dearcry | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

max time kernel
83s
max time network
119s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
25/03/2025, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Size

1.3MB
MD5

0e55ead3b8fd305d9a54f78c7b56741a
SHA1

f7b084e581a8dcea450c2652f8058d93797413c3
SHA256

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
SHA512

5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa
SSDEEP

24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3

Score

10^/10

dearcry discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Dearcry family
dearcry
Renames multiple (7441) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 58 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1702774510-645589634-1201277210-1000\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1702774510-645589634-1201277210-1000\desktop.ini	explorer.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1702774510-645589634-1201277210-1000\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-1702774510-645589634-1201277210-1000\desktop.ini	explorer.exe
File opened for modification	C:\Program Files\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	DearCry_13_03_2021_1292KB.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\ui-strings.js	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\NOTICE.TXT.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\ui-strings.js	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_az.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpn.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabimp.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\CHANGELOG.md	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\logo_retina.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\show_third_party_software_licenses.bat.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MetaProvider.PowerShell.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\BHO\ie_to_edge_stub.exe.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\illustrations.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\awt.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\PdfPreview\PdfPreviewHandler.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\j2gss.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll	DearCry_13_03_2021_1292KB.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DearCry_13_03_2021_1292KB.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{A79020BC-1F7E-4D20-AC2A-51D73012DDD5}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_ja-JP.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Paul"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Traditional Chinese Phone Converter"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\c1031.fe"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "CC"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1031-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{31350404-77AC-4471-B33A-9020A2EDA1D1}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_HW_it-IT.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1702774510-645589634-1201277210-1000\{EB366A0F-EA46-4C59-A455-72006147D8B0}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	4564	explorer.exe
Token: SeCreatePagefilePrivilege	4564	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
4564	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4260	StartMenuExperienceHost.exe
4120	TextInputHost.exe
4120	TextInputHost.exe
5316	StartMenuExperienceHost.exe
5972	SearchApp.exe
4844	TextInputHost.exe
4844	TextInputHost.exe
4700	StartMenuExperienceHost.exe
2092	SearchApp.exe
5244	TextInputHost.exe
5244	TextInputHost.exe
5096	StartMenuExperienceHost.exe
2604	SearchApp.exe
3928	TextInputHost.exe
3928	TextInputHost.exe
5900	StartMenuExperienceHost.exe
4452	SearchApp.exe
6044	TextInputHost.exe
6044	TextInputHost.exe
4496	StartMenuExperienceHost.exe
4928	SearchApp.exe
2384	TextInputHost.exe
2384	TextInputHost.exe
6012	StartMenuExperienceHost.exe
4700	SearchApp.exe
4568	TextInputHost.exe
4568	TextInputHost.exe
5264	StartMenuExperienceHost.exe
1612	SearchApp.exe
4464	TextInputHost.exe
4464	TextInputHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2088

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5972

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5244

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:6072

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6044

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5264

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5864

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2044

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4976

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3704

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2896

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1100

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4280

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4628

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png

Filesize
388B

MD5
1dc5d31ef9205f1034b64d635d59cb32

SHA1
c172576576c5ac5a3c2912bdfd0c8365b5365513

SHA256
676d1f912a22a12ad4c80bf552355a7e0995c56e6ef7527aaa9b77e513efc065

SHA512
bc334638acb1416787df04cbaebde99cd15d96c5b96b6f950cbdfb54177fcd2f2ecce4dc9212a9a3f2f85269ac901aef147ec6297c31c5ee6cc39ee4cdac17c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png

Filesize
552B

MD5
7d00bc0d46dcb90890a4fe6b76bc5c3a

SHA1
7159b1e1c264a6863708a971eaeca32cff864aa1

SHA256
2fcd2848cbcab1a3b8154138288cc659cd2c187412cb887eec6554b6165b8c33

SHA512
2f113cb27028aa0fa0f028b09ddcddb4a1ede6ae0823909d99763db6e5be57b1b4ae6977537ec17808cd622bc548e1ba3122e35b58de9d856400d33042234a35

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
6e8d259daabf1168ae5136a3de48ee80

SHA1
b015257e3ae0810ddbda53c0b12991161a863ffb

SHA256
13370a65ca7e31fbf3a133156c208bf99c01a54880d55a8a4500495683e3a47f

SHA512
cf3c564c18c6b0965a431cda1ed8fa97cbeeb839d992e48f77c073bc8054ead03b4823df381c5179d3d398877da3473b92d70ae905a2bd0c7e5fc45505340113

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js

Filesize
1KB

MD5
88151ac4ebd7f5ff2d381c65e68cece7

SHA1
f979db4063d15ef2e32db3c38890899bb87c78e5

SHA256
c1ea4ada9462abd4ec352dfaf670575e9caff1e55d303db96a2f2500d50d92e8

SHA512
326195f5176beed6cc39849b8d6e87a5136c41a04aa76f53c30bbed1ff74391e16a6114e236f39d403c7f82fda032c00a9ee1df583412dfea224047e51f4c3bb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

Filesize
1KB

MD5
60f1a26612dc049ce3e00fe917b6475d

SHA1
05791d089cbcd759088adbbd9483433dc9a10206

SHA256
8ced84488e1ea81e8cc3ec1a25f5b849de902601bef557b6ec65f9de2982bece

SHA512
06f080a9df9081a2bfd557165f9c21cf2bce3ee161c0896a9f9a6e0f8a3ae545b1cfaaca9ce1d46757dbe0163ddd0421bdb51558ef092dd0a6e5c2052ead4706

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png

Filesize
683B

MD5
ea321d33cfeb1d029794bd01c5b78e85

SHA1
4e04b2d8f7f23f44f96f4bbf134233e1feb5e28b

SHA256
3add439f478220ce8001abf2543810144a0d80f8116bc0ca13947c9745983c55

SHA512
f574d12330a668d89402265cf5a859a76325ed548e1730e02f51dfd36e3d5dccf2c8b75a76a8c931597bfc130a42364c73eef0200523d4eefbcf4fa5ccacddea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

