pony | ce1b526bd03a7d5dd0c4d5803ae9c3c881de4f2229cae4e6c01d07c81b2a6541

Analysis

max time kernel
37s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcd19eee4fabb093e3e5fd6ed05c845c.exe
Size

283KB
MD5

dcd19eee4fabb093e3e5fd6ed05c845c
SHA1

b0c6823a142435c8f20455c83797b820a4bff5d2
SHA256

ce1b526bd03a7d5dd0c4d5803ae9c3c881de4f2229cae4e6c01d07c81b2a6541
SHA512

84d6cdb4bba43c5e10dc963e3b106d002d14b495c40f7dd02ce560d2d53ed4eef696849eac437dc38f2431f70b7388e91f3611a169384c82d88c755d192c4d67
SSDEEP

6144:y/aIitjKYKKiYkuKcuuiRahdoZ1oiAcYS+U7MyXP2R0:yiIitGPuKcniYhdoZ1gRSL7dP2

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

dcd19eee4fabb093e3e5fd6ed05c845c.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" dcd19eee4fabb093e3e5fd6ed05c845c.exe
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Disables taskbar notifications via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	dcd19eee4fabb093e3e5fd6ed05c845c.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

Processes:

6A2.tmp

pid process

3992 6A2.tmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3992	6A2.tmp

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/448-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/448-3-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/448-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4100-44-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/448-115-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/536-116-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/448-217-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/448-254-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/448-296-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dcd19eee4fabb093e3e5fd6ed05c845c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0DA.exe = "C:\\Program Files (x86)\\LP\\1C70\\0DA.exe"	dcd19eee4fabb093e3e5fd6ed05c845c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

dcd19eee4fabb093e3e5fd6ed05c845c.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\1C70\0DA.exe	dcd19eee4fabb093e3e5fd6ed05c845c.exe
File opened for modification	C:\Program Files (x86)\LP\1C70\0DA.exe	dcd19eee4fabb093e3e5fd6ed05c845c.exe
File opened for modification	C:\Program Files (x86)\LP\1C70\6A2.tmp	dcd19eee4fabb093e3e5fd6ed05c845c.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Modifies registry class 32 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{DB9E7E71-F520-4F2F-B23E-46FBDEBDD28A}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{757BFE29-2175-403C-8770-CB6F9E633078}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{27BB8D0E-72B1-4093-B107-C618B8952A68}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

dcd19eee4fabb093e3e5fd6ed05c845c.exe

pid	process
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe
448	dcd19eee4fabb093e3e5fd6ed05c845c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeSecurityPrivilege	4584	msiexec.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	1828	explorer.exe
Token: SeCreatePagefilePrivilege	1828	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5084	explorer.exe
Token: SeCreatePagefilePrivilege	5084	explorer.exe
Token: SeShutdownPrivilege	5100	explorer.exe
Token: SeCreatePagefilePrivilege	5100	explorer.exe
Token: SeShutdownPrivilege	5100	explorer.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
1828	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid process

4996 StartMenuExperienceHost.exe
4860 StartMenuExperienceHost.exe

pid	process
4996	StartMenuExperienceHost.exe
4860	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dcd19eee4fabb093e3e5fd6ed05c845c.exe

description	pid	process	target process
PID 448 wrote to memory of 4100	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	dcd19eee4fabb093e3e5fd6ed05c845c.exe
PID 448 wrote to memory of 4100	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	dcd19eee4fabb093e3e5fd6ed05c845c.exe
PID 448 wrote to memory of 4100	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	dcd19eee4fabb093e3e5fd6ed05c845c.exe
PID 448 wrote to memory of 536	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	svchost.exe
PID 448 wrote to memory of 536	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	svchost.exe
PID 448 wrote to memory of 536	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	svchost.exe
PID 448 wrote to memory of 3992	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	6A2.tmp
PID 448 wrote to memory of 3992	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	6A2.tmp
PID 448 wrote to memory of 3992	448	dcd19eee4fabb093e3e5fd6ed05c845c.exe	6A2.tmp

