zebrocy | hxxps://github[.]com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Snakeransom/snakeransom[.]exe

Analysis

max time kernel
135s
max time network
127s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-12-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Snakeransom/snakeransom.exe

Score

10^/10

zebrocy backdoor discovery persistence spyware stealer trojan

Malware Config

Signatures

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 1 IoCs

resource	yara_rule
behavioral1/files/0x002800000004622a-135.dat	Zebrocy

Zebrocy family
zebrocy

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2892	snakeransom.exe
4884	snakeransom.exe
5720	snakeransom.exe
5580	snakeransom.exe
5560	snakeransom.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	snakeransom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_tr_135x40.svg	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldThrow.snippets.ps1xml	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\PREVIEW.GIF	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	snakeransom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fil_get.svg	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS	snakeransom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main.css	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241211145934.pma	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt	snakeransom.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Dev.msix.DATA	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Cyrl-BA.pak.DATA	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ga.pak.DATA	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\core_icons.png	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\AppStore_icon.svg	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js	snakeransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\PREVIEW.GIF	snakeransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	snakeransom.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snakeransom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snakeransom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snakeransom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snakeransom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snakeransom.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Internet Explorer\IESettingSync	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{06405088-BC01-4E08-B392-5303E75090C8}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2016.0129"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5248260"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\r1031sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Adult"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_HW_ja-JP.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "既定の音声として%1を選びました"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - it-IT Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Locale Handler"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6072	explorer.exe
6072	explorer.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4320	msedge.exe
4320	msedge.exe
640	msedge.exe
640	msedge.exe
460	identity_helper.exe
460	identity_helper.exe
2272	msedge.exe
2272	msedge.exe
4884	snakeransom.exe
4884	snakeransom.exe
2892	snakeransom.exe
2892	snakeransom.exe
5720	snakeransom.exe
5720	snakeransom.exe
5580	snakeransom.exe
5580	snakeransom.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
6052	msedge.exe
6052	msedge.exe
6052	msedge.exe
6052	msedge.exe
6052	msedge.exe
6052	msedge.exe
6052	msedge.exe
6052	msedge.exe
5560	snakeransom.exe
5560	snakeransom.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5552	explorer.exe
6072	explorer.exe
3564	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	5164	vssvc.exe
Token: SeRestorePrivilege	5164	vssvc.exe
Token: SeAuditPrivilege	5164	vssvc.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	5552	explorer.exe
Token: SeCreatePagefilePrivilege	5552	explorer.exe
Token: SeShutdownPrivilege	6072	explorer.exe
Token: SeCreatePagefilePrivilege	6072	explorer.exe
Token: SeShutdownPrivilege	6072	explorer.exe
Token: SeCreatePagefilePrivilege	6072	explorer.exe
Token: SeShutdownPrivilege	6072	explorer.exe
Token: SeCreatePagefilePrivilege	6072	explorer.exe
Token: SeShutdownPrivilege	6072	explorer.exe
Token: SeCreatePagefilePrivilege	6072	explorer.exe
Token: SeShutdownPrivilege	6072	explorer.exe
Token: SeCreatePagefilePrivilege	6072	explorer.exe
Token: SeShutdownPrivilege	6072	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
5552	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4152	StartMenuExperienceHost.exe
5284	SearchApp.exe
4284	StartMenuExperienceHost.exe
4176	SearchApp.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
2136	StartMenuExperienceHost.exe
5404	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4544	640	msedge.exe	81
PID 640 wrote to memory of 4544	640	msedge.exe	81
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4772	640	msedge.exe	82
PID 640 wrote to memory of 4320	640	msedge.exe	83
PID 640 wrote to memory of 4320	640	msedge.exe	83
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84
PID 640 wrote to memory of 4548	640	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Snakeransom/snakeransom.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ff9df6f46f8,0x7ff9df6f4708,0x7ff9df6f4718
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:1252
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff613df5460,0x7ff613df5470,0x7ff613df5480
    3⤵
    PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,510664008038318963,16620118148090024877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- C:\Users\Admin\Downloads\snakeransom.exe
  "C:\Users\Admin\Downloads\snakeransom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Users\Admin\Downloads\snakeransom.exe
  "C:\Users\Admin\Downloads\snakeransom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Users\Admin\Downloads\snakeransom.exe
  "C:\Users\Admin\Downloads\snakeransom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5720
- C:\Users\Admin\Downloads\snakeransom.exe
  "C:\Users\Admin\Downloads\snakeransom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5164

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5284

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6072
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:1700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:1904
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ApproveReset.html
  2⤵
  PID:5464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9df6f46f8,0x7ff9df6f4708,0x7ff9df6f4718
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:6052
- C:\Users\Admin\Downloads\snakeransom.exe
  "C:\Users\Admin\Downloads\snakeransom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1532

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\ba.txt

Filesize
10KB

MD5
697006013a58a3387042918272b19bf7

SHA1
08ec1f7fed0c4fe13fab0bc80b84d9d991c15fdb

SHA256
8ca54231d219c11e865ee0140157c3799c9b15a6521e238790597e4d90663045

SHA512
7ddc56f5f9f63efe6dbe5ebfeb978006f2c785403f76dd7de7d151d2607548928d6bcd40c3b40afd51c1f80b884169837c57810b2bfc4aed93a62eadce051c0e

Download Submit
C:\Program Files\7-Zip\Lang\be.txt

Filesize
11KB

MD5
ceac18b298a3557aec657f75b34bded2

SHA1
f8aa784d13be244b8fa2a6ff397da1f56763b2fe

SHA256
162ce377710385b4a33d60f653c7ffc4c4b8a29be8a92c4f6d6bdc21903bf2a2

SHA512
d4500f32a1512e66412c0cff27867374a7fab3c5e588773baa598d06da9042b7f8159a329c4b7b7b3faf77cd2196e363c9b63b055f587c4947502f67d5691634

Download Submit
C:\Program Files\7-Zip\Lang\br.txt

Filesize
5KB

MD5
04f072cb519a537f31471affb6881180

SHA1
bc01dc3f14f146be48b5dac0f4cf7eb1de7804b8

SHA256
e7f436e2dbdb5bf1bb054b7d2d7dbeb0e7ce76c70809b807ec6b42858c9dddc6

SHA512
90f413de07eb77c203ba090677ecfdab46a152f0353d364ea0fe78bc1daea4d5d86d0dc73f944549960b1a3761742a7506acf3b0ff5625804cda1a5ba3144e8e