Filesize
1KB

MD5
a660ce180dea34b4944d83569f4789bc

SHA1
e3ca7b90c8bd299c49585bd29bc3fb7494c0fa4e

SHA256
03ab6f2f396e0531f1b1299b61485408cff93f183942910a7d0d5f0c7a666bd8

SHA512
9de185c0e6a8cc49852ebb454a00a7a19f5382b358327d393a6952b32099036147c1eb799cc60078bf24477e9607a1b4c88288a213a8ffcafd8d60caab0f0720

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js

Filesize
1KB

MD5
cdc58b2bf0a1a34f96af8fdcb62dc30b

SHA1
69eb0d674e9830e81cecdd610792225a2a5dc265

SHA256
3b5888b652cd86408bdd59e86405d3f171d23132059228544fbe693cfcb2b73c

SHA512
d8ef3220b8984f759347a0e83eb75939c914bf865db492d28e226f113b469a97325befa008886743aeae2e0f32c74c0a1e7ce8b60eaf5949b51058a618daa502

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

Filesize
445B

MD5
55c2b47c9aea50661a855fe91eb8ac32

SHA1
13ea23a51394ea2c13420ddac1294eae6f82f846

SHA256
ba5a59d879c1f6543b46085d02f5c90fdb22e663487d3586b6533cd887c83b72

SHA512
947da2e85f5c21e7847f10d727729915973c911a47de233ef1fb97f60ae41db05f4c8c0ee655e3aa264db2067763e4134b76279f1d3ea8ad43640a64176522a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
611B

MD5
808e7aedbb1da793b86c92816309035e

SHA1
b4a2fca53290a35ae222f2cdf80f68ec7eab51e6

SHA256
a90f0edb8324760029a5db9f641b05694f8717c25514b2d6abde7662c827e0cb

SHA512
0af4e6a83661378b618c40de02c6cb7244be544dcb02f1f14c83b6abd791fa0330b6d508c86f0ba8e345608639d8505a2f26d3a6d3ae201bb01319c10c212d4a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
5c1dc195043bdea8525930a9882c10d7

SHA1
17415e551255ab016f7682d7b33451cfcb91e687

SHA256
019bad9e72430b758828953e3310007695c55fed1d25fdd707c76fec561f2bc5

SHA512
e912b84e9b4856864d302154b68adf6822189aa78859265cf8f529279e77a9d7c086452b4527ebb75d9c910ad9a6a1e95e1f45498fc168628da80739acff742e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

Filesize
162B

MD5
8db5f9dff9d857a8827ea6d66fea4880

SHA1
ef5de087109543e49ee7fe70adb49efe27e15121

SHA256
e8c6ae3d3f05d53d58200db3f31383861d434c6abbf66f82e925321029058a10

SHA512
70723910b4bf8814f848e10390378d53d9fb67e8a319edb708edc41b5c858c1d2cfc0b86a2909e33f72062df8b32e70554fa5ebe7aad7ec474ad78087560069b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js

Filesize
1KB

MD5
4e6de5201d795432e75c0628dd306b26

SHA1
80ae62145f6bc55c2a25f68ad9d6bc9fcae496db

SHA256
1265f683d27701f95b545e6201577fb4eadf5dcfbc1fc8cedb8dd39635515788

SHA512
950227253fb845bd9a4519a209d72404760492473bda8101d846ded18aef1a2f6f6ab99b1b1b2186c0eed423c151c089316e124384f214644632e6a0f4dbece3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js

Filesize
856B

MD5
fc4cdc00064f47d2eedf58bd02068fe1

SHA1
cbb7157d8c560e9b2cdffac3a2b831202d76d2e6

SHA256
0e8fb0e6e1dd239a2a1996059914a5ec5e753782527c1a07c62d808eb77df3e0

SHA512
753d312596fdd24d3ad87b7916c5d108d185b42beff7c750099aecb38c7a321ff04260c19492d18cc27cf8f8843c6b3facde0934e67a46e9ce4291c3646abbe8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js

Filesize
1KB

MD5
c5596fa17e59cbf92a2ea2e1ad5c6f8b

SHA1
4153a71b5750685afba568403ed7522e83a9894f

SHA256
5812ebbc6311c0ff9919a27137b22435cbca3cb9fd56959b44ddb82f93609b99

SHA512
762580962300f0e0501054450772ed59cdfec76d7aa6b1944f557ccd74ec2fcd171ffd67765f2b367c526d0193eabd184f0d4ac1dadb7a0d25f00f9866f670bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js

Filesize
850B

MD5
26645133c9de7799e35cee0e47b82ee0

SHA1
bb6be735f6814d765bbe6b3f3ce034d1767366c5

SHA256
1180e5728ff28a49eec43c61f15d49541419e79397ae58479db67b533d292d36

SHA512
c466dc886b25fea5a0e16aec28a4e784afe797f3937c7863788d0e5fa41414346bb17546d49178a48815debcca50aec3acabadc1f508fe0a3207008bc722608e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css

Filesize
802B

MD5
89728f1ec13231dd11d2ea20afe39d67

SHA1
b4350cd128350483be389b2c865633bd1ae0f78b

SHA256
aff85e66d5b690dc0188f4c2348ca78abdc14605286128407242a4e91a684754

SHA512
58203e9c3898367c78c6d10fa629c0bd2356b2ae54e225afbcee83be1d5d297977a5a9633e773ffc2b8079a6e2eb2aa0afc530c27d29f512af40d8c9ae539adb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png

Filesize
179B

MD5
a93c09c1a326a8733b4eceb713ca7457

SHA1
90ba7a4c24bb0d424abda46b736170ea3b43e541

SHA256
d03f54aaa9216f4e32053928ce87a317341232f107140c84f73b2b6490b5a81a

SHA512
432c3400257d00391baa255d32fd03e0b8c97231d684ef35534868a38bcbf9cb70b433eacfe154c25fd3376e69592a7000a823535700f353975572c5101a56af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

Filesize
703B

MD5
cc62ce00dfbe76fd8affad9c89fced8c

SHA1
75d64cc57ff45a50c066f882bfd8e3845f8fa323

SHA256
e324ff224bfa2baf51d4ab75f686195a76b8c984676c450ed660eb9ca2b36f4e

SHA512
028056e42f0eb02646752b351bb04a6b9f87ff27a2e1060b4fe4d4867118fe90f42f555ea8c645361963405583005ec4f3802c7c57729fc8616df1af09cc94dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

