Overview

overview

10

Static

static

1

21a7fba68d...44.ps1

windows7-x64

5

21a7fba68d...44.ps1

windows10-2004-x64

10

Resubmissions

10-01-2025 13:36

250110-qwg51sxphm 10

10-01-2025 12:58

250110-p7ryxsxjfr 10

Analysis

  • max time kernel
    129s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21a7fba68d5abd4c3837521c2e86a03454e98a4f9517fa83ff00c47fb3c4cd44.ps1

  • Size

    1.1MB

  • MD5

    21d9746b4d1970e0e38ce62e2f36270e

  • SHA1

    126d0de73b2c8e9276806a02e5c2ee3d1f1a7e7d

  • SHA256

    21a7fba68d5abd4c3837521c2e86a03454e98a4f9517fa83ff00c47fb3c4cd44

  • SHA512

    4045eca5e5f4f97f530837692256554e3687aafbebd58b53f7bd6f02de3d0c4a3c8c7efbd3edc45971076b435192937f227f6a7a6e67916ff628397bef4b4992

  • SSDEEP

    24576:XIJElvW93GPtN3jQeiKAsaLQG0Q0uidX/V:4Q15

Score
10/10
lockbitdefense_evasiondiscoveryexecutionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\teViazD4k.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe. Tor Browser Links: http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion Links for normal browser: http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us and decrypt one file for free on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from you. If you need a unique ID for correspondence with us that no one will know about, tell it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link available only to you (available during a ddos attack): http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion Tor Browser Links for chat (sometimes unavailable due to ddos attacks): http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Your personal ID: 0FADF2D6517D3F4B97BF44EEB1CFA28F <<<<< >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They won't help and will only make things worse for you. In 3 years not a single member of our group has been caught by the police, we are top notch hackers and we never leave a trail of crime. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there is no guarantee to decrypt your files and remove stolen files, this is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it is a matter of our reputation, we make hundreds of millions of dollars and are not going to lose our revenue because of your files. It is very beneficial for the police and FBI to let everyone on the planet know about your data leak because then your state will get the fines budgeted for you due to GDPR and other similar laws. The fines will be used to fund the police and the FBI, they will eat more sweet coffee donuts and get fatter and fatter. The police and the FBI don't care what losses you suffer as a result of our attack, and we will help you get rid of all your problems for a modest sum of money. Along with this you should know that it is not necessarily your company that has to pay the ransom and not necessarily from your bank account, it can be done by an unidentified person, such as any philanthropist who loves your company, for example, Elon Musk, so the police will not do anything to you if someone pays the ransom for you. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI will not be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI will not protect you from repeated attacks. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. >>>>> What are the dangers of leaking your company's data. First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed. Read more about the GDRP legislation:: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr.eu/what-is-gdpr/ https://gdpr-info.eu/ >>>>> Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars. >>>> Very important! For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction. >>>>> If you do not pay the ransom, we will attack your company again in the future.
URLs

http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion

http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion

http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly

http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly

http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • Renames multiple (120) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 19 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 38 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 35 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\21a7fba68d5abd4c3837521c2e86a03454e98a4f9517fa83ff00c47fb3c4cd44.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\21a7fba68d5abd4c3837521c2e86a03454e98a4f9517fa83ff00c47fb3c4cd44.ps1
      2⤵
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:716
      • C:\ProgramData\B7E6.tmp
        "C:\ProgramData\B7E6.tmp"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:4292
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B7E6.tmp >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3340
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1700
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\be769c0213144ef4a2d241e2ebf7fa4b /t 3360 /p 3356
    1⤵
      PID:3532
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3584
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3932
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4240
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4264
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4128
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:3928
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3064
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3148
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3988
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:860
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4924
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1364
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4436
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies registry class
      PID:2584
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\teViazD4k.README.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:3784
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4156
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4768
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      PID:1336
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1412
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3316
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4076
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2300
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5096
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:400
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3736
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3704
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:2620
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2800
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5024
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:2032
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3092
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3228
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:632
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4176
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3340
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      PID:4520
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3444
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4928
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      PID:376
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2156
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:448
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:976
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4364
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3360
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2808
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4044
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:208
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4244
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      PID:2160
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4448
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2484
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:1244
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4092
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4928
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1592
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:1648
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:4428
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:1652
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:4144
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:4452
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4188
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:3412
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:5004
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                          PID:3880
                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                          1⤵
                            PID:4428
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:1160
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:1876
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                  PID:1220
                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                  1⤵
                                    PID:3764
                                  • C:\Windows\explorer.exe
                                    explorer.exe
                                    1⤵
                                      PID:1648
                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                      1⤵
                                        PID:2292
                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                        1⤵
                                          PID:4920
                                        • C:\Windows\explorer.exe
                                          explorer.exe
                                          1⤵
                                            PID:2212
                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                            1⤵
                                              PID:4340
                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                              1⤵
                                                PID:2252
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                  PID:3380
                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                  1⤵
                                                    PID:4608
                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                    1⤵
                                                      PID:1308
                                                    • C:\Windows\explorer.exe
                                                      explorer.exe
                                                      1⤵
                                                        PID:1336
                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                        1⤵
                                                          PID:3772
                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                          1⤵
                                                            PID:2076
                                                          • C:\Windows\explorer.exe
                                                            explorer.exe
                                                            1⤵
                                                              PID:884
                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                              1⤵
                                                                PID:2484
                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                1⤵
                                                                  PID:2220
                                                                • C:\Windows\explorer.exe
                                                                  explorer.exe
                                                                  1⤵
                                                                    PID:5032
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                    1⤵
                                                                      PID:4272
                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                      1⤵
                                                                        PID:3128
                                                                      • C:\Windows\explorer.exe
                                                                        explorer.exe
                                                                        1⤵
                                                                          PID:3756
                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                          1⤵
                                                                            PID:3256
                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                            1⤵
                                                                              PID:3300
                                                                            • C:\Windows\explorer.exe
                                                                              explorer.exe
                                                                              1⤵
                                                                                PID:4600
                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                1⤵
                                                                                  PID:2032
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                  1⤵
                                                                                    PID:1308
                                                                                  • C:\Windows\explorer.exe
                                                                                    explorer.exe
                                                                                    1⤵
                                                                                      PID:5000
                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                      1⤵
                                                                                        PID:4756
                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                        1⤵
                                                                                          PID:1484
                                                                                        • C:\Windows\explorer.exe
                                                                                          explorer.exe
                                                                                          1⤵
                                                                                            PID:4984
                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                            1⤵
                                                                                              PID:60