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dcd19eee4fabb093e3e5fd6ed05c845c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dcd19eee4fabb093e3e5fd6ed05c845c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dcd19eee4fabb093e3e5fd6ed05c845c.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dcd19eee4fabb093e3e5fd6ed05c845c.exe
"C:\Users\Admin\AppData\Local\Temp\dcd19eee4fabb093e3e5fd6ed05c845c.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:448

C:\Users\Admin\AppData\Local\Temp\dcd19eee4fabb093e3e5fd6ed05c845c.exe
C:\Users\Admin\AppData\Local\Temp\dcd19eee4fabb093e3e5fd6ed05c845c.exe startC:\Users\Admin\AppData\Roaming\0D243\9D21C.exe%C:\Users\Admin\AppData\Roaming\0D243
2⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\dcd19eee4fabb093e3e5fd6ed05c845c.exe
C:\Users\Admin\AppData\Local\Temp\dcd19eee4fabb093e3e5fd6ed05c845c.exe startC:\Program Files (x86)\43DA5\lvvm.exe%C:\Program Files (x86)\43DA5
2⤵
PID:536

C:\Program Files (x86)\LP\1C70\6A2.tmp
"C:\Program Files (x86)\LP\1C70\6A2.tmp"
2⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3920

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4052 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:8
1⤵
PID:5420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6136

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5628

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2000

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6032

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2800

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1060

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4360

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5400

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5864

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2764

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5596

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5112

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6032

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\1C70\6A2.tmp
Filesize
99KB

MD5
9d83b6d4629b9d0e96bbdb171b0dc5db

SHA1
e9bed14c44fe554e0e8385096bbacca494da30b1

SHA256
d3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d

SHA512
301187bdcab5ca9942b2c7b7114e37e53e58b5661eef50c389622950d7691993a29f5a825132cf499ca73cdb6637d3f58afdc024cb04fac2b8e01f752209572c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
1912b0de9722581d54626ce20721f9b6

SHA1
f412c2f35cfcb0136eb91da25a55c418df42b343

SHA256
3bbddcc2d1995d3dc52f8085db9dc953da9a6035d528d44fd9ec800ab35a5429

SHA512
b1621b61d045e649abbaa9d6cd50a7ba1a1a66422f1025fd3719aca30fc584976ec0ec2a0d7a16545c6b6d110dc99359db8a95cc7624bb2fe562854ab0a8ecd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
5cc8f3f3b23b2ffb049346c57467f954

SHA1
caf9f4801e8b1a6ede5e06cdc8872671e9104ce6

SHA256
6548ea48b21b61c133707f14fd9007f8bc18211848a63412a0a467c7b832b90c

SHA512
3f71c3a383a8ee535f3c724ef589f09cdbc5ba012aee3dca41589fdc896172f45ea396ac22723db745d3447bcc08f07e7ff8fec006e000ffd4d9474cd2c484da

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
39e90217cb5dce5c52a79d78956befa1

SHA1
6a62e2e2e28bbf1768a94cb99c0ffef5eb97bcbc

SHA256
2eed62db645bf338231ffd57913abe1449bdf2bcf2209a070770348ad2fb56b8

SHA512
8c9c3bd7cf244cbda50f13eb89c2a3b817867363003ddeeb4bec117d171deda6f634afcc9974c6b45c514cdf58ecc42d1f183515ed4ed559051b958459822101

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133558010472881701.txt
Filesize
74KB

MD5
80dffedad36ef4c303579f8c9be9dbd7

SHA1
792ca2a83d616ca82d973ece361ed9e95c95a0d8

SHA256
590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

SHA512
826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TV3VV50F\microsoft.windows[1].xml
Filesize
97B

MD5
5b984c298841d3dc3a3a0f8a819790bc

SHA1
27ec8f9f31d80734493d88e29e639b7562276867

SHA256
c9bc2d8c025943515a1412a4cb84dd9c184b73031125619bf2cd2d2d2efc2d66

SHA512
884209f3ea5207c6ad508975e139b2a16a6b861152c6861a3c1f1459973c896387e92407230ee1c90a6d4a9a49c52aa18d9d292b281a5b906f219280b7f15a93

Download Submit
C:\Users\Admin\AppData\Roaming\0D243\3DA5.D24
Filesize
600B

MD5
fe90f2cb9b87e2278f3a5fb7b67cbedf

SHA1
020d5a7b99a299b72eb6768e1c14e42b4dcfc071

SHA256
bab633e421c4da5e69d3998b6148ef0aea3bee3d1dc1a5617f5a330d617e8103

SHA512
c029c2bec728fa439a36c7a9758c01983dc140c13db19c1be718d7dc2a8262116b3846da9a730eed7f0ca2c5d3c7f03236f487514f70eb1fbeac1d98ded48535

Download Submit
C:\Users\Admin\AppData\Roaming\0D243\3DA5.D24
Filesize
996B

MD5
6aa0aabbb8ce2bfcfb8145147a96341b

SHA1
92ae5baf3ccff4c9a97ddd12c46140f0346ac0a0

SHA256
f9d98c615ca509bfe8172ddc711b3d8028df4f3ddee87562e1a3f79bad21981d

SHA512
d3e3f6cf67edb02852a8d807fb8de3bac38446529356f0a39242bf9c278ef64fd65fd5d721ff8f10937f619104ad149e408b5b66f7c1e4c493e5fb7161e431ca

Download Submit
C:\Users\Admin\AppData\Roaming\0D243\3DA5.D24
Filesize
1KB

MD5
f56c4853307d4941eaad730ed18836b7

SHA1
610f49ad95f8dd43854cbb37096c6c27362b281e

SHA256
a55843440c4e0a1d69fdd04402c00fbf1e186269c28160bf929a8027e3f4d59f

SHA512
9839e4b72595d15443dae2973d39724deb42f5d4ed79f0263d5cf6ce01a0fffea5488671c9f8ef50a4c2cf69acee06ae2ca87d6148606bb7ee21cf09fe3fb774

Download Submit
C:\Users\Admin\AppData\Roaming\0D243\3DA5.D24
Filesize
1KB

MD5
508841d7533f7a6ced16a1375cdf8601

SHA1
65731d0b4b086c08a20c3b8db0b0d766bc663a68

SHA256
7a26c805acf7bb1ec1aa0adbdbb65408bb720dc555c4649b1338177ff104b1e6

SHA512
2714b7387e3188822fb7512c203784853f87e154f42d638f3ecf34433c8c760212fa29628c49fac0fcd577d4564cbca139a51ab0a4aeaa1c8d966e97a97d2c3d

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/320-431-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/448-113-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/448-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/448-2-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/448-296-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/448-115-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/448-254-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/448-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/448-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/448-217-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/536-117-0x00000000005B6000-0x00000000005FE000-memory.dmp

Filesize
288KB

Download
memory/536-116-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1044-378-0x000002119CA00000-0x000002119E32F000-memory.dmp

Filesize
25.2MB

Download
memory/1044-369-0x000002199FB00000-0x000002199FB20000-memory.dmp

Filesize
128KB

Download
memory/1044-367-0x000002199F660000-0x000002199F680000-memory.dmp

Filesize
128KB

Download
memory/1044-364-0x000002199F6A0000-0x000002199F6C0000-memory.dmp

Filesize
128KB

Download
memory/1060-341-0x0000025EE17C0000-0x0000025EE17E0000-memory.dmp

Filesize
128KB

Download
memory/1060-344-0x0000025EE1DE0000-0x0000025EE1E00000-memory.dmp

Filesize
128KB

Download
memory/1060-339-0x0000025EE1800000-0x0000025EE1820000-memory.dmp

Filesize
128KB

Download
memory/1060-353-0x00000256DEC00000-0x00000256E052F000-memory.dmp

Filesize
25.2MB

Download
memory/2296-253-0x000001D0FA200000-0x000001D0FBB2F000-memory.dmp

Filesize
25.2MB

Download
memory/2296-245-0x000001D8FD3C0000-0x000001D8FD3E0000-memory.dmp

Filesize
128KB

Download
memory/2296-242-0x000001D8FCF20000-0x000001D8FCF40000-memory.dmp

Filesize
128KB

Download
memory/2296-239-0x000001D8FCF60000-0x000001D8FCF80000-memory.dmp

Filesize
128KB

Download
memory/2880-331-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/3064-231-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/3512-380-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/3600-327-0x000001F674800000-0x000001F67612F000-memory.dmp