Filesize
823B

MD5
fa904cdf440c6743078637992d58489f

SHA1
6969f407be2a1b52c5a41be256433026cabf9917

SHA256
152f6d0325802be61521bff49a8dd07063feaffeb2447d3ae6f47adf214cbffb

SHA512
c6237e56225d36d26ed594406a5bc08987bc34fac8d425dac8f909512ff19e6a27e1566651c591a38c0a5476e74dca09beb53ec15d4f08b6de2843fa064cbd3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js

Filesize
1KB

MD5
573dd292166f86741bb965ee068c3793

SHA1
169fcf0880c7a2c5993f5bf28ff64cd9ed441dd9

SHA256
ab2b7de642b66db6e6b610dab8fb3c94c972465e07b7f681127c40a6629d8c2e

SHA512
0217d582d827a7b6faa950bc726d41c4c7644ba11b19689b9e5eb60cf54df4afaefcf4eac3649e8315dc1134988dc71abcb94bd9a640829bf9d68a6ffa17241b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
924B

MD5
bf70043c03230a91bb5b402e7ee67e63

SHA1
2ec8302c3ebe1e34abb5e0c813abceaadfc5073c

SHA256
a8b45a4c0a3adae007e8ef6b3a0e9966d2ad0c552320210a778109e2799f6c75

SHA512
ecdf54cc56de9c49dec1e9e65aefa736201904e609474b13d089f188bf35ae46b62d1ba492f4c25ad3fd7ff584a1532be18c0115598c2deaa834b22e6e52a601

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js

Filesize
931B

MD5
7adbce4bec815b574ab3fc6d85eb1937

SHA1
7d14e52fc6aa5796996988e9feab97c31eab1e0b

SHA256
efec14a7f219aff9e96c136933c0316abbabfa082b5755a86b2745c0a8423a79

SHA512
4218fc7991ef7ab93b1fab696432fc0130f07c534b2da244ce3370e6092213db657505af8380e7a07576b16b19d7c1b58f6a5498122d73061a362162b31f5b18

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js

Filesize
1KB

MD5
478f0065e127108d705114b29fb9170a

SHA1
3d954983b0594275bdbe444336baad9517129b79

SHA256
1beae6b25a652882189f27e3b52232bc3451a54eeedf3e5cb0eb827fe15032f9

SHA512
4affd4e7c23c555d99a5a1a4ff929228af723961c6cc1c320358998fbba2528e2d84d5c64a5c28fd6420ba3132fad056f2388538086d061510d80e244f7b3990

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js

Filesize
851B

MD5
661fea8b99a08e2422d8b5b9bcfd9921

SHA1
54a78f38a3599aed6d27c6fc711d7af7a205c524

SHA256
60624904ad10defbfcafa3acd5dac4c7c5040edde23bff489b6b32ea5a1403ad

SHA512
69b58c6c99f494ca1b6f2788cd17b63cc9f583b0abca870f666aedb9c504f660b03df699b69828c8ecc43a747297042eeca7e197de96dd43defb7871e2289b9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
855B

MD5
3dd77972f6558af4969a57eb4f19f2d0

SHA1
d56f6ebeaf408c667bb9491845a33ddc19d18947

SHA256
cde2dda4b1709d6591356e21717833ecf9802dc119d719e9dbbc97b090158644

SHA512
68f15867e6b29cce5415ce31203cc3f1790869f85d1b1ba8b2912e9b1b570f61485e5e9aac96d9bcc069e81d298b56d8941cd94a1df72d07c7508c7fdcc7ef1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js

Filesize
849B

MD5
95e6ecbe44dc4ab34323c697c6568b56

SHA1
0ca5debc2a7b53245ae6b7d6594ba93b3152bdee

SHA256
d3bdbdce059d04ec6e336179e6262bc694def0fcc5fe4b006953dbf178dbb30c

SHA512
af6262bf0a2b16fbd1dff7051eb0373336781c105b63631080ed2b6d38f54adbdbd16d794917fb9ad08c9ee238e0d4df732b7ef3e4c6d521a6b347eb8c2e9804

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js

Filesize
852B

MD5
4fcc8af63d8fea1581c1e96e9436e913

SHA1
5c09be5c84dba1172a2503a3406223baed06f8bc

SHA256
bbce03b612d22d42e40207a0ac4b6492ab0ad8c2cf4690377929f4cad738954d

SHA512
4bb1df7206f7fee79df361d678cd250399efff9d13d3435448170efd515abb425fcbf3b6ad9d0c6da1b4a7860d33dfd15daaa199e96dcdd701afb3b80234f2d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js

Filesize
1KB

MD5
21a5d65fbcf76ed1b8e9489d3bb051f7

SHA1
dcfde89bb81642e0b1bcb2b4d8c0fe574e912950

SHA256
f054ff5e3f41e79c647bd03dc9ad1bad42f8292c7e7b839088faeb8abc182ff4

SHA512
566bc1f2c5f4b2b9888c8e414552c25609d2562e10a8abddf6f036a6cbe2bc7644cbe850311224c25db96380c0e11fb07800f965305f41e068968bee530c320a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
1KB

MD5
0e038344281f0aa0a74103dd77048888

SHA1
163a5a2d3888eb23ecc17b53865742f3eb7aa3c1

SHA256
f3a76de64a79cd7afa5438bb0a4f4330a97497246fe00f7b29fb690e2ffe32cd

SHA512
5988b04142669c005728510cc0a0c7507a9b8561b9d3178e3ef06b77a725e5e3ab7c13faf2998522c601285e823d3f72edbe7b93ba6b14a9c5afefbacb974560

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js

Filesize
1KB

MD5
c4b091c93a4910ecfc619efdf3c56111

SHA1
4147f571dfd1d77b6a6943c57784820bd0cba24c

SHA256
d30e4139d68728b1c0b7c0fdccf649fc98c269f0d57c08e1d2033c13f162c29a

SHA512
b276ec16ba3a0737c8958a7373c3b5b53d384432535e65ee5651dce90da0eaf7dad1a02479243efb0b5ea78234c0f423ebc10c82b6e28db557106b8a21db1964