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt

Filesize
9KB

MD5
217cccf53482a4055a6c54e22ba2fc61

SHA1
b322f4f772274c0c617b5d28d2178b475285e84d

SHA256
46f23a4570e7fddc4ac70c6ab9f25bbc2a55903b1b0e8bbf57491c6be1d9ac00

SHA512
8bb915705fffcd5415d95786527b1dcbd6bb5e7f7d7ec7ce7fa9957ef4c37af33f452e0d1e1f92ef9207e0a991a75ec20f4fa1a6581dc05773a6943476c38d1d

Download Submit
C:\Program Files\7-Zip\Lang\cy.txt

Filesize
5KB

MD5
5889b6960810cca3f85a888917fd26f3

SHA1
bdf7eed106b0ed1d7aed9d9ad4047c1af47758f1

SHA256
c08dab7a70f94ad7f1255f67edb052e332723305971e188aa5b915a10804a277

SHA512
ca9d03c3935ec48a14680f3e39c7448f7793fa8966fb1ac35f363bc31b1ab99d95ccdc44375e7660df887dc8efb970db66939abf4687a0b0ad7ac6ea9e842d79

Download Submit
C:\Program Files\7-Zip\Lang\da.txt

Filesize
8KB

MD5
050fa6624d24d651d1b1b00329e22380

SHA1
bad7373680179d76c6d438c0788ba3e0d499d485

SHA256
73b3ecb1c1fb82b1f5a4fd21ffe72e94b821261dddbb3ebe71e62c95dd7ca032

SHA512
349f9288f901eeb4b9504f8f8d77e28a54913c6e9da473c37a554823669d6c7d061e3ade19fbc77b26a824ca847189bb669bfb7e70aa6653a5574363595758de

Download Submit
C:\Program Files\7-Zip\Lang\el.txt

Filesize
18KB

MD5
a087ed8ea17d31c44fbad107281e1702

SHA1
1723dc998537d12649da0a059230d6ef7531bdc4

SHA256
b695f8ae5ae71e57ce8a85583c04d52d7f5bf5f2dd1eb71f3bd9821d09b77bfa

SHA512
177e4d7045dadd96e7431e8507406df9dfc7240391d51c9e8eefdb8bd1f29cf0bdb3f8870c378938e789530b2646033ec362c17949da918636da70c2e4260113

Download Submit
C:\Program Files\7-Zip\Lang\en.ttt

Filesize
8KB

MD5
6d7d5565899ab8ddebf2d3102bfbf467

SHA1
f475f7c762b590e552c493b145b15e0608218b58

SHA256
f1c345faaecaad769f5737a09f03251262656f2b958116a8271e3d0b3fdc16f1

SHA512
989ae81979143d6412e2158ebac5f6054532d782701453510a716cfd44ac99b8a4dedd1a0e4a2a3e1bda6666173e8a13b40cc3fa38bf3e9a4aad2433160eb953

Download Submit
C:\Program Files\7-Zip\Lang\eo.txt

Filesize
5KB

MD5
79cf94da5a33918167dcfe668c9f5298

SHA1
3c6de7fc29ffb1573ff4b2ca50d5d8ac3e7ede00

SHA256
c9ea5923dd661c4efc6b692bbe1c24a815082f54d312368a6f4b22c695a24d16

SHA512
825230e4e5cf311bd528285e4f9138379a6a24bc73fcade754e136b18e81208b6836bd64837be685d58055b493edab4ba86daef56177a9b57a0d3f5d02d123cf

Download Submit
C:\Program Files\7-Zip\Lang\et.txt

Filesize
6KB

MD5
5c8282b816861543c8f7b1d02f7f6b94

SHA1
c0068011a1001b962fc0e8c46fe26eb4c5857894

SHA256
67333d46a89ce8a80ec1f7f8888a227c08d41f8012ecdaa9ca1796a28bc840cc

SHA512
af95dfefd2d303c142037cbfbd7f80f53d7e5d1f55fbf21c5275b2a264e390d4d596cf700bb3ae5fd69ddde4c52376aef84d31f1477952197fd766a8a460d08b

Download Submit
C:\Program Files\7-Zip\Lang\eu.txt

Filesize
8KB

MD5
9aced6dec37231112906521d088e9022

SHA1
99c6ea9afa850bf1f8eb9e5199833618849d8eea

SHA256
cf1d37a26b833e02b845fdb3d858be08cc1e87797a097099f32e42f0fa08acd8

SHA512
68ef3a382346ec5c004b57416c3eb47c217e67fbee6148d5c2f6d6ec5a77bc21ae897824072016f0321ddd3acd8393597f7077eb404375c79c00179b4528b959

Download Submit
C:\Program Files\7-Zip\Lang\fur.txt

Filesize
7KB

MD5
f96fa04e606d3a9973fbe8eefd6a56fe

SHA1
8c66ed40e35527cb0cc823d23dbf2e215c06c0f2

SHA256
97926e3a9a864a3f7f359f35b2b721161528dc7d11443f253be82b0e3346c7da

SHA512
6be832f2135c8be4a7b08ca34cd5f2c99a104b7ccdbe40c2795ca75e059557dda8e82adf889636fdc33cbfc931ed1cc35a3bc1b71c66853f5d7a5f3715a2f01f

Download Submit
C:\Program Files\7-Zip\Lang\fy.txt

Filesize
6KB

MD5
4c04c1e32c7782f599af8e8598aa0796

SHA1
07426dc91b7c1489d3b7fabc7baed98cd618fc57

SHA256
f6ea3beafc2068df15e5088cf2cd3ebf74e591edb12582eca0c989305f5e0c8e

SHA512
b68126fa2d1b137124e8ba5fca3e6a6c3547a2158e91b0210f7edb98ad6c5d8e3bc0464500fcec87b89fa2dc2f18dcacf981debd899d9fa08e57b97ff526e46c

Download Submit
C:\Program Files\7-Zip\Lang\ga.txt

Filesize
8KB

MD5
f45837e9660cd94276d6987890a377f2

SHA1
baa3408b03d7a8ffce848b0900c67b48fef0a41b

SHA256
3cb799b0778993a094ad6b2ee7c8423430eb6acff83e25de9be6cfc41395eb99

SHA512
3dda2cee871ad6d9122e1cecf5f87ea8265aadfaf0c5a37aa9558c6be9ac4a3042b95a5fe5449ce83198245c7bfa33c98ce975bfde1c909c95895527252d236e

