akira | 2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77

Analysis

max time kernel
88s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
Size

879KB
MD5

2a7a76cde7e970c06316e3ae4feadbe3
SHA1

89d195f59bba9c3b43635607f9f1c3051645332c
SHA256

2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77
SHA512

834f76c0de678d26507fa1a3446cf6336952d36bd2857113f1bbaddf0d33132d4c579bfd232194868c8dc4ddefa66a9c589610e74f4a808787b8edf36f3d5b4f
SSDEEP

24576:dpN2CMwVhLcqnB+c9z2Va31qIU2p1GA3zaIJYj9+M+C6vU1KKoPAFGG+TR3aZX:UC5Uqn4c9z2Vu1qIU2pAA3rM+C6vZJAp

Score

10^/10

akira credential_access discovery execution persistence ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. 3. Use this code - 6729-HK-NIZN-WOPQ - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	3120	powershell.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Renames multiple (9222) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell command to delete shadowcopy.
execution ransowmware

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3776 powershell.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

pid	process
3776	powershell.exe

Drops startup file 3 IoCs

Processes:

2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	explorer.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\kn.pak.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\icudtl.dat.DATA.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\aa128bda9d1424a605da622aec5c4055.arika	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\packager.jar.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\ui-strings.js.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\ui-strings.js.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\ui-strings.js.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\ui-strings.js.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FDATE.DLL.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\es\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_listview_18.svg.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WXPNSE.DLL.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.schema.mfl.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File opened for modification	C:\Program Files\BlockTest.ttc.akira	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\akira_readme.txt	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeexplorer.exeSearchApp.exeexplorer.exeSearchApp.exeSearchApp.exeexplorer.exeexplorer.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "2"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{1C63E335-7312-4AA1-9795-09AD9853EBD1}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{F41F9A61-FC32-4A7D-A125-468A1793E75B}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{6DA28CB8-0010-4683-B166-C3DFD1C9526E}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{BFF420EF-A4EC-4ED4-A7A0-C8D55160D6E5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{00F2373F-82AD-4329-9548-D7AC66941A58}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3776 powershell.exe
3776 powershell.exe

pid	process
3776	powershell.exe
3776	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exevssvc.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeBackupPrivilege	1588	vssvc.exe
Token: SeRestorePrivilege	1588	vssvc.exe
Token: SeAuditPrivilege	1588	vssvc.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2896	explorer.exe
Token: SeCreatePagefilePrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
1900	StartMenuExperienceHost.exe
2860	StartMenuExperienceHost.exe
2800	SearchApp.exe
3808	StartMenuExperienceHost.exe
3696	SearchApp.exe
4076	StartMenuExperienceHost.exe
4664	SearchApp.exe
2932	StartMenuExperienceHost.exe
3908	SearchApp.exe
3196	StartMenuExperienceHost.exe
2736	SearchApp.exe
812	StartMenuExperienceHost.exe
2640	SearchApp.exe
3744	StartMenuExperienceHost.exe
1552	SearchApp.exe
3188	StartMenuExperienceHost.exe
1488	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe
"C:\Users\Admin\AppData\Local\Temp\2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:60

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1336

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3188

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4532

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2200

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2200

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:636

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4484

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\akira_readme.txt

Filesize
2KB

MD5
e158265e513c5b865b19240370d4cb81

SHA1
4a37838237b622bc8f6049cf62573d7ed69b1a25

SHA256
f13ffbbdf446bb88a48de8162406b9b2f97cde15a27ce007a156f4dbd028fb2a

SHA512
dd8e241126d131f4d3d4c3936ccb06eef955258573c7337a241cb93fea66e41324caae2ced4548b9e69c7427f3649d134f670607e0e65a13bdaa61b3381cbb34

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.akira

Filesize
289KB

MD5
e2018d328418d2800987f01af0a6c36d

SHA1
bdd9e374995e320a95f2526bc326b0415a6e442f

SHA256
713dfa3798e64862ac434daaabb3d3ef0ecaa915f84300a35e42c73cdfc6be70

SHA512
4a099ff737bcaea752a2fea950dc154eee03b60917273bc9231be46953ae70569a66c5528b3e9cb3b73eb59b3e75f91a0e43a08489949f0405dec1e32a1a83a2

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.akira

Filesize
623KB

MD5
7bd0ea2c13d68aef3f728a48493f3a2f

SHA1
f2c25ae32281a8cf4251429a70bdb990c0ed33b6

SHA256
6f682e68f43e6c6abc126b9a41c58ab132ac96973f5a4c6b67aa055208c468fe

SHA512
05d97024ea0a948a133dc69996c2d074454d9af46584782912e6267e9191276f05c67d2ea0ae24829a1bc3943da808a38bca67005e08ca5f772853013e313b26

Download Submit
C:\USERS\ADMIN\DESKTOP\BLOCKDENY.CSS.AKIRA

Filesize
745KB

MD5
6a1304b7b4147b2b6e5d444d855a770e

SHA1
6e304b3103a3959b5b623d43c62585b3c168cbe7

SHA256
c5a0343c6f3babaf5ef817d66c15bbbfa730bd91a89998ddef3e67cd649aaed9

SHA512
d79749cbca97aebf064f3636f35488f8547dd490c395b4720b8add05eba806da52b1abdf9f1d2ccf0a585b313af506b3a6536fad3a7fe2d233a46a4e08c35003

Download Submit
C:\USERS\ADMIN\DESKTOP\BLOCKEXPORT.JPE.AKIRA

Filesize
723KB

MD5
3198f4ee5f4e5fb1e910891ba6cc629a

SHA1
8e7efcabe993114f3313fca7900ca73541cf12c7

SHA256
2bee37cea0bee713c1d20618de27c6360dae0e53c7f5a13f0e1b69a654c23c35

SHA512
61fa7b4c59628e1b2c6118746582211f67c5cab9b794a249733850859b4658242d7198f00e3b0ab161bb648b3014bb82613a1cb206a1c39eac41219e29566ed9