                                                                                            Network

                                                                                            MITRE ATT&CK Enterprise v15

                                                                                            Replay Monitor

                                                                                            Loading Replay Monitor...

                                                                                            Downloads

                                                                                            • C:\ProgramData\B7E6.tmp
                                                                                              Filesize

                                                                                              14KB

                                                                                              MD5

                                                                                              294e9f64cb1642dd89229fff0592856b

                                                                                              SHA1

                                                                                              97b148c27f3da29ba7b18d6aee8a0db9102f47c9

                                                                                              SHA256

                                                                                              917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

                                                                                              SHA512

                                                                                              b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\APPROVECOMPRESS.GIF.TEVIAZD4K
                                                                                              Filesize

                                                                                              569KB

                                                                                              MD5

                                                                                              4fcc5d12e923bdb84dc22ac112c6504b

                                                                                              SHA1

                                                                                              32542bc3300c9b0950a7d7853844b8ffabc9e53e

                                                                                              SHA256

                                                                                              680294340db6c0c54d4e7ec00cf9befc0d5f4e1b4452823e3db6a27b71edb372

                                                                                              SHA512

                                                                                              aa10e2a667d6ad9531b517635f4060e786bd1d4c9d6e40b7561368bf7afc6347c4714e6ea2c182125aff20fd246577b0fe589156c2bee9f06b2a492c3d18c670

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\BLOCKHIDE.PPSX.TEVIAZD4K
                                                                                              Filesize

                                                                                              392KB

                                                                                              MD5

                                                                                              98d2ade5f31b2975a3202a1f621f4a95

                                                                                              SHA1

                                                                                              ee5c7d0f7d3739ed3ca4e450b2a3bf699dbe7ba0

                                                                                              SHA256

                                                                                              ac5007c91f9daa9db14a6f4402c91763a66bf6fd4e16841e0411940297ff063b

                                                                                              SHA512

                                                                                              c412664f0003ce5ebb830384a412af0f2e7a332e13146eb05ee15ad8b9ef0d980ce3e8ce4a0f007f8530b58c5f43d79047ea409adcc0647eb8f3d68011bd379b

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\CHECKPOINTWATCH.POTX.TEVIAZD4K
                                                                                              Filesize

                                                                                              518KB

                                                                                              MD5

                                                                                              c1ab2f0fc1cc2831225c974954bcbca0

                                                                                              SHA1

                                                                                              87e6dd03304e5fb20b39b801687c21e4e8f1dc13

                                                                                              SHA256

                                                                                              06d81fa5628bbb7619184daeef7e696f9bd2e39d55c39768b78ecc64067bc4a5

                                                                                              SHA512

                                                                                              67f9ede9e235b9470943203d2be870200e199e88ef9bec71547530db867fe642517a716e17d6267327a19ab5215864ffdf85975b2f0441a6c824fcecbf50ccae

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\COPYOPEN.OGG.TEVIAZD4K
                                                                                              Filesize