Download Submit
C:\Program Files\7-Zip\Lang\gl.txt

Filesize
9KB

MD5
f503ef905f2a38f3f4dd157ac2446ed7

SHA1
27737f1b77c2d34d23c97f127c8adf50822472d4

SHA256
42afd4a91ac431b9886bf445bd95561388d317a9d6bb9cb15cde9c4a309b3c7b

SHA512
c9d04ca5981f6568dae6b5cd585e7e92105b0dca9fff4151711ef156bfa791d527599457853c5de77a4acbb123acf58791c57b9fa8c3623fc2dc865a7c1a2784

Download Submit
C:\Program Files\7-Zip\Lang\hi.txt

Filesize
17KB

MD5
9045ba63739bc0f2ea2d445e721b9e6e

SHA1
d7145221d9c823249cb4414699e3d8284c829602

SHA256
b60871447abae272742778a4a6c8df05fc6bf3fad33bbc6922a9e0f6b3f9f105

SHA512
0bb7104500b4129c8a2b3528b0c15fa03431268e8b3abd5c09ce6cc324dae5f1ef87281a1aa3821bb12d23086afa698bd4e7d78912f69b3e8405f2d926102682

Download Submit
C:\Program Files\7-Zip\Lang\it.txt

Filesize
10KB

MD5
6a2e818c8eab620541851b9e54247af7

SHA1
dad5699f1f11ef8a8c5351739562c35a29bd2302

SHA256
0a8c7eab1b217b05e55d1c54fd5a2cc8d8fdcceea3f51ee692ba728942575b32

SHA512
cdcd4a9d4bd4221ca99e3216cdc81b574e408c49f140e32cd5ecf48d3bdc699e1e3e1076cdc5d14910c6dbddc1db53557bf154490a36e4e3b0cc17cc461ab880

Download Submit
C:\Program Files\7-Zip\Lang\kk.txt

Filesize
10KB

MD5
f7949121c3c21318ff5d601fc07646d7

SHA1
e99ff40870fc6bfd8737854dd1fd35fd126e4cfa

SHA256
8386ddc0b317788889d11c752b10fdf99c96686f01fe348ec8a6c7fbdb1d7b8d

SHA512
19a2a5891da0712dc7637cd4435eab67139b251259c2d4f6ed488b5f137c9c3e69206d391419ed06c27445402567b4404726cc5018f9abf0bc958ae2606249d6

Download Submit
C:\Program Files\7-Zip\Lang\ko.txt

Filesize
10KB

MD5
a5818cca0e0ac54229cd7a7cf4e0f081

SHA1
7d81b2d76399e34566af3509cc5d0c64dfcedc26

SHA256
d50ed55b12daafb8b7ab873860681b5891b2173d268a4d2744fe57ced3e09d2e

SHA512
f63e556f130168e6c18693ef9188a7d348afc03a4b353724fa51c4531d4f920f58ae7a40ad747d410977e1848048a6b16e90825e88750323c466b4d2b988118d

Download Submit
C:\Program Files\7-Zip\Lang\ku-ckb.txt

Filesize
12KB

MD5
ea61c93ecb6aa88bdbc7ca4d09303df9

SHA1
f60de437557e1bc7c22183ab68949f9312c0aa07

SHA256
5939ed5b5ba70e9c991f7bbfe2733b29a0b5b3140b9b343050b7496e820983d4

SHA512
617364a1c4ce5656c5bc428500ed0e5f9eb7280353ffefb7d44f1b76aba55e86ba8f0974e535d402f8623e3da8f49a38b3305f2ccc7a4c343f30440370661f22

Download Submit
C:\Program Files\7-Zip\Lang\ku.txt

Filesize
5KB

MD5
17256c78035b6e2fc5694e4db116f057

SHA1
519bb950f3bb10a5a9db7f785344cf58767d9053

SHA256
f6342a6e9c60a35aa2ece6058858f3483cb9a2a992d759806060137d01d6a87c

SHA512
730986572eab991423347ad466bdb464077950ecc2e054f5aab611c79427b7cb0e47a971f8de540882e67039813731c616f1b0e8dd4821303f870c098e1db054

Download Submit
C:\Program Files\7-Zip\Lang\mng2.txt

Filesize
21KB

MD5
94f50449d2a8a0cfa2052d7c4ab1d157

SHA1
78cd0b42c6e40a0bee924fedd5d842e30ac4a39a

SHA256
37f8bd857c22b4001b343399dd16835b27e1751416e826c522abe6d26d3b515a

SHA512
adbab51b7a70b8415cb94128705f97d753f05bb1c28104d4878dba424e03baee5b87cb3651746305d49dba893f50414a2349510b240fc75db0966c5f7c00ea65

Download Submit
C:\Program Files\7-Zip\Lang\ms.txt

Filesize
5KB

MD5
b59d495cbd70027f3815c82a415a727e

SHA1
c48a658508152a3fcf86bca639b1d9fa2fc7805c

SHA256
c3a3ad334277490e2599e088381f75e27eb8fe6992d254f046084de45626fd86

SHA512
a1005731a653adfddba4f04f88b73e5c77eaed6a60c8b6661aabbec956f96d2fe6d1e52eb3c7224a9da54d6601399d0e7efbe6b1d8bf3a38d85f83c272afcfb9

Download Submit
C:\Program Files\7-Zip\Lang\nn.txt

Filesize
5KB

MD5
0083059294a05f3bda2710f3f0bb7cba

SHA1
58ee0437811d83ef9f97eb741145f9c48de85240

SHA256
1927c69f4b56a8b5b37c5ed0d23e8e060e3ed73372d22b86ae521c90ad68ba02

SHA512
b9ebae382f9cd01e514888a54cc0304bdb710f1d232c146f045289fa5fd9bbb3f7a328b1bb005cd8ef6cefc9758db1f7625f5aebcb4c8812751abcb01ac2fb75

Download Submit
C:\Program Files\7-Zip\Lang\ps.txt

Filesize
8KB

MD5
6217626ff67e35c2e7d5f0155b88216b

SHA1
6857c15f0e9e787366e4587f75c322a19bc29ac0

SHA256
ebd74c3df2a398ab240980b1c2d4a15c5d593c19548e8bb58ca077b4424eecdc

SHA512
e4f6d9d4c07e208238ac01cf34979f42fc74fb71f232c6c3d5d4781700763a2d78b37a6b06505d7abb173c21e279968f9b4f01836515f96660d0e519d87717a3

Download Submit
C:\Program Files\7-Zip\Lang\sr-spc.txt

Filesize
11KB

MD5
7ae2731764622f8dbf1ae25380f5d1da

SHA1
3e5c50126a1bb45815eb4ad184eec568140022d0

SHA256
f1feb5e42e13ba8021cd2670b7bf19098519a3636d4c83d22ec855cc87b86b25

SHA512
78f6f9a98dcf1808cab1482607cab8fdfbf090721e4eb455db22c300c66b8c1219ba55aa9c788734d9d4417cab63b5beab7962e3ede2577ea38d4f2bcb0ae5b0

