45833dc7730d4f37357a4149eeb5cf1389c0a87df7ac5a5e52ad5a3ee845357a

Analysis

max time kernel
78s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1234.exe
Size

597KB
MD5

972bda48546cecc13e31bfc3d445e9f7
SHA1

ef6e53d3b99c942df9c4751d93564d84b42748fc
SHA256

45833dc7730d4f37357a4149eeb5cf1389c0a87df7ac5a5e52ad5a3ee845357a
SHA512

2370ea4bd99f75f25cbfdd45fddaec5e2865dfae484e7fa014cc6b1a9a5f08afdfc48e29895463607a449f03c0615838d360c5652f7dab6b03ee2ac450434826
SSDEEP

12288:4IRx6tD2PVle8zpYAgzvbiKoW+dDwm5sY:3RktDLAgT2KoVd0ZY

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

1234.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\regid.1967-07.com.microsoft\\DogDAppxLogso.exe"	1234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe"	1234.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1234.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 1234.exe
Loads dropped DLL 13 IoCs

Processes:

WmiApSrv.exe

pid process

2796
1996
4456
5000
912 WmiApSrv.exe
4580
3640
1980
3884
2916
4544
1452
3520
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1234.exe

pid	process
2796
1996
4456
5000
912	WmiApSrv.exe
4580
3640
1980
3884
2916
4544
1452
3520

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1234.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\\swapdrives.exe"	1234.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 4 IoCs

Processes:

1234.exe

description	ioc	process
File created	C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe	1234.exe
File opened for modification	C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe	1234.exe
File opened for modification	C:\Windows\regid.1967-07.com.microsoft	1234.exe
File created	C:\Windows\xdwd.dll	1234.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2336	schtasks.exe
2964	schtasks.exe
4384	schtasks.exe
5088	schtasks.exe
4004	schtasks.exe
2540	schtasks.exe
4164	schtasks.exe
3300	schtasks.exe
3132	schtasks.exe
1612	schtasks.exe
4320	schtasks.exe
4904	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3928 timeout.exe
2624 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3296 taskkill.exe
1556 taskkill.exe

pid	process
3928	timeout.exe
2624	timeout.exe

pid	process
3296	taskkill.exe
1556	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeexplorer.exeexplorer.exeSearchApp.exeSearchApp.exeexplorer.exeexplorer.exeSearchApp.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{4C6658C2-CB96-404D-A8F4-DCB40B788A30}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{EE0D7BFA-9DB8-4A23-BF16-84C8501AC418}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{1C112791-0A30-427B-870C-234A8989437C}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1234.exeWmiApSrv.exe

pid	process
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
772	1234.exe
912	WmiApSrv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1234.exetaskkill.exetaskkill.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	772	1234.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	4092	explorer.exe
Token: SeCreatePagefilePrivilege	4092	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe
Token: SeCreatePagefilePrivilege	1016	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe
Token: SeCreatePagefilePrivilege	1016	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe
Token: SeCreatePagefilePrivilege	1016	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe
Token: SeCreatePagefilePrivilege	1016	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe
Token: SeCreatePagefilePrivilege	1016	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe
Token: SeCreatePagefilePrivilege	1016	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe
Token: SeCreatePagefilePrivilege	1016	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe
Token: SeCreatePagefilePrivilege	1016	explorer.exe
Token: SeShutdownPrivilege	1016	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4280	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
1016	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe
4000	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
1004	StartMenuExperienceHost.exe
3876	StartMenuExperienceHost.exe
536	StartMenuExperienceHost.exe
2588	SearchApp.exe
1152	StartMenuExperienceHost.exe
3984	SearchApp.exe
3132	StartMenuExperienceHost.exe
2976	SearchApp.exe
4424	StartMenuExperienceHost.exe
3848	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1234.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.execmd.exeCMD.execmd.execmd.exe