Download Submit
C:\USERS\ADMIN\DESKTOP\CHECKPOINTBLOCK.PNG.AKIRA

Filesize
539KB

MD5
9c6ad3eb2cf8eec025091c95d65ef962

SHA1
b69a1e54d76a9d9c013f734e9a8c31f4092f0a62

SHA256
29c8c1b797ab82768ecc6a84002266789a058b6cdf4cfca822ec1c8b44a18e39

SHA512
3110f65962df89872bed5b2938deee7259bb82f74f29f3f253369fc588306bd4ab24a644ed8929dedcab39f72bd37492ce9fc209a4a08b65f731d01b7827bbc3

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPRESSPUBLISH.MIDI.AKIRA

Filesize
814KB

MD5
1277b2cc2c0b25fa973a55dc3350e0d2

SHA1
3c31d69e232bde1152d2127a8ae51fa2b764d78c

SHA256
e377b8f3d4d2ba8df914ebb349aec2f0ed37765b462688f45d92312233cbcc9f

SHA512
e2d77d3f23daba7c35b5cc6c37aca5dd7918a1fc231e73267702742ec571067e20f623ee6f4cf671e817a0a320af072d33db47401504442067bbcf3a77157d77

Download Submit
C:\USERS\ADMIN\DESKTOP\FINDSET.BMP.AKIRA

Filesize
608KB

MD5
aec93f72e52aef3655e0e1bb1dee7db1

SHA1
f629d0bbb08df8d47c1829ada4cd0c7eb5059cf1

SHA256
91ac98efe745c5f8698803280f738ee2cbf8c5790bf501729eb0145a0d718f86

SHA512
f353482605db7968b3546382514ddfafbaa2a609a03627ff07db7bc1175815cf51de1d1f454115e03f506e08f22228201e25ec6480b05884daf22e7b17277101

Download Submit
C:\USERS\ADMIN\DESKTOP\FORMATREGISTER.PHP.AKIRA

Filesize
447KB

MD5
0ec01a2e82dc5940a0350d254b673a15

SHA1
6c8950e90375e2d8a5877e3658e951b826a6a668

SHA256
b4cc4b1a3f31b8fd0dd9213614bea3ccdd4269a2a0e70b8ef8f8ce91a0f3006a

SHA512
c840609bafd7d8d8c7e136d69b2b7a21e5568cece2ec95980e0a7469d20d0dbc8d519d7aab935f2f0e517a4b7f903e557c772eed0aea7d93ba7131bf0dd9b674

Download Submit
C:\USERS\ADMIN\DESKTOP\GETCONVERTFROM.JPEG.AKIRA

Filesize
333KB

MD5
5ad4ffc35bd0f31d92129c68b07523dd

SHA1
82205237359208e36c0e958599550f8f7308a176

SHA256
9b7a63695186e99c3e833787fdb1c6e037389e19972a0b373ccc85f8e1d29a8f

SHA512
aea03c7d18e3cbc0efd69a5d289b762876e726841b1aaa7dd6375327a61b98203204570856ad8341a5940e31243eaac2d0fe1b377be0a0bf4b68e18fab629306

Download Submit
C:\USERS\ADMIN\DESKTOP\GETTEST.VSDM.AKIRA

Filesize
287KB

MD5
7ff8d00b360111861cc66ff5b6dada29

SHA1
6ca66e77db5a770cb39bbd881854bba96e58c738

SHA256
3b4f66f9e3eb728c364ba598e5458af4a575b6f4f5b5e7d478527964895d3288

SHA512
d42ba8e9551886c778b3bc4d35f0c7418a771981ccb39ce83678aa2f1b75fd5500d162e573b03b413ca63ef8e9db498745154dd2232a81db2f8b4fe05cbd8b7b

Download Submit
C:\USERS\ADMIN\DESKTOP\GROUPAPPROVE.XLSB.AKIRA

Filesize
424KB

MD5
7b40ae6d64a0678289a3664f0b295e4d

SHA1
853773feac1a76f178d81595ee633dac3c44f501

SHA256
f07474fd9b9028b6050c68d3a5e900472fba09f4a6b97cbd9a6cf4bbf6bf62e5

SHA512
2fb5f11bab4a8765e4500a125c4e5eec3c6159e6ae76e8fa0b095f61d65ddd2ca2cc178a0c20f4d698f4844a54ca9d8709ebccff0d63ed80c789f2ec2430f4ce

Download Submit
C:\USERS\ADMIN\DESKTOP\JOINCLEAR.XLSX.AKIRA

Filesize
12KB

MD5
c07d54e6b634e2b3911614a501cf9f4b

SHA1
b1356ca7bd2d28a891e2351a337eb24c965b86d3

SHA256
3505588d9a7a1b1ee2a7695751ec5e409528aa790334862766b9b99eef402e59

SHA512
ce7d1f9222b878171914d110ac372c9420e5ccacbf55c57c4fdd2f6f8600aafe3c3a54676edcdbd60230090488e5ed79462c7698b07a3fa6e9dc319172b9cd61

Download Submit
C:\USERS\ADMIN\DESKTOP\OPENENABLE.RTF.AKIRA

Filesize
378KB

MD5
706445a9f51f7b5a2b37161322a1de03

SHA1
fb5bc569748e571b716c1b706247156eae57f764

SHA256
019711ccb830df913321fb0cad9604631b53ce9ca4954b96745ef18dd9adc704

SHA512
a3d3904185bcc6f3933dfd235df447f4c91c42ee09d46fcb7e4f41a25cfcf2629913ed8019966fffda8f1a63bd17443a2b53eb31820b27027aade826d070c99e

Download Submit
C:\USERS\ADMIN\DESKTOP\POPOUT.JPG.AKIRA

Filesize
562KB

MD5
2ef8b06a65308a14f6450e8399ff2fda

SHA1
00548bdbd53dc4ef65c09340fb61d934ddc36da9

SHA256
cfc107d66df2f8531cac81a2d827f762cfe893f166b6f9bd70bc064ec5937591

SHA512
3558aaaada606aea6bfa8eb1f0c974d052f746d29a06c86e02a21b51d75796acd188a3ff84d0320798db6eb266a21fb80e38deafa59fc0f4f6cbc8236e279f54