Download Submit
C:\Program Files\7-Zip\Lang\ug.txt

Filesize
11KB

MD5
bc96d89e3582f29669e3dc3f665a739e

SHA1
7338cd4166f8abd2e21e446a1b2f4509855a63ab

SHA256
7e870863543c849031696255fe64005dfe53c5e3bf289595e89f82ae1be82ea4

SHA512
9a32fa6e80a3d8242ed9491494d295a965ca61865236575bfc3b0e53fb899bc1832fa5b6cd97e9b57548dd585b47eea3fb413bb0ef4bb26306d824e0bd771a74

Download Submit
C:\Program Files\7-Zip\Lang\uz-cyrl.txt

Filesize
15KB

MD5
8e06ead55a9a61150f40d39e30b90950

SHA1
0a1a4b66734514d02fb3701a94f5767b39b35d44

SHA256
15b2294f60c44c7201eafb3927fd2c7ce7a5b1be90d3a99cb8f583940cce33cd

SHA512
4224916eae8cd056b61d4bc73198a60636d13041d3d6828522992c7b3cca8dce1d00fc3af4c5d486b3c398ed2b84634edb20e657052f3feeaf746be62df20cf1

Download Submit
C:\Program Files\7-Zip\Lang\vi.txt

Filesize
8KB

MD5
9fb744300cccf6463962084458376c53

SHA1
2eb6eb4f4e91f1a84dfd254b14110aecff6407be

SHA256
01a64b548969755df67edc54fa4e7db23ef98ed97e5ca0f58aa2824a3a1423dd

SHA512
f2b6b2410ef4367b5116993277e0b8b349956b3f3cf16915fcea338e5b97739c1a7b4320ced22fb52a966d75dbf82fa36954568d4e57b757f441217fd6e41bba

Download Submit
C:\Program Files\7-Zip\Lang\zh-tw.txt

Filesize
8KB

MD5
70fe5eb1192d98bbbfeb1ef1b500b76b

SHA1
3cd69d0fa43245aad19628a17c016eaf2873a7ac

SHA256
19fff194a3a5d2c118c7dc7f0b4c5a0baefcba6c4ee03fce631ccc458bf2ef6e

SHA512
94946a385aa427b28122f12c07496483716dc43464dc16e83df494019f86cd079ba5bb9c88d1dab1b0bfb8923dc23e123971ebe4d8939d9209d3088bf373e705

Download Submit
C:\Program Files\7-Zip\readme.txt

Filesize
2KB

MD5
8e7a93dd6b44728993940a296e121aab

SHA1
c4ee1e39d410522a1f2e507cb5f29d27948c89b1

SHA256
cfaffa28925a143e15c33db88011d5cf32f7d7b0577e55940058b29c8a69cdf4

SHA512
6f552699c42d3b51357cb336d91bc0a1fedb2b9ff2caac1e64fd5012ab61f2e18781cd71bcc0c1b9ba51f7b1d21874e6102a7fb9c9abed1deda597fb1e0a04b2

Download Submit
C:\Program Files\BackupExit.vbs

Filesize
363KB

MD5
6504d8676939ccee638df573ad4dfc2c

SHA1
18dd838f306d9672e7809adf7aab1e845b035c75

SHA256
7a6bda81d41984eb259cc14c0b829b71382ecee64228e2c9454c1e9e95f597a9

SHA512
89eddde70f342ae3f946f962abd7df147e688d49a1e2927ed9014e77a2c04c75ba4f941983ae4b92c69699709ba0a468d9cafa9d4ea2a052c293208d886a6255

Download Submit
C:\Program Files\ClearSync.WTV

Filesize
624KB

MD5
d870262169888d4fca1336b3a415286b

SHA1
452d8dbd94712e39c8c58154163f9562cd7e6565

SHA256
ad2cd964efc25d344785f0e96c1eac0788fd924f86b1601ada0beea3d87a8d43

SHA512
dd7675208d27b0491c9728f2027203d47daebba3278d152d154da769db8cb0c411a0349159aaf3521848f66a8398ef80d63f23c9a9d712288a4e9a48580329e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json

Filesize
516B

MD5
ddf93b88d23044bd1b0eff4d8ed2e098

SHA1
fc6fd96f265f92ab0d294b3273afab71be58ce78

SHA256
82591a27c009636bcaa136f603dba203d17450b509adeac1baf2586df836b34a

SHA512
2518a0060fef90483b909813de08a26f434df0e41e3d7a6d312bb8da6accb337dab94eb74c64b5508f2952902c667dbcc86e7fb75255958a11ab6603c2d9ad21

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash

Filesize
545B

MD5
f8a22dda298cf6859660f08667ae2528

SHA1
efe41f2b80b404ff9be261b68e6b29c87611d3d1

SHA256
fb76ae327336b2685e735b130894fff820136c4ec6c3af69fd790d6c05a75460

SHA512
c33dcad221d64519bc3dbc90389ab82ab14f648da349810acdd4e45842c1c07a157a8d4124c6bea9a99d293ca88559444777c6d8c01cb7fe421852a67291162f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms

Filesize
905KB

MD5
a4d9d19c392152f8badc4ecc9e488eee

SHA1
2ace3de91172620b9730652de95bce05ce22c129

SHA256
2b6ababf1d934278d429c83b0aa9c79aa6059f452f42d12330c719d5e1577ff7

SHA512
52123bea4929a253a109132684a408404c72cb2ab04c239f811da9e54aebb3d21c8cda5726f805b143e5ded0618d2fc617caa685cf60763cf16bbd8a9ab015df

Download Submit
C:\Program Files\ConfirmReset.odp

Filesize
374KB

MD5
2d1f06a6ae4e1eb5e3c62b3ba077700e

SHA1
24d84fbe8803fde2d793503273b04fcbaab7c9cd

SHA256
18c094474f30957d0af0781d4865eb2de7bd1a4dbc2d822e10d46abfad3aefdd

SHA512
f7542d6e519ea9da06663d2ec7973d9f2eb5ea2773809daf0865015e0e75a81070ce0a8bb6f59ec3fc4ad6e854ea259a6d34a17cc4bacfcaa346cec92287e4b5

