ab7e6611a6108e9e601c86adf1ca244d9419323256fcb6b088c649e5a0151f4dac7350171d6d4e57a157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
873bc46109cc55333059da31c6950003

SHA1
4cd8c01c6b7009c1827a5134aba9c3d0993e5a7c

SHA256
03c9e73679f08d706f60e590b67fc964f518f041f0bcd0caec946be396275f2d

SHA512
951baa67f9daf73ea61510e74f857508b0eddc7735546b503cd5e95c7fd75b4b5e421ff967574aeb05152ebb7e5281fc884f1994d1e6ec6c605982fd535907a3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15

Filesize
36KB

MD5
0e2a09c8b94747fa78ec836b5711c0c0

SHA1
92495421ad887f27f53784c470884802797025ad

SHA256
0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

SHA512
61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer

Filesize
36KB

MD5
ab0262f72142aab53d5402e6d0cb5d24

SHA1
eaf95bb31ae1d4c0010f50e789bdc8b8e3116116

SHA256
20a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb

SHA512
bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133685801377608466.txt

Filesize
75KB

MD5
19dc4b5773c7a2125065d56c86844aa7

SHA1
1618f6e2b05bc6012e34c5848aa2fec1a1c2e816

SHA256
88877347d5f96ba6971d2ae63485f4316ba319b3d726b27f4ff325e4ccbc6c4b

SHA512
4ccfc76596c3443734a1df40bd47200edac949a6043f3efeb88b47deb6ea75b4ed5a71731d3ce21a44a13b3d1a080d5ae511b3fb37ccc17700df2e42bc13df3a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZLWU0D9R\microsoft.windows[1].xml

Filesize
97B

MD5
165c4eb495a1e55b6aa27652f79faaa1

SHA1
2a72fe3964fdace12d0527f52b806e545d9797b2

SHA256
d694847a55f98886fbb45c6cd2b0fed95d9cd7448660cd023c909b3659d1f51c

SHA512
e749ffaf79a8b65f26500c72b3bdacd79c564b89ea16198695892840873ede2b63fda3c6d32480cc5296d7662f91332f83674a5170475d606912af20e5f14367

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fiu4zjzz.k2j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\users\admin\icon.ico

Filesize
66KB

MD5
9034b29160d3e03ffdf13f987e9ba54d

SHA1
28295b8e6dc83cab7a61cd81c27de7eb34b40b8d

SHA256
bec1eefc90d4476a22f8d560ccd455bd234205d2e37f0f604b377a78f6b2e083

SHA512
3cf247a4c2e3b319d311fdeb113a9182e2561350bc571cdce8b07f9179c2d3b717b1ffc771f1931e4ad0cd2add2990363b4c542a6f83f2f628a7a7ff5b4846e5

Download Submit
memory/1172-1270-0x00000220059E0000-0x0000022005A00000-memory.dmp

Filesize
128KB

Download
memory/1172-1300-0x0000022005FB0000-0x0000022005FD0000-memory.dmp

Filesize
128KB

Download
memory/1172-1285-0x00000220059A0000-0x00000220059C0000-memory.dmp

Filesize
128KB

Download
memory/1172-1266-0x0000022003C00000-0x0000022003D00000-memory.dmp

Filesize
1024KB

Download
memory/1172-1265-0x0000022003C00000-0x0000022003D00000-memory.dmp

Filesize
1024KB

Download
memory/1472-1564-0x000001859A100000-0x000001859A200000-memory.dmp

Filesize
1024KB

Download
memory/1472-1567-0x000001859B240000-0x000001859B260000-memory.dmp

Filesize
128KB

Download
memory/1472-1593-0x000001859B600000-0x000001859B620000-memory.dmp

Filesize
128KB

Download
memory/1472-1581-0x000001859B200000-0x000001859B220000-memory.dmp

Filesize
128KB

Download
memory/1524-1412-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/1564-1419-0x0000021BEC7C0000-0x0000021BEC7E0000-memory.dmp

Filesize
128KB

Download
memory/1564-1443-0x0000021BECB90000-0x0000021BECBB0000-memory.dmp

Filesize
128KB

Download
memory/1564-1416-0x0000021BEB500000-0x0000021BEB600000-memory.dmp

Filesize
1024KB

Download
memory/1564-1415-0x0000021BEB500000-0x0000021BEB600000-memory.dmp

Filesize
1024KB

Download
memory/1564-1431-0x0000021BEC780000-0x0000021BEC7A0000-memory.dmp

Filesize
128KB

Download
memory/1564-1414-0x0000021BEB500000-0x0000021BEB600000-memory.dmp

Filesize
1024KB

Download
memory/2024-219-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2052-572-0x00000164E42E0000-0x00000164E4300000-memory.dmp