Download Submit
C:\USERS\ADMIN\DESKTOP\PROTECTRESTART.CAB.AKIRA

Filesize
356KB

MD5
3729cf801d8a7f3c358f5fcc629be2da

SHA1
38c778eca24fa46c58ef894e2809c23431d7a959

SHA256
d941ef2e0c8402e69602f44bb1ce03b889bc074e0d2923dcc4123a8fc2bbe4a6

SHA512
73ff9fc92d511bbf6919d99051298df880afcfb7bb9f1ca4a9ceeadf45a56b4d56fba81c19ddfc35a5590883e5b07ea958eca7acd1fa4cef804f870755f8348c

Download Submit
C:\USERS\ADMIN\DESKTOP\RENAMEEDIT.MHTML.AKIRA

Filesize
401KB

MD5
3cdf090758b6b087101379ea59e3aa4f

SHA1
60e2537e2444ce14d27ee5f57b843ae35a324c64

SHA256
0159331932c490e7d83b7e224db040ce25a2a8d1556bc9805c3b2bd1362b2a2a

SHA512
ccda6a47b407c3ffeb1aa0aacac5dc4af83fb74fe838129a1ffd231b976a42561502982d3a75ed218d48865b402ee8f9eafbfd9209fab097b1f0108653a167a2

Download Submit
C:\USERS\ADMIN\DESKTOP\REPAIRADD.MP2V.AKIRA

Filesize
791KB

MD5
5924fb2d096756ac508a749fc9ce3cf5

SHA1
b46f16264b9b9b99b071234bd6a8c552e3b904f7

SHA256
e316e4dec4e8ccb40fc9ddc7f7f0552cdfc8e5243bbfa27f4e78af9500d234a4

SHA512
a21f55f4889f728f78415c5b12456d5bc4acdf90292ee8e47bb3679d5ace287b97e3952a3c81608c54184e2fa9a2aef7ee5ca15208ebf79d93abe487ff1187fc

Download Submit
C:\USERS\ADMIN\DESKTOP\REPAIRCLOSE.XLSX.AKIRA

Filesize
11KB

MD5
d395804af96da411abf02f29c5a28d59

SHA1
406bb3377815d39a9bd98d98e22749393b32ab55

SHA256
bafa046861c91bcb6199c3685237e7651b846be1f04863d59b27edc5afef7a30

SHA512
8c915975293e9e04849ddaba75e06b26f3f270c9e8bf4f199158b8db772f099fbed61e16ce7a549ba6e560b06f9f8df765bedf6b043c829dd3e0f8d6c1f75251

Download Submit
C:\USERS\ADMIN\DESKTOP\REQUESTSUBMIT.001.AKIRA

Filesize
631KB

MD5
ee900c58ffe8b43b0f9e044557cd4019

SHA1
f79d03060be67c07ed74a25a592576adf0301efd

SHA256
d0299ee6588642f22c92ef506b57048c6aaadc4477d3e613efa988cf040fb83f

SHA512
4f7b4601df6749a09bcc5c39d4012b4e4721cec0bce3d3528d351048f94176332b7ab4e105570f7a9225dc4256a4dbb18a09b1e59d651c18b5e41251e30add19

Download Submit
C:\USERS\ADMIN\DESKTOP\RESETCOPY.TIF.AKIRA

Filesize
677KB

MD5
f4e1ec8339ef6d82e69cc00bfcb81d87

SHA1
ec2cb9aa873883f0afc15d5e0bda4648ef06a57a

SHA256
2fc7ee31937e02e03d5ac8c53681e971f2363d46470c1ba3a847883fe071b1a4

SHA512
5731f853a7fdfa1af80dfdd30806b3705f2c8dcaef4632d4a5b931e5d9374fa1f41d5db19b33cd4efca808d561be85b055d5cb45062961f9fcf4913b342882eb

Download Submit
C:\USERS\ADMIN\DESKTOP\RESIZEUPDATE.JPEG.AKIRA

Filesize
310KB

MD5
9c7f654a23de0d8b50d87f5bee110d4d

SHA1
dc365f4332e3e3b580c9928a134ac7a3d2ac1a5b

SHA256
fb4c5af962a5e7afbfb0eb410b3de032cf82d12f9e3a626a3c3c11a770fda401

SHA512
2cd5bd4852c8d10a79b5fca94e04d7f790e1505dc728dbc3f89f40899682fe608fd7aeb675a9dc0b5b9fa86d82bcbb9253fa60217d493b6590aaed02b6c34181

Download Submit
C:\USERS\ADMIN\DESKTOP\RESOLVECONVERT.VDX.AKIRA

Filesize
654KB

MD5
978f36c4b64ceab150a54bf97d2b3c5b

SHA1
d3b4ebd71475fd734da30e69e03cfa20a6c67aed

SHA256
d7046cb01b42708e913a08316bfaf35f67a4ed50e718f9b3dccdb9e8ff148206

SHA512
9617fe81fa900f1914f3949aed315dd8857f41e4de7a41e42ae002d474628654f91cbe05c5ce1a8ab8243860759d74181b9a876718c7d0d0bf66d6b87693ad21

Download Submit
C:\USERS\ADMIN\DESKTOP\RESOLVEPUBLISH.DOCX.AKIRA

Filesize
15KB

MD5
8f8916e98cff37c447bb2870d9d6ebaa

SHA1
93c52b6c394b07172e12218e172dec6a44a4e59b

SHA256
bd4a934b06cc13abba27f8fe04d5c93c8655b81f7f8a541ac01db8776e7cafcc

SHA512
91d438351d35a24d141eade38287f1b7bb92d77c7eaec60e66fc4bc7032d81e37b1ed8193bb9d5f88c1beeb3078066dfab969e797accee2773379517d2e1af5f