Download Submit
C:\Program Files\ConvertFromRestore.ram

Filesize
250KB

MD5
80c768658fde850cb5c50cf1db1cefea

SHA1
99a4a6f79ed50c868449619a1958202b1082f67d

SHA256
af98cc20453301d428ff545a7aecc55582a2a4a5c9ebf712d7457ffe1853052a

SHA512
6875226332e6f22bb9ed0b627fccc7d32c741f4b226c0191715205d4fd06ec96f3dc54f1a358b23377b679e5d6c599d04cc979120394563b150e0b6c362c0d0c

Download Submit
C:\Program Files\DisconnectCompare.vb

Filesize
284KB

MD5
cb27896ce84ab60ecd1158b35bc2f330

SHA1
b9d8c3295be51788388448ea40b90bd94791a514

SHA256
ea5e62306e9d804544b26009ff606fcfdfaeec2fef596ebb50e2ad4704a20031

SHA512
6139d988a3a727b9f74109f0d1c1a85536bbb4408f679b4d9b422a86ae48beb33a721e6e3d67a150ef6caaf1b6d56951e034c4977070d9ebe083aeed9e59261e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json

Filesize
564B

MD5
bc21196d2a2be341f8e167f0b346c6a7

SHA1
93340aff4ee5cebdaf0287d048a58f7ec4c53eef

SHA256
61d563ca1b29c26f0bae04fea14d1dd06a71e5787071335711169a26130a5b61

SHA512
5f7971d7ae880535a78b8d4459f808c84e140bd929fd556cf148fe644d95a4d3bc35531cd6cb150f258702233563ce27f32d32f96aeb16f2d4f07187aae3dbfd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig

Filesize
1KB

MD5
6f3e67f4181d96305baf05e9bee73707

SHA1
cca70d709d5ca8330c4a97fa2c5f206ff12e7ab6

SHA256
fddb4d1db51b3d06916424dfbb0bbe0d6f3f27422b9a04a04bcbfd8098684572

SHA512
c4b8e48292dc006174e51a80d615a65ecadc0902d6070f3df89987139d6adbd44f5daeda92b0c13d665ccc556ffac155180363e0f0ea5cde9cc71351ffc58161

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak

Filesize
1.2MB

MD5
4d6289b7b6e1dfe45128951d046a3c8f

SHA1
7f4ff5e266ef2e949af7eb2a2120ec6d19a75159

SHA256
8dbd4fee2e3de0d2f74fb4dc6f12c5e686abaa7df352d35fb77eef21d48c82e4

SHA512
d46a15b1b83772f7ec0dcd49ea19d4f78191637d6b1b849fc49c1e79f20da15bd74e9910d6a6f420a1f30f180c26255c9cc4074858516469d23303a8a16b455a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json

Filesize
1KB

MD5
887620b6149a74e186209dfa35909ceb

SHA1
2e152ad971644bec031a70da5e8d70c2bfa496ab

SHA256
839c5cf567fbf2279c45f8ce6f14bb741ddb2d70140852f306c8597a7789452d

SHA512
ace3312755a50f46717b1ce565b6845cb979f410705ca4edb1895a54953366ecbcb98ef0f19de2fdf380a17347faf9d4ec27af730626d1078b6e2458170f56cd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat

Filesize
10.2MB

MD5
6a59a83f0ffd1944c024d1407392fd38

SHA1
2d499e698b63970b14b47fdc20d4094b8024df16

SHA256
dcd52c0ffbfc374bd9a9ec96129817a3489cda1fe6e6b7c947c0c6328b5e0478

SHA512
c3b9728d1c042820f471cf7c9b77d61d1d6686a5b0bb7784f44081eaae43353510aacf6079a9a2f18c44850c719f7f6c4930677999420b6f9c1901e9629f70bf

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version

Filesize
490B

MD5
87270eff83fc223b986dd55f16e69e52

SHA1
a6e1ca4272b276640868c7318be5194cb4589591

SHA256
b9eb9c930bfd0036b96a2eaf8e055acb8abd3f40b55bcdddd5b3286673782664

SHA512
0040d900b2dbc210e190b6c84d8113e4c04e1311d55858bb19200dbf3be02bed3b2e230d8a23a35d9dab125eebeb0e86ce61138c40f942c5a46d4034a7daff07

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json

Filesize
1KB

MD5
c51d2fa67666e1cc853d1aa4857b3780

SHA1
6d28051b3da82af9274bee8b88ab5080001d19de

SHA256
3f23211f7330f7264b2c844242357af758bcdbda7e4327790d2b7df38a721cf0

SHA512
68d9a60121df85eb5ccc2799897dfdb435dd0d37d6ee221913fa58b21c14b4a3fab4a16d277da2d8cb318690b9f388ea73910b9851794c53c71abe3a335757b0

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version

Filesize
490B

MD5
4fdc50841393d694d176901ae3f34f9e

SHA1
0d7e2afdfe738d87a6724594a4861d614cf551dc

SHA256
693ac69856e7aa35468c39c213693c9f823ec151824907d9a414044e513180e2

SHA512
a861366baa86256855609872d3860eca8de22c44225cbfa7a10723f6df1d856e597014cb61ecb3e8e00735612378e8046b93e3388987017b2786bfe26ab12093

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version

Filesize
488B

MD5
42b37668e516b28fb549c77cd15c2ed4

SHA1
7d0e8c3a80b92dc52a6e61d18404f26752cc469b

SHA256
dfce75f9c0e8d5e2173fb898a0647ea86c65ad18792f761261d49ccad6546779

SHA512
d57d2284f080012ef3f1c942cd4758933a6582874c581f1cb4786cddadac695bef5c11206cb50be4d1aa6555e68e4e9f6c30de0177be1ae9505725fe14ab1c26

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json

Filesize
524B

MD5
9a864b1e540ebf1fd5b358ec996978cb

SHA1
170d856233326197e3efc18b4844d76c2717d236

SHA256
e7ca3888f8cf64e7f0f0353d5242cf1a05c131fdd43315195e0b9d32c004356f

SHA512
b8fe68d27edf8909e3b7a5dce224826e3c05ef5fb4eee982d2d961220b1b75d78cc28cc6d63647c6e1f378613ac9cb521cd36806d2d5d0990115f1f10355b034

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json

Filesize
667B

MD5
e898d566548fcdcce4496ce7c7162799

SHA1
c24ac16a7ad5ceabf7b35620df0af45f16a1ff73

SHA256
3d5ee0c0c972720b8a8e2aad75980050ec574fa68a841d98fb45f67ff867ecda

SHA512
527173e7b62584ef4873a3e1c67e1b4d233a735f4ca9c2e5ab35e0a34f2ecaf5f72d99d336c94ba1de21c0acb30e59ae674f5bd6aaec90779549049673ed3663