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png

Filesize
289B

MD5
65afdbfd57a964a5525ef68ca68cb5f4

SHA1
986fd9886e54eaa35b90561c94b00f85eb758711

SHA256
322fa7539ee1552758dbb051fe1199a7b4b247ec8335fb35cabf043d8947466d

SHA512
88b2d9c205d6fa4fb7823fa118fb95c651977cbaf1b54445ced380d34541e5367a218de4335a341b3994839386b487fcc33718b749ab2e05678ae87e0da1dbd7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons.png

Filesize
1KB

MD5
2870d12e27e8a50bf66493145c06939a

SHA1
f4319fc28ae1f99e359b5cfbd4c8c69af67dc03e

SHA256
dd6fda1bd17d115065254a8af134a7906d8e15e2725b01223582c3add3240272

SHA512
39b2281464998cd9f3d87659cdf7f3f2690a82bb8093ac64d5141d837dd4f951514cf0fcbfc02a0102f3d8ce780805886a361c649d6df2347db60b383442e5d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png

Filesize
1KB

MD5
d1dfee6d7b14e63f64c349b2cae8ad27

SHA1
fd382215ff99c0993d8924f18ff7912b4835f4ad

SHA256
b63bba00ed3b7a86b6ed36ab7d6eede57656454e0a583b875d34ee19466714e4

SHA512
220e189bc67b20bef3f92da6dd063b12fd53436c6fa9e728553669e4d42dbe595c52801e68a929797c48dc56fa4ff47919aa3d065363ce881e207abc83f7de77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
2KB

MD5
598b166da1d843121d50f9593073a15e

SHA1
e41c87d8fa9aa263dfe783bdd692556fb8e24f43

SHA256
c46d21ff4c32097f172b4e99b5794374ed4a1cb025040d157f611f43929e98d5

SHA512
107ceb56129c1baade5930cea77fdc9c53264ff06b92936a5823c483235ffce8ab4ca3efef5001c5cc16eb3351b663877e1e4184749ba33d785b4927fe2f2db1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
2KB

MD5
48a2c150eaa7d9fe84e7e31163e67495

SHA1
cfd5375b61328af47b784d2e1229c95c9355ce06

SHA256
ff1d90818c6ec24ad8dc4334bed7e72b3ceb9460cdfe3b25ec24d2b31b4c9288

SHA512
e6abeeb5ed043270c9148b58fa359d8536e0a9606aaed86446f3cc3ef14a855b711a86869d02fe27f50ef79b91895c77bc970c6ccf962caeb8311984c4778410

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
385B

MD5
34300ee4cd847a5329747c2294699c1f

SHA1
5e1086c8ebeaf9205517c82d8ae1711931ec48e1

SHA256
122650bd6eea6dc3c3cde5c472c78fe200967b33c6e3f3d2f394d8fb66c3acfe

SHA512
ecea239cb49cc1b9018e9d5bc34fa0d501cd9dc6bd7a8c01b8a2bfe9cb8d9baf805081d3705f0f986903a93a35a3ddcb852463bc2698606b556999cd0608ad6e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
1003B

MD5
d82b1439dcd0ea62ce3edcf6d36eac1e

SHA1
f5216b9a0c6b294584b24a5fd50b43e79d46310e

SHA256
44f25bfcbff16b8e7c81ac93d6dcbc312035c81ba6d62e61d4177e23ef62dbff

SHA512
bc789786f1261ce50116190f56ce7da3063fb944af6e5da17fd0a61e51d3d25b11fc09a83d2fd1805e16f33c2c469bd28d05366b8fff7faa85d3dd498e5e3d1a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
2KB

MD5
7d1b0ec51595563c9214ddfdec36f303

SHA1
bbb988973a8281943b5bfacb8ab03d97c0f0f398

SHA256
c915635ac032617e1acf87810abd8e8d9825c7e40a74245bc9efcf31d6da9da9

SHA512
709deed649d6062cf8c1ada7207b9c871d51a69a4bc7dc3c1408bd6a38d211ff53ce19a091cc4bb68a62eb00aa512afd07a33d314393812716391f04faea93d3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
840B

MD5
ac24e253ff384d8523af43f5a93688f7

SHA1
beb4ffa972185300803e9a1f6a16ec062cec1015

SHA256
f49327d72a4888fee8721962d13a94571e349ba666a0e1354c4f49331e858cff

SHA512
9c559a1bdaae9172fbe9e6a9b907390041fd16d0382a202423e0d9d19bb0f2c06a7228d6bc17df943d4e927c0420f302982e0463755bfd5c0d6e4ecb65504a61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
1KB

MD5
cb05ff26ffcb30838de16f659f8d93c9

SHA1
f9e977e1f60be49be8a17cf75d31f4a7620827ab

SHA256
ef97178fce43f78773e1c57cebaadd55904a1e5d810f8f75219b23e92c00687d

SHA512
26fc3838e5ef5b638d974be02b6d8f76f7f4778b1b612ea9031c5a5b1cf4a421e48c7a667a1f8db55270c1c86c4e1ec469c8078dd0edaeec2df02fddff27a999

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat

Filesize
63B

MD5
5f1c4bb2970471a5c75b7ba1dc9ee3ed

SHA1
0ec86b3f3ac34ad860fa8da56bcca03a54018049

SHA256
1b58d00f5b1fbd2a1884d666a2be33c2fa7463dff32cd60ef200c0f750a6b70f

SHA512
b973335129e4a8dd92d0984e16cff30899de8829be3c87df30d61a88e6bba8fe1767ffed6ee9a9e2665269cd6c7f3f0bfe8f9449cf16b924db57edfee8f12877

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\show_third_party_software_licenses.bat

Filesize
270B

MD5
44405fefe5799ad2b15f58cada9105d4

SHA1
9172b64b5fcce03c2798322d2fde6cb36726f0fb

SHA256
0cef594c2af7dfc584e30d1813f901aaa5f67c13f7b2141b2220d167abc651d3

SHA512
dfb392a59f57dc184e13ef5f759e0e21bbd36d253fed04971c8fdb42770433aeb778956e3df8625b10544d2fbff3b6ea666c68fe6fd63b3e48353c33f993bb89

