Malware Analysis Report

2024-11-30 05:03

Sample ID 240229-lcdk9scd8w
Target file_d90a1e1b684c4b609b4ab724f669eb80_2024-02-29_09_21_32_441000.zip
SHA256 59dfeee74c204f2f9f030965baf88e8236371fa07b011a1d67a9759e8119f719
Tags
lumma discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59dfeee74c204f2f9f030965baf88e8236371fa07b011a1d67a9759e8119f719

Threat Level: Known bad

The file file_d90a1e1b684c4b609b4ab724f669eb80_2024-02-29_09_21_32_441000.zip was found to be: Known bad.

Malicious Activity Summary

lumma discovery evasion persistence

Lumma family

Detect Lumma Stealer payload V4

Stops running service(s)

Modifies Installed Components in the registry

Registers COM server for autorun

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 09:22

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma family

lumma

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 09:22

Reported

2024-02-29 09:25

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe

"C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 09:22

Reported

2024-02-29 09:24

Platform

win10v2004-20240226-en

Max time kernel

31s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ExplorerPatcher\ep_setup.exe C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Program Files\ExplorerPatcher\ep_weather_host.dll C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Program Files\ExplorerPatcher\WebView2Loader.dll C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Program Files\ExplorerPatcher\ep_setup.exe C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Program Files\ExplorerPatcher\ep_gui.dll C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Program Files\ExplorerPatcher\ep_dwm.exe C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\dxgi.dll C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{887FCDFD-D57C-43DF-9BED-EDA7B4B3A55C} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32\ = "{CDBF3734-F847-4F1B-B953-A605434DC1E7}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "IEPWeather" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods\ = "28" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\DllSurrogate C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "PSFactoryBuffer" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PromotedIconCache = "{7820NR83-23R3-4229-82P1-R41PO67Q5O9P},{7820NR82-23R3-4229-82P1-R41PO67Q5O9P},{7820NR81-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{72C17435-7AD1-4F71-B271-51028B20F76C} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PromotedIconCache = "{7820NR83-23R3-4229-82P1-R41PO67Q5O9P},{7820NR82-23R3-4229-82P1-R41PO67Q5O9P},{7820NR81-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\AppID = "{A6EA9C2D-4982-4827-9204-0AC532959F6D}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods C:\Windows\system32\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe

"C:\Users\Admin\AppData\Local\Temp\entry_1_0\ep_setup (1).exe"

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:80 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard72.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard72.blob.core.windows.net tcp
US 8.8.8.8:53 219.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.38.150.20.in-addr.arpa udp
US 204.79.197.219:80 msdl.microsoft.com tcp
US 20.150.38.228:443 vsblobprodscussu5shard72.blob.core.windows.net tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 204.79.197.219:80 msdl.microsoft.com tcp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard72.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard72.blob.core.windows.net tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 36.70.150.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 204.79.197.219:80 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard72.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard72.blob.core.windows.net tcp
DE 140.82.121.3:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp

Files

C:\Program Files\ExplorerPatcher\ep_weather_host.dll

MD5 74d2a253680034bfc1c8b24f3bd777ac
SHA1 1a00fb3b4628002149fe560a7e231f0bc4a6e97b
SHA256 52a99a4d45e8847decea13d49ef9aea5ebb629d6f810b6d529df344b9f632299
SHA512 f3351fb54790e01cf69b66c824a934d9beb8866140a97823d79c18400b8ece845ed71070c5ec2cb21c6f17560fb462794e66b4bc3354e79ef552094c22944063

C:\Program Files\ExplorerPatcher\WebView2Loader.dll

MD5 c44baed957b05b9327bd371dbf0dbe99
SHA1 80b48c656b8555ebc588de3de0ec6c7e75ae4bf1
SHA256 ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef
SHA512 ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

MD5 578479c0c09270e357ca9a9320a2540a
SHA1 4e0fe7abb9b760004995e95103e28796e986cceb
SHA256 f5a33582ac070a90d214d26e70d05f72df1885a8626a837bbe6ff731cd22ed82
SHA512 d0ce12ea49e268bfd55c9d72a380ad7c5c23d406124cc917c0d745979f19ff7688fad7c094d118c1d9efdaf66cd66f17daea03e7eb122d24d8571a79620e9954

C:\Windows\dxgi.dll

MD5 38fa7926c879b55635a697a6f49cb034
SHA1 539cfcee9654ed2a7b04236d3cd907224e1f6d87
SHA256 8c1c2a374dc65a688837c3fc1c689b66bc9c2cd57209e576084710aa00c44ea3
SHA512 5b8d9cc0e8ef425263aba02b1c539517c16d596ecd31f4c647bc4d6eea86211312527c92be486bb8f739ae114704467467e71dcf68ef2f10ae1909e185a494d4

memory/2764-20-0x00007FFAA66F0000-0x00007FFAA6E2F000-memory.dmp

memory/2764-21-0x00007FFAA66F0000-0x00007FFAA6E2F000-memory.dmp

memory/2764-22-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/2764-23-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/2764-24-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/2764-25-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/2764-26-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/2764-27-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/2764-28-0x00007FFAA5470000-0x00007FFAA5611000-memory.dmp

memory/2764-29-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-30-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-31-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-32-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-33-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-34-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-35-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-36-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-37-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-38-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-39-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-40-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-41-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-43-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-44-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-45-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-46-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-48-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-49-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-50-0x00007FFA8D040000-0x00007FFA8D666000-memory.dmp

memory/2764-47-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-53-0x00007FFA9D810000-0x00007FFA9D862000-memory.dmp

memory/2764-55-0x00007FFA9D810000-0x00007FFA9D862000-memory.dmp

memory/2764-57-0x00007FFA90E10000-0x00007FFA91029000-memory.dmp

memory/2764-59-0x00007FFA9A1D0000-0x00007FFA9A220000-memory.dmp

memory/2764-62-0x00007FFA9D780000-0x00007FFA9D7BB000-memory.dmp

memory/2764-65-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-66-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/2764-61-0x00007FFA9A1D0000-0x00007FFA9A220000-memory.dmp

memory/2764-58-0x00007FFA90E10000-0x00007FFA91029000-memory.dmp

memory/2764-56-0x00007FFA9D7C0000-0x00007FFA9D806000-memory.dmp

memory/2764-54-0x00007FFA9D810000-0x00007FFA9D862000-memory.dmp

memory/2764-52-0x00007FFA9D810000-0x00007FFA9D862000-memory.dmp

memory/2764-51-0x00007FFA8FD30000-0x00007FFA90323000-memory.dmp

memory/2764-42-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

C:\Program Files\ExplorerPatcher\ep_gui.dll

MD5 50fac6e71b1693c8601e5edfe2314c0c
SHA1 ffc45bf1c9a5b0f2ca59d5057335ae79c84306d4
SHA256 3c362868f6740606f86b38c5d492f714265ef67bb9b29f64882bdc4a5519621e
SHA512 800700b79f227131a76d32e4e8c4073e0906ffe28f1e4d67e7f964747280faf56eabb72bf1520f42abc1a28869d35c956eb094eaf4ce6ed96ab4d4d314ccf391

memory/3908-75-0x00007FFAA66F0000-0x00007FFAA6E2F000-memory.dmp

memory/3908-76-0x00007FFAA66F0000-0x00007FFAA6E2F000-memory.dmp

memory/3908-77-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/3908-78-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/3908-79-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/3908-80-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/3908-82-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/3908-81-0x00007FFA98570000-0x00007FFA98790000-memory.dmp

memory/3908-83-0x00007FFAA5470000-0x00007FFAA5611000-memory.dmp

memory/3908-84-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-85-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-86-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-87-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-89-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-88-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-90-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-91-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-92-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-93-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

memory/3908-94-0x00007FF7AF3D0000-0x00007FF7AF86D000-memory.dmp

C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb

MD5 43e1e762002934d5a977d230e303e1a8
SHA1 437f743dc2a41164d8be1521df35cadd69be5905
SHA256 ac18b5a5de8734ce5d944ef9ee269de58a07ab7c540233404c5266265f649a40
SHA512 349f9905cd5036792cb8bf8382d1bd5e09ae701de023ec7b41a555782c1619e27f52163a53fbe5bd1fc0b5f68146227dc06a4551f75e4509baa4041cfa9a1bae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5 6f69c33a55b1b55c335a3d3c87fd840b
SHA1 2536b9842697e768448c67244bc7aa4d6c4545a6
SHA256 defb6657e0e0ba3f06a92b8097c9e7f5c9ed640824c364ec10ccf2292a3bc0ca
SHA512 60ec69626f194327f22804d38c6c34196a3be6e5b97e243d0ade3cb87c592662f24551b684780b4e06b34009e1fd8f18d77f5a775972409105479ce63fa3b365

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5 aff6a63aca4e4f7acc38306a0f6375dd
SHA1 c23dae70c23e80278698aa68735116f7f0b30abb
SHA256 c4fc78d2bb677a0c1602832a1ee8fb355ce12142642d9498c064d1aae6011a5b
SHA512 596d5b12b0838b630a5274ae57ba818829d4e1a8db3046ac4eda6424a3f5d230894e4b7108259f29adcbebd46c1970c1b413b43393f44b7dc2577084d2b94e4a