Download Submit
C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag

Filesize
950B

MD5
17ada46034366332cb1c15c9b1f249a7

SHA1
16e594d285d7bad4721c7893ed95e82f33a9ce7b

SHA256
71453900d0ebbfaedc42f8602897b1bef9e6ef588c3f39d3d09c8454f385e10b

SHA512
bb13ce8184b5f1c4679fe379e35a30fbf1c8991dd2c637578d9e76b9e973b5d0dc605630cc1d677f3c6f80c95a25c7d6dd3253977f4df5ff239e18fee1b3f211

Download Submit
C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag

Filesize
947B

MD5
bb8f7a69e55baf08e06d441ceab81a70

SHA1
00279f301f07ed5235e7131abc3e6bc29fb9c145

SHA256
921f55ca7baed2f257837707620d40bdd52c47bd2306a3d408bc96275575e1f9

SHA512
b57ba9049cd4fdea1303a9587b0300c1a2540816bd9faa6a975deb0059f90340a87c1dd07a36708aa625a1293250c70767bd43d632398ba0c64ec511acea70f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
212B

MD5
4244a117d7d40e245b3e2ea50e759f0e

SHA1
d5a1544e907c895ee5278e7a6df56f61f9e334e9

SHA256
a693868e5ee3195ddadc0c662923ceee204deb967bc3b64de85756c5ace230b1

SHA512
faeeaed786c29f9e5e8c22ee1086591a4cbe0ad106255b40a5fa4854b0a39ccc1cdbd4657a4f20633796187d0e5e603a3843bb83be5193a7a42d559ece0974d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\73732abd-8de7-4c34-a815-c5bb1fca3855.dmp

Filesize
3.6MB

MD5
55dd588bd31aae97a7486fee780199bf

SHA1
addd286bc9fd62dee39d672c8f45fb79402a066f

SHA256
bb767e66c29cce1f8d1fe31849952578c14985a6d391c43f0fa13ad403e177b1

SHA512
77cb60d6b283339ee35ebf577459e0d24becb3976fa865f33991723d8f9bace9c380cc896b5e5647d3183378816a9370403b90d33fdc8bda99944f38f9c224ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\9bdf36c0-01bd-410b-b026-46900e237034.dmp

Filesize
6.9MB

MD5
1e7242c2cb8bc5748c57f8aa82886935

SHA1
f2130351413e06910620982362e8e98857c2df21

SHA256
5c2fac211639da6d621d0ca17a8cd94952781edc7abbc63451505a52e008f197

SHA512
93f6ec0bbe64b784bdfc348248426a375e88cfd0c39416d501d5412cf0ab6dbea7b28f13e01c1746f123a24887dde24ad3edd5e5ed18e83f2fd234f78ad8d2bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
913cd25b0de81960e841c81a7bee8b19

SHA1
2c4bf2a4de37c06bea3e39898c9a98ee611b5455

SHA256
b01953744098bc035aee2a21976607df9352ca42abc3e01d769e2ceee1c9bd5f

SHA512
e5a879cdd1f83d6b6ee13117924522c967e2413c29722b5507b632514e28a0defbbcc942e7176f819e05df7bef37ca5133ba5efeb67a91c34b3736eec05ac8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de0e1d3019517b3b005d7731bbb8a355

SHA1
ddf1f15c241f72585595cd30de12c4c3ce4e2f97

SHA256
4ceef5b8daa774c456edd70e46668746b8fa086bb9515ed5975e6737e40dc3f0

SHA512
84f7a069fd6f0713fdb9d35f17839b8755671047be477e49102f5777e8ebeeaa6421d3816727dd37f1241f4653c063fb0823ae7bab1d3001635c5075c2ba464d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
611f33210befc38b884b8a1f05a55a4d

SHA1
a952f7683a98e902dd4a94826819ab009ee40a14

SHA256
bd35583693149a51fcead9edbb01ca906ef321d1ba6a16c5df1e13a97c3426d6

SHA512
ffce86ba7a7b4adbca049321fda6e5ced82e5ed2b8bda664f94757f0ddeeaab8de1a43baf75e1a2db5e941b56ed65c28f357e25e959e3472940183de9169730f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b9ca2f9cb6bf2dc8e2a30ba4b0e0e50

SHA1
f58fc65dee7e54f6dd73b7d764ddbc797989aabe

SHA256
cb15bf56563b4d7c14de2e60f8267cb3a801529cd39b846a6926e7a1b5e2d1b7

SHA512
ace9f5938acc953b53e8f735050ec4d4ab65d8751f3cbd4cfa69a00ed5c6c5f9058d16f9b3d9823499a696d78ca32f42a57aaf058170827f98ff26e17f7146d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0248da7e5ae822ed92a42a7e200720b7

SHA1
56aca130dea741887c2ad4d3cbe1a3d72a360d2b

SHA256
78ba8d1a6fb8032e94d596598a30838436f04fa2a92244f56759515f8f4a590d

SHA512
6fe62aef77a9ca00af3253af2e981e87b88c74ffbcee435871e49df9757c68320da5eae6a82bccdb614789a4a1cc39e43ebc4c768213a5fbc5a42c539f23d3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
cc420cc45f686797b102b94f6bfda2ee

SHA1
2b0b5d4848cc346c341cbd51d5fc6ce8a08910e7

SHA256
23f845e57c6718a65f93b97ac9c425d7abaad84f75e77e662c4df298305b9a19

SHA512
2410ec9ef56e8ad547219c4ffde2d02ab4fe8ea668c51f6519e224805770375427a4db95eab5e5f062ebdf36323c5bf03d1633508776fa553da2e8c408846092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
832b664db8c95c83ff39b95fac93bb5b

SHA1
9d244b3081440efd5dcb15c341b2e790e5af359c

SHA256
d1d1d00928970105a43609aa8e2516b41e9473ac285cb591fecaf74b69213487

SHA512
0d46d177ca250277b341f04e3e4565b048069a14993bd1d89d38d03ac8cc4b499dcb2c181bd86f12f903054923a3bb47787d229ee975d900dfd6297db22c246b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
38ea9ce2305b3344bf57121179110d46

SHA1
4942d59302552a2f315c1073b9b4c5c97439fd3e

SHA256
13e03556dccda1ca2025c29b07df526c484e5c712db9fb519d70c49a87c8665e

SHA512
8186983dabeab7410d5edfee60e2df015bd59cbd8ab5275434e2c325a040aaec3f52eea69dba6b8a7d91f01d5774afef88875447409747f3c80492d9943e40a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
c4ad034141094c168e909fa830fc7cf6