description	pid	process	target process
PID 772 wrote to memory of 1052	772	1234.exe	CMD.exe
PID 772 wrote to memory of 1052	772	1234.exe	CMD.exe
PID 1052 wrote to memory of 3300	1052	CMD.exe	schtasks.exe
PID 1052 wrote to memory of 3300	1052	CMD.exe	schtasks.exe
PID 772 wrote to memory of 3620	772	1234.exe	CMD.exe
PID 772 wrote to memory of 3620	772	1234.exe	CMD.exe
PID 3620 wrote to memory of 2336	3620	CMD.exe	schtasks.exe
PID 3620 wrote to memory of 2336	3620	CMD.exe	schtasks.exe
PID 772 wrote to memory of 4796	772	1234.exe	CMD.exe
PID 772 wrote to memory of 4796	772	1234.exe	CMD.exe
PID 4796 wrote to memory of 3132	4796	CMD.exe	schtasks.exe
PID 4796 wrote to memory of 3132	4796	CMD.exe	schtasks.exe
PID 772 wrote to memory of 1496	772	1234.exe	CMD.exe
PID 772 wrote to memory of 1496	772	1234.exe	CMD.exe
PID 1496 wrote to memory of 1612	1496	CMD.exe	schtasks.exe
PID 1496 wrote to memory of 1612	1496	CMD.exe	schtasks.exe
PID 772 wrote to memory of 1440	772	1234.exe	CMD.exe
PID 772 wrote to memory of 1440	772	1234.exe	CMD.exe
PID 1440 wrote to memory of 2964	1440	CMD.exe	schtasks.exe
PID 1440 wrote to memory of 2964	1440	CMD.exe	schtasks.exe
PID 772 wrote to memory of 4104	772	1234.exe	CMD.exe
PID 772 wrote to memory of 4104	772	1234.exe	CMD.exe
PID 4104 wrote to memory of 4384	4104	CMD.exe	schtasks.exe
PID 4104 wrote to memory of 4384	4104	CMD.exe	schtasks.exe
PID 772 wrote to memory of 4164	772	1234.exe	CMD.exe
PID 772 wrote to memory of 4164	772	1234.exe	CMD.exe
PID 4164 wrote to memory of 4320	4164	CMD.exe	schtasks.exe
PID 4164 wrote to memory of 4320	4164	CMD.exe	schtasks.exe
PID 772 wrote to memory of 2344	772	1234.exe	CMD.exe
PID 772 wrote to memory of 2344	772	1234.exe	CMD.exe
PID 2344 wrote to memory of 5088	2344	CMD.exe	schtasks.exe
PID 2344 wrote to memory of 5088	2344	CMD.exe	schtasks.exe
PID 772 wrote to memory of 2488	772	1234.exe	CMD.exe
PID 772 wrote to memory of 2488	772	1234.exe	CMD.exe
PID 2488 wrote to memory of 4004	2488	CMD.exe	schtasks.exe
PID 2488 wrote to memory of 4004	2488	CMD.exe	schtasks.exe
PID 772 wrote to memory of 3192	772	1234.exe	CMD.exe
PID 772 wrote to memory of 3192	772	1234.exe	CMD.exe
PID 3192 wrote to memory of 2540	3192	CMD.exe	schtasks.exe
PID 3192 wrote to memory of 2540	3192	CMD.exe	schtasks.exe
PID 772 wrote to memory of 3488	772	1234.exe	CMD.exe
PID 772 wrote to memory of 3488	772	1234.exe	CMD.exe
PID 3488 wrote to memory of 4164	3488	CMD.exe	schtasks.exe
PID 3488 wrote to memory of 4164	3488	CMD.exe	schtasks.exe
PID 772 wrote to memory of 4556	772	1234.exe	CMD.exe
PID 772 wrote to memory of 4556	772	1234.exe	CMD.exe
PID 4556 wrote to memory of 4904	4556	CMD.exe	schtasks.exe
PID 4556 wrote to memory of 4904	4556	CMD.exe	schtasks.exe
PID 772 wrote to memory of 3884	772	1234.exe	cmd.exe
PID 772 wrote to memory of 3884	772	1234.exe	cmd.exe
PID 772 wrote to memory of 4188	772	1234.exe	CMD.exe
PID 772 wrote to memory of 4188	772	1234.exe	CMD.exe
PID 3884 wrote to memory of 4588	3884	cmd.exe	schtasks.exe
PID 3884 wrote to memory of 4588	3884	cmd.exe	schtasks.exe
PID 4188 wrote to memory of 3296	4188	CMD.exe	taskkill.exe
PID 4188 wrote to memory of 3296	4188	CMD.exe	taskkill.exe
PID 772 wrote to memory of 1972	772	1234.exe	cmd.exe
PID 772 wrote to memory of 1972	772	1234.exe	cmd.exe
PID 1972 wrote to memory of 3584	1972	cmd.exe	schtasks.exe
PID 1972 wrote to memory of 3584	1972	cmd.exe	schtasks.exe
PID 772 wrote to memory of 2488	772	1234.exe	cmd.exe
PID 772 wrote to memory of 2488	772	1234.exe	cmd.exe
PID 2488 wrote to memory of 3928	2488	cmd.exe	timeout.exe
PID 2488 wrote to memory of 3928	2488	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1234.exe
"C:\Users\Admin\AppData\Local\Temp\1234.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3300
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2336
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3132
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1612
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2964
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4384
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4320
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5088
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4004
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2540
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4164
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "AssemblyBroker" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\system32\schtasks.exe
    schtASks /deLeTe /F /Tn "AssemblyBroker"
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C taskkill /im explorer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\system32\taskkill.exe
    taskkill /im explorer.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Svchost" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\schtasks.exe
    schtASks /deLeTe /F /Tn "Svchost"
    3⤵
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFBE4.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:3928
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4280
- - C:\Windows\system32\taskkill.exe
    taskkill /im DogDAppxLogso.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:912