Download Submit
C:\USERS\ADMIN\DESKTOP\SAVEPUSH.SEARCH-MS.AKIRA

Filesize
1.1MB

MD5
4cd7d46c1fd748b64bdc1cfecf3ff537

SHA1
2f95c328874722146d70561a376ee31695805c9d

SHA256
10dcd05c7a2ed6d05176de57130830176ebff2f2b5463b115874982f1d7fe36b

SHA512
0df7f9e6a5e4a1fd1182815c14bab586e94ca056615b6edd47e7e9690736d326cf363e35b4ba66cefa790a2889067606af3c897d19d9d70914ea74a6337f4dbf

Download Submit
C:\USERS\ADMIN\DESKTOP\SHOWSPLIT.HTA.AKIRA

Filesize
700KB

MD5
0be467dfafe9bdc26ba39255624e2134

SHA1
561fe77c5c0c3e7ef7eac65cfc840d887d701830

SHA256
0e14d2d2704969b3b1f7bd367893da3a630130e161c24ea1ff16456492dec546

SHA512
118a1903a9fe9a744dc71153059b3b6ed38408812311fb68888ee4cb555cf5dbdc9b68421835b2d7bbc88015f0f45c8b03be5bc57dd4d46788999b20756b0dc1

Download Submit
C:\USERS\ADMIN\DESKTOP\SPLITPOP.CSV.AKIRA

Filesize
493KB

MD5
1c43fb5620586c43da1568e0d62b2ef9

SHA1
0f43776b55ffcdd087bc8be912c861f983ff8905

SHA256
439064b9b373b28138c4192fee943d3be568199fdbb72d0bb43624ac325a6424

SHA512
fc00de97198b653015ac955b6b204e37b3fdba35b4219563aecd798e1b627666cf2ba1f7948e197e867d754e8fbe3b1c87f935e52a7591abaa6501d68f07e5c2

Download Submit
C:\USERS\ADMIN\DESKTOP\SUBMITSET.TXT.AKIRA

Filesize
470KB

MD5
9208de31e6ca5695157cd6436e0d9982

SHA1
33039beb70bfcfc3e9071b900c0260f3f8cc3d92

SHA256
08486df39ee65af2540d303a076a364ee9d3f3506d5d7acddaf7721ed4f75bff

SHA512
aa62a35811100fb43d40c4363e3098bddd5e44c1414230e17c3efa0583248528b707f1492379d9c8346362fe5c03e845d599de26a08ef20683f4d94111100835

Download Submit
C:\USERS\ADMIN\DESKTOP\SWITCHMOUNT.ODT.AKIRA

Filesize
768KB

MD5
94b7b7781cb9e3c0fd0e4d4ab6ea09fe

SHA1
9ed143960f1d577560207bbdc33640a627f6a2c4

SHA256
bd59233d7a41307fdd7ba738d0500c65f200483f3b7ea511806c11b3bf63b2c6

SHA512
ec4cd685346099eba53c80531318b0f71b9b973a75d2bb55ef6d4fde6b13049fc9d131b61e05bbaa288242181e7eb0e4bb89127d91a5e8c0aafe04735a903096

Download Submit
C:\USERS\ADMIN\DESKTOP\UPDATEMOVE.ODT.AKIRA

Filesize
585KB

MD5
a6bb44b723af409100a85b797b5c3be1

SHA1
7e076bc0ab1248f2df95eb7ff49c8d45e37a9c46

SHA256
ab2f479d9dc31ca9aa91bb0c9b6174fdf6e643ef24fadf2b802d5066317ea9a6

SHA512
76986f81fc000ef4119a927aba05b0ae4854e2f21fad7e237a138973b8b87587e7ef5cba2c10ca2d76c4549fd1268d03ad967e09419988398df6456d54cf1770

Download Submit
C:\USERS\ADMIN\DESKTOP\USEEDIT.ICO.AKIRA

Filesize
516KB

MD5
bef0f3b5b681d537fa0beabac7755a08

SHA1
2bc083688bbab1627e99852a27eb937c92237d92

SHA256
2620f1bb92d7e6c9284a5d9a904e4d8ad9db57466593f7eede03679ba643bf70

SHA512
7849e27570d307faf96be7018adcb49f1a8dd35baeb3c120514ad4f434cd3dddf0ed4b7cbc5c110c6f879154ff027cd21b8b3753430d2d28073281db8e6fa1d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
164893fa105c3af57ac0b9cdc632a5a6

SHA1
31e202729296509b30220119dfe7a3509a11fbcd

SHA256
2a00fb93752310034d7a39e452b92dce0cf56adbb4544378b4bd347864e4ded4

SHA512
aba68c39d9a428241dba7673c94118b2545c6de3aab6f4e0fdf6c121ca829d1e941988ad92a21d9f1a60e7ad132e476513d2703c1c08445e75a6f5633f72fa55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
71d8f40661f795177a445fc0314ec1a8

SHA1
cdee9e064af8c141deb6e18674f9527a65a5f060

SHA256
b62c77e451e2840f3e5af372c629554a7c358599ba3feb1e7cca9de5c6f77abf

SHA512
0b1e8f3c41c88a8abebda6ff4f628b751d0b67317e16083b637697f728a76a1377063b7e3194589a65918703de6ee2c0cbd2bbbd91e841a86ae9281eec005a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6f98855e8869599e57f2e8009ce47ad0

SHA1
1fb2d935dfad3714496d419ca793e0983fc86108

SHA256
0b64b960cf7469facd5b069e0d7f0992a5c2b302088f05e3fbd50e042bac4318

SHA512
286c4a57bd79e70fd855c1e8e87e3116b31002ec4595249225a7283ab5c3c133c7fdbbedee17af1f618694c7f4d199f96a965febe990ec8ac41fed774f76ab9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
413KB