Filesize
25.2MB

Download
memory/3600-312-0x000001FE77420000-0x000001FE77440000-memory.dmp

Filesize
128KB

Download
memory/3600-316-0x000001FE77A80000-0x000001FE77AA0000-memory.dmp

Filesize
128KB

Download
memory/3600-314-0x000001FE773E0000-0x000001FE77400000-memory.dmp

Filesize
128KB

Download
memory/3696-415-0x0000021B25DD0000-0x0000021B25DF0000-memory.dmp

Filesize
128KB

Download
memory/3696-413-0x0000021B26020000-0x0000021B26040000-memory.dmp

Filesize
128KB

Download
memory/3696-418-0x0000021B263E0000-0x0000021B26400000-memory.dmp

Filesize
128KB

Download
memory/3696-427-0x0000021323200000-0x0000021324B2F000-memory.dmp

Filesize
25.2MB

Download
memory/3992-198-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3992-133-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/3992-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4100-230-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/4100-46-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/4100-44-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4124-356-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/4520-281-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/4716-264-0x0000020D2B8B0000-0x0000020D2B8D0000-memory.dmp

Filesize
128KB

Download
memory/4716-266-0x0000020D2B870000-0x0000020D2B890000-memory.dmp

Filesize
128KB

Download
memory/4716-278-0x0000020529000000-0x000002052A92F000-memory.dmp

Filesize
25.2MB

Download
memory/4716-269-0x0000020D2BC80000-0x0000020D2BCA0000-memory.dmp

Filesize
128KB

Download
memory/5100-199-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/5384-388-0x0000021608820000-0x0000021608840000-memory.dmp

Filesize
128KB

Download
memory/5384-391-0x00000216085E0000-0x0000021608600000-memory.dmp

Filesize
128KB

Download
memory/5384-394-0x0000021608BF0000-0x0000021608C10000-memory.dmp

Filesize
128KB

Download
memory/5384-402-0x0000021605C00000-0x000002160752F000-memory.dmp

Filesize
25.2MB

Download
memory/5460-439-0x0000018FDFC70000-0x0000018FDFC90000-memory.dmp

Filesize
128KB

Download
memory/5460-443-0x0000018FDFC30000-0x0000018FDFC50000-memory.dmp

Filesize
128KB

Download
memory/5460-445-0x0000018FE0240000-0x0000018FE0260000-memory.dmp

Filesize
128KB

Download
memory/5460-453-0x00000187DD040000-0x00000187DE96F000-memory.dmp

Filesize
25.2MB

Download
memory/5584-212-0x0000015405800000-0x0000015405820000-memory.dmp

Filesize
128KB

Download
memory/5584-206-0x0000015405230000-0x0000015405250000-memory.dmp

Filesize
128KB

Download
memory/5584-209-0x00000154051F0000-0x0000015405210000-memory.dmp

Filesize
128KB

Download
memory/5584-227-0x0000015402800000-0x000001540412F000-memory.dmp

Filesize
25.2MB

Download
memory/5628-288-0x000001E78EEC0000-0x000001E78EEE0000-memory.dmp

Filesize
128KB

Download
memory/5628-290-0x000001E78EE80000-0x000001E78EEA0000-memory.dmp

Filesize
128KB

Download
memory/5628-293-0x000001E78F520000-0x000001E78F540000-memory.dmp

Filesize
128KB

Download
memory/5628-300-0x000001DF8C040000-0x000001DF8D96F000-memory.dmp

Filesize
25.2MB

Download
memory/5660-405-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/5752-256-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/6092-305-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download