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
f4592d9c7f114d591e4b1faeca54f10a

SHA1
46dedbbaa8f09175822b4a4ba39b6c3d46bbf133

SHA256
633dd753b32e1458d78280440522f47424131fba4f94aabc2b8289285a08ddda

SHA512
7eb9a286582202b9c2d8ce27227a5985f72676e82d25b62add201a311b76ad5ec557b9670b006897f4720ee721f9a1679444afe0b2e277d1ba3df97610a47ede

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
190B

MD5
f0be99f92d8b8ad3d79c9aa580fc2f08

SHA1
a9ab5160208575c2c19277491406d5c95690a5f0

SHA256
e290cb91a6aaf54bb397c8f72d0bf5e8a70935ca00abde862e3d13fdf75fdbb0

SHA512
c9c2002d0f14f1d92924f80105c4b092bcb8de5bcb838179f2129b125fbcdf83f78ee80f44b0e26bab451c6fa5d6a29547a4933a92858e310dfbbdcee32f8cae

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
950ac8e007b49ed7acf1646758393817

SHA1
3a795f27aac36ba92f33165a6550cc7f201b3254

SHA256
4ab0585ac1cc953813901847e774a0a6e2542bedd0e5964cacf31e421455223e

SHA512
6bf7c6bdc1f802cdc8cea1d5a22de2e2cdf307411504499351fa5e9bdb7d1826c1968c4cc8bbb2fc17ea69850d69e0e2d77b76d29ad991813b598fc18ea0982e

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

Filesize
744B

MD5
c181d62d13f055127f354bb60cdfa03b

SHA1
6cbfcbcdb417807d7ce1ffeeaa2eaaf9b548885a

SHA256
d8dc1b9aa2aefd658fae2d9b6bf36318bdda72fcecba0538a1f121592b44e3b6

SHA512
62dd4c375f5e3299843c78dc86026da551a8a66c2c4cfac4003b8e4774ddd1cc36c130611c15182b61a472169305b75c845f17ec899e53250461867cc82abd36

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Filesize
223B

MD5
dbac9649c4bd702f55fbd1afafe87c44

SHA1
0d914f4a809cfe400ca111ebfbd0ad552d500785

SHA256
b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

SHA512
86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{F09467A3-9856-44DE-8BC4-801A33419028}.2.ver0x0000000000000001.db

Filesize
1KB

MD5
8b836d8d3ea988668ddae3311f514a57

SHA1
af3199496b831b74bde630f871615ce5848f9857

SHA256
ac944397bb7351bf439ea8b7e6cf5863fed078383f3da0b7c92b53408fe680d5

SHA512
f205183db25237a58c6a33b9c83af86df3210fc7cc411d4638af9c856fb39a2795c99d612601bdf183101402ed6455b7949a9deabfb2b2262afe47dff0c17cc2

Download Submit
C:\USERS\ADMIN\DESKTOP\CLEARINVOKE.PDF.CRYPT

Filesize
254KB

MD5
247a38d1d3937d80664b8f896a7cb25c

SHA1
58e4bd488e8ea5f225d6b0c0b5537e6d93ffde93

SHA256
bd1bee6699fca22aaeeef4f9e3f30c0de6f00c0059fe7813630edd811af78639

SHA512
c9c15dfda6fed88452553a610f7aad48bbe1d8c54f31e66c7bc8b32cca4a3affa87107eb986b0080e101a20f716f95a99095eaeab2108a1351b722fd34a11fb7

Download Submit
C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.CRYPT

Filesize
568B

MD5
489463d13d2571e25737ee4922795754

SHA1
54447a4ddc48c722a75de6301ea195e9c290a359

SHA256
1145ac831fd362141551c9d96a6f5fa0efe7a1120c5da5b5fedfc43fa5d84b1f

SHA512
9d297451ace65497b3a0c4698579b6aa5d35b78809df8612f35bd508ad1abb01e3878655001571e4c9a605a3899eb1ebc0b684ac290093451d73980df9461609

Download Submit
C:\USERS\ADMIN\DESKTOP\FORMATUNREGISTER.BMP.CRYPT

Filesize
98KB

MD5
a02ca731a0f3e4513821da757ba06103

SHA1
623066693a34f3f15320a6316ae04865fc08a77f

SHA256
68d002582b5c06f4b0f2777b69f51fefba4ac23797aca8833990e722524b85de

SHA512
7881b350ddbabd7de5e591d2c712b7a75bb8ac11eff7b7e3994eca7af2dd67751af53f0aaeda052260337555dcabb34601fcd8ae443c7ca25f31f09d0c7d3229

Download Submit
C:\USERS\ADMIN\DESKTOP\RENAMEINSTALL.XHT.CRYPT

Filesize
183KB

MD5
ff4c582725d1cb6d917cd1ffa48092c8

SHA1
8301c1ed420745989d93b381e686a3c7d39b32e1

SHA256
82a4a3209950b9e60d36ba7e65d0f6cdbbd0f07f17744584e0790aaa203ef858

SHA512
ad8519fd3e10945b841e1c150525e44739dc6d22fbf2ae421028ff8ea3d79b264604be35c308ec582a99538e16b7379fe7ae92bdf19fcf3f8cdd36020f3da5db

Download Submit
C:\USERS\ADMIN\DESKTOP\RESIZERESOLVE.PPTX.CRYPT

Filesize
235KB

MD5
9a40fe2c585714b96f42fb2a6f8729f7

SHA1
f8e1d4bfb7ad4e2e108f8cdc83267a8ab69e20f2

SHA256
3d481248042b931cf31a5261c2cb514fd74099057a789028314dc5221e6c12c0

SHA512
9fbfbd8e3602c86fc50cd583feda9d6a24a37ca252d0cc33749fc73217c47fa7751866fe479e46d4acf1ac546ea3c2b410e71e4dca4b4a8110eb42013b73539a

Download Submit
C:\USERS\ADMIN\DESKTOP\RESTARTSELECT.HTM.CRYPT

Filesize
202KB

MD5
a8533e99a9572e6a179b18d67b020a5c

SHA1
86dc2f551a68afe251b4422822669bfb032f70fa

SHA256
3b87db11842bc78a91ec27a6b0fc4584a0802cf8818dafb9bff6c4c5cb59e666

SHA512
a0029f8322fd2f224f3c668acb93e537228d9dfc233c6e7a5d6ed9154e228e1b8c566f07b9ef4cb86ea67a6e02f2df541f3b2204a29b5940f2387166015f3650