MD5
2350b47261040b1ee32f7df427ab30fc

SHA1
e656cced405e01b6a60b7444b2c9e1b31ed7c63a

SHA256
612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db

SHA512
a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

Filesize
174B

MD5
e0fd7e6b4853592ac9ac73df9d83783f

SHA1
2834e77dfa1269ddad948b87d88887e84179594a

SHA256
feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

SHA512
289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.akira

Filesize
414KB

MD5
1c63ce5fa6de407af8801cbdd8b3b679

SHA1
4c6dfc9534fc217211410f05f2a3db5011d60a76

SHA256
6cb6d52869ce9daa3a443e990ff257e6d13527e371d89bb3594b4f8b88716841

SHA512
83be69bc4f7e1a5ff46cb5d7b0afddaa04993121dc95076e147fabfe8b429babb606298202b4df9a0268f792a68756495e9a044286f8ff08681d208bcc843670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db.akira

Filesize
94KB

MD5
130194006c7315a66f1a0aa3923094fe

SHA1
0f10abecd4e78baaa22fb7447ba77ed065da98e2

SHA256
6631b1a79c75624190b12bc58cc095637ed8425adaf7f9878cef1ad571f3f42a

SHA512
e34a195bbdee9bae86ac583b7d7d525fa9f89c9a43b6c1b63dfb641f1d587f4a0542d94dc7b12bdf9e781d3eae2745883ce2ea6bb6d04aee73fbf90a7ee2a283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm6DF.tmp

Filesize
24B

MD5
419a089e66b9e18ada06c459b000cb4d

SHA1
ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

SHA256
c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

SHA512
bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

Filesize
24B

MD5
2dd3f3c33e7100ec0d4dbbca9774b044

SHA1
b254d47f2b9769f13b033cae2b0571d68d42e5eb

SHA256
5a00cc998e0d0285b729964afd20618cbaecfa7791fecdb843b535491a83ae21

SHA512
c719d8c54a3a749a41b8fc430405db7fcde829c150f27c89015793ca06018ad9d6833f20ab7e0cfda99e16322b52a19c080e8c618f996fc8923488819e6e14bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
5214afac2f863d1b7f1f43c66dd7654f

SHA1
0c136f927b7852a6b96b983fa78bafa4f6162074

SHA256
2a9150db264d439d43ca3555d428448b7e8d48c73fa49547a8b2a231c1b39fdc

SHA512
dd658b39e5bb1095ef718ba25157fcaa09cc3be5a7a1fa81857f88b0933746576e92e1f42fff1e44e9b9ffeac0bb5a9eebc34f0e9571866872e0f953eeab343a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

Filesize
24B

MD5
635e15cb045ff4cf0e6a31c827225767

SHA1
f1eaaa628678441481309261fabc9d155c0dd6cb

SHA256
67219e5ad98a31e8fa8593323cd2024c1ca54d65985d895e8830ae356c7bdf1d

SHA512
81172ae72153b24391c19556982a316e16e638f5322b11569d76b28e154250d0d2f31e83e9e832180e34add0d63b24d36dd8a0cee80e8b46d96639bff811fa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

Filesize
24B

MD5
f6b463be7b50f3cc5d911b76002a6b36

SHA1
c94920d1e0207b0f53d623a96f48d635314924d2

SHA256
16e4d1b41517b48ce562349e3895013c6d6a0df4fcffc2da752498e33c4d9078

SHA512
4d155dfedd3d44edfbbe7ac84d3e81141d4bb665399c2a5cf01605c24bd12e6faf87bb5b666ea392e1b246005dfabde2208ed515cd612d34bac7f965fd6cc57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

Filesize
24B

MD5
2d84ad5cfdf57bd4e3656bcfd9a864ea

SHA1
b7b82e72891e16d837a54f94960f9b3c83dc5552

SHA256
d241584a3fd4a91976fafd5ec427e88f6e60998954dec39e388af88316af3552

SHA512
0d9bc1ee51a4fb91b24e37f85afbf88376c88345483d686c6cff84066544287c98534aa701d7d4d52e53f10a3bea73ee8bc38d18425fde6d66352f8b76c0cbb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
24B

MD5
60476a101249aedff09a43e047040191

SHA1
de5b6a0adc7de7180e19286cf0f13567278cdb64

SHA256
35bc77a06bfdde8c8f3a474c88520262b88c7b8992ee6b2d5cf41dddc77a83fb

SHA512
f1d2dcc562a36434c6c6405ec4eac7ecfa76fc5a940114da6f94495b77584a132d5d82ad3556df749490be096cfd238fa8b484b7c734cbc4d074e963e5d451f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
e7d820e1a9d7ecf9bef4daa811b65148

SHA1
8a8d1dd25b5ff8537dd0774bc336c740ccbff8bd

SHA256
1a331453b26f8e07152175e66aacbfa20a33fcfd9b600134d8900414bfc53bfe

SHA512
8a4b3c32c98e87731401db8e574556cb1f2181aaddcbb08761f860c1e4c732416d63f0349cb25e7953ec0e06048accd59f01956def69c09bac280a7b5e076a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
777dd969da3dd17026244668b774e058

SHA1
e0a066d28dfc6bcca1c13a50bfc4b35a37541b7a

SHA256
221f1bd7bad281fe93374736df606e52ce7393ae4fe0bdd4682935b90f184e59

SHA512
1f1a19b1a969a62cd8c83622e89077492457dd00f28505f0fe49a600688b18bf0407cae61e0da9f0d23fd0f6d874125fe83a5666ca7975976d612743fda08158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
e2392161a27013d704889522efe6d762

SHA1
bc75156c4890ebad10546d8b8413705f6438e190

SHA256
9bd2b1c2d9be016f682c7e00c35bd0ef665f556c54f6145bb756d755a38bfead

SHA512
94bc5871a82224372dfd136249f4f46bbcecb69c09b888ebfd4c436d2e9a8d0b346c3a6451c66b45b96d7f0a78d060511e83c8b475f7c04d87bdc20104b0c49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

Filesize
24B

MD5
d192f7c343602d02e3e020807707006e

SHA1
82259c6cb5b1f31cc2079a083bc93c726bfc4fbf

SHA256
bb4d233c90bdbee6ef83e40bff1149ea884efa790b3bef496164df6f90297c48

SHA512
aec90cf52646b5b0ef00ceb2a8d739befe456d08551c031e8dec6e1f549a6535c1870adb62eec0a292787ae6a7876388dd1b2c884cba8cc6e2d7993790102f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
77b65a77cac00fe47b16dd4819c4a4c7