                                                                                              771KB

                                                                                              MD5

                                                                                              8c34dc878047231d61e543481e8196e2

                                                                                              SHA1

                                                                                              2b95eecdaec991cecbc42121a26fd87d8bfad206

                                                                                              SHA256

                                                                                              67feac4b19d8aee62ffe2eb8f952995394bcc204477ee6581be47681ed245e58

                                                                                              SHA512

                                                                                              4dde90e1a8b3907bf31705c0516b940f9e2afb3c8a1efd3d4daa78c296b7307fae1b61d8bf454f3a223ed3df50583c4d082d5130276a4a804d89636e3f9d01d5

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\COPYSKIP.XLS.TEVIAZD4K
                                                                                              Filesize

                                                                                              973KB

                                                                                              MD5

                                                                                              be9e3d41653025c62d7626285b0654cf

                                                                                              SHA1

                                                                                              671c4fbcde16408fbe56a5fc970fb58c124fa361

                                                                                              SHA256

                                                                                              d099a72b2d414ebdf503177d9b5273e57d4de38ddbf943930bca700b6ba9af01

                                                                                              SHA512

                                                                                              efc890d5137441748d894ce1caf1de900ebce30e4b8a9d4f34ec241fdfa90f0e2f7fc6528218848a496b96ed8fa670f5bc0fcfc4a69794d9e13fe9e9409099e3

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\EDITDISMOUNT.MPEG2.TEVIAZD4K
                                                                                              Filesize

                                                                                              468KB

                                                                                              MD5

                                                                                              f8db5830f6b6cf336e7a6580cdf7cb4c

                                                                                              SHA1

                                                                                              f263b334f076b91785459c243c2e39b6a20ddbff

                                                                                              SHA256

                                                                                              74ea49b1dd94cfa8ea9279876299d38897de34b702119d8a6f03f002c864a4a9

                                                                                              SHA512

                                                                                              038c7f1b58e664339cdceabf40617af9a7fa470beae70b4592f59597231fba086214387e8f2dfe8f636db0ea61a51e535300777d3c959421e4eff3c89c5c4afa

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\EDITINITIALIZE.POTX.TEVIAZD4K
                                                                                              Filesize

                                                                                              442KB

                                                                                              MD5

                                                                                              0054ebdb3f478b58fa56404a6c5aeeb1

                                                                                              SHA1

                                                                                              0ed075d2073eb9b9a825f63a85adc7118d7daf7e

                                                                                              SHA256

                                                                                              14f3e61abad2f47091ef1481e7a34328e135ba4702eb37c44777b95fd7680873

                                                                                              SHA512

                                                                                              389b62a5d9303a7f79cba559f8b65dfc8e246da8752d7b66e8fb4f7845f836fae8e307fb7dc46587f57745d63d266b4bd5a6a657272f0c3792073088d37a7d20

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\ENABLEBACKUP.MPEG.TEVIAZD4K
                                                                                              Filesize

                                                                                              644KB

                                                                                              MD5

                                                                                              0977e0b55fd123c745957fd260ef9c2b

                                                                                              SHA1

                                                                                              48bf9f08235a916d1f083fe3920a0292b8f8bf52

                                                                                              SHA256

                                                                                              c9017ec745993660bfe6863e0afa369194c5eb48e5f1b06d72ce565911876a68

                                                                                              SHA512

                                                                                              385453b39c557dc70e11ba949276ea9918fe89eb0454b527d826a6aa88e9546069d8a6c65c998b329ae3e99c1c9159ba779780cef50aa6cdd5a0e0e7b0426db8

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\ENTEROPTIMIZE.INI.TEVIAZD4K
                                                                                              Filesize

                                                                                              695KB

                                                                                              MD5

                                                                                              7e16223382b8053f20b04964b1cc62f6

                                                                                              SHA1

                                                                                              b47798fc9439b3bf52da094196f64ec432ef5244

                                                                                              SHA256

                                                                                              f30b4f8549b33847a0357f98304cde608422bdc29b397515eabfc653b19833c6

                                                                                              SHA512

                                                                                              e691aa464c5df4c2fed2922e542da0def8668ba655dd487e85e11ea34f3bee2357c1dc5ed95bbc723214732e61beadf2fe46034e5164dc5e8a7dd4f85cba8b21

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\HIDEUNDO.TXT.TEVIAZD4K
                                                                                              Filesize

                                                                                              619KB

                                                                                              MD5

                                                                                              b3fed26834e356cf9c17da034949d911

                                                                                              SHA1

                                                                                              c2dbe6e45620e7ea0c475479d754a3efc0c213e5

                                                                                              SHA256

                                                                                              4f873f5a3a767f7337a824aa196505ff30417ea5bd76c1efd8deafe93f098dca

                                                                                              SHA512

                                                                                              df8a01988fa32f1f8f39a4a1fe3ca7358c85e2d67e79ee1ceb34797d323c0bbe4b2dc38bd39f612a368cf29e399918566ff396a01608c204caea3ce2b0793965