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3876

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1692

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2288

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1352

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
45654e26b54abaef678dbdb46a9eb535

SHA1
a23cc33fe546ee53bdb07589548d84c2101d6ab0

SHA256
329924597f143dd23c32377fbcbde16a057c28500ff47149dfc4768df5853030

SHA512
313a7c6066b6be2cad54272cab1931fdf6f42b68c3ee78fd06eb4f4574df788a2e9892be74bed3f6198aab652fa3dcf36ccfff9f777d62d3c1d51acd0cff7f9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
48baa6ef17627e5f55e64748e0a74a07

SHA1
65dbb40675549062c9311e219ce070fe83e9ad45

SHA256
64d2424bb7c0d0cd276a7b1bf01af9b13fa4c091d789285f0c705557f9b5b287

SHA512
91a223ff20c7efcebba5a78cb6dcb7c4a4742c8cf050cdd9a3ee013538b504e0e064b48b60a81682e757a9bbf9e4aafd11cafd8ab04343abf85c48d8c9106906

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
6424a356142aaa80334d2bd19372f04c

SHA1
e0500ff50a315df1255d1792a9d8ae2ce9f15e72

SHA256
1764012260f9e99c33d16d0cf85a1138f3349da5db911109a7774931d623285b

SHA512
bcf05b0671f72ca42b79041987967c6797f308502c5af8a7511c8b420c38d825268972f4b5ccc31a0e765a62cff59844e523fcd0ed62c6ba2ac81cae69cdd255

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133608818104244956.txt

Filesize
75KB

MD5
79ea60e4feeffe4483ba2d0ea61852fb

SHA1
7d5921a1b6240cc717ad4f4478bbcfc42f3af8e8

SHA256
1e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923

SHA512
4d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U23Z080G\microsoft.windows[1].xml