SHA1
5d174cc05cfc487ee35db8aaa770930a26529bc0

SHA256
31aa3f7fa15dc18c49e4e36554fbaed761808284a0fa4a792a48e46d267e0383

SHA512
abcc320916161427a5b5683edd9242ad065680eee55f35b770e24c58f3ddb5b77bc1f58bc4c5fb851bec15b441a8de904a10dbb7eeaf6dcdf9460470d3d33d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
a7ff91e85b7bc49f27491d6aaeb3debb

SHA1
4eb9b93cbf0c5b6390281a84d34eeda9497c007d

SHA256
ea0361f14e25f3b0cf6cd20014ed6a3e8fec5e700681228f3ddf0c5890eeb6d8

SHA512
36836f1b1ec9e7e9b228b3b6a9ed4930a4c7ccb356f5999bfaaa8b80a2b3b639c8e4c9e5ca0ff13dbc7cf440efc499634f332c4d9f06bd8733f1ef90d73448f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
5bb2982044b7d8692d4e699a2be35af0

SHA1
85bc1eae0ef3ded0819d11c426293b2c2fb59e8d

SHA256
869db0942dfe0c1e6d76623ee3555869f33140a7b40ab0a113f27cf9b88f3990

SHA512
875ece1f231f850b76e26c91c68feb1c2621fed56063c56a82cdc4debf84fb8df2552a64bd73c9f2ff4454730c0d06734a425fd28d144649136a043e54a0d211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

Filesize
536B

MD5
1b2337327fec2e4e43a91029396d90bc

SHA1
851b09faaea1957d626751a9e3ca38b8fbca2f3f

SHA256
9da05c14578bc0de9a9ec163be6158a7571aaa792ee492c0aad76491f955311a

SHA512
76247df5045a8a42dd27b7fec93ca505e529b3ebbe3bb1501ad39add42058f09f85a7fffbe634e930c50acf57a0c8275fd736e62d87f99e4c9f1a48f65964c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

Filesize
536B

MD5
8648880b0b0e9d246958d40efa7d1ca7

SHA1
317e8b90c8e903df4f753382bd424b5b3ec2ed76

SHA256
9ad2c190bfcb46fef27933736c5dd8de750727ffdee5eac7c9b6438dbd7af5da

SHA512
c93ea9e65326ad2ef38a4292ccb2456224fca3495fa3c1d955b9171c1f9ebbc5d90fb0fdbdb87d4b3a33608adbf81d07d651fd68b230948f4acf646422fe01ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

Filesize
536B

MD5
d51fc0680c3329614c1b4c83385dbe9a

SHA1
a3bd8ade4f5f8c7004cfc508536c1a3754be4df7

SHA256
0da0b703e59517d9fc56aeb04bb71a1fb3a3f9e79e62aaae6998729762040aef

SHA512
2221713c142c6388b588cb995114e2ea27ce03c55a0df82cc85180c302c8d6c3e9cabdaeb6a16213dd4da9bae5bc3c629835bdf294aa77256bc0568c6de15bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
4ab28508af8aa981f3986486b05f48d9

SHA1
39891123dbf34d174cd4124724d820ed548fa902

SHA256
235b6b2004d4fc841390af1b8e8e6d1ce93b9c65c8362fef7743d2149c3236a1

SHA512
42b513457a18a2886b002f6930244790a1b87ce340d6e38e61d25ec598ed7f56924e53f01ae448c29148e445573dac69e8a55f4413b16c1864956f5a4c5c4e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.akira

Filesize
7KB

MD5
e7587b8e8152855556ac52728ff50d19

SHA1
f707566f4210a881bafa7d448288da2fcbf5cfa9

SHA256
0b40f38a6a62dd90d7ded479a60b60eae03d8289c8683f9c83422ae70baa9625

SHA512
fb304154c84dc595fafe25c9048303eba57ede1e7e7ce6b76b9b6ba1b688cb8a10838af9d6b5d44f88f793e3c8f7a830c199a055f588dae788b456564c4b73fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

Filesize
536B

MD5
fca9666b5b729e88ce3271fe9d1ce58c

SHA1
766e270545a2796d556225261b5f7a64f9b4c2ad

SHA256
8c48e1efd518af080b880b071c0714a5cb4e85b6ae8abedfa5a76493a2422955

SHA512
6e3397b27e07b461c2b576387110c4dfb075f05703f9c0f99415abb563a056709c165830c175bb4017ec256d60d729bcc85a707153c00ccbc4e8f74809d300e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

Filesize
536B

MD5
f495fdbcc0493167120113730c3372b6

SHA1
918127a0d354b6c98d4dac9a5dc54cafed3113b9

SHA256
57300f05ee7ace6eaea2ac86ea972a79ab73863cb2ce8f75734649651d5dc6df

SHA512
96db5ea26d8e0a930b8c2b0535d9af38f11829a738334b23c72264d7c129793918d4dc3698c094635b44ac862b7dc661f2d4c913482928845b3ff73aff5a0164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

Filesize
536B

MD5
9ed4d116f2cef4f5b6c68319fd4610ea

SHA1
d914dc98835e25164740dbc128f2a72c6a8fc99d

SHA256
a512188bfca48c1a5947b421063bbe88dfb6d4f5fd5c4e06e1273b823f207b88

SHA512
b58965f8edc16d13b94a8b66e9e4c7b11768ffcc596219c81933449219100690aa02251fec9a5e26ee6e77dfe0f04379c90c79292568d6c136bf54f1fb3e4e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
576B

MD5
74bf43641b845329cb32b3966262e197

SHA1
d49530238d09b376ac6cc12b47e3b835d73c66b6

SHA256
92442be13e79b538e0d79ab06d2785a9645a186bc48d4eb7374855017767734c

SHA512
11b6841e56320288b779421e91951602020edfa0bcc5ab513d621acc8db5f783d50eee5b406a5f12bbaa42c82cbde21625b8956b2130735cf646378c936edcd2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\XIH7UHT1\microsoft.windows[1].xml