Download Submit
C:\USERS\ADMIN\DESKTOP\SAVEREMOVE.ISO.CRYPT

Filesize
104KB

MD5
d76725c9c2f0603610ee3366ee2f8aee

SHA1
424c8e7883898bc4f3c52885712c5b69a1d9cb57

SHA256
ae0de04634ecf4e5c45029c65b79506577fd0fc7c3c89111aa62129eece67046

SHA512
daa6cc5888f00dfb2d4e5a98b09d7a0a7541814bb2a9bbe8a062623d61e5cbec042196b208ecf6d3e238c5250609ef5d932df15a048a945bb7fb20698d5d62bd

Download Submit
C:\USERS\ADMIN\DESKTOP\SUBMITRECEIVE.BMP.CRYPT

Filesize
130KB

MD5
aff896422e48735c5a2bb1f7e2617b23

SHA1
6fa34fdc8a1533befee3c663f7b959f926a1b152

SHA256
48be4327dee5dee3bfce6c3b15001dbcda617b96d336ab368890377bd74097a8

SHA512
db4c43509ddfea061e5d22cfd5683b92997fe6de77c4c509da4d41a4a538f389147b10f0fa627ba76b2ec3bfbe889925ea5fc42fb574c1456b945657ef481a9d

Download Submit
C:\USERS\ADMIN\DESKTOP\UNBLOCKHIDE.XLSX.CRYPT

Filesize
12KB

MD5
4468d388308961e63c2eb26f2b4e363c

SHA1
755f55e9f8bd354540e3689b2cd5adfbc6c680e4

SHA256
8ebe0b6579e9fdd41fbb9e16e6581b35a9fb99a5ed8ecb275cebdcf07d8b1583

SHA512
b949b04fc95d9ab0255cbd5fde4e34bf64b572245dc97c80e4c07fabf3243b5e22b9f23ecf93606f007b16ede3a943f18bc5f45ced7ed90f2b5efad034bfc679

Download Submit
C:\USERS\ADMIN\DESKTOP\UNINSTALLPUBLISH.ISO.CRYPT

Filesize
196KB

MD5
232e7798f2c16a92d4bcf8171253ff53

SHA1
93a30ecb45e0bd1268aaf47af9c7830c047a9de6

SHA256
7ea6c68a3591867603a858905eaea0f8f79cd69fb022c63ee875538bcc1c0526

SHA512
2133889864916fc7ab020b53667aef44acff208c8d5188b75eadf592bac50ff77a3345d2d9bb39ab1675e7e57f8e5093490dc2508950767547922aa051a5b2dd

Download Submit
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI.CRYPT

Filesize
456B

MD5
a25723e27cb08014f2631a7db8903b9a

SHA1
340a80f01961041c76edc696e23dcff3e3d0c8da

SHA256
712488e811a0ed3bbd45a6d71084fd4b83d1c025c7cae16ee304f4b3b671629b

SHA512
32a960364f9fbea846172269f4f520e496efd94dfc6a903e221ad39778b4fa81748bbc75be38af83ae3642fd2c69b47dd28e44594cb80bf633b15d7801966d9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\page_embed_script.js

Filesize
338B

MD5
e54914068570928febe65c8dc7fde287

SHA1
46d0a3754b75fafad74cfa0912ccf2d9457c14b4

SHA256
a4c65a576c9848bd6438ba704e90be3d2ea275f83de420608343f6a27691640d

SHA512
0a34db8e8a6ff3e67e1af3e63f062a2e7b8f43f8d74a620f130ed25bda34a3300003ea95c3a1ed86d4348a34e450548075fb3d914b87beb25caf4b430f84db00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
ab79489e9704fc9cc9d8bee4f8e17ec5

SHA1
b2e19a89b43d537bb5b02ee9ca2418f027259c1e

SHA256
4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

SHA512
60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini

Filesize
174B

MD5
ace3165e852adb8aedbeda2aa3be570b

SHA1
4577ff7e92850e2723008f6c269129bd06d017ea

SHA256
237f73d46d3501de63eae1f85fdf37e65ddced70f013b7f178d1ee52b08f051f

SHA512
cf77563b9295b191ce2f309e03618d1ab4d317f65b87dbecc4904ee2d058db06d23c20c199571b0fafb67ae5ec5166b76af0b7d8bfe3996b0dde9751e28f8c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

Filesize
174B

MD5
e0fd7e6b4853592ac9ac73df9d83783f

SHA1
2834e77dfa1269ddad948b87d88887e84179594a

SHA256
feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

SHA512
289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

Filesize
16KB

MD5
4534f12102d235344cf8dda748f0cabf

SHA1
7db67baceeecb3a420bf37a7beca4a45185f8f3c

SHA256
1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

SHA512
7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
1e5837b78c82cc35eefe1d189811aea8

SHA1
20d5a4e4cc012cf2f6a30a3c998a0d114bb6a91d

SHA256
e0115975f180d4e70f4c3988c13268c38fd22f1b0709e0252e0de0836286db61

SHA512
7318ab19db78f71c6621a45b646112c42c5fe19e14321dbcbb27cd4b4cca6b7456540fe8c9fb09acccb59eba92984ce8ca1220b578c84860463e01b42934a76f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
a217c5fbceeaa86fc2dabb6dcec688ac

SHA1
bd4ee5ca15678cdba55c680e13899600c7b96d59

SHA256
18827c212bd4d3f820cb3e36676bddd23351d04f7ef56827020f4762fba1a862

SHA512
c06759dcd9979f464d1e201e8fff320e7d86a78be7203826a7ef9d2908de991357af912e7870720c1e4b3bb29ecdc3569cec397746e77797aee73fc2cd9bee17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
ae81a997b2b09e7f0dead9de9903b410

