pony | 036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66

Analysis

max time kernel
73s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
Size

279KB
MD5

bec12b59a1f6396476b0b56bdf37a2d8
SHA1

a42a07a7ca2b2486f0e3c4554401c19243383bd4
SHA256

036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66
SHA512

9325324314e2028661441ddc25f414aef83dfd7dcbd6adacdfb6f789f34634f12e90d30444048302b3bb63cdf0eb219629d037124a54fec6b1e5003aa4de450e
SSDEEP

6144:kn5jzAWmB/lkHai8y38jfM9kTZnXqbvOvbGOWhGGtebfKphGS7S2s1gBdl:kn5j8Ww/ly36v9n6bvVOWhG1eph+9Q

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 7 IoCs

resource	yara_rule
behavioral2/memory/3132-3-0x0000000000400000-0x000000000046A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/3304-11-0x0000000000400000-0x000000000046A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/3132-18-0x0000000000400000-0x000000000046A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4404-92-0x0000000000400000-0x000000000046A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/3132-134-0x0000000000400000-0x000000000046A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/3132-268-0x0000000000400000-0x000000000046A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/3132-293-0x0000000000400000-0x000000000046A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/3944-129-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

UPX dump on OEP (original entry point) 7 IoCs

resource	yara_rule
behavioral2/memory/3132-3-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/3304-11-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/3132-18-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/4404-92-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/3132-134-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/3132-268-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/3132-293-0x0000000000400000-0x000000000046A000-memory.dmp	UPX

Disables taskbar notifications via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	8F89.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3132-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3304-11-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3132-18-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4404-92-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3132-134-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3132-268-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3132-293-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DF2.exe = "C:\\Program Files (x86)\\LP\\D3A3\\DF2.exe"	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\D3A3\8F89.tmp	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
File opened for modification	C:\Program Files (x86)\LP\D3A3\DF2.exe	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
File created	C:\Program Files (x86)\LP\D3A3\DF2.exe	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{47D64B3E-2718-47CD-99AB-D755A6CECC9F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{9B2CC07E-300F-4B40-B851-1BD669791270}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4952	msiexec.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe
Token: SeCreatePagefilePrivilege	5488	explorer.exe
Token: SeShutdownPrivilege	5488	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe
5488	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3532	StartMenuExperienceHost.exe
3652	SearchApp.exe
6056	StartMenuExperienceHost.exe
5136	SearchApp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 3304	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	107
PID 3132 wrote to memory of 3304	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	107
PID 3132 wrote to memory of 3304	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	107
PID 3132 wrote to memory of 3944	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	112
PID 3132 wrote to memory of 3944	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	112
PID 3132 wrote to memory of 3944	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	112
PID 3132 wrote to memory of 4404	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	113
PID 3132 wrote to memory of 4404	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	113
PID 3132 wrote to memory of 4404	3132	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
"C:\Users\Admin\AppData\Local\Temp\036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3132
- C:\Users\Admin\AppData\Local\Temp\036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
  C:\Users\Admin\AppData\Local\Temp\036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe startC:\Users\Admin\AppData\Roaming\3E9E2\7BED3.exe%C:\Users\Admin\AppData\Roaming\3E9E2
  2⤵
  PID:3304
- C:\Program Files (x86)\LP\D3A3\8F89.tmp
  "C:\Program Files (x86)\LP\D3A3\8F89.tmp"
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Users\Admin\AppData\Local\Temp\036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe
  C:\Users\Admin\AppData\Local\Temp\036e48bc428237cda45e8ed687a7bc04371b484c345a166dfd50e3bff5b28a66.exe startC:\Program Files (x86)\E21AE\lvvm.exe%C:\Program Files (x86)\E21AE
  2⤵
  PID:4404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4424 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4136

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5980

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\D3A3\8F89.tmp

Filesize
98KB

MD5
a947ad1236b35422485681abe768ff48

SHA1
454b8c85500ca1d2496c875fa4e32311aaf6dc02

SHA256
10ca53e5ca35f67264d4892eed888984ff03c172292d1082714187e03ef7974d

SHA512
fb71b6369bef57f1f4e6b39fe9745620d1acd3c216343dd68affd70b2057f893d3966b76afb2ac4f6fed5941dcee60a2c8322b423f9e7789f3ccb7a64a6cdf8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
94cb3d35c6757a6627b6810f0dba6730

SHA1
6e354e4685f7e35f004daf04702c3b1f41d78a38

SHA256
f6b05bec7203657825a9e0c5174f19a8681d6062b3deb03e118c54f472b33aed

SHA512
db3b46690dfe5cc2e4b4c56a62d88a72422c9c89dd380f58372f4d6dceab4e8f8b75690c004ec527087d373232fc1b1366f1fe86b80c94fe85b584a2da197902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
baeab679e09890cc7d95d3a5d8bc7694

SHA1
87f2966e2713627492c36ca8b6f31ad9561f7f26

SHA256
655b40fc9149ce3ea5d3414588b16c393526264c408d33c505764891dfaae6db

SHA512
9a1b9692779a924ca2a513fa792e3a3140216235a0048592e0fb57bb3e4787c99a45f1d3cc31e17b098f5480ab5a66a74c6076bc85fd60e92aa4435800d5f8ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
f00da9dd355fd4f3da2f9a3106dfbb25

SHA1
62dc6bfd17dc5be13253d1b92174dc96fbda81eb

SHA256
a9a014d4284dad0101b29ac6c21b5b9544852cacab614a287d3e4ae5d178240b

SHA512
ae6a4c183324d6d10ba4c4812226a90a629d5263d881f854eee08e6618779757bf4652e43fee6cf6674fb9194a6ad3a46c3003740c722bd0105dd83aa13fa1cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133544850576555349.txt

Filesize
74KB

MD5
80dffedad36ef4c303579f8c9be9dbd7

SHA1
792ca2a83d616ca82d973ece361ed9e95c95a0d8

SHA256
590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

SHA512
826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml

Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Roaming\3E9E2\21AE.E9E

Filesize
1KB

MD5
c1a4ad3aea370f75f80cdf9602569c63

SHA1
b11985fe26cec155b38402c245feecf0794d5973

SHA256
37ca00fe83de4570fba62e609124ec6ae8927e1960ec158eba6ed8fe76d84213

SHA512
5f2b50990427d1d636a1e1c8e778d475951bc78cacbb24446150f96c3b56386bd88291930197c38faf32986c5d317f8b03ea8f2e3ef3aefecb1cf01a6a1a5be5

Download Submit
C:\Users\Admin\AppData\Roaming\3E9E2\21AE.E9E

Filesize
897B

MD5
639905947c3629c9484ff965f1912e7b

SHA1
82851fc6e6b2588e8ec6ff8d017d55ef2a3c1e4e

SHA256
da0a9bb823db59257d58d7bd5b5d42c724ce32034d83f7bc9abe2f8f3484eff3

SHA512
59424aea2ceffaf409e00e771be7afa5a6dd4e80d76489c4e3c0e32236583c09d3ce0beaa1586dfda63b8752deb995c08fdc3a32734fa6a947efabcfe095ebd8

Download Submit
C:\Users\Admin\AppData\Roaming\3E9E2\21AE.E9E

Filesize
1KB

MD5
b01a443879b2b943142ac4022c886e6b

SHA1
baca869ce1676ceebc922a8ea16a46d8365d5282

SHA256
a5210cf72c4ef9e70ad69824e71ce01d805850a8eb214d2c9b723d2f949549b8

SHA512
b438efe5c3afe7296de84b8e3396f9f9126bc14028592119c005fa9cbccf995efcbac1316aefbc98d43ca57d590da18aa325f66c8a6c91cfec2fc6cf2d0c56ab

Download Submit
memory/400-365-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/1568-291-0x000001C50B000000-0x000001C50B77A000-memory.dmp

Filesize
7.5MB

Download
memory/1568-277-0x000001CD0C7D0000-0x000001CD0C7F0000-memory.dmp

Filesize
128KB

Download
memory/1568-280-0x000001CD0C790000-0x000001CD0C7B0000-memory.dmp

Filesize
128KB

Download
memory/1568-284-0x000001CD0CBA0000-0x000001CD0CBC0000-memory.dmp

Filesize
128KB

Download
memory/1840-342-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/2076-405-0x000001EF764C0000-0x000001EF764E0000-memory.dmp

Filesize
128KB

Download
memory/2076-403-0x000001EF75EB0000-0x000001EF75ED0000-memory.dmp

Filesize
128KB

Download
memory/2076-400-0x000001EF75EF0000-0x000001EF75F10000-memory.dmp

Filesize
128KB

Download
memory/3132-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3132-268-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3132-2-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/3132-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3132-10-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/3132-293-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3132-134-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3132-18-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3304-11-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3304-12-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/3348-270-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/3572-317-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3944-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3944-32-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/3944-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-93-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/4404-92-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4544-243-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/5136-232-0x00000178FE980000-0x00000178FE9A0000-memory.dmp

Filesize
128KB

Download
memory/5136-230-0x00000178FE570000-0x00000178FE590000-memory.dmp

Filesize
128KB

Download
memory/5136-227-0x00000178FE5B0000-0x00000178FE5D0000-memory.dmp

Filesize
128KB

Download
memory/5192-253-0x00000218D7830000-0x00000218D7850000-memory.dmp

Filesize
128KB

Download
memory/5192-251-0x00000218D7870000-0x00000218D7890000-memory.dmp

Filesize
128KB

Download
memory/5192-258-0x00000218D7C40000-0x00000218D7C60000-memory.dmp

Filesize
128KB

Download
memory/5296-375-0x00000289852B0000-0x00000289852D0000-memory.dmp

Filesize
128KB

Download
memory/5296-378-0x00000289858C0000-0x00000289858E0000-memory.dmp

Filesize
128KB

Download
memory/5296-373-0x00000289852F0000-0x0000028985310000-memory.dmp

Filesize
128KB

Download
memory/5304-296-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/5304-349-0x000001F1EA510000-0x000001F1EA530000-memory.dmp

Filesize
128KB

Download
memory/5304-351-0x000001F1EA4D0000-0x000001F1EA4F0000-memory.dmp

Filesize
128KB

Download
memory/5304-356-0x000001F1EAB20000-0x000001F1EAB40000-memory.dmp

Filesize
128KB

Download
memory/5488-221-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/5756-303-0x0000024CE9170000-0x0000024CE9190000-memory.dmp

Filesize
128KB

Download
memory/5756-309-0x0000024CE95E0000-0x0000024CE9600000-memory.dmp

Filesize
128KB

Download
memory/5756-305-0x0000024CE9130000-0x0000024CE9150000-memory.dmp

Filesize
128KB

Download
memory/5984-331-0x000001DF9FFF0000-0x000001DFA0010000-memory.dmp

Filesize
128KB

Download
memory/5984-327-0x000001DF9F9E0000-0x000001DF9FA00000-memory.dmp

Filesize
128KB

Download
memory/5984-324-0x000001DF9FC20000-0x000001DF9FC40000-memory.dmp

Filesize
128KB

Download
memory/6052-393-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download