C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb

MD5 0c3519dacafb7c08d95c7b1615c669a6
SHA1 eccef2c11bd7f492c8cc3cab331cdd33f30f7b59
SHA256 70d6d337d8f3e7e7927ddd2f718350cd5194815ccbe3399c54bc38d3bc35dfc5
SHA512 f7bc729e58c9d1ce36335f0657b1f154bd5542e2319fd409e24779cd984a6ebb7f28ab0d16e6c8d21b2bb607206040ea0f4b79e9478e5a9f273dc39af9480d7a

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1HCECE5V\microsoft.windows[1].xml

MD5 6583a2f89cc3c90f77ffa922acf7ee63
SHA1 eccd205c1bb4764f160e86cfd0d860976c32708f
SHA256 34cbdb325cf0420e4bfbc19da431b639890b153b6ac0635ce79ba37ffc677ac2
SHA512 0c7daec9157074607177f75d7ccf190027d9e1830d832cbf16426bfcf221258db4fba74ee35f20c85a9bd6022a1db0409a2f3ec84ecc7317142cf9759eead021

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 ce724509ddcb97da29efb2a13f41b3f2
SHA1 f02145ece51e0ba99056e2275fc33d89867d95e5
SHA256 8a4bf3b55021808df2316da3b429001ee4946bc161e35ca25a981dfd69410387
SHA512 772a41d2bf44771ed164d869cf57111959e3e0031f09d78d138e4403e3dc96fa1a0fb70a56894124130fd3d4bee7d840a8013c37f0378a70aca8d9ce52c978fa

C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb

MD5 d1876a4fe1849914b95578d22607091a
SHA1 a0608475469e29a9901080cc9dcd9eb3bf9a5e53
SHA256 8b1a8fe646f9c6cf080ba144d706072c9c8f293b7d69cfbd655ab7ba5006fc1d
SHA512 b7fe77f468ec8dc4f2028b52da46407e0d57fcfce95541b575a21a051d7b51ff5ab8d637f01bd8c42a724131fecf1f5509391a51f7d1efc1d506b109c87dd401

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

MD5 b92c0ede7cfafda116cc6cfb1a941c87
SHA1 581610fd1b36673a8d9535ac808e0204606465d5
SHA256 a354422bd21ba3acc4ad592ced854a0d0093d6e98d4760025005bd3e3f00d577
SHA512 ad0b8fcb4b7221b257d4196952e08ee877f0f8fe4306678fa6288442c2abf2d2241421b8c89c82fb70f65050ce4209d92be9452d92e8b70820776cc754584efe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_D222662A57BAA60D2F5EA0D2CC7B2F1C

MD5 26b77e57ebe090ac4524f51dcad8fb5d
SHA1 bf847577c8c0bc93fa659e2ea88436efe30be676
SHA256 3e335beb569fa77f3b3927abda1b9bdbfa7fd57176c888d822f90bad02b817e1
SHA512 994c3042a2582987bb33b7939a165d834b2a0a37bbc238c7a651a09c68653566d8b04c975dcdbdd6dbe2ad92309fd73bed342a1f0e91335d8fd646b5c887dd11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_D222662A57BAA60D2F5EA0D2CC7B2F1C

MD5 e3c96567e633b1cf8c503c4724db6fd0
SHA1 430fe9269775f5769facc35f4d19b1ee5090717a
SHA256 c69b306906cdd958cd32d917a15fcb3b54f35cad55e8d8ba4e447e999f8a712c
SHA512 f5c7d6289b2fc345ac343f425465619e6bab46a9a35a529f278e7e955edf95fd38630d4591afc2584e4bb7b32a856598136fee3eb83430c2aebf05c3a91be8f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

MD5 c5b14f7020722b6c9bc7b531cd4912e7
SHA1 91d81369cc903f45514058cbb6cb4da07025d42d
SHA256 7592249dccca253458b6877a74716009251652dbb8f9ed29c195a2fa4f23b836
SHA512 29f61590bb549648e299647d014ff7846aee3bb54f03cbb68ec432b7fff59c2857d1452a639956c887c10762e48bcdcdb59ec5a8ad506d12164f0f0b214a8188

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 fdd8bc387977849b6f87aab262904294
SHA1 337e9a12b2e84bff676059a31319fd0ac1d22553
SHA256 096f11e26931cf3838cb75a24e0cd2344c776ff46da0a312b8095152648230a9
SHA512 b910a2706f918468a744dc1ef02efee41b8ffef74a19bcc6c3cab59376aee4c0ce03f43590f1dd01c600cc64a37ca1837064ef60ce75cd72d30a37182bb893d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 572ea307898c8c6eaa8dc4985a77e177
SHA1 07f16d7a86f8b799364a5c654253e9a2058667af
SHA256 a0af8a9e91c0c0e591be7382e2e875d6ad52eb6fa86dbba599704a5d5189e298
SHA512 01f77c6cd80e50006476a66170dcf4238b6b8d5173a20c071605411dc49610d88950b52d6d8935e07301dd69a42c84c713fa50f7d6bc75686b452f77a5a6d191