7cd00e06d5562d0fe748c83413fc3374f7b6a4d10e1d32f9df8c7c6e4d7a71bc

Analysis

max time kernel
44s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e11b07de217fd3393260f882361ec1a7.exe
Size

288KB
MD5

e11b07de217fd3393260f882361ec1a7
SHA1

b1ecd38e2e1911986a8b5ac3aaa627925161ac8d
SHA256

7cd00e06d5562d0fe748c83413fc3374f7b6a4d10e1d32f9df8c7c6e4d7a71bc
SHA512

cf29a20f2a1c8d4495b30d02144260c2ae80db824973b2140eb3efd30ea31fa217525edcea41ba4a560ac1fefebfc98dc8f8bf9fb975b11abcf35a6ed407e3c3
SSDEEP

6144:xX8JXHMQUXu+9qjCTWeqKas8hiAHlkyvbhA5qLXtE8VZP6lnrlZdgpP:uBM7u+xWEAyeAGy8V168P

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

e11b07de217fd3393260f882361ec1a7.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" e11b07de217fd3393260f882361ec1a7.exe
Disables taskbar notifications via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	e11b07de217fd3393260f882361ec1a7.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

Processes:

8C6C.tmp

pid process

6068 8C6C.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
6068	8C6C.tmp

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2860-1-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2860-3-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4980-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4980-16-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2860-17-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5524-168-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5524-170-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2860-299-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2860-378-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e11b07de217fd3393260f882361ec1a7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\969.exe = "C:\\Program Files (x86)\\LP\\4830\\969.exe"	e11b07de217fd3393260f882361ec1a7.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

e11b07de217fd3393260f882361ec1a7.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\4830\969.exe	e11b07de217fd3393260f882361ec1a7.exe
File opened for modification	C:\Program Files (x86)\LP\4830\969.exe	e11b07de217fd3393260f882361ec1a7.exe
File opened for modification	C:\Program Files (x86)\LP\4830\8C6C.tmp	e11b07de217fd3393260f882361ec1a7.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe

Modifies registry class 21 IoCs

Processes:

explorer.exeStartMenuExperienceHost.exeexplorer.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{332871CA-165A-4F67-A803-6163571A4FDA}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{99E4A904-3B88-4A7B-A349-194472C7C1AA}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

e11b07de217fd3393260f882361ec1a7.exe

pid	process
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe
2860	e11b07de217fd3393260f882361ec1a7.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

msiexec.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeSecurityPrivilege	1092	msiexec.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	4408	explorer.exe
Token: SeCreatePagefilePrivilege	4408	explorer.exe
Token: SeShutdownPrivilege	6140	explorer.exe
Token: SeCreatePagefilePrivilege	6140	explorer.exe
Token: SeShutdownPrivilege	6140	explorer.exe
Token: SeCreatePagefilePrivilege	6140	explorer.exe
Token: SeShutdownPrivilege	6140	explorer.exe
Token: SeCreatePagefilePrivilege	6140	explorer.exe
Token: SeShutdownPrivilege	6140	explorer.exe
Token: SeCreatePagefilePrivilege	6140	explorer.exe
Token: SeShutdownPrivilege	6140	explorer.exe
Token: SeCreatePagefilePrivilege	6140	explorer.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe
6140	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

5552 StartMenuExperienceHost.exe

pid	process
5552	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e11b07de217fd3393260f882361ec1a7.exe

description	pid	process	target process
PID 2860 wrote to memory of 4980	2860	e11b07de217fd3393260f882361ec1a7.exe	e11b07de217fd3393260f882361ec1a7.exe
PID 2860 wrote to memory of 4980	2860	e11b07de217fd3393260f882361ec1a7.exe	e11b07de217fd3393260f882361ec1a7.exe
PID 2860 wrote to memory of 4980	2860	e11b07de217fd3393260f882361ec1a7.exe	e11b07de217fd3393260f882361ec1a7.exe
PID 2860 wrote to memory of 5524	2860	e11b07de217fd3393260f882361ec1a7.exe	e11b07de217fd3393260f882361ec1a7.exe
PID 2860 wrote to memory of 5524	2860	e11b07de217fd3393260f882361ec1a7.exe	e11b07de217fd3393260f882361ec1a7.exe
PID 2860 wrote to memory of 5524	2860	e11b07de217fd3393260f882361ec1a7.exe	e11b07de217fd3393260f882361ec1a7.exe
PID 2860 wrote to memory of 6068	2860	e11b07de217fd3393260f882361ec1a7.exe	8C6C.tmp
PID 2860 wrote to memory of 6068	2860	e11b07de217fd3393260f882361ec1a7.exe	8C6C.tmp
PID 2860 wrote to memory of 6068	2860	e11b07de217fd3393260f882361ec1a7.exe	8C6C.tmp

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e11b07de217fd3393260f882361ec1a7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e11b07de217fd3393260f882361ec1a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	e11b07de217fd3393260f882361ec1a7.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe
"C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2860

C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe
C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe startC:\Users\Admin\AppData\Roaming\04D87\38648.exe%C:\Users\Admin\AppData\Roaming\04D87
2⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe
C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe startC:\Program Files (x86)\87FAD\lvvm.exe%C:\Program Files (x86)\87FAD
2⤵
PID:5524

C:\Program Files (x86)\LP\4830\8C6C.tmp
"C:\Program Files (x86)\LP\4830\8C6C.tmp"
2⤵
- Executes dropped EXE
PID:6068

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:5836

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6140

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2472 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:4276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5284

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:264

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5132

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5200

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\4830\8C6C.tmp
Filesize
102KB

MD5
3dd4e5cd0cb32f735268a740c647065a

SHA1
5e88431137152bf76f61d06b1c2086ecd5082a76

SHA256
a1cb303db454c3faa73fa6705c9a7ce126110615879047fbd579d2c813fba535

SHA512
37463297b6e127dc2689f2b998b14042189baa26727ab1770fc482035b09df2cd3f349fb11038fabde84d0b4a5a07bfc6b5c619001ddc70c9c37c0aa87b3fe04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
54d0ee67e02b977479e03303dfd57b8e

SHA1
1220622e7d66d913421151d044c8c36f3a59fa5a

SHA256
97977c8ab95aa2afd37adcc34ee67e0ccecd470c733f4dab3aae64c1fb79d4b8

SHA512
fd66ff6a39aaafa32e0693749913db7b408386eed9de49e9b9317a0925404f440c2ec3c78accd2c8e94baecbac23ed1603414ca0bc7eac8b8fcc9edd8369fe81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
9fef3caf0e18398a858ff39cef8ce105

SHA1
32b5edca45abf18b10f65160f7613c2b56564d1a

SHA256
54878308fc6bbff4dcf41c076d266a818cf71349e684593fe0072e7946d31fbf

SHA512
814879a1b7771539956b8ded024fee2919bf96387963a646dddfd4e225580a6bc15d1a94c1f0bc0594849236b181b63d4d2a10325082104accae7de545becd25

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133559978394723946.txt
Filesize
74KB

MD5
80dffedad36ef4c303579f8c9be9dbd7

SHA1
792ca2a83d616ca82d973ece361ed9e95c95a0d8

SHA256
590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

SHA512
826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Roaming\04D87\7FAD.4D8
Filesize
996B

MD5
50270cf7725f6f609b390e5529c9d343

SHA1
611538d6d09ec8d032fc3de66d54fc7bd32e7e77

SHA256
f2da225401ebfab042db9ca35f09a3703682f2d56236ff7ec011c3b98ecfb1b2

SHA512
78fd20989a39e4b671784231ffbc3613ee055b0b4780b74068b5931fcef585412d2c627016952a90708e93ee80e1d4a497f2dacb460b0f4116dd39c9c8b9b9b8

Download Submit
C:\Users\Admin\AppData\Roaming\04D87\7FAD.4D8
Filesize
1KB

MD5
10303f1876e4a71d9985fd7fe42d4c98

SHA1
45d272cdb2abc35d7e0ac64e0829dc09cb23a6f9

SHA256
6f88ec95f750f9841961c550b92f85bf90a954b7f04860976c9af9c487fd81d2

SHA512
78faaa4653b2daba0b83c5c85a5835b4022798ce55fca3194adc2e4e9783f6beb671232e1841d0d8608e9a94128105696f850bd8086a775927edeb9c4b62d5c2

Download Submit
C:\Users\Admin\AppData\Roaming\04D87\7FAD.4D8
Filesize
600B

MD5
15d29d4f26c090a69cd33db7eb56384f

SHA1
d04f125f285ba2042fa076b78aeec129e07c221e

SHA256
41206b488c8f004a9edab8621691106e47b11f8f8483c517ffbd2c4a1a5ad717

SHA512
a45b6ec1ae73878ea62281858dadb231ed5b8c96dcde7c716c7889e4e6e908e75620ccf9d8f759b7e5de89ba3e1a1d1fe9df5bff7986a719cdf1840e2f3fa1d4