Filesize
97B

MD5
292a283bdecf4cd89c3ad863a28bc72f

SHA1
18e896fec5f8b3ea2963d0a5cb45a244050c35c1

SHA256
09794c6006f357000111d7d13c1c20075eaea58f68df78e118d14b4547835ec2

SHA512
71349774dcf41cd9e72c881cd374ffaf2527b2156a616cc064f10f34e7bbf0ea6174916acb2b8b06428f2b2f29315359e66dde317965463ea1eb70fef52beaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFBE4.tmp.bat

Filesize
242B

MD5
00f6c983ce95cf17f08764852d123449

SHA1
68edc0fff0a31c19473f909ed8e370b3e4de6969

SHA256
b09f56a47ae5e585b2e5f9d579fbee021ff7f73f371c09c2ae237a07fd0c2d57

SHA512
49cbe7fc448d88a2c885c7332986cd663adff7d8495a930624e156a6a2f0f69daef84ec050d6cc61fb122b01174a7d73f64ea366783747e977724ab661e11545

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/772-104-0x00007FF816413000-0x00007FF816415000-memory.dmp

Filesize
8KB

Download
memory/772-279-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/772-352-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/772-110-0x000000001C4D0000-0x000000001C4EE000-memory.dmp

Filesize
120KB

Download
memory/772-109-0x00000000027C0000-0x00000000027CC000-memory.dmp

Filesize
48KB

Download
memory/772-108-0x000000001CD60000-0x000000001CDD6000-memory.dmp

Filesize
472KB

Download
memory/772-50-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

Filesize
10.8MB

Download
memory/772-0-0x00000000004F0000-0x000000000058A000-memory.dmp

Filesize
616KB

Download
memory/772-1-0x00007FF816413000-0x00007FF816415000-memory.dmp

Filesize
8KB

Download
memory/1016-362-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1124-1398-0x000001B7F7F30000-0x000001B7F7F50000-memory.dmp

Filesize
128KB

Download
memory/1124-1394-0x000001B7F7000000-0x000001B7F7100000-memory.dmp

Filesize
1024KB

Download
memory/1124-1410-0x000001B7F8500000-0x000001B7F8520000-memory.dmp

Filesize
128KB

Download
memory/1124-1400-0x000001B7F7EF0000-0x000001B7F7F10000-memory.dmp

Filesize
128KB

Download
memory/1124-1393-0x000001B7F7000000-0x000001B7F7100000-memory.dmp

Filesize
1024KB

Download
memory/1124-1395-0x000001B7F7000000-0x000001B7F7100000-memory.dmp

Filesize
1024KB

Download
memory/1496-1839-0x000002782FF40000-0x0000027830040000-memory.dmp

Filesize
1024KB

Download
memory/1496-1838-0x000002782FF40000-0x0000027830040000-memory.dmp

Filesize
1024KB

Download
memory/1496-1840-0x000002782FF40000-0x0000027830040000-memory.dmp

Filesize
1024KB

Download
memory/1524-676-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1524-985-0x000002162CB40000-0x000002162CB60000-memory.dmp

Filesize
128KB

Download
memory/1524-993-0x000002162CF50000-0x000002162CF70000-memory.dmp

Filesize
128KB

Download
memory/1524-977-0x000002162CB80000-0x000002162CBA0000-memory.dmp

Filesize
128KB

Download
memory/1692-825-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1896-1110-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/2588-381-0x00000235147A0000-0x00000235147C0000-memory.dmp