SHA1
e3c3f94d93effa9702d0868c43fdd09912c9d599

SHA256
e11810508811a599a6fce49e6d268c789096291cfa674e75cc71d55c68d53f35

SHA512
5b14545417581fb972009fa036f3dfd9683a4359fd7b5ef99ac654d6ded43e414e368fd2100afc79ff0f91bf830461728bf93d8de0eb12a5cb7f8a2785cc81a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
6ec57a9cb5be2bb98751f1ed1f8de0b9

SHA1
abd3558fdf62df4a5af6622ca109776ae21b8fe2

SHA256
471a997eecc1d0cc66ddd8229a2326bcb569588fa785ece9a67768569a4e8ef9

SHA512
b54e51e95537a4f56a5304720016767a92e1e5c2279e12e59f21c9d4e12a9703738c818cda19ebc0994d410501a782235653f18d4c77ac9b13cf26faf8a1d36c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
72a4388f319aa24995cc781ed4866acc

SHA1
bb391584f8ab97005181e882ded06fc06806eaba

SHA256
1c0eedb1eda5974efb01bb6d6ee7ae22617279efc05bf437002db91e334bb0d0

SHA512
c5d5f2dd9e8db0e4fa05375329093ee19c74f10722c85a8a270beb91052adc8f6fd0b57d7fbddc59cb8087cea7e4dbb157e62ff0a2ef43dc836331443648f010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
b9b443c95873a7a1d95348e20518d6d0

SHA1
979088684d8cd536aef6cd26117774e74f1b4251

SHA256
065f7798968071377d0b7eb316b5a98bef0229d8562559073634067f2742ab86

SHA512
6a63b04c4f89c8f4143a1736856c331cfb4b36ac3c81c87eaf7ca7cc731cc9a589df20c665360c94ead2952549e271d759327a34e491ff383440e90789aad089

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SE2RMYWN\microsoft.windows[1].xml

Filesize
97B

MD5
df775ec08e3b2f98b7d703e8a14de95b

SHA1
23b304545f8841f80abbf6c6e1f6377ab0f941b3

SHA256
605aa6fcbb6c3108b13cc4ee8f688cf33dfc64488bf679cb029d28d217d1dcef

SHA512
862231e55f5cc642ac26759511b0918551bf2b466b293acfd8c7b1880bac5357afbd0c4b5074a69ba36c637d21d1d4e0f28edb3da99e079c68fe140e80207059

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SE2RMYWN\microsoft.windows[1].xml

Filesize
97B

MD5
168c4e8e0d8bc89e456f28a335a500e7

SHA1
fa6f5f5520fc160331fc860944112c207a1c0026

SHA256
70e1c581217d386bd11fd632597ddf89c8369081752bb2cada2cf9b5a4a17de9

SHA512
30f9822c2891a259c80d1a895ca55f25fdcd713288c719045c980b9c8a804b0ad2bf3039a79405f92bf8f32e7c2d54ebee7844aeb57a3d6da66d03138a73ee60

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1cebec39-0fcd-411f-a7f9-707f143161aa}\Apps.ft

Filesize
41KB

MD5
e6f9b15b057ddb6b393ab96fbc8ec829

SHA1
1e4634edcd7b881dce18b9b32023cf9c91cb7672

SHA256
6942ee5dcf852e5f758e4f61fd648258984fc87807678ab6f7a0a9d91025ee22

SHA512
069c7e1060a3b77f20514ae86b30008c51e829463b0cba729d3509442adfa806d947eccd7c881987fd8e57c1975953bd8c5c9e84fcb632f7d169dd8a85a49ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1cebec39-0fcd-411f-a7f9-707f143161aa}\Apps.index

Filesize
1.0MB

MD5
1f3e645756c2f3555b7d5dc4b7adee6b

SHA1
84795961c142b3ca5d14c52550db8c15894698e6

SHA256
51cb67238535f53440964a9ea4bbe62d71f16d1f3bf09060c6eef965b7b966e1

SHA512
ae780bcdd789f2094a7b1fe051f583b8439e4f2d5b9fb3f887214d27c0c997bd74629d2cc846146f059be4f81cddecccc0fd0e6b8c24fca38a14be7877023da0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1965f5af-1752-4300-8cd8-d4330f444d18}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{db2331ac-6967-4a72-b0f0-1ef1fc30ed34}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{db2331ac-6967-4a72-b0f0-1ef1fc30ed34}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133798318036620859.txt

Filesize
78KB

MD5
2958a9fdee6e08bcfa79bb609f31ab4c

SHA1
892132a7d04dbf5998ad7dd39d4c91da26ecc457

SHA256
87aca38abb46148611af9e83dcdd07feb8c0774e15f0b78b74dfd4aa52e38c33

SHA512
145ba2a552ddfb7d22d6c5276930b2569b67fc1d38949e1b704f87a9bf7ca12187fb972d3aa5c7b98e075aa9430b3a52d61f21b7d068a9b11036990fb3bf2c1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133798318827258227.txt

Filesize
3KB

MD5
6c7c5879f1c75b60ca6fe7048fdf88b6

SHA1
e3faf0e19132003dfc8617a40933f760ec6b64c4

SHA256
5391afca6e19b795f4790c36b762d967859b8dcab7f34f40cd3e9d02fb8ab74c

SHA512
23a865f4b8d9b04b85d85c7e81a24ca6e28b12ad74acc9256ac564b437adeb0c64cb5fdfc723dde91f38a6c9363e63350791eba9d9217d67b9b387ea8ec209bb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt

Filesize
689KB

MD5
2dee0ab82c5db228dee2de2fe0d82eb3

SHA1
c6231ad00bd775537fb422a86bfe2b5754e9b91d

SHA256
0e01a47917642eac553b6d0feb6e97b398f7af84c5ffc74ba35ca66d7a341d39

SHA512
c46ae09aab1f240ba384044ef46240a4cb02b6144b0403d690ff7ddcf79acc67da345c98254ef5436a4008fb419c889af43489fedf86e8ba822128365f30763f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
2KB

MD5
f2805ec70edb1e10640ca9a28e442fdc

SHA1
65f0b42a2f8e339a14678a6681c4e01d599ee123

SHA256
d7488e53ca2f9ab250b6ac681157d155a8087657843ba8fc1367aa7418bc0eba

SHA512
59cbec88509926a6056a6b41ada64ebc3e8b04405a06d7094af21233e26cadaedf433b8ada3d8ba3f59b94ce630bff1696b4e34b9158527cfc793c92c2fedc54

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
2KB

MD5
ff4e095e5951292fdce6b425ce6ee15e

SHA1
63da64f6570126c5b22181f2b7074fa1fa29333b

SHA256
3ea655cae84d99f1d7d4156f634f6400ee3cd405dc11588dfa7ae7b5251fbeae

SHA512
463360590a4beaffc25898710843da04f6311aef70bb65f05da401ed35775b2c2f864d4cd6e88789554f5a9060c14e624e7a3caec2530f82b35749aa175328fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
2KB

MD5
6047945d328a992384d9d33bbb87d485

SHA1
9d3d17e5131e44ad8ff56e33d0066a4eda94feed

SHA256
ed6b667a6e58b81f65575435622e6402e850fa5595e5e443087630be6d3bb20c

SHA512
f87d2ed5cd0db4537a6a499efb9e3e39bd73316b27c2fdb74cda8a24c5e1ba5c4044df2ba369fe062c880b50d36307602bc7ceb6386b8dde3c1addabee5e1efd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
3KB

MD5
e0869430298ac3970b13e5e43f33c401

SHA1
4a01e211fb45a9e7f3c6a5ba6a9e3b61aebb7f96

SHA256
85487b0886f6ac21bb1df210edd105b73dfe5c732060153c9b96f56428ac19da

SHA512
0a55800f9e160d3c100ccaeab0eb53e35478a26fbc00c8dfc4398d54e04a157fe6147056dd10113218db861155af9c790a9f160d0ee8f21f1dffec17ed982db9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
5KB

MD5
3ce11d956421430c7783cce07a7e7bd0

SHA1
28fe98959024d7c668c982d349dfd91ebbfa480e

SHA256
600086cfe8837e549586f1afb18016a9cbc4e3d3d45f1b1bfb1fd976796d99a8

SHA512
0549749e629bfe0c449baaa8a82bbb254fc8a74531b9cbad23536759055beb78a79223f03d429afbbda89b682610e6e4a416b7d982829f60232679c344e96cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b50923b40561167474b092afad6766ff

SHA1
c796a92e20b5180edda8cdcc5573d78c71fa9a61

SHA256
9d7de190c4e47f8f5ad6fb39623a8a238cba290b8adb812fd9bcacf80f7caaf4

SHA512
e2d025ff7a765947a7f62eccdf282cf722b6bfbe9e90f0c7c9b2c7b312c3460ff47d5c5b3e3b98b44cdb7d1f455a0bf21712e8cbb6188b78a3ddc40499330c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e9f7f490ec635a6870693dabe344353c

SHA1
e448e29ebefcbb27773b06392039d277a5ecfb26

SHA256
f32b0515518de70348223d2bd94774f76ece86e3609f107f5117f6079442aa18

SHA512
1fa9d89a6c0e0acf8aa9dfd9920c3cafc50387844fed9afb3d8211009df7efe683ed2a084fea6adcc9c3ab809e5e15f94e56a2e834bea504f81dc2e70b9c9ce2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
14KB

MD5
2257fa8cef64a74c33655bd5f74ef5e5

SHA1
b9f8baf96166f99cb1983563e632e6e69984ad5c

SHA256
ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3

SHA512
7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 780709.crdownload

Filesize
3.7MB

MD5
d659325ea3491708820a2beffe9362b8

SHA1
6e7f725401c33332beb2383a6802a7e4b2db30a9

SHA256
09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138

SHA512
958f4a72530703131be2f25dc906ab7fc8ee174e9cbd13f9c976af7e986593b56a768e0413e6a85d06f2bdc057ac7d9617f6c25cbf8f13cc2f8348bcf441eeb5

Download Submit
memory/3564-9755-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4132-9360-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9349-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9361-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9351-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9359-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9358-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9357-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9356-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9355-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4132-9350-0x000001B6D5D00000-0x000001B6D5D01000-memory.dmp

Filesize
4KB

Download
memory/4176-9362-0x00000193BD140000-0x00000193BEA70000-memory.dmp

Filesize
25.2MB

Download
memory/4176-9179-0x0000019BC0BB0000-0x0000019BC0BD0000-memory.dmp

Filesize
128KB

Download
memory/4176-9423-0x00000193BD140000-0x00000193BEA70000-memory.dmp

Filesize
25.2MB

Download
memory/4176-9180-0x0000019BC0860000-0x0000019BC0880000-memory.dmp

Filesize
128KB

Download
memory/4176-9556-0x00000193BD140000-0x00000193BEA70000-memory.dmp

Filesize
25.2MB

Download
memory/4176-9158-0x0000019BC0840000-0x0000019BC0860000-memory.dmp

Filesize
128KB

Download
memory/4176-9147-0x0000019BBEE20000-0x0000019BBEF20000-memory.dmp

Filesize
1024KB

Download
memory/4176-9149-0x0000019BBEE20000-0x0000019BBEF20000-memory.dmp

Filesize
1024KB

Download
memory/4176-9194-0x0000019BD38B0000-0x0000019BD39B0000-memory.dmp

Filesize
1024KB

Download
memory/5284-9060-0x0000020BE4930000-0x0000020BE4950000-memory.dmp

Filesize
128KB

Download
memory/5284-9061-0x0000020BE4680000-0x0000020BE46A0000-memory.dmp

Filesize
128KB

Download
memory/5284-9043-0x0000020BE4660000-0x0000020BE4680000-memory.dmp

Filesize
128KB

Download
memory/5284-9135-0x00000203E1200000-0x00000203E2B30000-memory.dmp

Filesize
25.2MB

Download
memory/5284-9075-0x0000020BF6A50000-0x0000020BF6B50000-memory.dmp

Filesize
1024KB

Download
memory/5404-9775-0x0000025E793C0000-0x0000025E793E0000-memory.dmp

Filesize
128KB

Download
memory/5404-9790-0x0000025E79800000-0x0000025E79820000-memory.dmp

Filesize
128KB

Download
memory/5404-9808-0x0000025E7BDD0000-0x0000025E7BED0000-memory.dmp

Filesize
1024KB

Download
memory/5404-9793-0x0000025E793E0000-0x0000025E79400000-memory.dmp

Filesize
128KB

Download
memory/5404-9757-0x0000025E78700000-0x0000025E78800000-memory.dmp

Filesize
1024KB

Download
memory/5404-9897-0x0000025676A00000-0x0000025678330000-memory.dmp

Filesize
25.2MB

Download
memory/5404-9900-0x0000025676A00000-0x0000025678330000-memory.dmp

Filesize
25.2MB

Download
memory/5552-9020-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/6072-9145-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download