Download Submit
C:\Users\Admin\AppData\Roaming\04D87\7FAD.4D8
Filesize
1KB

MD5
a78e7b93a58f48a5e39d689c730a0849

SHA1
8e84d55258160ea29dabf55bbaf2dc3968aac776

SHA256
057e6ad8cd3b1e987697ecc9ff1c6247699fabf2d5d4b24422df8616ae9aff41

SHA512
43ca8426ef684c0e5e827070f3153db6dbac83d639c73824829eb8b26ceb852eefc5910a990a3e825a7f1ab9f1488960876e99a6b59629b35177a78567a62a79

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2860-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-378-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-18-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/2860-17-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-3-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-299-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-2-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/3128-310-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/3248-445-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3512-428-0x000001B3F0690000-0x000001B3F06B0000-memory.dmp

Filesize
128KB

Download
memory/3512-433-0x000001B3F0C60000-0x000001B3F0C80000-memory.dmp

Filesize
128KB

Download
memory/3512-430-0x000001B3F0650000-0x000001B3F0670000-memory.dmp

Filesize
128KB

Download
memory/3512-442-0x000001ABEEC00000-0x000001ABEF37A000-memory.dmp

Filesize
7.5MB

Download
memory/3512-474-0x000002C7D0F90000-0x000002C7D0FB0000-memory.dmp

Filesize
128KB

Download
memory/3512-477-0x000002C7D0F50000-0x000002C7D0F70000-memory.dmp

Filesize
128KB

Download
memory/3512-479-0x000002C7D1360000-0x000002C7D1380000-memory.dmp

Filesize
128KB

Download
memory/4316-490-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/4464-498-0x0000015D7ACA0000-0x0000015D7ACC0000-memory.dmp

Filesize
128KB

Download
memory/4464-501-0x0000015D7AC80000-0x0000015D7ACA0000-memory.dmp

Filesize
128KB

Download
memory/4464-504-0x0000015D7B2A0000-0x0000015D7B2C0000-memory.dmp

Filesize
128KB

Download
memory/4760-341-0x000002B02A2B0000-0x000002B02A2D0000-memory.dmp

Filesize
128KB

Download
memory/4760-345-0x000002B02A5A0000-0x000002B02A5C0000-memory.dmp

Filesize
128KB

Download
memory/4760-347-0x000002B02A660000-0x000002B02A680000-memory.dmp

Filesize
128KB

Download
memory/4760-352-0x000002A827600000-0x000002A828F2F000-memory.dmp

Filesize
25.2MB

Download
memory/4980-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4980-457-0x00000271CB800000-0x00000271CB820000-memory.dmp

Filesize
128KB

Download
memory/4980-455-0x00000271CB3B0000-0x00000271CB3D0000-memory.dmp

Filesize
128KB

Download
memory/4980-453-0x00000271CB3F0000-0x00000271CB410000-memory.dmp

Filesize
128KB

Download
memory/4980-15-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/4980-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5132-367-0x000002BEFD560000-0x000002BEFD580000-memory.dmp

Filesize
128KB

Download
memory/5132-370-0x000002BEFDB70000-0x000002BEFDB90000-memory.dmp

Filesize
128KB

Download
memory/5132-364-0x000002BEFD5A0000-0x000002BEFD5C0000-memory.dmp

Filesize
128KB

Download
memory/5132-379-0x000002B6FBC00000-0x000002B6FC37A000-memory.dmp

Filesize
7.5MB

Download
memory/5200-466-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/5220-358-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/5524-169-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/5524-170-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5524-168-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5544-396-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/5548-316-0x000002B0388C0000-0x000002B0388E0000-memory.dmp

Filesize
128KB

Download
memory/5548-330-0x000002A835C00000-0x000002A83752F000-memory.dmp

Filesize
25.2MB

Download
memory/5548-323-0x000002B038C90000-0x000002B038CB0000-memory.dmp

Filesize
128KB

Download
memory/5548-319-0x000002B038880000-0x000002B0388A0000-memory.dmp

Filesize
128KB

Download
memory/5612-421-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/5748-334-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/5876-391-0x000001B3C1000000-0x000001B3C292F000-memory.dmp

Filesize
25.2MB

Download
memory/5932-416-0x0000015E7C000000-0x0000015E7C77A000-memory.dmp

Filesize
7.5MB

Download
memory/5932-408-0x000001667DC30000-0x000001667DC50000-memory.dmp

Filesize
128KB

Download
memory/5932-405-0x000001667D820000-0x000001667D840000-memory.dmp

Filesize
128KB

Download
memory/5932-402-0x000001667D860000-0x000001667D880000-memory.dmp

Filesize
128KB

Download
memory/6068-301-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/6068-305-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6068-300-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6092-384-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download