SHA1
cee16b7b17fd8ec1a86e4dcaa2318de6aa290c33

SHA256
e41f5839bdbd764b445b585d0dee3e20e9eafc4c6ce5e442155eb8045908f8ae

SHA512
bb76dce8e71e471ab8508eb520a101c0b6cf87b976ae35ab2480e850fccde3a7a679d66b43fcb6a7fe439c0ece6f3a19e45eecacb0951c5d01eeda73683c6771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
679065aa4a67f72ced2d3fc53155001a

SHA1
079a9b9a7c84f51c0d14ec3105dd096b067f4655

SHA256
bccfa0b0c349f20d5c00484e0f6cf57391e38796061c87a3c9ff246bcd10da6f

SHA512
db3a6bb207f5aba4d6578e3ded656c810c8d253227c73d38232392194ddcd6e07228b20ebad2109f36a9f7ba8a42b092bddbd38a51ebf580eace32d967eff33b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
8dec1691a7dd5ac1f256aab52bd060df

SHA1
74b2719e01035040ce44cc1782aade855e807dc5

SHA256
4b0fc2a90f37b0320ac98fcd1849c13db1061932062904538d1b0354ad077d03

SHA512
726bd481d4d123acebc9a20cdced906d4159aad5f0043c6c9bdeeef373268029716b2608c1f464385ab8d4a7ad5548c14bb05787065e3d6c7547a499da205e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
f8a4862a3cb23f6d4aff608ad5ed414c

SHA1
c15954df08727a12bbbbfe2b73b99bbbcc8500ea

SHA256
45c8ea425cb10eb52f6994ef74ff2df424bf9bb1a278da5cddcebff418d181b0

SHA512
d94ae7fdddeaecff11c39b347b12380431c7e2c838747e9824ca7ba42beb1f027a921615480aac4ed28a19019af1bcc35dc47720ff6c213248e8f940114c4395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
f4c44940ebfa1d35b3e2cec038bbc3f0

SHA1
40c69c980127e2c36a01ef1d6483940073ba7230

SHA256
28acad4e50016abda0e4311c305f619757d4ca010f68cd5f973187efdc910bf2

SHA512
a190fadd541cc0862cf72eb252bc51203e9227b67d03777db5749f58693f44d927c6509792cb6898e8f249bd6a2a2184c41a31a056458e4d7101ed012d7fadc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1024KB

MD5
f0bfc616958ef83dea1207dbd011ad71

SHA1
89de6cbc644ecf6108b8be63b87ca377b829354e

SHA256
47a841958781be58da795a47250c97a804524d105f9d7c9c6f9b735ff60e7968

SHA512
ac80c4ab007d41ef97b325675017a898f35b952997d005e511976c21d596a023b87aa54426e0cee507880f0b41dbd30dd11b1998353cd9dc55325088fb434750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
671bb365009e74e59d032fae2605901e

SHA1
e7fb9eea44215c7169de88296baa31452aad0ca8

SHA256
5262e45512e7134daa4a855538c30829bb227cffa1f0119446ef7b259da5e293

SHA512
28d298f3c6415790ee18dfcb791267278dc08ddb75b8d834b3823637182e1d23ddc317dfb7ebb6a6283c8f8aa3652609fc013fa56db79bc30e74d777d9c92b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
cdcb9ac8dc7beb01decdcc86feb40868

SHA1
95254269c6b8bc99bc8ee81284d808f8833eda0a

SHA256
4586f991f9256c9f96d71ee9de5c135d0e2bc8566b0b5db202d034c51659c6db

SHA512
b12803d541d144588fb46cf354d40624fc9d7a2579feac52306838a594d9cee7c47207442d9aabfd9b0e6665f0e9ac0e23b943246dcc81269a8cc16bfb92731c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P0FQ7T3J\microsoft.windows[1].xml

Filesize
97B

MD5
ffe3b29c361e6b13f2a5441ab3a1ad1e

SHA1
2e0679b577d928ebed8b7712faa5c343a1970168

SHA256
0a2bfd24637bb1526c1bf77ee2c43555ed33881f6d169ca03cb0b0e8c1525492

SHA512
0cdcc9efeffb616f3700a77b2fcfeb8ffb5165999de9575fc970bc773648b19768329be3e7a4b26836b9fb9b3c1a8185c1e0e37f6221129f6b59827b45bdf31c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{38999897-f332-4742-9b95-8e8aa3331152}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
f6a6263167c92de8644ac998b3c4e4d1

SHA1
c1fe3a7b487f66a6ac8c7e4794bc55c31b0ef403

SHA256
11770b3ea657fe68cba19675143e4715c8de9d763d3c21a85af6b7513d43997d

SHA512
232d43e52834558e9457b0901ee65c86196bf8777c8ff4fc61fdd5e69fd1d24f964fed1bf481b6ef52a69d17372554fecb098fb07f839e64916bdd0d2abf018a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
2KB

MD5
0369fb1075aadc948455904abb3f86c2

SHA1
4bd97140c05ef564d891219e3f1ff07a9ae77fd6

SHA256
0fdae697eae0511884f1c36787472ecb956310cf4777889c23d4d2e93bfd7ea3

SHA512
1d796b07dab76b5ab52fac326f27255ba72842d096d6a6e634378717eb197060fe93fc5cbf462f850b5a2511d1ef89c3da777272bbe2965b442a3e449ac2a5ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_3_PNGEncoded_Header.bin

Filesize
10KB

MD5
cd858fe341852a076c57565078ab169a

SHA1
c591fd47dcf3b933c4b5513ecde8a88c377d7e05

SHA256
37b7d4146c5afccdd76f3a4cf4eb523672ae9abcf752c8ef1d5ea97a0fa70523

SHA512
dbbc24ab2d235e187201ded4781b7706d800acc08e99aef61c578d11055ca346c2dcaa870967802b804951234f59544d08aaf1a5283bd729df44176ebf39561b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CE710580-A5C1-46AC-ADE3-971EE0227BAE}.png

Filesize
5KB

MD5
00e5fcfd833151f7cbde607e2f7afeb4

SHA1
55839875c0947aafebff53d22ccc5dad29fe3563

SHA256
b80192aaabe007baecd0603e3ce183e9d554b8a6b0411d20716acfa086ae3035

SHA512
f056777a1987c3becdc217bdc2d82e6aa41086d38fddaa45c42f1726b6f7b7616a10918081650e825a724464ef148b669bc258d38a62e0de8642e2607a0b0de7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1702774510-645589634-1201277210-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/1612-23468-0x000001EE90B40000-0x000001EE90B60000-memory.dmp