Filesize
128KB

Download
memory/2052-544-0x0000015CE1E00000-0x0000015CE1F00000-memory.dmp

Filesize
1024KB

Download
memory/2052-545-0x0000015CE1E00000-0x0000015CE1F00000-memory.dmp

Filesize
1024KB

Download
memory/2052-549-0x00000164E3D20000-0x00000164E3D40000-memory.dmp

Filesize
128KB

Download
memory/2052-561-0x00000164E39D0000-0x00000164E39F0000-memory.dmp

Filesize
128KB

Download
memory/2116-1264-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/2468-1161-0x00000262FBCA0000-0x00000262FBCC0000-memory.dmp

Filesize
128KB

Download
memory/2468-1149-0x00000262FB690000-0x00000262FB6B0000-memory.dmp

Filesize
128KB

Download
memory/2468-1135-0x00000262FB6D0000-0x00000262FB6F0000-memory.dmp

Filesize
128KB

Download
memory/3432-542-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3544-998-0x00000233F7120000-0x00000233F7140000-memory.dmp

Filesize
128KB

Download
memory/3544-988-0x00000233F7160000-0x00000233F7180000-memory.dmp

Filesize
128KB

Download
memory/3544-1008-0x00000233F7530000-0x00000233F7550000-memory.dmp

Filesize
128KB

Download
memory/3628-833-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/3980-1709-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/4008-728-0x0000015206060000-0x0000015206080000-memory.dmp

Filesize
128KB

Download
memory/4008-693-0x0000015203C40000-0x0000015203D40000-memory.dmp

Filesize
1024KB

Download
memory/4008-708-0x0000015205C50000-0x0000015205C70000-memory.dmp

Filesize
128KB

Download
memory/4008-697-0x0000015205C90000-0x0000015205CB0000-memory.dmp

Filesize
128KB

Download
memory/4008-692-0x0000015203C40000-0x0000015203D40000-memory.dmp

Filesize
1024KB

Download
memory/4172-981-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4420-690-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/4440-839-0x000001BB316F0000-0x000001BB31710000-memory.dmp

Filesize
128KB

Download
memory/4440-861-0x000001BB31CC0000-0x000001BB31CE0000-memory.dmp

Filesize
128KB

Download
memory/4440-849-0x000001BB316B0000-0x000001BB316D0000-memory.dmp

Filesize
128KB

Download
memory/4440-835-0x000001BB30800000-0x000001BB30900000-memory.dmp

Filesize
1024KB

Download
memory/4468-393-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4476-1715-0x000001C850160000-0x000001C850180000-memory.dmp

Filesize
128KB

Download
memory/4476-1711-0x000001C84F000000-0x000001C84F100000-memory.dmp

Filesize
1024KB

Download
memory/4476-1710-0x000001C84F000000-0x000001C84F100000-memory.dmp

Filesize
1024KB

Download
memory/4756-1561-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/4780-432-0x000002273F650000-0x000002273F670000-memory.dmp

Filesize
128KB

Download
memory/4780-412-0x000002273F240000-0x000002273F260000-memory.dmp

Filesize
128KB

Download
memory/4780-401-0x000002273F280000-0x000002273F2A0000-memory.dmp

Filesize
128KB

Download
memory/4832-250-0x00000264DED20000-0x00000264DED40000-memory.dmp

Filesize
128KB

Download
memory/4832-225-0x00000264DE960000-0x00000264DE980000-memory.dmp

Filesize
128KB

Download
memory/4832-220-0x00000264DD800000-0x00000264DD900000-memory.dmp

Filesize
1024KB

Download
memory/4832-222-0x00000264DD800000-0x00000264DD900000-memory.dmp

Filesize
1024KB

Download
memory/4832-236-0x00000264DE920000-0x00000264DE940000-memory.dmp

Filesize
128KB

Download
memory/5008-142-0x00007FFE03040000-0x00007FFE03B01000-memory.dmp

Filesize
10.8MB

Download
memory/5008-139-0x00007FFE03040000-0x00007FFE03B01000-memory.dmp

Filesize
10.8MB

Download
memory/5008-127-0x00007FFE03043000-0x00007FFE03045000-memory.dmp

Filesize
8KB

Download
memory/5008-138-0x00007FFE03040000-0x00007FFE03B01000-memory.dmp

Filesize
10.8MB

Download
memory/5008-128-0x000001C9E32D0000-0x000001C9E32F2000-memory.dmp

Filesize
136KB

Download
memory/5052-1128-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download