Filesize
96B

MD5
037e1bc915e3b80b4747ca893b550d76

SHA1
30d614f262981d2af03e79a3106150ed3433fb06

SHA256
840e618af736482c57e14ac1e9258f6fe318dbec470cd3103635dd08e5df80ee

SHA512
06f176e7ecb0772ebe124dc32f3e7103faf06d914dfcbb8db6206c590659726ed9aec77f747222daa023f0318fefb229405ad9c05dfa7a967847d49196b0c860

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres

Filesize
2KB

MD5
c6e444e7a50d6ef93c5e9afb52b42cc3

SHA1
266521c294ec640a2a8013e374d04c4a799f2152

SHA256
ff906e31a888a8070e9a22bbdb8dd6effaf03d76b5368ee6ccc903e71a928e56

SHA512
25e5e0d60dd93452d2b7af84cc234ab396b7813024f98e3feca7f4d6d850607a5aa4ec30013b305bf3cdd6fcffcd226961b93d086bfcdbdd277f1021fdc3f736

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
2410b17b8d7f2a1d9d044cde43c345c4

SHA1
459e925941b08ef7b29920811f386cbacfd1c8ff

SHA256
969db417fd1a762e5fe86b9e9646b128249c1b44e96034ddaa50c59b6ec84f98

SHA512
5010dbc71671d7f5170092e22ee576d731b6f590dfbd2222a14ca1389e6082950614ad326181ef72df5da0d10703058e86b4327114ecdb0716fa45a7e32d3840

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer

Filesize
36KB

MD5
ab0262f72142aab53d5402e6d0cb5d24

SHA1
eaf95bb31ae1d4c0010f50e789bdc8b8e3116116

SHA256
20a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb

SHA512
bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
dbc9cdf67293dd4568cf355ce8d08fa9

SHA1
070f852b9b42b966ecf69995fece0617761c72fd

SHA256
22de51dd5b2f883bebf9ebb9e7733179c1b906fa2456a5e51326e43ede95c1ce

SHA512
41b11087460436c097d0fabc8053fede9ca4465db819e9d506f28017f7f5f8647fb42840b1779c28006ee9226ed03379b439cea42ed00f435d2c71c2bae4eb71

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
5KB

MD5
c61cf9edef915abc02d7c5f7159e2ebe

SHA1
f5687a65fe8cfe15af74ec212a1d6b150995f75c

SHA256
ca89e2f89f04b22762701c9c8c4ef285042792d4256d873186e37acf848ba38b

SHA512
a01392d5f0d33ab9f78e73959b0ab8564225b0449cd9c21d4990eb4d3ecb4ba621453c8f8d44569a93869af4b5147b518616d81eff5309bc4b155010a41c2b31

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin

Filesize
10KB

MD5
5b43e2bbed841fbfc37b55963acc009e

SHA1
46df488df006594909838bfe17ab821aabd2839e

SHA256
0e3cbbaf370a4a9a00ee7e2e136b2872c0678414e0f0af3f0eb1968bcaf88025

SHA512
9ec17826c4c685e15261c5fb069aa73fe928fb1b87416b61f3307ee09d10142b3589e8d69957b8396e9183c4e43beeabbc91812c5430a6e8c575633e5fa0d967

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4fiuh0w.vb4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C78B004E-AE3C-4686-88CB-185CD0F5335B}.png

Filesize
5KB

MD5
00e5fcfd833151f7cbde607e2f7afeb4

SHA1
55839875c0947aafebff53d22ccc5dad29fe3563

SHA256
b80192aaabe007baecd0603e3ce183e9d554b8a6b0411d20716acfa086ae3035

SHA512
f056777a1987c3becdc217bdc2d82e6aa41086d38fddaa45c42f1726b6f7b7616a10918081650e825a724464ef148b669bc258d38a62e0de8642e2607a0b0de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
7KB

MD5
2cb0ec95a6f97aea763cec058e88577e

SHA1
d430d858e8a35cdc424fdc83de62b8832b670d12

SHA256
e4fbf0de11ec007cdf07edada6e4ee1f7c3b14963361d53393a03a09143a6855

SHA512
21285f661b8f513c484309613b0d7f97d4f3aaa09d10982a8f867549dfc61b316983c14a52ebc76ea6371e79c5b71f9b0a08901f167cbc5ffd1332aecd444d93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
14KB

MD5
2257fa8cef64a74c33655bd5f74ef5e5

SHA1
b9f8baf96166f99cb1983563e632e6e69984ad5c

SHA256
ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3

SHA512
7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.akira

Filesize
52KB

MD5
6fdd11b120e3fdfc8358ca5b1a6fac3c

SHA1
b75a1d7d25a29109d1926d0588eb3bc150c51a63

SHA256
8342da12eacb08c93f0e5d531d02ddbae22eafe4242b80d4f9e69ebf9dab27dd

SHA512
8eaf75bc1094577fede879b6a615bbe72aba1fb519a3d13f84b44a5d84fbbc545d477b4e0231902d47446d8c3b205db9d8dc5b0b041a642c2bd17e9ab8e6ef47

Download Submit
memory/60-14471-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1228-15922-0x000002983F770000-0x000002983F870000-memory.dmp

Filesize
1024KB

Download
memory/1228-15923-0x000002983F770000-0x000002983F870000-memory.dmp

Filesize
1024KB

Download
memory/1228-15927-0x0000029840590000-0x00000298405B0000-memory.dmp

Filesize
128KB

Download
memory/1228-15952-0x0000029840B60000-0x0000029840B80000-memory.dmp

Filesize
128KB

Download
memory/1228-15940-0x0000029840550000-0x0000029840570000-memory.dmp

Filesize
128KB

Download
memory/1228-15924-0x000002983F770000-0x000002983F870000-memory.dmp

Filesize
1024KB

Download
memory/1336-15627-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/1376-16195-0x0000021429520000-0x0000021429540000-memory.dmp

Filesize
128KB

Download
memory/1488-15646-0x00000203DF150000-0x00000203DF170000-memory.dmp

Filesize
128KB

Download
memory/1488-15656-0x00000203DF560000-0x00000203DF580000-memory.dmp

Filesize
128KB

Download
memory/1488-15635-0x00000203DF190000-0x00000203DF1B0000-memory.dmp

Filesize
128KB

Download
memory/1552-15494-0x000001D4625E0000-0x000001D462600000-memory.dmp

Filesize
128KB

Download
memory/1552-15505-0x000001D462CF0000-0x000001D462D10000-memory.dmp

Filesize
128KB

Download
memory/1552-15483-0x000001D462920000-0x000001D462940000-memory.dmp

Filesize
128KB

Download
memory/1552-15480-0x000001D461900000-0x000001D461A00000-memory.dmp

Filesize
1024KB

Download
memory/1584-15020-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2200-16187-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/2512-15322-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2640-15361-0x000001F9BD5E0000-0x000001F9BD600000-memory.dmp

Filesize
128KB

Download
memory/2640-15352-0x000001F9BCFD0000-0x000001F9BCFF0000-memory.dmp

Filesize
128KB

Download
memory/2640-15330-0x000001F9BD220000-0x000001F9BD240000-memory.dmp

Filesize
128KB

Download
memory/2640-15326-0x000001F9BC200000-0x000001F9BC300000-memory.dmp

Filesize
1024KB

Download
memory/2640-15325-0x000001F9BC200000-0x000001F9BC300000-memory.dmp

Filesize
1024KB

Download
memory/2644-16050-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/2736-15208-0x000001DCD2F80000-0x000001DCD2FA0000-memory.dmp

Filesize
128KB

Download
memory/2736-15177-0x000001DCD2BB0000-0x000001DCD2BD0000-memory.dmp

Filesize
128KB

Download
memory/2736-15186-0x000001DCD2B70000-0x000001DCD2B90000-memory.dmp

Filesize
128KB

Download
memory/2800-14472-0x00000277AB420000-0x00000277AB520000-memory.dmp

Filesize
1024KB

Download
memory/2800-14490-0x00000277AC200000-0x00000277AC220000-memory.dmp

Filesize
128KB

Download
memory/2800-14503-0x00000277AC7A0000-0x00000277AC7C0000-memory.dmp

Filesize
128KB

Download
memory/2800-14477-0x00000277AC240000-0x00000277AC260000-memory.dmp

Filesize
128KB

Download
memory/3244-16054-0x000001FE76B00000-0x000001FE76C00000-memory.dmp

Filesize
1024KB

Download
memory/3244-16053-0x000001FE76B00000-0x000001FE76C00000-memory.dmp

Filesize
1024KB

Download
memory/3244-16058-0x000001FE77B20000-0x000001FE77B40000-memory.dmp

Filesize
128KB

Download
memory/3244-16073-0x000001FE77EE0000-0x000001FE77F00000-memory.dmp

Filesize
128KB

Download
memory/3244-16061-0x000001FE777D0000-0x000001FE777F0000-memory.dmp

Filesize
128KB

Download
memory/3244-16055-0x000001FE76B00000-0x000001FE76C00000-memory.dmp

Filesize
1024KB

Download
memory/3440-14874-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/3452-15781-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3696-14745-0x0000027308300000-0x0000027308320000-memory.dmp

Filesize
128KB

Download
memory/3696-14758-0x0000027308700000-0x0000027308720000-memory.dmp

Filesize
128KB

Download
memory/3696-14733-0x0000027307420000-0x0000027307520000-memory.dmp

Filesize
1024KB

Download
memory/3696-14736-0x0000027308340000-0x0000027308360000-memory.dmp

Filesize
128KB

Download
memory/3696-14732-0x0000027307420000-0x0000027307520000-memory.dmp

Filesize
1024KB

Download
memory/3700-15920-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/3776-15-0x00007FFF2C2D0000-0x00007FFF2CD91000-memory.dmp

Filesize
10.8MB

Download
memory/3776-12-0x00007FFF2C2D0000-0x00007FFF2CD91000-memory.dmp

Filesize
10.8MB

Download
memory/3776-10-0x00000184CDDD0000-0x00000184CDDF2000-memory.dmp

Filesize
136KB

Download
memory/3776-11-0x00007FFF2C2D0000-0x00007FFF2CD91000-memory.dmp

Filesize
10.8MB

Download
memory/3776-0-0x00007FFF2C2D3000-0x00007FFF2C2D5000-memory.dmp

Filesize
8KB

Download
memory/3836-14727-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/3908-15023-0x0000017B82300000-0x0000017B82400000-memory.dmp

Filesize
1024KB

Download
memory/3908-15058-0x0000017B82F90000-0x0000017B82FB0000-memory.dmp

Filesize
128KB

Download
memory/3908-15024-0x0000017B82300000-0x0000017B82400000-memory.dmp

Filesize
1024KB

Download
memory/3908-15025-0x0000017B82300000-0x0000017B82400000-memory.dmp

Filesize
1024KB

Download
memory/3908-15028-0x0000017B82FD0000-0x0000017B82FF0000-memory.dmp

Filesize
128KB

Download
memory/3908-15059-0x0000017B835A0000-0x0000017B835C0000-memory.dmp

Filesize
128KB

Download
memory/4520-15475-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/4532-15796-0x000001E5A6C20000-0x000001E5A6C40000-memory.dmp

Filesize
128KB

Download
memory/4532-15807-0x000001E5A7020000-0x000001E5A7040000-memory.dmp

Filesize
128KB

Download
memory/4532-15788-0x000001E5A6C60000-0x000001E5A6C80000-memory.dmp

Filesize
128KB

Download
memory/4552-15169-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/4664-14882-0x000002236F880000-0x000002236F8A0000-memory.dmp

Filesize
128KB

Download
memory/4664-14900-0x000002236FC50000-0x000002236FC70000-memory.dmp

Filesize
128KB

Download
memory/4664-14889-0x000002236F840000-0x000002236F860000-memory.dmp

Filesize
128KB

Download