Analysis
max time kernel: 569s
max time network: 637s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64 arch:x86 image:win10ltsc2021-20241023-en locale:en-us os:windows10-ltsc 2021-x64 system
submitted: 04-11-2024 03:37
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win10ltsc2021-20241023-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: f5b93af3ee1b64dacd2bac9ba4af9b27
SHA1: 1f2a038199a71a2b917dca4dff2f5fac5e840978
SHA256: 48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
SHA512: 83703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302
SSDEEP: 49152:mv2I22SsaNYfdPBldt698dBcjHQzRJ6TbR3LoGd/oobTHHB72eh2NT:mvb22SsaNYfdPBldt6+dBcjHQzRJ6FA
Malware Config
Extracted
quasar
1.4.1
Office04
Inversin-43597.portmap.host:43597
80329fd2-f063-4b06-9c7e-8dbc6278c2a3
encryption_key: 744EA1A385FEBC6DA96387411B7000D77E66B075
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: java updater
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
resource | yara_rule
behavioral1/memory/5116-1-0x00000000006A0000-0x00000000009C4000-memory.dmp | family_quasar
behavioral1/files/0x0028000000045041-3.dat | family_quasar
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | Client.exe
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.
Deletes itself (1 IoCs)
pid | Process
852 | Client.exe
Executes dropped EXE (1 IoCs)
pid | Process
852 | Client.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Wallpaper = "\"C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg\"" | Client.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | wmplayer.exe
File opened (read-only) | \??\V: | wmplayer.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\I: | wmplayer.exe
File opened (read-only) | \??\S: | wmplayer.exe
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\U: | wmplayer.exe
File opened (read-only) | \??\Y: | wmplayer.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\H: | wmplayer.exe
File opened (read-only) | \??\P: | wmplayer.exe
File opened (read-only) | \??\W: | wmplayer.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\M: | wmplayer.exe
File opened (read-only) | \??\T: | wmplayer.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\A: | wmplayer.exe
File opened (read-only) | \??\L: | wmplayer.exe
File opened (read-only) | \??\N: | wmplayer.exe
File opened (read-only) | \??\Q: | wmplayer.exe
File opened (read-only) | \??\X: | wmplayer.exe
File opened (read-only) | \??\Z: | wmplayer.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\B: | wmplayer.exe
File opened (read-only) | \??\G: | wmplayer.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\J: | wmplayer.exe
File opened (read-only) | \??\K: | wmplayer.exe
File opened (read-only) | \??\O: | wmplayer.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\R: | wmplayer.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fb801a51-cb44-4861-aab5-5095cbe45332.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241104034118.pma | setup.exe
Drops file in Windows directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unregmp2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmplayer.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
7256 | mspaint.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 42 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
Enumerates system info in registry (2 TTPs, 45 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70990e676b2edb01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1646721288" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141483" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b5f7b9c8d0056d4cb6a81b653656cce700000000020000000000106600000001000020000000a97eec8c786a937c258fe00912b460edae42743f2489b50411161ef3a92564f2000000000e800000000200002000000087270dcfed6f346797b12c297becc69c35ede2a7c2ac73569176c3598865c51a20000000f9e89c4e765faf8a564d0c09d4ed206639858fef635d8e0d93e440f57bd939a4400000004787bedeb4e31c00903f194c30a855f78469fae8c765851ab16bb72aa14a58d7e378bf8551b29bac5030613c9e624d813e104ff87e31585450f6f8fc199cb81c | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1741405798" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437456609" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e60dba071121c3449617e227b63a842d00000000020000000000106600000001000020000000096c13306e57d7314b9ff7c4b3f23c393b87103c43587a012b94a97536fbcf9f000000000e800000000200002000000055c265c9c16e7671aa9eeeb9f88e90e1de64b6580d6b19b420993a69aa616eab200000009b80e3c5a0041161a844aa9b893a9c30bc972e1f096ca3341d8e49f45a881f624000000064fc7a8822507a72b4840aac4da9e141521a70282a6a2adda674047fcefd20831b502b2336de93bb9bef4d7403b34652c268c46630ce68b2225b25986f5e01a4 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604d29676b2edb01 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1614686810" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1618829121" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141483" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8BDE4AC5-9A5E-11EF-96B2-D61134EACE76} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141483" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80fc26086c2edb01 | iexplore.exe
Modifies registry class (45 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | Client.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | OpenWith.exe
Opens file in notepad (likely ransom note) 9 IoCs
Generic heuristic: in this run the files handed to Notepad are C:\Users\Admin\ntuser.ini and C:\Users\Admin\AppData\Roaming\UndoReceive.ini (see the process tree), so the ransom-note interpretation does not apply here; Quasar is a remote access tool, not ransomware.
pid Process
7680 NOTEPAD.EXE
1184 NOTEPAD.EXE
1716 notepad.exe
6884 NOTEPAD.EXE
4108 NOTEPAD.EXE
5752 NOTEPAD.EXE
7736 NOTEPAD.EXE
8500 NOTEPAD.EXE
3400 NOTEPAD.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here both the dropper (PID 5116) and the installed copy (PID 852) run schtasks to create a task named "java updater" that launches C:\Users\Admin\AppData\Roaming\SubDir\Client.exe at logon (/sc ONLOGON) with /rl HIGHEST; the task name, subdirectory and file name match the startup_key, subdirectory and install_name values of the extracted Quasar configuration.
pid Process
3368 schtasks.exe
4088 schtasks.exe
-
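The two schtasks invocations above are the sample's persistence mechanism. The following Python is an added example, not part of the sandbox output and not Quasar's own code: it parses schtasks /create command lines in the form logged in this report and scores them for the persistence pattern seen here (logon trigger, highest run level, target under a user-writable profile path, updater-style task name, /f overwrite). The lure-word list and the user-writable path prefixes are assumptions made for the example; the two command lines are copied from this report, the benign third one is constructed as a control.

```python
"""Score schtasks /create command lines (as logged in a sandbox process tree)
for scheduled-task persistence indicators."""
import re
from dataclasses import dataclass, field

# Copied from this report's process tree (PIDs 3368 and 4088).
REPORT_CMDLINES = [
    '"schtasks" /create /tn "java updater" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f',
    '"schtasks" /create /tn "java updater" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f',
]
# Constructed control: a daily task launching a binary under Program Files.
BENIGN_CMDLINE = 'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\\Program Files\\Backup\\backup.exe"'

# Assumptions for the example: path fragments a standard user can write to, and
# words that imitate legitimate updaters in task names.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
LURE_WORDS = ("java", "adobe", "google", "update", "updater", "microsoft", "chrome")
STARTUP_TRIGGERS = ("ONLOGON", "ONSTART", "ONIDLE")


@dataclass
class TaskFinding:
    name: str
    trigger: str
    run_level: str
    target: str
    indicators: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.indicators)


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted arguments intact, then drop the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {option: value-or-True} for a schtasks command line, or None if it is not schtasks."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().split("\\")[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        opt = toks[i].lower()
        # An option consumes the next token as its value unless that token is another option.
        if opt.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[opt] = toks[i + 1]
            i += 2
        else:
            opts[opt] = True
            i += 1
    return opts


def assess(cmdline):
    """Score a schtasks /create command line; None when it does not create a task."""
    opts = parse_schtasks(cmdline)
    if opts is None or "/create" not in opts:
        return None
    f = TaskFinding(
        name=str(opts.get("/tn", "")),
        trigger=str(opts.get("/sc", "")).upper(),
        run_level=str(opts.get("/rl", "")).upper(),
        target=str(opts.get("/tr", "")),
    )
    if f.trigger in STARTUP_TRIGGERS:
        f.indicators.append("logon/boot/idle trigger")
    if f.run_level == "HIGHEST":
        f.indicators.append("runs with highest available privileges")
    if any(p in f.target.lower() for p in USER_WRITABLE):
        f.indicators.append("target binary in user-writable path")
    if any(w in f.name.lower() for w in LURE_WORDS):
        f.indicators.append("task name imitates a software updater")
    if "/f" in opts:
        f.indicators.append("/f silently overwrites an existing task of the same name")
    return f


if __name__ == "__main__":
    for line in REPORT_CMDLINES + [BENIGN_CMDLINE]:
        finding = assess(line)
        print(finding.score, finding.name, finding.target, finding.indicators)
```

The parser treats every `/opt value` pair generically, so `/st 02:00` in the control line is consumed cleanly and the control scores zero. Keyed on a sandbox or EDR process-creation feed, the same scoring can be applied to any schtasks.exe command line; a score of four or more with an ONLOGON trigger and a target under AppData is the profile this sample shows.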
Suspicious behavior: AddClipboardFormatListener 13 IoCs
pid Process
3972 vlc.exe
1380 WINWORD.EXE
1380 WINWORD.EXE
3968 WINWORD.EXE
3900 WINWORD.EXE
5352 WINWORD.EXE
6908 WINWORD.EXE
7764 WINWORD.EXE
7812 WINWORD.EXE
8068 WINWORD.EXE
7048 WINWORD.EXE
4272 WINWORD.EXE
8160 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 entries, listed by distinct pid/Process)
852 Client.exe
5468 msedge.exe
5028 msedge.exe
6532 identity_helper.exe
7496 msedge.exe
7132 mspaint.exe
1652 EXCEL.EXE
8460 mspaint.exe
9056 mspaint.exe
1096 mspaint.exe
5976 mspaint.exe
5140 mspaint.exe
7256 mspaint.exe
7912 mspaint.exe
8104 taskmgr.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
3972 vlc.exe
852 Client.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process
5028 msedge.exe (13 entries)
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
SeDebugPrivilege is enabled by both the dropper (5116 Client-built.exe) and the installed copy (852 Client.exe); the remaining entries belong to Windows Media Player, audiodg, Task Manager and svchost.
description pid Process
Token: SeDebugPrivilege 5116 Client-built.exe
Token: SeDebugPrivilege 852 Client.exe
Token: SeShutdownPrivilege 2164 wmplayer.exe
Token: SeCreatePagefilePrivilege 2164 wmplayer.exe
Token: SeShutdownPrivilege 3956 unregmp2.exe
Token: SeCreatePagefilePrivilege 3956 unregmp2.exe
Token: 33 8960 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 8960 AUDIODG.EXE
Token: SeDebugPrivilege 8104 taskmgr.exe
Token: SeSystemProfilePrivilege 8104 taskmgr.exe
Token: SeCreateGlobalPrivilege 8104 taskmgr.exe
Token: SeManageVolumePrivilege 3492 svchost.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process (64 entries, listed by distinct pid/Process)
852 Client.exe
2164 wmplayer.exe
3972 vlc.exe
2992 iexplore.exe
5028 msedge.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
pid Process (64 entries, listed by distinct pid/Process)
852 Client.exe
3972 vlc.exe
-
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process (64 entries, listed by distinct pid/Process)
5004 OpenWith.exe
624 OpenWith.exe
1420 OpenWith.exe
3264 OpenWith.exe
620 OpenWith.exe
5028 OpenWith.exe
360 OpenWith.exe
4868 OpenWith.exe
548 OpenWith.exe
3972 vlc.exe
964 OpenWith.exe
3344 OpenWith.exe
1492 OpenWith.exe
2992 iexplore.exe
5096 IEXPLORE.EXE
4384 IEXPLORE.EXE
1380 WINWORD.EXE
5080 OpenWith.exe
5084 IEXPLORE.EXE
3968 WINWORD.EXE
2040 IEXPLORE.EXE
3900 WINWORD.EXE
4004 OpenWith.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (64 entries, one per write; each distinct row listed once)
PID 5116 wrote to memory of 3368 5116 Client-built.exe 82
PID 5116 wrote to memory of 852 5116 Client-built.exe 84
PID 852 wrote to memory of 4088 852 Client.exe 87
PID 852 wrote to memory of 4108 852 Client.exe 101
PID 2164 wrote to memory of 4012 2164 wmplayer.exe 105
PID 4012 wrote to memory of 3956 4012 unregmp2.exe 106
PID 852 wrote to memory of 3972 852 Client.exe 110
PID 852 wrote to memory of 2992 852 Client.exe 114
PID 2992 wrote to memory of 5096 2992 iexplore.exe 115
PID 852 wrote to memory of 1116 852 Client.exe 116
PID 2992 wrote to memory of 4384 2992 iexplore.exe 117
PID 852 wrote to memory of 1380 852 Client.exe 118
PID 2992 wrote to memory of 5084 2992 iexplore.exe 122
PID 852 wrote to memory of 548 852 Client.exe 123
PID 852 wrote to memory of 3968 852 Client.exe 124
PID 852 wrote to memory of 5028 852 Client.exe 126
PID 2992 wrote to memory of 2040 2992 iexplore.exe 127
PID 5028 wrote to memory of 2084 5028 msedge.exe 128
PID 852 wrote to memory of 3400 852 Client.exe 129
PID 852 wrote to memory of 3900 852 Client.exe 130
PID 5028 wrote to memory of 5460 5028 msedge.exe 132
-
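The WriteProcessMemory rows above record one write per event, so parent/child pairs repeat and the lineage is hard to read. The Python below is an added example, not part of the sandbox report: it parses rows in exactly this format, rebuilds the parent/child tree, and reports fan-out per parent. The embedded rows are a constructed subset copied from the table above so the script runs offline. A parent writing into a child it has just launched is expected (that is why every parent in this table appears here), so the useful output is the lineage and the fan-out, not the writes themselves.

```python
"""Rebuild process lineage from sandbox 'PID X wrote to memory of Y' rows."""
import re
from collections import defaultdict

# Constructed input: a subset of this report's WriteProcessMemory rows, repeats kept
# as the sandbox emits them.
SAMPLE_ROWS = """
PID 5116 wrote to memory of 3368 5116 Client-built.exe 82
PID 5116 wrote to memory of 852 5116 Client-built.exe 84
PID 852 wrote to memory of 4088 852 Client.exe 87
PID 852 wrote to memory of 4108 852 Client.exe 101
PID 2164 wrote to memory of 4012 2164 wmplayer.exe 105
PID 4012 wrote to memory of 3956 4012 unregmp2.exe 106
PID 852 wrote to memory of 3972 852 Client.exe 110
PID 852 wrote to memory of 2992 852 Client.exe 114
PID 2992 wrote to memory of 5096 2992 iexplore.exe 115
PID 852 wrote to memory of 5028 852 Client.exe 126
PID 5028 wrote to memory of 5460 5028 msedge.exe 132
PID 5028 wrote to memory of 5460 5028 msedge.exe 132
PID 5028 wrote to memory of 5460 5028 msedge.exe 132
"""

# description | pid | Process | procid_target, as laid out in the report table
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image) for each well-formed row."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            continue
        writer, target, pid, image, _row_id = m.groups()
        if writer != pid:  # description and pid column disagree: skip the row
            continue
        edges.append((int(writer), int(target), image))
    return edges


def build_tree(edges):
    """Return (names, children): image name per writer pid, and parent -> {child: write_count}."""
    children = defaultdict(dict)
    names = {}
    for writer, target, image in edges:
        names[writer] = image
        children[writer][target] = children[writer].get(target, 0) + 1
    return names, children


def roots(children):
    """Writers that were never written to by anyone else (top of each lineage)."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def ancestry(children, pid):
    """Path from the lineage root down to pid, following the first recorded writer."""
    parent = {}
    for p, kids in children.items():
        for c in kids:
            parent.setdefault(c, p)
    path, seen = [pid], {pid}
    while path[-1] in parent and parent[path[-1]] not in seen:
        path.append(parent[path[-1]])
        seen.add(path[-1])
    return path[::-1]


def fan_out(children):
    """Distinct children per writer; a RAT that launches many unrelated programs stands out."""
    return {p: len(kids) for p, kids in children.items()}


def render(names, children, pid, depth=0, out=None):
    """Indented text tree; leaf children only appear as targets, so their image is unknown."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {names.get(pid, '?')}")
    for child, n in sorted(children.get(pid, {}).items()):
        if child in children:
            render(names, children, child, depth + 1, out)
        else:
            out.append("  " * (depth + 1) + f"{child} ? (written {n}x)")
    return out


if __name__ == "__main__":
    names, children = build_tree(parse_rows(SAMPLE_ROWS))
    for root in roots(children):
        print("\n".join(render(names, children, root)))
    print("fan-out:", fan_out(children))
```

Leaf processes are shown as `?` because the WriteProcessMemory table only names the writer; joining on the process tree (or the pid/Process tables of the other signatures) fills those in. The fan-out figure is the analyst's signal in this report: 852 Client.exe writes into many unrelated children (schtasks, notepad, VLC, Internet Explorer, Word, Edge), which is the launched-program pattern of a RAT rather than of any of those applications.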
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SYSTEM32\schtasks.exe "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f 2⤵
- Scheduled Task/Job: Scheduled Task
PID:3368
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" 2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SYSTEM32\schtasks.exe "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f 3⤵
- Scheduled Task/Job: Scheduled Task
PID:4088
-
-
C:\Windows\system32\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\ntuser.ini 3⤵
- Opens file in notepad (likely ransom note)
PID:4108
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\DebugCheckpoint.aiff"3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3972
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:17410 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5096
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:82946 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4384
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:17422 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5084
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:82948 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2040
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:82954 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:5592
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:82964 /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:7276
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:82974 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:7208
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:17452 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:6368
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\GrantWait.asf"3⤵PID:1116
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\NewStep.dotm"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1380
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\ShowCompare.ram"3⤵PID:548
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\SyncLimit.odt"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\UndoAssert.mht3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff880bb46f8,0x7ff880bb4708,0x7ff880bb47184⤵PID:2084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:24⤵PID:5460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:84⤵PID:5508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:14⤵PID:5784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:14⤵PID:5792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:14⤵PID:5776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:14⤵PID:5836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:14⤵PID:6248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:14⤵PID:6256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:14⤵PID:5180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:84⤵PID:6360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
PID:7152 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7b6625460,0x7ff7b6625470,0x7ff7b66254805⤵PID:5404
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:6532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:14⤵PID:8028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:14⤵PID:7376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:7496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1072 /prefetch:14⤵PID:5408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:14⤵PID:5548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:14⤵PID:8756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:14⤵PID:8848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2148,13885155773957215583,917826109735713427,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6788 /prefetch:64⤵PID:9152
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\UndoReceive.ini3⤵
- Opens file in notepad (likely ransom note)
PID:3400
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\UnlockRepair.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3900
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\DebugCheckpoint.aiff"3⤵PID:5788
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\GrantWait.asf"3⤵PID:6388
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\NewStep.dotm"3⤵PID:6684
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\ShowCompare.ram"3⤵PID:6200
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\SyncLimit.odt"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:5352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\UndoAssert.mht3⤵PID:5456
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff880bb46f8,0x7ff880bb4708,0x7ff880bb47184⤵PID:6688
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\UndoReceive.ini3⤵
- Opens file in notepad (likely ransom note)
PID:5752
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\UnlockRepair.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:6908
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\DebugCheckpoint.aiff"3⤵PID:5892
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\GrantWait.asf"3⤵PID:6692
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\NewStep.dotm"3⤵PID:2628
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\ShowCompare.ram"3⤵PID:7400
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\SyncLimit.odt"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:7764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\UndoAssert.mht3⤵PID:7876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff880bb46f8,0x7ff880bb4708,0x7ff880bb47184⤵PID:7932
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\UndoReceive.ini3⤵
- Opens file in notepad (likely ransom note)
PID:7680
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\UnlockRepair.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:7812
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\DebugCheckpoint.aiff"3⤵PID:5172
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\GrantWait.asf"3⤵PID:8084
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\NewStep.dotm"3⤵PID:7636
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\ShowCompare.ram"3⤵PID:7608
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\SyncLimit.odt"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:7048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\UndoAssert.mht3⤵PID:5612
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff880bb46f8,0x7ff880bb4708,0x7ff880bb47184⤵PID:6780
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\UndoReceive.ini3⤵
- Opens file in notepad (likely ransom note)
PID:7736
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\UnlockRepair.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:8068
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Music\AddProtect.M2V"3⤵PID:2604
-
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Music\ClearCompare.odp" /ou ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:7096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Music\ClearCompress.mht3⤵PID:2780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff880bb46f8,0x7ff880bb4708,0x7ff880bb47184⤵PID:7520
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Music\desktop.ini3⤵
- Opens file in notepad (likely ransom note)
PID:1184
-
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Music\FindDebug.pptm" /ou ""3⤵PID:448
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Music\InitializeApprove.ps1"3⤵
- Opens file in notepad (likely ransom note)
PID:1716
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Music\InitializeFind.vbe"3⤵PID:3680
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Music\NewPop.xlsb"3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:808
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Music\OpenInstall.emf"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:7132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Music\ProtectInvoke.bat" "3⤵PID:3276
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Music\ProtectSuspend.vbe"3⤵PID:1912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Music\RegisterSubmit.html3⤵PID:2448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff880bb46f8,0x7ff880bb4708,0x7ff880bb47184⤵PID:6624
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Music\RenameLimit.asf"3⤵PID:4776
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Music\ResolveEnable.odt"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:8160
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Music\SendUninstall.xlt"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1652
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Music\SetExit.dot"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:4272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Music\WaitTest.pdf3⤵PID:8672
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff880bb46f8,0x7ff880bb4708,0x7ff880bb47184⤵PID:8688
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\ClearFind.emf"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:8460
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\desktop.ini3⤵
- Opens file in notepad (likely ransom note)
PID:6884
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\FormatRestart.jpg"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:9056
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\MeasureAdd.dib"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1096
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\MeasureDebug.bmp"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5976
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5140
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Pictures\ReceiveMount.svg3⤵
- Modifies Internet Explorer settings
PID:3536 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3536 CREDAT:17410 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:8764
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\SavePing.wmf"3⤵
- Drops file in Windows directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7256
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\SearchStart.png"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:7912
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Videos\desktop.ini3⤵
- Opens file in notepad (likely ransom note)
PID:8500
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\SyncLimit.odt"3⤵PID:4288
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\UnlockRepair.doc" /o ""3⤵PID:9364
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"3⤵PID:3304
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5004
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:624
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1420
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3264
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:620
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5028
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:360
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4868
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:4588
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:548
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:964
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3344
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1492
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5080
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4004
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5752
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5844
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:5892
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:5768
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6232
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6692
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6912
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6792
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6704
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6836
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6864
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6188
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6368
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:5576
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6772
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:7172
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:7324
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6216
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6100
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:7592
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:5500
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:8040
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:2016
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:3152
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6612
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:7200
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6992
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:8276
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:8516
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x460 0x2f81⤵
- Suspicious use of AdjustPrivilegeToken
PID:8960
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:4972
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:7924
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8104
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:7972
-
C:\Windows\System32\dnk2o1.exe"C:\Windows\System32\dnk2o1.exe"1⤵PID:7616
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy1⤵PID:3320
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2508
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵PID:1720
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵PID:9780
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵PID:9884
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy1⤵PID:9500
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy1⤵PID:5564
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5788
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Credential Access
- Credentials from Password Stores (2)
- Credentials from Web Browsers (1)
- Windows Credential Manager (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 471B
MD5: 8a30a9b50fedce017b52120d4343b95a
SHA1: 8de5de177d1008f9667108f6b5802a2a52b88a88
SHA256: 4550fdafe58e9e306e641eefdb4bfd0a0f560bad671dfe5730a4ef029b3ffb3d
SHA512: 7edf4b47f415103805bf251adb8e135398ca632eced27d87ee5d40f8854edc7bdf06e84173ed537791dd0a56554d6e692e500274f991bec08d408f9dc73cbab1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 471B
MD5: b4c368f8851eec362f9bab6aa80623da
SHA1: 1960934afb425ff73c3b6546f307e74e64f343ff
SHA256: 9009daecfdb4168f9c167f4742b4f99e650ab1f967f98424d1a3e688f18389c1
SHA512: 2388b164753293d451f7acb162234f15071718f97f5cb340ef3616b81f418a77e3edf8031222861a84aacd3d4e528308c8c5e150fbdbb48b1421edab2d95e723
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 412B
MD5: 973605426184fcdb23f89ae5edab6708
SHA1: f0cdb8c1fc0a00e89d7a8e325cca9b592d4097dc
SHA256: 14a4bb1bc601db0ad12ee787e3c0178d9e2fec43ab8a7552f53281fc494a238d
SHA512: ab58b4705d5ba34097b14785f8ea41fba0ce9a8be09f4438411e9da9e574b4492db5b1895cfef3ad14d25e89526c34315ca4801b054f19e5ec09b8883b3b93e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 420B
MD5: b2aa33958e532214c6810bf39d869b96
SHA1: fca9899503c4b3c3162bbea8a837a0f73a914371
SHA256: ab35a7d533ccc52b5a4ab508d19a8f4ce924968af7fccddf428e5186a41dc971
SHA512: e68a2830d3d0a6aeadb7602bdc94bd5b7d0261faf42dd9e6ab341aa1f42362220da4f8b32314fdfad53acc6b1f38764ea695f220ddb057b5eee288f889a0e3bb
-
Filesize: 152B
MD5: e87625b4a77de67df5a963bf1f1b9f24
SHA1: 727c79941debbd77b12d0a016164bae1dd3f127c
SHA256: 07ecc7bd328990f44b189112a1a738861b0f4528097d4371e1ab0c46d8819f4e
SHA512: 000d74220ba78628b727441c1b3f8813eec7fc97ff9aa6963eb2ab08d09525fa03935b32e86458c42e573b828a22b0b229af02b47eee511dc83de4ed3b5e726b
-
Filesize: 152B
MD5: 5d9c9a841c4d3c390d06a3cc8d508ae6
SHA1: 052145bf6c75ab8d907fc83b33ef0af2173a313f
SHA256: 915ea0e3e872d2b2e7d0e0ca30f282675139c787fec8043a6e92b9ef68b4f67d
SHA512: 8243684857e1c359872b8e795a0e5f2ee56b0c0c1e1c7e5d264c2c28476e9830981bb95244f44c3b2ed334c3e1228f3d6245cce2f3d1f34cdbce8e2af55b4c85
-
Filesize: 152B
MD5: 3a64c98dc7daad5ad686b126bc41fc2b
SHA1: 63ac1632e77c36bec84bdb0155f299040a409119
SHA256: d485dae02e838f24b027b13ea300898a64b8773c27cc95f9e3bfb49beebe694b
SHA512: 3f2d5146750452c323e87296384e8492e2d43fcfc89d570f5a091973a05bb9593390014480258115ce784e586c17fa3a30ef19668006d75b4675b9f469d9dea9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\28f64a1c-81e5-42f8-a236-78b939fc0d46.tmp
Filesize: 4KB
MD5: 94c715d1ab557e88b92be91be1e44847
SHA1: cff1bf06f6291d3f4c414e9ddb6c14008a8c0a39
SHA256: c4f2b0f0f91c44e898b4c01a3e3af04133cd12f322ca4a332da5c714ae4fb7fc
SHA512: ae2f49b312b94ed6dd0e8571c5ca166a092b9bd8132b335bd5c0ff2a11ce911af58ab840dfb24b199d8e2adeb4a36c6be26b124b141014f1833a1a662e51f053
-
Filesize: 70KB
MD5: e5e3377341056643b0494b6842c0b544
SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize: 5KB
MD5: b2aaa130f3a58dfd1b3c256227922ad7
SHA1: de4b296f397ce66d258df0c22c2946421690a389
SHA256: f30fde9c97f60ec21ffc102bf55e093daf49a52f91de05582c73c2890bd739ca
SHA512: a0e4a4cb855705c6386833a888ede68eaadeca4e9fce09e543c6a457de5b49472a3a36abd6c7824aa1d5c0814bcec7484c419b795d0ce0284bffa3657829d98e
-
Filesize: 5KB
MD5: a704be7b96bef43773be70d818417374
SHA1: 032daf1d040ec0baf9747c8606870642f10cd20f
SHA256: 1909a81cc0d284b697dd9589cad76f7013dd8ece686adeab10ddb57dde12eaec
SHA512: dbe092df7909f5dd57557a9b5675fae33a93e112bff7c2aff605dde1409d392808446d4fca5f4fadae6ac637e0c9b10244e2cffcc3c9771c2ef3e7677d020d1d
-
Filesize: 5KB
MD5: 31a42d424a57af44b2bbdf04f9be302a
SHA1: d06fa4ccdb9b92f7dd39608087d10e17593a3322
SHA256: 28a7f0f986b2c7cfed0a402faa7aa30098182024c1399c871d70e910fa97575a
SHA512: 5d7307627ce61d839c4a76ad7283d7d025f1d1f30ed02cc68fbc0a56cdfa680107ab54a94c7d346c1d9b59b2f23377998a3ac25142ed94fd7cc5c3d0fdebd360
-
Filesize: 5KB
MD5: 0a5f17a6a59ab9971fa30830f49a7e64
SHA1: 1bf82a7c7c703b2ba419ce6a5d240ef9595c593f
SHA256: 05bb862c0337be8d2920a1c5ca0ddc60d8912b4dd1a9b3c1fdaa53bfec2da0ae
SHA512: 8364f69f149c62e3d7f9627de3694c3956fcd1839174c7e093b0d4d98e95437250dfbb1936d1a7f2816ef70b1a9c7ea8d6b8e7cd3bb6c8e7ef110c12a34cf765
-
Filesize: 24KB
MD5: 137094a3453899bc0bc86df52edd9186
SHA1: 66bc2c2b45b63826bb233156bab8ce31c593ba99
SHA256: 72d823cac2d49660cdd20ebf4d3ac222c4dd15aae6e5ac4a64f993ef5c4fdd44
SHA512: f8f149c9eab06e8d7e1aa62145f0fc588dc36fc521ef4dceceb80a191b72d79586d920feb5f3b1d19595109cc6d608c143e32f521a4da1068c708a2538899ada
-
Filesize: 24KB
MD5: 364592d2cc18adf665987584bf528cba
SHA1: d1225b2b8ee4038b0c42229833acc543deeab0f6
SHA256: bd97dd6797bb763681cfb1fc3cc21a44a273aab1d9a4f4f9332675c662d2136c
SHA512: 0e852db825e451464cbcfda95eae2dfe780874bd20e7b467604962428007d1735ece752aa5901d468708a68d66d029271d5567b39c530d2d44b875abbff9aa40
-
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize: 8KB
MD5: 16ade98fe50249604b732a2df740bb6a
SHA1: 5e0a89505d4df58140b31f54a8454a54077a06c1
SHA256: c05f136b978be1f4ee9d2043dd2f6cded154b05451ab9ba63e9b7a1f6e05f478
SHA512: 111c1486236828217d51d5a40661aff4e3ae888fdafb36b8b2683ddf9455ecf63945dfbc65925ee7759e13e77df571cf9e907f230638da2b7f212ea92645d722
-
Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize: 512KB
MD5: e3cda569479ef50e500d68e62e6c0720
SHA1: 3404b999c84fe1b971b93ba6b5a15d5383f778e9
SHA256: 6c79a9c47fc1e7a6263b3cacc9269f2ac96bce1754376b6b3075203ebb3953ff
SHA512: c6281d22466017ae07d2523774ac171e87c10ee24e9a3b7ca68a237fa933308e68b433dda09ffe3e56eddf2eb8bf70af4adada34706ef905c87290592ef2f1fa
-
Filesize: 1024KB
MD5: 4a689c66b9ded6bced59e996ccb5cb6c
SHA1: 758c7b5116141dbaa4c86d54c8d8918d161c7ffb
SHA256: 6e1917931fc7668df9c67300fed84f5f659f5178fe0d5079b09f639ffb9d22be
SHA512: ce06863eca3dc4aaa723a702e55c748c728a73d67a7afedc78e462df17a26d7416684337c1c4476f6f55c803f20737e11de7ca983d57e4caf37fb5c0174f9bba
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EE14613F-88CD-4228-B23B-2713F6F7EBED
Filesize: 174KB
MD5: aad79185d56977146e3c01d2c99e4790
SHA1: 255bb3768602aba7967930e1baef199572e9461a
SHA256: 9d47b460e7456231aaf5926e4dd89c27d32729099675a1094c08df2f7733a1c0
SHA512: 0cd50e32fdf57f392e51bbfceb424b8a651b7805307525d15042ab80659fef2ca3a4638f457b0c7c3edbfdb0e296407bfcfb9e4bf28dc1d62187db24430a5eef
-
Filesize: 322KB
MD5: 317f1f9edf5959a34124294155ba2ebb
SHA1: 494e587b8a5bba0e7c486fa43417dea9cc48e6e3
SHA256: 2c90ea17b0fb5989229335f384fbcc84e07fa6f42a9f41f87588b8d474101f26
SHA512: 2a3f4f97ee09fe340d39dc8bbef48c7cbbe6c1d63f71a14cef4694436f50c8d6d48b73be47103d7f3acc26902fcaa69040348e907396cd1aa2299ebedce462c7
-
Filesize: 331KB
MD5: 1bcf6c23bf664d904d38d808ebe2a3d2
SHA1: 66937c0a38e75fa67750219821783ec3f7c85574
SHA256: bfe1107b134aec3f0ca9d47c58c7e59cb5af6214b06bf1431493cc709af7e074
SHA512: 592985d6a19b3857dedeee49863cd77229b5ba01ad26a8711f46858c3693a3dbfd003060a0c7cb868e69f0fd4ddf1d733e7997c1b3eeaba5b85505caad341efb
-
Filesize: 12KB
MD5: ab582b00632e90c8587f312c3b403ab7
SHA1: bbcc1d57a48812e5c9e847b21dbce6bb00fe4626
SHA256: 88e7a68ad4aedc7471b179a66f25c7bba26d6beb4d4da3db0b6346c8794fcea9
SHA512: f9493817f0569fc8c3bf578165a370ff394310ad9f787b6feff3459bb7db17888998b1092c417e1e26c7885b20a42a9fa2337aab3d9f196f5dd80a0b781e0b42
-
Filesize: 4KB
MD5: f138a66469c10d5761c6cbb36f2163c3
SHA1: eea136206474280549586923b7a4a3c6d5db1e25
SHA256: c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6
SHA512: 9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9
-
Filesize: 56KB
MD5: d2e76ef61dc7e98f4773fba1ece5b712
SHA1: 6afc99df443fb1b2d7cbef3de524ddba3916ffc9
SHA256: 8335192938c03f73239fa2ffbedcabb9aaf27e4a6ae8e8a5c1e5c73a6bff6d58
SHA512: 2a90997ecd6d792164f6dfc9d8654a185b639316e89a9cb544399e2e1eaf33eeee3bea9ef4d0e91452bd3fa3ab86e475f9650706793fd605132d3251d93ca2e9
-
Filesize: 60KB
MD5: 20a4dc33a68b59fab76f89bfbf75bf60
SHA1: deb96d5c6101bbcfaf81fd0bc96fcfa2aacecdfa
SHA256: 1e6cfd181bc62e44f28a836de88e8b88c54892755a6aa6c3ab0d9996398022a5
SHA512: 6d2929cc14753421adc574d89a4cedacfc3bf0b688988d7d0cf9faef408527d90ad9a8e734627da26c50f31f9bdb4fd0a7cdd4a5666fbfbdcf4f29d37e6c0959
-
Filesize: 64KB
MD5: 8da346586883fd8135c1fb6ab938759f
SHA1: f20ce0970a097808c8877ddca9a50b9780ff7312
SHA256: 3c25da46f94f1215cf681601a4df0a30bf14ea667782dff068143a3cb91fc010
SHA512: e812c337e23c82ac49ba4d3ab912c1b069bf0ee01680ebc35e8053248723aa456a6a74d0d98774740a1459051f3423da6fae202e58e11aced155dcac6a2b77c0
-
Filesize: 68KB
MD5: 63680913b5f737dc6918f90a5d6b10d5
SHA1: f34285b41751877f0ee9e3f3a6f124bc2894182d
SHA256: 49c2f47e1addd61522848d280756b987de7b38e3d4eb50b614dd4bb4f72515c2
SHA512: f4e06c0fd9f7849b5728595a88d1b34424e6cb54df31689a4894860c4fd0a5206f8b9dcf76a4400e0bd3be498df8af40fad14f32a43e28781d94ac7eb81c6744
-
Filesize: 72KB
MD5: d97ddb471378cea0235525e3b0fe13b8
SHA1: 4ae11d42358f664306f8d88c25d2f276534d5d91
SHA256: 91e08d4732b8fd8854c43ab5a1e76904ff252c1def3ba49d2938e4e427c9f667
SHA512: ff55326ee147ebeaf1570f7f4cac88e2dcfcc8a8b5220f467b853af417dab520d0c8fae20fb55a5154259406b24af397712ae0f5ed10b4509756d80256dfddc5
-
Filesize: 48KB
MD5: 7cd06eee3e7ac7d87b7a72cd0e6b6186
SHA1: c3e526241d9e0fbdb0b29863b2c04b5e6746c64e
SHA256: 8729dfa249f3bf83e2a04aaaa8fe81780fae518472f18dd8cbb61ab69c3189ff
SHA512: 76f8d743f19c30b645817a29cbd98a424ab2871adbc5c1afcebb91f3786c0a5b55d6d2a733be3362e1ca9232296acd6e903e590ace58dd06bdd2381b16ff4f10
-
Filesize: 76KB
MD5: 523d9187ad985d6f5391b5acf39feeb3
SHA1: bdad757d3018b25773e674210309883463bfaab6
SHA256: ee5410cdf4bc579df471b280227ca3155e7ac9d3e486f46bf9be317c516352cb
SHA512: 2b1bf0169e4532118d341fcc577ddb65209a541fa2b03a7900c0f199a51cbf5f0fcd49f245c1d913159e8f2f6d9fd19fa88a9e1816c3dea022da2a23a3099895
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 3ab676fa1d6aea3e64e30f91db53e8d2
SHA1: 34ac39f7f0d1f02a7424e76d4e16503b6f259387
SHA256: fa5f39865b527c88d453e7364adb2d313d44301915995dec6c432c564c9f48a0
SHA512: 8be490e507684ebcf2c033cd5925ce52ac038984a0a7d4a54a6651af900c63a2ee686e62acf5e098232ad8eca3d772d0cbd7f59ca3b283e047cd5e75fa36e6b1
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: a6780c9b9616f0127c8fbfc6fe2dbac1
SHA1: 771d966409c640b17ad486f5ca6c5798b562eb07
SHA256: 046027cca40115404409c0093c0593734a90cb85e783e18ca66650fc33b9c55c
SHA512: f7e1231d5ef75a2e1b284dc4c14a66d9f4948bf0d0102d332b52bd38e6dbb87c99816481ed0117f10b40973319bbbf815608009525ab6e6f5e5f4cbccfb9b44a
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 5b16b92714df4b5d0256c7ff03f049c9
SHA1: 0975d702080b9abac4192b867435257dd69e271c
SHA256: b31e651ef4aeb9648a5b8a0a8b1ac2b9917cc249f8c033076ec7ff25337b769f
SHA512: 2c2b3cb4f7cbefd370ac296e5826107dac8b23a65c445ded41144695c54dde789f9689bb26e66230a45274b7c216b79b27622a651d4c298fa169b5ff27bd6bfd
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 0e76b6f629e3f7dc5fd5ffb1b3e271f7
SHA1: 6e39dfcf80d9ea47fc4c9429a322b44570285975
SHA256: d4422c3f1c85b75c7197464d3097ea4f3df9aa85692fe213109507b34f67ff6a
SHA512: 38b87dcfe0cc794a7a80ee1d9e60474677d9f15db0010202e007f6a39cd67b13ef26bb06597793233c43dab4ed9eb5e973c37e08c8a7c579dc7fa90b5335a215
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize: 4KB
MD5: 6b78fa3b6764843019ce634bab3e9e35
SHA1: 00324e70254fc02c6c1750e760457221f5e484fe
SHA256: e0390cf277f6bf346ff69d0fd83e97198d04b56451f04542e8858cda43111864
SHA512: 1a4b62d687cc0ff599f46ecce1039c51aea2ec06857d74b44487249d2c6425231a1f2fa4f3ca935d60c1607f8402bdce6849ba40745c6b9fc40626ae36dbcc12
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres
Filesize: 2KB
MD5: 27eda8adf9332347f36e283e282a9cc3
SHA1: b8def883d4d314def934e290cc40d46bc1b9099e
SHA256: a26a8135f0471ee5aa26586a0df5a3d6e984427fa835167b6c9a166a0c1dc91b
SHA512: daa80241d11057fb142be5e1cc0e3644e07fb5c32c10df999772972f2ea1ba210f86bea7b512ddd984fa506a8c5c69f9076d5d46e3fd12a797b7f2a4b57216fb
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
Filesize4KB
MD58d70f115661b216ebc5614f6f581c66b
SHA10144a120f14aa039633ea8cc07d37f4cbc191e1f
SHA256a98d9b4b0fad92d980d8b35c9b3f29f55e4dc7a25dec20c2e6128b19f60a731e
SHA512d3709c30bf47c7840aab09dd4f5c3a814530d0a333f21ce5e63955c569714f2214da7fc05b876b79806d452a94143c5ac3fa39925f3bf60b76e58e54ed31a5a4
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
Filesize4KB
MD5e61accdb7bf15a49b9601702f482a2d8
SHA1f8a425f47e624a51168ed4847fee72ee961c0aac
SHA256ec7353631fa2d23445bb5b596a495f7b0a4e22402ace5834961b55cb307d8f45
SHA51222ef4a09b691923371eafc7e048d5e8515c8baa979022b8465731afff35300a2b693c39a47f6a22984b33fae523315fb1fbe25a68f3d095855e48cb33e55c07f
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
372KB
MD546566e6b718d020466d72fb21543a5de
SHA12d2119e524e45b89c389dc2cc40e430895fdb63c
SHA2561505d17b4d0b19752bdd5bc836e333de14b312141a96cdcbf396471f6fc07080
SHA512aff53372fe11549b0c2d13c87721aa296e1a481aaf128e98d843cd25059e867d325c066df0129e46d7f8a9fdf9f7dd8cabfc28f9be82ed33dadd817c9be0567b
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3S6FHPA6\microsoft.windows[1].xml
Filesize97B
MD58d944d87fe3e5b38cf0ecad3fdb42197
SHA19b656710d009352ae99e2ddd787e9f670d8f6b59
SHA256f6bce45f5460f43e03e364c67ebd622f03ae5fbc30dccdd868806999f8d69567
SHA5123ed6a75f2369c46b72f94c46e6e0e2719dba0be0a8be51ff6afb53e0b09edb87aee627e308e10d07ab255c5470abf7f950785054e383295715c2e132b1d61446
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\IV94H0QD\microsoft.windows[1].xml
Filesize97B
MD59f9316b51fd3208a051a6c3ef3564fec
SHA1a1ad7cce046cefa5fd48732f10574e7384df790a
SHA25681f7f3bdc942344e5e15a00d67576585098e25ee70a3864bd55da01977a487bd
SHA512c4c5a685e77cbc7f48e8ec6af93335eda774679f8b41ba425ffd6a619309f5380ce7e5c5e6a60e25a0d603691adf81a7c226c3c6dd546a0529badc9796d0d4e3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}
Filesize36KB
MD58aaad0f4eb7d3c65f81c6e6b496ba889
SHA1231237a501b9433c292991e4ec200b25c1589050
SHA256813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA5121a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{51325390-AE6A-68FC-A315-0950CC83A166}
Filesize36KB
MD58ab0ccfe101f2a223bf9fc11f910ec64
SHA186a7cf51b399bb786896fb77f59ee8b4844f5afe
SHA2568cc15be591c4f70f964d3554be30283f925747d09eb71692bf40b8125e2bb68a
SHA512b862068ea8bdb828186c2bc693b1e99d622a48a82eea13886090c44e17d132ad1a96bae4a96214d9a8abeb22f7c85f4ef25a000cc1bf977fd43e67bf1064a61e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc
Filesize36KB
MD5eab75a01498a0489b0c35e8b7d0036e5
SHA1fd80fe2630e0443d1a1cef2bdb21257f3a162f86
SHA256fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47
SHA5122ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_Documentation_url
Filesize36KB
MD5bad093419be1135cfe9694ea77088c78
SHA176204c7ca72cf666add9c9931389d635c82e8af0
SHA256136808af50ee73df9befd76f7aca21765782565b0095227c5a287f3be0b5ef3c
SHA5123b5cb7f80d7cbc557b5a32a995cd607257ac8e56af935ce6f64c54ba1f311a65ef00c69c69047b6eb7bb678c2b1bc0a3c37548aef417ea49e414e1a34bcf651d
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4547b0d3-75fb-4e71-91a8-620e8494dcdb}\0.0.filtertrie.intermediate.txt
Filesize21KB
MD5fe01e42de0688de80dcf834e6ccb67cd
SHA1e8706d26cf1fdbe50a29aea482a4fce06adf0a17
SHA256921534792386192d550d4e47899e5f16e1085a3de9a9bdd8123661eefaaf07c7
SHA512c659ee806b1f31eb59556ef97c0c131995831a2146e80fc41d0a1a55b192a1d0a5d130a537cd12de7e69497176a2d753c10ee596371c7eed4867a5fda3f0ed6b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4547b0d3-75fb-4e71-91a8-620e8494dcdb}\0.1.filtertrie.intermediate.txt
Filesize5B
MD534bd1dfb9f72cf4f86e6df6da0a9e49a
SHA15f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA2568e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4547b0d3-75fb-4e71-91a8-620e8494dcdb}\0.2.filtertrie.intermediate.txt
Filesize5B
MD5c204e9faaf8565ad333828beff2d786e
SHA17d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{dca95c69-dc90-4d35-bdb1-cfa3ea385bb0}\Apps.ft
Filesize28KB
MD55b8eaf84b46ab0f06676440d877e1cd4
SHA1b34412eead78f88eaf23e50035b1b452aeae1cbf
SHA25658ec60b3a5c77227de84005404156f77eae6563c5c17bcbb0f17bb870de1cc9d
SHA512e31cebfeec4bdde2f1f72a721f552bb42de3fa19cacee7e8852c2569364f160356e8df181776068fbc477cb9f9bd2a771055e99771b8700d76d3d4bc0da0a2e1
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{dca95c69-dc90-4d35-bdb1-cfa3ea385bb0}\Apps.index
Filesize1004KB
MD5620b2001a115a8a5794388911d2a620e
SHA14c663799e51cdc50a5fd83cb85e901f4f6edd43c
SHA2566e1aed930af090f1f45e16bf85f5f643644100a3a590143994aecc812964ec4b
SHA512aa1906a12616c8bde276caf7a5d0c99a48f9edff912c509fda97887b396bc5d25444b5877cea9ac63694610c01b5e6438536f89c878b840a25cd2ab077550452
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{80c040d4-1422-4051-8ed1-b39440c6d22e}\settings.csg
Filesize454B
MD5411d53fc8e09fb59163f038ee9257141
SHA1cb67574c7872f684e586b438d55cab7144b5303d
SHA2561844105bb927dbc405685d3bf5546be47fa2fc5846b763c9f2ba2b613ec6bc48
SHA51267b342c434d8f3a8b9e9ac8a4cbd4c3ef83ddfc450fe7e6ad6f375dba9c8a4977a15a08b49f5ad7644fbde092396e6da08865aa54d399836e5444cb177a33444
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{80c040d4-1422-4051-8ed1-b39440c6d22e}\settings.schema
Filesize162B
MD5ac68ac6bffd26dbea6b7dbd00a19a3dd
SHA1a3d70e56249db0b4cc92ba0d1fc46feb540bc83f
SHA256d6bdeaa9bc0674ae9e8c43f2e9f68a2c7bb8575b3509685b481940fda834e031
SHA5126c3fcce2f73e9a5fc6094f16707109d03171d4a7252cf3cb63618243dbb25adb40045de9be27cad7932fd98205bdaf0f557d282b2ba92118bba26efcf1cd2a02
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{80c040d4-1422-4051-8ed1-b39440c6d22e}\settingsconversions.txt
Filesize520KB
MD5721134982ff8900b0e68a9c5f6f71668
SHA1fca3e3eb8f49dd8376954b499c20a7b7cad6b0f1
SHA2562541db95c321472c4cb91864cdfa2f1ed0f0069ac7f9cec86e10822283985c13
SHA5125d1c305b938e52a82216b3d0cee0eead2dc793fac35da288061942b2bd281fb48c7bd18f5fdaa93a88aa42c88b2a0cce1f0513effb193782670d46164d277a59
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{80c040d4-1422-4051-8ed1-b39440c6d22e}\settingsglobals.txt
Filesize43KB
MD5bbeadc734ad391f67be0c31d5b9cbf7b
SHA18fd5391c482bfbca429aec17da69b2ca00ed81ae
SHA256218042bc243a1426dd018d484f9122662dba2c44a0594c37ffb3b3d1d0fb454a
SHA512a046600c7ad6c30b003a1ac33841913d7d316606f636c747a0989425697457b4bc78da6607edd4b8510bd4e9b86011b5bd108a5590a2ba722d44e51633ed784f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{80c040d4-1422-4051-8ed1-b39440c6d22e}\settingssynonyms.txt
Filesize101KB
MD5003ece80b3820c43eb83878928b8469d
SHA1790af92ff0eb53a926412e16113c5d35421c0f42
SHA25612d00eee26e5f261931e51cfa56e04c54405eb32d1c4b440e35bd2b48d5fcf07
SHA512b2d6d9b843124f5e8e06a35a89e34228af9e05cbfa2ae1fe3d9bc4ddbebda4d279ce52a99066f2148817a498950e37a7f0b73fe477c0c6c39c7016aa647079a5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{bab8393c-f910-4bf7-95c5-fb18560da7d1}\apps.csg
Filesize444B
MD55475132f1c603298967f332dc9ffb864
SHA14749174f29f34c7d75979c25f31d79774a49ea46
SHA2560b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA51254433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{bab8393c-f910-4bf7-95c5-fb18560da7d1}\apps.schema
Filesize150B
MD51659677c45c49a78f33551da43494005
SHA1ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA2565af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{bab8393c-f910-4bf7-95c5-fb18560da7d1}\appsconversions.txt
Filesize1.4MB
MD52bef0e21ceb249ffb5f123c1e5bd0292
SHA186877a464a0739114e45242b9d427e368ebcc02c
SHA2568b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307
SHA512f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{bab8393c-f910-4bf7-95c5-fb18560da7d1}\appsglobals.txt
Filesize343KB
MD5931b27b3ec2c5e9f29439fba87ec0dc9
SHA1dd5e78f004c55bbebcd1d66786efc5ca4575c9b4
SHA256541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e
SHA5124ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{bab8393c-f910-4bf7-95c5-fb18560da7d1}\appssynonyms.txt
Filesize237KB
MD506a69ad411292eca66697dc17898e653
SHA1fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d
SHA2562aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1
SHA512ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3c53a845-76c6-41e1-86e1-864a7536636e}\Settings.ft
Filesize235KB
MD527af3eca2d60f19fd8c15c85d681c8b5
SHA11cb079485189060ae4395825a7cb66575dac29df
SHA256c633ff7389bbebbd422a6ec4e00740948a48a1535ee85f4a29105785e431c5f4
SHA512020be2f8e3e39737d577e9cf041e641ebbace55ee092f41628bff9177808f4e6a885fc214baa5594643f930ade7e72eb886e5c8a5d29e07ba283c997677796e5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3c53a845-76c6-41e1-86e1-864a7536636e}\Settings.index
Filesize1.4MB
MD553da0424b263f10dae6bed10358ae039
SHA13a3fc150688bc5f5ad170a9b27d915b4bec9db52
SHA256a3206fa0c489e6f4c8292ca9bc00bc6507f9338d4dec8245fca687e6ea40c34d
SHA512ba765fd469ff2177b6ea3b49b7b0caa2d44f1f6ed9e790ab97c1a0861e0e129528ceabb19e8cddec2caa37030185de0965d0fb7e8899c5d9b6f467ade263036d
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133751656562450156.txt
Filesize67KB
MD5a73050794fad49979860a391628398b9
SHA163b1e7d63ab50640cb188c97d6b7de64aee07301
SHA2563b6f8056494af0e32610534a7e29678fd1409c74871ccdef698b5d846f20cef8
SHA51278c322ed946bd5fc26722b8cbe6750ae6706ba4afdd155d1cb0f6cdf622ca7be8d094e5612a6bcc8534ea044f9859c4b1d2231c8249329ef12f9075c88a668f9
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt
Filesize689KB
MD52dee0ab82c5db228dee2de2fe0d82eb3
SHA1c6231ad00bd775537fb422a86bfe2b5754e9b91d
SHA2560e01a47917642eac553b6d0feb6e97b398f7af84c5ffc74ba35ca66d7a341d39
SHA512c46ae09aab1f240ba384044ef46240a4cb02b6144b0403d690ff7ddcf79acc67da345c98254ef5436a4008fb419c889af43489fedf86e8ba822128365f30763f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize9KB
MD53f16625342d2328c4fc9da1dbe088b30
SHA1d9657f378c12a5bb9d4e2a02dcb6f5e6d9a34432
SHA256e1ded867be81a83070fec7ced8512bdc2cebf2a8f73bb321caee3ab16aac1bb2
SHA5129ae2c6679742ce04a53af5489c9e45c9bde60849d5619efb03a429023613bc7060f9bfd206de977737e39a0c228d09b9cd49b253465a09e5a201f90f0bc4653b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize10KB
MD5f68371c1d2f0661e31e2b59d57386a23
SHA14bf3a32468f2165c9ec9800bbcaa341ca9c9ceb5
SHA2564cf22dcc9ae93e0be6aa290114a7f7175ac52940e35e4831d4e83766b34dee9c
SHA512a1cec38c5060ae9ce24dd26d7c29ab4ee6f734bb213f6df902f9e4e454089d6e61232d751b51a87cb37dd2bde1b56380aa1dabd6c6fbb869dd3c84ceb54ed09e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize10KB
MD567a619cf70045dd184b6d20e081a097e
SHA13119d173cf3217cd71c7ce422641e3aa460e8d49
SHA256e6d0c3505ed442692c6ddfc903fbd52d74ee204e802c8c9a142036f95b09f86a
SHA5122cd1842d8fcf08272cf38afabddb669c8cab1ee9e8098125e72c06020c9cc7580f8c51e208e9a1ae51068da588fa241e4840daeb66ecc9273c28ce8992bf5fa8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize9KB
MD50de4f3c0214744e67dc17cecea46ff06
SHA1f1f3f471186fb07a02ded53008d682964edef797
SHA256b255a40d0216e8f30a67e3d819f585f1bbc9f6b7598950b0ff1d3c446bdd343e
SHA51211a74392af3266b943c755e897abda355cfc6bd503c7de0e660bf48a8cd9278f6fd258e0ce6641559662407eeb2e040452187099ea62636dd929b7083a5493a9
-
Filesize
84B
MD54e7e32381d9e54787f28c85f26edd2f6
SHA19e1ab1cc220d403c8a4d584595a5b8fbeaf552c6
SHA25616a22971f8159964c4268ac8d9f154bcae0a7b3ccc77daef1f40963462e63d2f
SHA51264a9bf906404fceb7bbaa24573ad27c4437fd20d592f03a6c25547127d1a945542d2d82d02bfd6efb355173ca6fba6fb2824b924cd777a4b133f687b8f20f7f0
-
Filesize
1KB
MD54cb6682a70863726c1c90fc163c4a852
SHA1752059fa7504dd3a54cd9ddcf3a8d7a6ad7b7d4b
SHA2560e479a2b3b23b536c459fa86bc214ee95180e8891604480370946ebd345d7453
SHA512968ba5f35d287b509cac18de68c20dd303f07451f7b8cd23b457e6bdc4a07f2f93378b952d714d7a6ec40e261a12b9353df17328d328612296fc7c85a9ae9d01
-
Filesize
2KB
MD5b25bd303b839965acd706cfb121e00d8
SHA13ea2e79d6f55ca294c74dad8a4016786c07a26d6
SHA25611632328d4bd0ba577bde9805a42c0c5038325c19ae3ddd8553b2270706841f3
SHA512a5a299fd88ddca6714e2910a12ca3e2533bbe82489c046fecc8e0dc202085aeb57409f584cab4d9356e3784de52fae6b9df9c4af3b0f9a4a6dc147487e9147b8
-
Filesize
36KB
MD5ff155111fa972ff0ac823a960d8bfc01
SHA1598a8ef2e631a8f0eaf7b17a98e8d7e306dc3c75
SHA256a64a89741d1ca6a50edef9224162051733b65f41c34fd646a81a86f93f1b79b6
SHA5128d9807ac2b0c36ff57f6667216dc46316875d20417728ba2e2305da99d2a68f364fa81d101453441769b9a5924dc22232ae6348408995405cc591d88d0e2d0dc
-
Filesize
36KB
MD52c0434a059979adc28152e496b9bbcfe
SHA1400063ca69f7980ff796cbf6138b5cf59017a440
SHA25602d33a57a365a8ed9ff82661c9038988b648c29d57f7a88bef2787b1c954d150
SHA51243cfcdff630fc8e9412c6f03021c2ac323a9e08daca2dbcb79fa34dc37f417dc220898407092e95808a1180ff0aad1d06dc26fb7cc35c05433a40f9ce39f7bc4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize1KB
MD58a8d7a686da0097e162bde7b29bf6ed1
SHA14c2bb33b4d5621f1557b95ee9ccb8a5716c76dc9
SHA2567ef5f2ddc761fe5fa898e6faa206a849e22305ee436749763378a44ccb65668b
SHA5122f982659627bb58ab370a750de24ec0f1b6b87fe00ac9a9e88ad107e9871adc8371ed40751dc37f3d5197f820c8623eaa72b924fc878c5c65341f7ad52b06341
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5e519ed2537c5dfe7134ddbb05ac4541b
SHA1b1f4761b2800cd2a4e4fa956debe82f5811f6fc9
SHA256671164f6d52154eed967f0821248df094e205f8af557750194d1bf45b73a0827
SHA512250b95bb7ba95957fbd9032053af84c005b15c73ec918aa989ff51243603838607b738afd6b919edfa9f75984cd866a2c41c52e71051ec7bae8e2d88c1ad13d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5df4b1aeff507c8b6ca42c1628e12fbca
SHA100ba6751c64851f9aa9019dbe232fa597a573130
SHA256623cfec512b4fd73b6d93f1ab09d70b9de5f51e1f51018fb2b0b5d2e8b5df55b
SHA5125b01786c30982fe181cc8bc8f06f0e27ad21a8123cb6141b7a309d3e76a4f38d24228ae18e8ea1e3c29d8dc0d4198c4c0aaa1602edf260aed4b9235416932b53
-
Filesize
3.1MB
MD5f5b93af3ee1b64dacd2bac9ba4af9b27
SHA11f2a038199a71a2b917dca4dff2f5fac5e840978
SHA25648d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
SHA51283703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302
-
Filesize
83B
MD5709ab6da27837eaf65bbc28a5f4e16d4
SHA1c4a4287a6065941808c7aef260d9dc36ef67599b
SHA25681332dd568dcf36082c717da064b0a093eacaf7eaf9b0907181721228795174d
SHA512e0bd49d9a073d6bc631d0b15e771c359e864857642bf2ce699baac319fff838bfbdc2210fa919187f420de8332054da5af782193356a01269a6c9dde9401283b
-
Filesize
353B
MD5bcf67da1a7abebae38801e01568accce
SHA1d67fbb7fefb1860525d7d34e69755ebb6d08c38a
SHA2568633ca91ea02747dbdcf3ed897c221168f3cbad2e6c63abde80c1c1bd92d2355
SHA512ff64f69da2cbba9f26a347fd572aa5c069e084ed3dd91277ff800bc3a6c0e86ccf2c09bb35afe8b6a379dedbf0323e2816d0368b2d2f11e5a2f0c024e751b593
-
Filesize
294B
MD5191d32b3c7022b71f47e45e47f242860
SHA1d578e72dc5fb2790b7975a230a97870cf1b566e3
SHA25650d9b66b3236c2401e2d36f488012944fd975424eecf2430bda6d2d7d212b69e
SHA512006aebbf9d9de1b6c5ae53b996ac79022028c03bacdeb8acd4e9cb61d2b881ad2a2983996a944e74c7df36706d00e21ca3646f85a85fa0431386040c82e01e7a
-
Filesize
18B
MD59d543e44809b9a9fc33d18ca5a175345
SHA19928c06feff8f2ac050313c964cd09316ec6b99d
SHA2568ccb6fb25723e4931a6c1d967f0afdf6f3c54f7a75f7df4c8b0a7505fd1b0c40
SHA5122f15581ba3d7c8890dcd7122ce52d7fbf6245f43073e96c8b0373b06eb8288beb7dc137cd5c556522fb17df087a806ca3dcde634b98eb3dd46da59f86e5c9172
-
Filesize
162B
MD5a14ea26d8d38d6454ebe14b0f5ff8085
SHA1ac1f38422fbb3e7e6ad435992ba1ccad410e8375
SHA2563eb2b6d855d71ea9df6ef53dc59be754b1c439e5d6ca3329078a6d139aaa47f6
SHA512c9cb1833cee5b8fc436ece6cf8c6d85848ba0fb219bde9be523d5594fd43f17198baacb7edcc08482fc1a1284eae0bc1f1da495cb8325663f82e242d4f693304
-
Filesize
162B
MD5393342ffeb0acbd0d1326b4833a46516
SHA11a35007be1d74c7f2439dca30935755175019044
SHA2569daf05d2bfe44f69b707c58df0dae1f9a4cb017a256f9175f83509e0ee352bc6
SHA5120cf25543b0a2ec0da5ac7b9643dff19d59affc19ec4d800e9da01afbea4555448ac5fe09d227cb2f3434c8c7993ffe29fb437f24754966f85df4bbf453b106b2
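Sandbox reports like this one are usually consumed as scraped text: labels get fused to their values ("MD58da3..."), some entries carry no path, and the same path can appear several times with different hashes because the file was rewritten during the run. The Python below is an added example, not part of the report or of the Quasar sample; it parses that raw layout into records, checks that every digest has the length its algorithm requires, and flags dropped files whose SHA256 equals the submitted sample's (48d4fde2...). A dropped copy with the sample's own hashes is what Quasar's install step would be expected to leave behind (install_name Client.exe in the extracted config), although the listing does not record that entry's path. The three entries embedded in the script are copied from this report's listing; the SAMPLE_SHA256 constant is from the report header; the function and class names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Hex length each digest algorithm in the report must have.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"[0-9a-f]+")

# SHA256 of the submitted sample, Client-built.exe, taken from the report header.
SAMPLE_SHA256 = "48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01"

# Constructed input: three entries copied from this report's dropped-file listing,
# keeping the scraper's quirks (label fused to value, label on its own line,
# no path recorded for the first and third entry).
REPORT_EXCERPT = r"""
-
Filesize
3.1MB
MD5f5b93af3ee1b64dacd2bac9ba4af9b27
SHA11f2a038199a71a2b917dca4dff2f5fac5e840978
SHA25648d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
SHA51283703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD53ab676fa1d6aea3e64e30f91db53e8d2
SHA134ac39f7f0d1f02a7424e76d4e16503b6f259387
SHA256fa5f39865b527c88d453e7364adb2d313d44301915995dec6c432c564c9f48a0
SHA5128be490e507684ebcf2c033cd5925ce52ac038984a0a7d4a54a6651af900c63a2ee686e62acf5e098232ad8eca3d772d0cbd7f59ca3b283e047cd5e75fa36e6b1
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
"""


@dataclass
class DroppedFile:
    path: Optional[str]                          # None when the listing omits it
    size: Optional[str]                          # as printed, e.g. "2KB"
    digests: dict = field(default_factory=dict)  # label -> lowercase hex string


def split_label(line: str):
    """Return (label, value) for 'MD5abc...', 'Filesize2KB' or a bare 'SHA1'.

    The labels are distinguishable by prefix alone (SHA1, SHA256 and SHA512
    differ at their fourth character), so no lookahead is needed; digest
    lengths are checked separately by validate(). An unlabeled line is the path.
    """
    for label in ("Filesize", *DIGEST_LEN):
        if line.startswith(label):
            return label, line[len(label):].strip()
    return None, line


def _build(lines: list[str]) -> DroppedFile:
    rec = DroppedFile(path=None, size=None)
    pending = None  # label that stood alone on the previous line
    for line in lines:
        if pending is not None:
            label, value, pending = pending, line, None
        else:
            label, value = split_label(line)
            if label is None:
                rec.path = line
                continue
            if value == "":
                pending = label
                continue
        if label == "Filesize":
            rec.size = value
        else:
            rec.digests[label] = value
    return rec


def parse_dropped_files(text: str) -> list[DroppedFile]:
    """Split the listing on its '-' separator lines and build one record each."""
    records, entry = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            if entry:
                records.append(_build(entry))
                entry = []
        elif line:
            entry.append(line)
    if entry:
        records.append(_build(entry))
    return records


def validate(rec: DroppedFile) -> list[str]:
    """List what is wrong with a record's digests; an empty list means clean."""
    problems = []
    for label, n in DIGEST_LEN.items():
        value = rec.digests.get(label)
        if value is None:
            problems.append(f"missing {label}")
        elif len(value) != n or not HEX.fullmatch(value):
            problems.append(f"{label} is not {n} hex chars")
    return problems


def copies_of_sample(records, sha256: str = SAMPLE_SHA256) -> list[DroppedFile]:
    """Dropped files that are byte-identical to the submitted sample."""
    return [r for r in records if r.digests.get("SHA256") == sha256]


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    for r in recs:
        print(r.path or "(path not recorded)", r.size, r.digests.get("SHA256"),
              validate(r) or "ok")
    for r in copies_of_sample(recs):
        print("same bytes as the submitted sample:", r.path or "(path not recorded)", r.size)
```

Run it against the full listing by pasting the report text into REPORT_EXCERPT or reading it from a file; records that come back from validate() with problems are the ones to re-check against the sandbox before the hashes go into a blocklist, and copies_of_sample() is the quick way to tell a dropped copy of the installer from the unrelated cache files the OS itself wrote during the run.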