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\IMPORTSEND.JTX.TEVIAZD4K
                                                                                              Filesize

                                                                                              543KB

                                                                                              MD5

                                                                                              0449aa5e57c4de6588ccd6622c9c43ba

                                                                                              SHA1

                                                                                              ff655fac3ab20be83a40276d89fe027e301229be

                                                                                              SHA256

                                                                                              5c31f515a9eab02ed0d0bab6db8044faaf0dfe6f49b2659c2ca28bedeb5b6dac

                                                                                              SHA512

                                                                                              f18fa40c12b1ecfc9f4e8524b09e39844d11ecad19f730c54f423ad88ea934e365c10447f9cf094fdf61671aeb76fffa403f34308460fabfeeb10446342acf9e

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\JOINUPDATE.XLSX.TEVIAZD4K
                                                                                              Filesize

                                                                                              11KB

                                                                                              MD5

                                                                                              72510a14eebee112f54be040f335ffd3

                                                                                              SHA1

                                                                                              b110f80c55bba08d37cffeb7a6f7654ab350c98d

                                                                                              SHA256

                                                                                              6c85a80fd4d21e23e3dd6004fb7bfab06da017fdbbe214f5bf6eac78b959d2eb

                                                                                              SHA512

                                                                                              cd5cf4ab96be55ebcea22088b90e26fda5bf381ccc1c65ff14969e791adff4cdd21e4e7f9e1c2f2ec86f0eff03286f42e7e7b18a6711341d57050f8a796a5e52

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\LOCKCONVERTTO.TIFF.TEVIAZD4K
                                                                                              Filesize

                                                                                              796KB

                                                                                              MD5

                                                                                              1a3be294bfbe968adab98a29cb8d25e2

                                                                                              SHA1

                                                                                              35cb658dd4d2ff5a93bfdd2a8bf1d83dd4312565

                                                                                              SHA256

                                                                                              5402722d87a3621e9e87dca5b4043dc660b9039f42340b2281084979caf6f98d

                                                                                              SHA512

                                                                                              5796009327f600d2adef6f020f3332e251a7533af7ecf5cf35025029cb8bc632f8919791edf1c94e43e92b9b8da78f97f8cd0a2f9385877fe27a987dc6804736

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\MERGENEW.DOCX.TEVIAZD4K
                                                                                              Filesize

                                                                                              20KB

                                                                                              MD5

                                                                                              c634de24e7f4296f5ac3644fd85565bc

                                                                                              SHA1

                                                                                              7b3f5170b986393aa1d8e284a5157eed8d17caf7

                                                                                              SHA256

                                                                                              f4374e3d5d6a24b07fa8db849a423f364b4189b727fd6ba920b7aa90bca52ca8

                                                                                              SHA512

                                                                                              b55b0834ec365cd1569e989fc1953c1e4a727ed3f14d147218e254c8cf40dfcd14d8ff72f946f436e7e5432a7dfc7d77d7d5a3dab51cf5fde7683773b5d06e34

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\MERGEOUT.ASF.TEVIAZD4K
                                                                                              Filesize

                                                                                              417KB

                                                                                              MD5

                                                                                              e134f0c083415e17de74fbea2a86f323

                                                                                              SHA1

                                                                                              8829d3d8cbebbd2edae901fbd4c3ec33f1ef7236

                                                                                              SHA256

                                                                                              07b8bd69ac5e3356916b83ecedb899a6d42d60fde7211c4dd34ce0efd8502976

                                                                                              SHA512

                                                                                              f6827ab391751806bec42d14aba8833208a86c326b43fc8fbaf6331b592c6a961111dbd4ba2d107a1c2fc2a4d5ae1e4bf370e94819d31a56f8ff84f7c3de4086

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\MERGEREDO.I64.TEVIAZD4K
                                                                                              Filesize

                                                                                              847KB

                                                                                              MD5

                                                                                              263f4a3fb271d4a4f11c5cb911634bdf

                                                                                              SHA1

                                                                                              120e7914e98602e45041397818f286774f5120b2

                                                                                              SHA256

                                                                                              afaa7a1f7386b8de963ddb07da3d02670f26399a77dbd19f03f23dc3bb206c72

                                                                                              SHA512

                                                                                              f938e8c77a0800711a106dd94d39393c3871cbfe76cd699ea989ce1e337ec541d466959433fe26c96f6fdf42d100aefd98a49e209a46bdb70718abbb1de253a3

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\OPENRESET.ODT.TEVIAZD4K
                                                                                              Filesize

                                                                                              720KB

                                                                                              MD5

                                                                                              3c48fb55f24ded47cdd306b4acba986a

                                                                                              SHA1

                                                                                              3c1524352aad2650f29d689917ce10e1f4b6d3b1

                                                                                              SHA256

                                                                                              04465a6c02b487448023877a5c10677cebff90aac54ab2de31a99dcd7c301c46

                                                                                              SHA512

                                                                                              481ee0e4a40a88fe9b7032c0b831cb5784cc782a9ed69c1d55dad2a8b6141a0e3f62699db7b5f07cbd230a580ab44cffbc2d43ad7c24a0d2e087379a321876cb

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\REQUESTCONFIRM.JPE.TEVIAZD4K
                                                                                              Filesize

                                                                                              872KB

                                                                                              MD5

                                                                                              f3178e85f3d484d7f4058539606b7d93

                                                                                              SHA1

                                                                                              c7ec00e7ef632d02be51af3615af511ce106e90c

                                                                                              SHA256

                                                                                              9244ea8b963aef35f3dacb36da486772db9217e222ce451bec47d26d3a2c6338

                                                                                              SHA512

                                                                                              0c070fcc34ac08114163c759b75ab5b551fc3f18d7d353a1c09a2e631b4c134a8638081806ab3e70dc9e0268d5b51989381ea8056114f7f348ef4b7b40968067

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\RESTOREDEBUG.JTX.TEVIAZD4K
                                                                                              Filesize

                                                                                              948KB

                                                                                              MD5

                                                                                              608d401a09404c02cdeb7784407c00a3

                                                                                              SHA1

                                                                                              b0a0f7b4ed9912c651f5486f82f3ad9574577745

                                                                                              SHA256

                                                                                              689e299f64b99c680b3e3b55587d6260a76da0ae6df0599f244e216ad432ae43

                                                                                              SHA512

                                                                                              0ba8a8dab61658b72cde4c2833bc264efce9c134da687cb0744eb7dcc73edf735492a9f8e41d3a7524a67c3fd44ea853549617558200ffdb2013ce543515eaa6

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\SPLITCOMPLETE.JFIF.TEVIAZD4K
                                                                                              Filesize

                                                                                              897KB

                                                                                              MD5

                                                                                              c67e42720a9300873d46835dd4368c87

                                                                                              SHA1

                                                                                              61bb37e0ea4b6b272234d11fe0e1498942e4fb05

                                                                                              SHA256

                                                                                              e2e30f7a070563e09acf677393aea1dc6b7eb3b34e0af0566ddf11390adc5730

                                                                                              SHA512

                                                                                              72c8861ded05210ce44a5d60c5d9b8eeeec997a0a50206448cf12fed6c678058338dbb167f5ae0389a4dcb0141cd7ab5fef087861e963b13d4f6e93c4916f4c7

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\SWITCHRENAME.TIFF.TEVIAZD4K
                                                                                              Filesize

                                                                                              923KB

                                                                                              MD5

                                                                                              9503fe3d609f08eb0c9d2eb245e60327

                                                                                              SHA1

                                                                                              1fc4cc9830f1c2c06b0dcb23a2439c05e2aa7fb0

                                                                                              SHA256

                                                                                              edbeb52dd041a7188511b91d58b58790c9cbc878b615cab4c3863674c1a984e9

                                                                                              SHA512

                                                                                              a07205c42ce4fd73e0c81ae844f6be4d57dfce6ecaad3e9202c37d821d59fe1f8626b56732ea004c037ac0bc0559d50bae33cd00b4188bd7babb63d271f2f694

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\TESTENABLE.XLSX.TEVIAZD4K
                                                                                              Filesize

                                                                                              10KB

                                                                                              MD5

                                                                                              c5f26a78479d0599cb20bf2b37e380ab

                                                                                              SHA1

                                                                                              a3c77b6268e5dc8c197bda2e205cdb55ad45dc06

                                                                                              SHA256

                                                                                              698e56f9464959a4eeec19f753b1a9b47b4971fcfb82ead5e71db949fdb2d66b

                                                                                              SHA512

                                                                                              3c5642cfd925e6c714b96c01545b282c0dc99dd9ed0fd25b4f923907f9862c5329d4762e95331f06e17a98d3d18c110128a721b3796146f32f60879263279add

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\UNBLOCKFORMAT.VBE.TEVIAZD4K
                                                                                              Filesize

                                                                                              366KB

                                                                                              MD5

                                                                                              301ae0ad39c3e80272cd9c5db39b3045

                                                                                              SHA1

                                                                                              e38c2727dfbc0f02615e855456fca448b2873e0a

                                                                                              SHA256

                                                                                              c17abedd4fcce60da4813451f9c09c250709ea1405d22371cb76f50397f87bee

                                                                                              SHA512

                                                                                              a9f0434bb74386ce811f33defd0a998a2916d3ac664876f37412198ece1e45f140bf9f41278a41098d2a854c2dde77968694e61e43c2a5e69c4f5cfc1c59275f

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\UPDATEDENY.DOTX.TEVIAZD4K
                                                                                              Filesize

                                                                                              1.3MB

                                                                                              MD5

                                                                                              3440131b1c253cd9650da4beff86e0b1

                                                                                              SHA1

                                                                                              ec5752ac6fb8f7a00c4ab3294ba4bdc03f3d2993

                                                                                              SHA256

                                                                                              a2fca8e81184ec8cea66f8db0a3741c64ec84899ae917b056bb057e3198715d8

                                                                                              SHA512

                                                                                              75504829fd20c27b0f89967be7d3d9800cd8733648572f348cd7a65989f5d964140791638e146f866429a470cbe6bdaac1bc957fe95e56225275757fb1a949bd

                                                                                              Download Submit

                                                                                            • C:\USERS\ADMIN\DESKTOP\USEWAIT.JPE.TEVIAZD4K
                                                                                              Filesize

                                                                                              493KB

                                                                                              MD5

                                                                                              489d9e3ba5b92675a1b7e1f92af1d0d4

                                                                                              SHA1

                                                                                              c1ed1b0bcb331a3c012edbd2fd66924deff3cd01

                                                                                              SHA256

                                                                                              35c727359df9105017c2b47e05ecdd11a21068dcbe4010877884fcecbb975cbe

                                                                                              SHA512

                                                                                              13289ae5110cdfd59bf29522e3f01b246ee127c1b99d903b23f78893802d14a3b891d42741b05031f4ecfe124c69b45c8563d9dcac31fb2b7207c8d28eac47f7

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                                                                              Filesize

                                                                                              471B

                                                                                              MD5

                                                                                              71a1407a7319f8e35c6b9e7d3dd0e793

                                                                                              SHA1

                                                                                              ce6b5717603853d4ef0aa89d0dd794dae6814780

                                                                                              SHA256

                                                                                              616e3e561dbfc729ddc325394f74fa3906c9038956a9a7cca0e689444a63216e

                                                                                              SHA512

                                                                                              f31cd698cad3d5b15a6f53d90d8f517574f5ef9fbf6e9114df202a85a2d01a14b0f28298e28f0c8f2d221536a167e26399753da512e69fb1387f343f6eef76f3

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
                                                                                              Filesize

                                                                                              412B

                                                                                              MD5

                                                                                              eb1fbac3ba0c5322053809cc5f5226f0

                                                                                              SHA1

                                                                                              5045e980ae02c9b3c1b50aa9bed3288686bd9bc2

                                                                                              SHA256

                                                                                              d36299552701954a9618e2dbc4d148213e169959080d077f061268936196fa8e

                                                                                              SHA512

                                                                                              7aba8dda905bd56a9e7fbf276265643bed0e44c0f5dfdc486857a2ad3daecfe7f7e14c9f4ef28b6f06f24ddde241465ec7bba47648ad1a2af71e36da06e5a0ab

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                              Filesize

                                                                                              1KB

                                                                                              MD5

                                                                                              3cbb28a8f1f8a27e783477941d14b23c

                                                                                              SHA1

                                                                                              33954a514b48e37d15d0257b5a8d04cf5097e083

                                                                                              SHA256

                                                                                              3c121a0b0e2b9a6a262db98c3f3375f4b5a1a72c766426ffff4269954317348b

                                                                                              SHA512

                                                                                              4f3415b0ac959a58ebfcfbee0997c1d2be4d0856c359e76f1be7006341c43e336cead25a33b9912fa7c6fdcdefb90e918c6223e748db4134135a7d9536f9c671

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                                                                              Filesize

                                                                                              2KB

                                                                                              MD5

                                                                                              e93469fbee8479c6f74bd78c0faaffec

                                                                                              SHA1

                                                                                              169650c5a885bdef31006da29f5a8db3c3fe6206

                                                                                              SHA256

                                                                                              2dea6ac79de47526d4d6e11e8804c176fce3c3d2b7834c2de2827e97accf9210

                                                                                              SHA512

                                                                                              84b539cc0ec1d559d17a437e47cbcc7753b7655d9fb7a40ad0c8df4889ef1bb200fa6d34412cd880ef67dcf5063fb648d693a05b1b4b03eef0033c251de468ec

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help
                                                                                              Filesize

                                                                                              36KB

                                                                                              MD5

                                                                                              8aaad0f4eb7d3c65f81c6e6b496ba889

                                                                                              SHA1

                                                                                              231237a501b9433c292991e4ec200b25c1589050

                                                                                              SHA256

                                                                                              813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

                                                                                              SHA512

                                                                                              1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe
                                                                                              Filesize

                                                                                              36KB

                                                                                              MD5

                                                                                              f6a5ffe5754175d3603c3a77dcfeca6b

                                                                                              SHA1

                                                                                              dacd500aeef9dd69b87feae7521899040e7df1d9

                                                                                              SHA256

                                                                                              fab3529f4a4df98271fa2f6a7860a28fdc30215144b7eefbaf6d424a2847d035

                                                                                              SHA512

                                                                                              66ec46041f1fe20203cda7a4d68b61d2e5bcdd09a36ee8171efa53fe92a9e6e023c5a254a4c43c110a99749829d7b99613f8d13dfb4c42656097cb8d224a531e

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M6JCG2RK\microsoft.windows[1].xml
                                                                                              Filesize

                                                                                              96B

                                                                                              MD5

                                                                                              732a32ad072ef786d816a4f85b1b6bea

                                                                                              SHA1

                                                                                              fe1945717c160ac3266f291564a003c044d409b0

                                                                                              SHA256

                                                                                              7dd2262373fcd6ebe2ed2c6e66242c85b1434c3fe23ca92ba41ae328ce8b941e

                                                                                              SHA512

                                                                                              55b57d5bf942f20a3557f20adeebb4c01cde4aec9d7a4fa8bfe6281fe0981773d8ce637fdbd1dc64f25abe72d75fad2a6538fadc86483ede9fdc5b59c0d36b79

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
                                                                                              Filesize

                                                                                              1.1MB

                                                                                              MD5

                                                                                              face93955739ef7089e28d1c776984bc

                                                                                              SHA1

                                                                                              91bfce84ad249e65385a7eada4c99a2fd1610c2f

                                                                                              SHA256

                                                                                              1b5b3e748258f94f2eca28c03791e8dfdd916e2e549a3ed6af929f8e2a84ada1

                                                                                              SHA512

                                                                                              e1021fa846a35ca1868577e4797f55a4fdc924885af53d923d1457cab2917b33dd478d69a3165f3119aada2efb362a89b97e2fd37df6a6afd095aa2aa57ce57e

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ewfy5xys.0nx.ps1
                                                                                              Filesize

                                                                                              60B

                                                                                              MD5

                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                              SHA1

                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                              SHA256

                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                              SHA512

                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                              Download Submit

                                                                                            • C:\Users\teViazD4k.README.txt
                                                                                              Filesize

                                                                                              10KB

                                                                                              MD5

                                                                                              24b549a8e1e9b67ba57611bda4761469

                                                                                              SHA1

                                                                                              e86254b64f895ac66b3c1b5fe3400612e7941562

                                                                                              SHA256

                                                                                              6c02d93ba16d11ec189658ef7cac5706ea3593d059d3ff929d7ae49d7b9423e2

                                                                                              SHA512

                                                                                              dce3936363d76d1fa575d28d08acf1d60affb862267b63b26697e9f754730d868792316a790e5eb8d8f71c213b2aec78b1c1773d99814726f4c682327fdf825a

                                                                                              Download Submit

                                                                                            • F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini
                                                                                              Filesize

                                                                                              129B

                                                                                              MD5

                                                                                              a526b9e7c716b3489d8cc062fbce4005

                                                                                              SHA1

                                                                                              2df502a944ff721241be20a9e449d2acd07e0312

                                                                                              SHA256

                                                                                              e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                                                                              SHA512

                                                                                              d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                                                                              Download Submit

                                                                                            • memory/716-54-0x000000000CEA0000-0x000000000CF43000-memory.dmp

                                                                                              Filesize

                                                                                              652KB

                                                                                              Download

                                                                                            • memory/716-35-0x00000000068F0000-0x000000000690E000-memory.dmp

                                                                                              Filesize

                                                                                              120KB

                                                                                              Download

                                                                                            • memory/716-85-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-70-0x0000000075170000-0x0000000075920000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/716-100-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-252-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-283-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-80-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-73-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-288-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-64-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-301-0x0000000075170000-0x0000000075920000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/716-17-0x000000007517E000-0x000000007517F000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/716-18-0x0000000003330000-0x0000000003366000-memory.dmp

                                                                                              Filesize

                                                                                              216KB

                                                                                              Download

                                                                                            • memory/716-298-0x0000000075170000-0x0000000075920000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/716-297-0x000000000D840000-0x000000000D862000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-62-0x000000007517E000-0x000000007517F000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/716-63-0x0000000075170000-0x0000000075920000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/716-61-0x000000000D810000-0x000000000D818000-memory.dmp

                                                                                              Filesize

                                                                                              32KB

                                                                                              Download

                                                                                            • memory/716-60-0x000000000D820000-0x000000000D83A000-memory.dmp

                                                                                              Filesize

                                                                                              104KB

                                                                                              Download

                                                                                            • memory/716-59-0x000000000D7E0000-0x000000000D7F4000-memory.dmp

                                                                                              Filesize

                                                                                              80KB

                                                                                              Download

                                                                                            • memory/716-58-0x000000000D140000-0x000000000D14E000-memory.dmp

                                                                                              Filesize

                                                                                              56KB

                                                                                              Download

                                                                                            • memory/716-57-0x000000000D0F0000-0x000000000D101000-memory.dmp

                                                                                              Filesize

                                                                                              68KB

                                                                                              Download

                                                                                            • memory/716-56-0x000000000D880000-0x000000000D916000-memory.dmp

                                                                                              Filesize

                                                                                              600KB

                                                                                              Download

                                                                                            • memory/716-55-0x000000000CFA0000-0x000000000CFAA000-memory.dmp

                                                                                              Filesize

                                                                                              40KB

                                                                                              Download

                                                                                            • memory/716-19-0x0000000075170000-0x0000000075920000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/716-52-0x000000000CE70000-0x000000000CE8E000-memory.dmp

                                                                                              Filesize

                                                                                              120KB

                                                                                              Download

                                                                                            • memory/716-53-0x0000000075170000-0x0000000075920000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/716-42-0x0000000071110000-0x0000000071464000-memory.dmp

                                                                                              Filesize

                                                                                              3.3MB

                                                                                              Download

                                                                                            • memory/716-39-0x000000000CE30000-0x000000000CE62000-memory.dmp

                                                                                              Filesize

                                                                                              200KB

                                                                                              Download

                                                                                            • memory/716-40-0x0000000070F90000-0x0000000070FDC000-memory.dmp

                                                                                              Filesize

                                                                                              304KB

                                                                                              Download

                                                                                            • memory/716-41-0x0000000075170000-0x0000000075920000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/716-38-0x0000000006F00000-0x0000000006F1A000-memory.dmp

                                                                                              Filesize

                                                                                              104KB

                                                                                              Download

                                                                                            • memory/716-37-0x000000000D160000-0x000000000D7DA000-memory.dmp

                                                                                              Filesize

                                                                                              6.5MB

                                                                                              Download

                                                                                            • memory/716-36-0x0000000006930000-0x000000000697C000-memory.dmp

                                                                                              Filesize

                                                                                              304KB

                                                                                              Download

                                                                                            • memory/716-71-0x0000000075170000-0x0000000075920000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/716-33-0x0000000006510000-0x0000000006864000-memory.dmp

                                                                                              Filesize

                                                                                              3.3MB

                                                                                              Download

                                                                                            • memory/716-28-0x0000000006310000-0x0000000006376000-memory.dmp

                                                                                              Filesize

                                                                                              408KB

                                                                                              Download

                                                                                            • memory/716-27-0x0000000006230000-0x0000000006296000-memory.dmp

                                                                                              Filesize

                                                                                              408KB

                                                                                              Download

                                                                                            • memory/716-26-0x0000000006160000-0x0000000006182000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/716-20-0x00000000059B0000-0x0000000005FD8000-memory.dmp

                                                                                              Filesize

                                                                                              6.2MB

                                                                                              Download

                                                                                            • memory/1364-820-0x00000000049C0000-0x00000000049C1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3148-555-0x000001DC40390000-0x000001DC403B0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/3148-544-0x000001DC3FF80000-0x000001DC3FFA0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/3148-527-0x000001DC3EF00000-0x000001DC3F000000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3148-532-0x000001DC3FFC0000-0x000001DC3FFE0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/3212-11-0x00007FFDBCE00000-0x00007FFDBD8C1000-memory.dmp

                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download

                                                                                            • memory/3212-1-0x000001C677520000-0x000001C677542000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                              Download

                                                                                            • memory/3212-12-0x00007FFDBCE00000-0x00007FFDBD8C1000-memory.dmp

                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download

                                                                                            • memory/3212-13-0x00007FFDBCE00000-0x00007FFDBD8C1000-memory.dmp

                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download

                                                                                            • memory/3212-0-0x00007FFDBCE03000-0x00007FFDBCE05000-memory.dmp

                                                                                              Filesize

                                                                                              8KB

                                                                                              Download

                                                                                            • memory/3212-16-0x00007FFDBCE00000-0x00007FFDBD8C1000-memory.dmp

                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download

                                                                                            • memory/3928-523-0x0000000004330000-0x0000000004331000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3988-675-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/4128-371-0x000002ECEAD00000-0x000002ECEAE00000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4128-397-0x000002F4ED020000-0x000002F4ED040000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4128-372-0x000002ECEAD00000-0x000002ECEAE00000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4128-376-0x000002F4ECC60000-0x000002F4ECC80000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4128-385-0x000002F4ECC20000-0x000002F4ECC40000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4240-366-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/4292-300-0x000000007FE20000-0x000000007FE21000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/4292-362-0x000000007FE00000-0x000000007FE01000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/4292-299-0x000000007FE40000-0x000000007FE41000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/4924-682-0x000001CD3A500000-0x000001CD3A520000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4924-706-0x000001CD3AAE0000-0x000001CD3AB00000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4924-694-0x000001CD3A4C0000-0x000001CD3A4E0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4924-677-0x000001CD39600000-0x000001CD39700000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4924-678-0x000001CD39600000-0x000001CD39700000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4924-679-0x000001CD39600000-0x000001CD39700000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download