Filesize
128KB

Download
memory/2588-368-0x00000235147E0000-0x0000023514800000-memory.dmp

Filesize
128KB

Download
memory/2588-365-0x0000023513700000-0x0000023513800000-memory.dmp

Filesize
1024KB

Download
memory/2588-364-0x0000023513700000-0x0000023513800000-memory.dmp

Filesize
1024KB

Download
memory/2588-391-0x0000023514BE0000-0x0000023514C00000-memory.dmp

Filesize
128KB

Download
memory/2976-695-0x0000022E30340000-0x0000022E30360000-memory.dmp

Filesize
128KB

Download
memory/2976-714-0x0000022E30750000-0x0000022E30770000-memory.dmp

Filesize
128KB

Download
memory/2976-683-0x0000022E30380000-0x0000022E303A0000-memory.dmp

Filesize
128KB

Download
memory/2976-679-0x0000022E2F220000-0x0000022E2F320000-memory.dmp

Filesize
1024KB

Download
memory/2976-678-0x0000022E2F220000-0x0000022E2F320000-memory.dmp

Filesize
1024KB

Download
memory/3756-1709-0x000001800BD20000-0x000001800BD40000-memory.dmp

Filesize
128KB

Download
memory/3756-1720-0x000001800C130000-0x000001800C150000-memory.dmp

Filesize
128KB

Download
memory/3756-1248-0x0000012C99420000-0x0000012C99520000-memory.dmp

Filesize
1024KB

Download
memory/3756-1696-0x000001800BD60000-0x000001800BD80000-memory.dmp

Filesize
128KB

Download
memory/3756-1284-0x0000012C9A950000-0x0000012C9A970000-memory.dmp

Filesize
128KB

Download
memory/3756-1265-0x0000012C9A540000-0x0000012C9A560000-memory.dmp

Filesize
128KB

Download
memory/3756-1253-0x0000012C9A580000-0x0000012C9A5A0000-memory.dmp

Filesize
128KB

Download
memory/3804-1566-0x000002D8DB650000-0x000002D8DB670000-memory.dmp

Filesize
128KB

Download
memory/3804-1544-0x000002D8DB280000-0x000002D8DB2A0000-memory.dmp

Filesize
128KB

Download
memory/3804-1556-0x000002D8DB240000-0x000002D8DB260000-memory.dmp

Filesize
128KB

Download
memory/3804-1539-0x000002D8DA120000-0x000002D8DA220000-memory.dmp

Filesize
1024KB

Download
memory/3804-1541-0x000002D8DA120000-0x000002D8DA220000-memory.dmp

Filesize
1024KB

Download
memory/3828-970-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/3848-828-0x0000023EC0100000-0x0000023EC0200000-memory.dmp

Filesize
1024KB

Download
memory/3848-831-0x0000023EC1260000-0x0000023EC1280000-memory.dmp

Filesize
128KB

Download
memory/3848-827-0x0000023EC0100000-0x0000023EC0200000-memory.dmp

Filesize
1024KB

Download
memory/3848-863-0x0000023EC1620000-0x0000023EC1640000-memory.dmp

Filesize
128KB

Download
memory/3848-826-0x0000023EC0100000-0x0000023EC0200000-memory.dmp

Filesize
1024KB

Download
memory/3848-841-0x0000023EC1220000-0x0000023EC1240000-memory.dmp

Filesize
128KB

Download
memory/3984-561-0x0000020F0E870000-0x0000020F0E890000-memory.dmp

Filesize
128KB

Download
memory/3984-562-0x0000020F0EE80000-0x0000020F0EEA0000-memory.dmp

Filesize
128KB

Download
memory/3984-531-0x0000020F0E8B0000-0x0000020F0E8D0000-memory.dmp

Filesize
128KB

Download
memory/4000-524-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/4220-1246-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/4344-1537-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/4512-1689-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/5008-1392-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/5040-1116-0x0000011D4C2F0000-0x0000011D4C310000-memory.dmp

Filesize
128KB

Download
memory/5040-1129-0x0000011D4C2B0000-0x0000011D4C2D0000-memory.dmp

Filesize
128KB

Download
memory/5040-1111-0x0000011D4B400000-0x0000011D4B500000-memory.dmp

Filesize
1024KB

Download
memory/5040-1148-0x0000011D4C8C0000-0x0000011D4C8E0000-memory.dmp

Filesize
128KB

Download
memory/5112-1836-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download