Filesize
128KB

Download
memory/1612-23483-0x000001EE90E10000-0x000001EE90E30000-memory.dmp

Filesize
128KB

Download
memory/1612-23488-0x000001EE90B60000-0x000001EE90B80000-memory.dmp

Filesize
128KB

Download
memory/1612-23455-0x000001E68E700000-0x000001E68E800000-memory.dmp

Filesize
1024KB

Download
memory/1612-23503-0x000001EEA2E90000-0x000001EEA2F90000-memory.dmp

Filesize
1024KB

Download
memory/2092-22972-0x000001B6F1A50000-0x000001B6F1B50000-memory.dmp

Filesize
1024KB

Download
memory/2092-22923-0x000001B6DDE00000-0x000001B6DDF00000-memory.dmp

Filesize
1024KB

Download
memory/2092-22941-0x000001B6DF650000-0x000001B6DF670000-memory.dmp

Filesize
128KB

Download
memory/2092-22958-0x000001B6DF670000-0x000001B6DF690000-memory.dmp

Filesize
128KB

Download
memory/2092-22957-0x000001B6DF920000-0x000001B6DF940000-memory.dmp

Filesize
128KB

Download
memory/2604-23060-0x0000024CB9490000-0x0000024CB94B0000-memory.dmp

Filesize
128KB

Download
memory/2604-23026-0x0000024CB8000000-0x0000024CB8100000-memory.dmp

Filesize
1024KB

Download
memory/2604-23057-0x0000024CB94B0000-0x0000024CB94D0000-memory.dmp

Filesize
128KB

Download
memory/2604-23042-0x0000024CB9470000-0x0000024CB9490000-memory.dmp

Filesize
128KB

Download
memory/2604-23074-0x0000024CCB9F0000-0x0000024CCBAF0000-memory.dmp

Filesize
1024KB

Download
memory/2780-22791-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3496-22919-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/3752-23242-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/3972-23556-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4272-23344-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4452-23182-0x0000019040BA0000-0x0000019040CA0000-memory.dmp

Filesize
1024KB

Download
memory/4452-23167-0x000001902DDC0000-0x000001902DDE0000-memory.dmp

Filesize
128KB

Download
memory/4452-23149-0x000001902DD80000-0x000001902DDA0000-memory.dmp

Filesize
128KB

Download
memory/4452-23238-0x0000019040850000-0x0000019040950000-memory.dmp

Filesize
1024KB

Download
memory/4452-23168-0x000001902DDA0000-0x000001902DDC0000-memory.dmp

Filesize
128KB

Download
memory/4452-23133-0x000001882BD40000-0x000001882BE40000-memory.dmp

Filesize
1024KB

Download
memory/4476-23452-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/4700-23394-0x0000027B737F0000-0x0000027B738F0000-memory.dmp

Filesize
1024KB

Download
memory/4700-23380-0x0000027B6FF20000-0x0000027B6FF40000-memory.dmp

Filesize
128KB

Download
memory/4700-23346-0x000002736DB40000-0x000002736DC40000-memory.dmp

Filesize
1024KB

Download
memory/4700-23352-0x0000027B6FE00000-0x0000027B6FF00000-memory.dmp

Filesize
1024KB

Download
memory/4700-23375-0x0000027B701D0000-0x0000027B701F0000-memory.dmp

Filesize
128KB

Download
memory/4700-23362-0x0000027B6FF00000-0x0000027B6FF20000-memory.dmp

Filesize
128KB

Download
memory/4700-23345-0x000002736DB40000-0x000002736DC40000-memory.dmp

Filesize
1024KB

Download
memory/4900-23023-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/4928-23275-0x000001B89C000000-0x000001B89C020000-memory.dmp

Filesize
128KB

Download
memory/4928-23293-0x000001B8AF520000-0x000001B8AF620000-memory.dmp

Filesize
1024KB

Download
memory/4928-23258-0x000001B89BDB0000-0x000001B89BDD0000-memory.dmp

Filesize
128KB

Download
memory/4928-23279-0x000001B89BDD0000-0x000001B89BDF0000-memory.dmp

Filesize
128KB

Download
memory/4928-23246-0x000001B89AA00000-0x000001B89AB00000-memory.dmp

Filesize
1024KB

Download
memory/4928-23247-0x000001B89AA00000-0x000001B89AB00000-memory.dmp

Filesize
1024KB

Download
memory/4928-23245-0x000001B89AA00000-0x000001B89AB00000-memory.dmp

Filesize
1024KB

Download
memory/5864-23561-0x000002C871E00000-0x000002C871F00000-memory.dmp

Filesize
1024KB

Download
memory/5864-23560-0x000002C871E00000-0x000002C871F00000-memory.dmp

Filesize
1024KB

Download
memory/5864-23559-0x000002C871E00000-0x000002C871F00000-memory.dmp

Filesize
1024KB

Download
memory/5864-23574-0x000002C872BE0000-0x000002C872C00000-memory.dmp

Filesize
128KB

Download
memory/5864-23590-0x000002C8734B0000-0x000002C8734D0000-memory.dmp

Filesize
128KB

Download
memory/5864-23594-0x000002C873000000-0x000002C873020000-memory.dmp

Filesize
128KB

Download
memory/5864-23608-0x000002C8765B0000-0x000002C8766B0000-memory.dmp

Filesize
1024KB

Download
memory/5972-22836-0x000001E633140000-0x000001E633160000-memory.dmp

Filesize
128KB

Download
memory/5972-22831-0x000001E633120000-0x000001E633140000-memory.dmp

Filesize
128KB

Download
memory/5972-22801-0x000001E631C00000-0x000001E631D00000-memory.dmp

Filesize
1024KB

Download
memory/5972-22850-0x000001E6468A0000-0x000001E6469A0000-memory.dmp

Filesize
1024KB

Download
memory/5972-22835-0x000001E633160000-0x000001E633180000-memory.dmp

Filesize
128KB

Download
memory/6072-23132-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads