9de94be52e669684a401810dd255cfc34ca25f91432086e755f785acee789517

Analysis

max time kernel
59s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240802-de
resource tags

arch:x64arch:x86image:win10v2004-20240802-delocale:de-deos:windows10-2004-x64systemwindows
submitted
18-09-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FTA RansomWare _v1.exe
Size

1.0MB
MD5

eb3c187ffa93148e3c46c4a13e5087c0
SHA1

3119ee5b8495efcb7ad9bc2e828679cb2abc339b
SHA256

9de94be52e669684a401810dd255cfc34ca25f91432086e755f785acee789517
SHA512

5006b26482fcf83a36c167a1f1ee60b46e0d59dea2d31700baa14e362b44949fac7f4f47a776d3a7f082c0186ba7f076b9693f01c00a92e37a2c5b061a23c922
SSDEEP

12288:s81lcRX7J1Ote+HfKst1I0OaLU2oUefp6WnbmgM4nPllwurndV02WC/R:s81lgn0egDiHpnnbmgM4PlbsiJ

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\dxgmms1.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\afd.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\pmem.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\afd.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\luafv.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\http.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\rdpdr.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\uk-UA\SensorsCx.dll.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\mskssrv.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\i8042prt.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\nwifi.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\lltdio.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\mausbip.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\pci.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\mouhid.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\EhStorPwdDrv.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\NfcCx.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\BthMini.SYS	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\srv2.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\scmbus.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\sdstor.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\pciide.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\UcmUcsiAcpiClient.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\fileinfo.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\MTConfig.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\NdisImPlatform.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\percsas2i.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\asyncmac.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\cimfs.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\EhStorTcgDrv.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sas2i.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\hidbatt.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\storqosflt.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\usbdr.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\vmbus.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\en-US\partmgr.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\agilevpn.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\bthenum.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\scfilter.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\tcpip.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\storahci.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\hidir.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\disk.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\tsusbhub.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\SensorsCx.dll.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\acpiex.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\rfxvmt.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\sdstor.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\hidclass.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\wimmount.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\en-US\sermouse.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\ntfs.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\hdaudbus.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\vmstorfl.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sss.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\rdbss.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\storqosflt.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\KNetPwrDepBroker.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\ksecdd.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\NdisImPlatform.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\kbdhid.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\wacompen.sys.mui	FTA RansomWare _v1.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	FTA RansomWare _v1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Public\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	FTA RansomWare _v1.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	FTA RansomWare _v1.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VSP-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-UtilityVM-Containers-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DMRCDecoder.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\ialpssi_gpio.INF_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\lltdio.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\wpdmtphw.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\bxnd60a.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Storage-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS{53b39e63-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\cryptnet.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\de-DE\inetcpl.cpl.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\de-DE\smartscreen.exe.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\uefi.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\C_949.NLS	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\de-DE\UevAgentDriver.sys.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgatew.inf_amd64_7e6c377859cfcb7c\mdmgatew.inf	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientExtensions-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UpdateTargeting-ClientOS-EKB-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.264.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CodeIntegrity\CiPolicies	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\de-DE\mispace.dll.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationheadset.inf_amd64_47c7e539c0156424\PerceptionSimulationHeadset.inf	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Not-Supported-On-LTSB-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-RemoteApplications-Client-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\de-DE\ddputils.dll.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\de-DE\sdrsvc.dll.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\dot3api.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netelx.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\halextintclpiodma.inf_amd64_7f59f2c73a7fab14	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0111~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\de-DE\sort.exe.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.inf	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ehstortcgdrv.inf_amd64_5cb0c23f45dac01c\EhStorTcgDrv.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HgsClient-Core-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\certmgr.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\EAPHost.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\0409	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DdcComImplementationsDesktop.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\downlevel\api-ms-win-core-processenvironment-l1-1-0.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_nettrans.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\dataclen.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\control.exe	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\de-DE\hlink.dll.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\hidspi_km.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Guest-KernelInt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\lsi_sas3i.inf_amd64_79c7a4d8be0a9744\lsi_sas3i.sys	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netip6.inf_amd64_f29ffcd2b14f21f5\netip6.inf	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\basicdisplay.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\microsoft-windows-mspaint-fod-package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.746.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Feature-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_22_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DevicePairingExperienceMEM.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_glk.inf_amd64_dad1e0a2b185e32b	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_e87e378eb673af65\mdmhay2.inf	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_A_TP203NA.bin	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Internet-Browser-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Feature-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-InternetPrinting-Client-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\dc21x4vm.inf_loc	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\percsas3i.inf_amd64_c17a63dada1eaa02\percsas3i.sys	FTA RansomWare _v1.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\fdc.PNF	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.Resources	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions.resources	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Web.Mobile.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.264.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\1040	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.it.resx	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.resx	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\WindowsBase.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\SystemRestore.adml	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Multimedia-MF-WOW64-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\it\DropSqlPersistenceProviderLogic.sql	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Net.Http.WebRequest.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\INF\.NET CLR Data\0000\_DataPerfCounters_d.ini	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoft.ApplicationId.Framework.Resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\System.ServiceProcess.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsCore-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Windows.Forms.DataVisualization.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\QOS.adml	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Help-ClientOOBE-Feature-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design.Resources\3.5.0.0_fr_b77a5c561934e089	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es-ES	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Holographic-Desktop-Merged-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Multimedia-MFCore-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\diagnostics\index\NetworkDiagnostics_5_Inbound.xml	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Globalization\ICU\icudtl.dat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\System.Web.DataVisualization.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Host-Guardian-Deployment-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-DataCenterBridging-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Boot\EFI\hu-HU	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Help\mui\040C	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoft.ApplicationId.RuleWizard.Resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PhotoBasic-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Linq.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Xml.Linq.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.EnterpriseServices.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics.Vectors.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Numerics.Vectors.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Data.Entity.Design.resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Common-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\INF\netwtw04.inf	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Media\Show_48000Hz.raw	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Compute-System-VmDirect-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Branding\Basebrd\ja-JP\basebrd.dll.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Host-Guardian-Deployment-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-Optional-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\diagnostics\system\Power\en-US	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.Resources\2.0.0.0_es_b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.Resources.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\PolicyDefinitions\VolumeEncryption.admx	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Identity-Foundation-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\diagnostics\system\IESecurity\uk-UA\DiagPackage.dll.mui	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.dll	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\diagnostics\system\Keyboard\ja-JP	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\PolicyDefinitions\Winsrv.admx	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingCommon-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingReceiver-Media-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.mum	FTA RansomWare _v1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFramework.Royale\3.0.0.0__31bf3856ad364e35	FTA RansomWare _v1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lts Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40A;C0A"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Female"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - en-US Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{06405088-BC01-4E08-B392-5303E75090C8}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = 4f12242f895bd461c879f1e773d97c8ee816e4b5a37737ac6216dd9bb9e3a2bb	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\Total = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	FTA RansomWare _v1.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeDebugPrivilege	3012	SearchApp.exe
Token: SeDebugPrivilege	3012	SearchApp.exe
Token: SeDebugPrivilege	3012	SearchApp.exe
Token: SeDebugPrivilege	3012	SearchApp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2396	notepad.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3012	SearchApp.exe
3012	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\FTA RansomWare _v1.exe
"C:\Users\Admin\AppData\Local\Temp\FTA RansomWare _v1.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=de --service-sandbox-type=asset_store_service --field-trial-handle=1628,i,10321913671405323973,12338093221500387349,262144 --variations-seed-version --mojo-platform-channel-handle=3408 /prefetch:8
1⤵
PID:1388

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:1616

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy
1⤵
PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3836

C:\Windows\notepad.exe
"C:\Windows\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PN3DX0DD\microsoft.windows[1].xml

Filesize
97B

MD5
cd2e0477d1761e022cdfcd49a187f035

SHA1
73de4f2c49d11c44a14c790ad6eb0bf8929a7802

SHA256
e27489848643b86ce44fc4a41214ab3ef8b2ba136d947e6a797351e072c2476d

SHA512
5a833fdd74eaff6397a88cccbdfe94d8c7671710a3b29f676fde1f942ea3c1e81e20b43d80214777e418904d31d75cb512cfcd2c9ff1ee2ca7a73a9252630e6c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe

Filesize
36KB

MD5
bad093419be1135cfe9694ea77088c78

SHA1
76204c7ca72cf666add9c9931389d635c82e8af0

SHA256
136808af50ee73df9befd76f7aca21765782565b0095227c5a287f3be0b5ef3c

SHA512
3b5cb7f80d7cbc557b5a32a995cd607257ac8e56af935ce6f64c54ba1f311a65ef00c69c69047b6eb7bb678c2b1bc0a3c37548aef417ea49e414e1a34bcf651d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{461ad9ea-1d4b-4607-aae9-6463bce799ad}\0.0.filtertrie.intermediate.txt

Filesize
14KB

MD5
641b04c0c2e568ecea6d8d29f1e8e9e5

SHA1
086d3a349aced38254367eb0c4204637ac06033e

SHA256
806d6968803e161fd84c284e60962fe3eaebbb8602554349923453e44297073f

SHA512
bdf26098bbdec4fc023a1ce2bcbf6ee595f6381f2a4ede7f87caa8b09381fede8d5530e36dde46c7971398aeb515116ac363f2e30c5879ab3846bd5994b0814a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{461ad9ea-1d4b-4607-aae9-6463bce799ad}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{461ad9ea-1d4b-4607-aae9-6463bce799ad}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{461ad9ea-1d4b-4607-aae9-6463bce799ad}\Apps.ft

Filesize
20KB

MD5
6f0c247471743fa91434f295608e4d40

SHA1
4a32b7ddf68e58e2a721d32f4d87644f19300dcd

SHA256
e957a261ed739a0a98f774ca46a4baa5e0c9b430cacf9df2148da46d6b1d038c

SHA512
3b8e42a74571feebd0de63a06265573040b39bad7477b11b38a78d1f67a8e0249697c9320f81b135e79ac852cac880d0f765697332067b8c29433638a542c251

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{461ad9ea-1d4b-4607-aae9-6463bce799ad}\Apps.index

Filesize
969KB

MD5
b29111b8884b5de898e2877cc008829e

SHA1
cfe1976d83a45a05ebb18218b2228ba20db2a40b

SHA256
2e1d413b2d59d3b873007493e70a3b870750009f105f04e95756deabc33c6504

SHA512
8e11f13900b7b90efc18af2341bf93c4b94c38ede58c5f578f676e5be9599c3369bcf6664494aa032f60da70d7327ba1a4eb54ef5e56ff814245ee46c091370d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{8eb81df9-4169-49a5-a63e-5d27ae462a92}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{8eb81df9-4169-49a5-a63e-5d27ae462a92}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{8eb81df9-4169-49a5-a63e-5d27ae462a92}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{8eb81df9-4169-49a5-a63e-5d27ae462a92}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{8eb81df9-4169-49a5-a63e-5d27ae462a92}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133711642969583651.txt

Filesize
74KB

MD5
f49be28fb77ae6d0f34753829256d56c

SHA1
8fb4c2135f4f16d1a92f710dea4215722845e653

SHA256
95c670be7031c14460996855d420407d49d164538520ad4b06489e7a21419f40

SHA512
02c8f418df4b1d990502055a5c53e34ed69d5df7769cdca71f222b9ddb07e513d2705a2beab600e8accda3a0c65255413ca10f91514f411a57c7dfa7884d0c36

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt

Filesize
801KB

MD5
f1cf4337c201c880528cfd12111e103c

SHA1
8b1870cc3b0c43c8bfc88fb65d245da58e82651e

SHA256
aa5a3795294bcf13c6482f98209e65d40ba8fe6030e3588cc77e9cab0424d339

SHA512
75cfca0a9b339aaff950597e8aedf0cd3db090cc819816890e7f76abdac89aeb1562ea569aba77b35242563ac30770497e8e30d65efb378a1c97d10314bac5b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
10KB

MD5
da031d91637fc2a506ec2a7c7ed4e1ae

SHA1
75285db476659c8d4d5f7726661f8765d1725104

SHA256
77c5575c8465236509e5976bd406a8b25e39d6f4a57a20fb554728d41f4df4c0

SHA512
162d78218fc4bb8815c49c6e80e063d3eefd7c535bd641f02f2ce319c20c8fe3598ed06c6b4325b580dd7247a3046dc35386a5470c069ae40f67e43b9e4f433b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
10KB

MD5
cfa963b1ba3c6115d488ce7c9e58902c

SHA1
2f9e2ec9e0ad04e624a6ff7016a1cfc60a10b0fa

SHA256
30aceea2bd1217ce98eb6b9b1a075ce8d386229eda1a59a886e9fb205b2323e5

SHA512
4ad9ef8f31ad65399c11a408955844af331c2218472f9489b742314e5ea5290cea1a7d61ab30b3d26272dcdd157bd81774f78c9ec2f5266cd291e972716ee78c

Download Submit
memory/2660-48-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-51-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-54-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-47-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-55-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-56-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-57-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-59-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-58-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-60-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-61-0x00000153FEA80000-0x00000153FEA81000-memory.dmp

Filesize
4KB

Download
memory/2660-63-0x00000153FEB90000-0x00000153FEB91000-memory.dmp

Filesize
4KB

Download
memory/2660-62-0x00000153FEA80000-0x00000153FEA81000-memory.dmp

Filesize
4KB

Download
memory/2660-65-0x00000153FEB10000-0x00000153FEB11000-memory.dmp

Filesize
4KB

Download
memory/2660-64-0x00000153FEB10000-0x00000153FEB11000-memory.dmp

Filesize
4KB

Download
memory/2660-0-0x00000153FA640000-0x00000153FA650000-memory.dmp

Filesize
64KB

Download
memory/2660-35-0x00000153FE900000-0x00000153FE901000-memory.dmp

Filesize
4KB

Download
memory/2660-50-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-52-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-53-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-49-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-16-0x00000153FA740000-0x00000153FA750000-memory.dmp

Filesize
64KB

Download
memory/2660-46-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-45-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-44-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-42-0x00000153FEA50000-0x00000153FEA51000-memory.dmp

Filesize
4KB

Download
memory/2660-43-0x00000153FEA70000-0x00000153FEA71000-memory.dmp

Filesize
4KB

Download
memory/2660-41-0x00000153FEA50000-0x00000153FEA51000-memory.dmp

Filesize
4KB

Download
memory/2660-39-0x00000153FEA40000-0x00000153FEA41000-memory.dmp

Filesize
4KB

Download
memory/2660-40-0x00000153FEA50000-0x00000153FEA51000-memory.dmp

Filesize
4KB

Download
memory/2660-37-0x00000153FEA40000-0x00000153FEA41000-memory.dmp

Filesize
4KB

Download
memory/3012-67-0x0000028917700000-0x0000028917800000-memory.dmp

Filesize
1024KB

Download
memory/3012-68-0x0000028917700000-0x0000028917800000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads