Analysis Overview
SHA256
1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227
Threat Level: Known bad
The file 1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Sets service image path in registry
Adds policy Run key to start application
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Suspicious use of FindShellTrayWindow
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-19 19:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 19:17
Reported
2025-01-19 19:19
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe = "c:\\users\\admin\\appdata\\local\\temp\\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe:*:Enabled:SMPN" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \??\c:\windows\SysWOW64\regedit.exe | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Drops file in Windows directory
Browser Information Discovery
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\Dism\\ja-JP\\SmiProvider.dll.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_72f3d4cf9d3dccb6.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-c..tasp1.res.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d6425db9d79ae22.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "1048" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "104063" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "29068" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\\Amd64\\HPZIPR12.DLL" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "74525" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "111203" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_719df0580731deba.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsVersion1Warning.htm" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "36371" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-s..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_it-it_04f87c1305f0d058.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\System\\msadc\\ja-JP\\msdaremr.dll.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "34152" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "103851" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "106258" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-t..inkwatson.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f734ab4b52e9d642.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "26545" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\\Amd64\\smf6x5u.xml" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_microsoft-windows-shell-comctl32-v5_31bf3856ad364e35_6.1.7601.17514_none_97c2246fee970dbb.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\gpedit.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\en-US\\powershell_ise.resources.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_prnep003.inf_31bf3856ad364e35_6.1.7600.16385_none_9403111e2c10328e\\prnep003.inf" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "98522" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\de-DE\\arcsas.inf_loc" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\en-US\\msaatext.dll.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "49739" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_ru-ru_29e175fbc10a89d0\\DWrite.dll.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\\Amd64\\BRD131C.GPD" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "71746" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "77349" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\BitLockerDiscoveryVolumeContents\\de-DE_BitLockerToGo.exe.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16520" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "31915" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "66209" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_sti.inf_31bf3856ad364e35_6.1.7600.16385_none_b5d3c30ffa77a77a\\scsiscan.sys" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "103376" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\schemas\\EAPHost\\eapuserpropertiesv1.xsd" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\it-IT\\loadperf.dll.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "11622" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30427" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "37963" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "75332" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "91035" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "107718" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "114565" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\features\\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\\META-INF\\ECLIPSE_.RSA" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\prnhp003.inf_amd64_neutral_4480210763997eb4\\Amd64\\hpd7200t.gpd" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "66817" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "95072" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7601.17514_it-it_1ee6b4808fedf0f8\\msdasqlr.dll.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-onlineidcpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_808b0be0dbba7418\\OnLineIDCPL.dll.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Backup\\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_66e40021f6ac2d53.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsTemplates\\Hardware Tracker.fdt" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\mtxlegih.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\amd64_microsoft-windows-m..nager-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bd23d596d204e54\\odbcint.dll.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "95944" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Manifests\\amd64_brmfcmf.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8910876519478872.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "23518" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "32918" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\it-IT\\runonce.exe.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "78183" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\winsxs\\Backup\\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe
"C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe"
Network
Files
memory/2676-0-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Windows\msrpc.exe
| Hash | Value |
| --- | --- |
| MD5 | 9e4fc5458e8c6538130bfdf13f46ce45 |
| SHA1 | a3bb4a1598f2162a88351f5f78a49660e54b9c52 |
| SHA256 | 612b3f592a79e685c5699ea5e0f75514d1e15bb576f4633150dd21d9da560a0e |
| SHA512 | 36e4688c89ce4126de2effbccd52e760c8380d443c09ad0258627f599964d813dcdab0b58ce841d5189ba128e1fa39167ba8204f90143fd18b9b418062908f1d |
memory/2676-17-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2676-22-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2676-24-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2676-25-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2676-26-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2676-27-0x0000000000400000-0x0000000000425000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 19:17
Reported
2025-01-19 19:20
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
111s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe = "c:\\users\\admin\\appdata\\local\\temp\\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe:*:Enabled:SMPN" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \??\c:\windows\SysWOW64\regedit.exe | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Drops file in Windows directory
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Microsoft Office\\root\\Office16\\ODBC Drivers\\Salesforce\\lib\\OpenSSL64.DllA\\openssl64.dlla.manifest" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30030" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "52435" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-cloudfiles-filter_31bf3856ad364e35_10.0.19041.21_none_981e0aa9bd72183e\\r\\cldflt.sys" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "32708" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\DriverStore\\FileRepository\\netathr10x.inf_amd64_2691c4f95b80eb3b\\eeprom_qca9377_1p1_NFA435_olpc.bin" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "64081" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "97885" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "2133" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\contrast-white\\Weather_TileWide.scale-100.png" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\\Assets\\InsiderHubAppList.targetsize-96.png" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "26951" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "63965" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "3252" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "13977" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\Font\\PFM\\SY______.PFM" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "46394" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\\cortana.html" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "32946" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\Packages\\HyperV-Host-Compute-PowerShell-Module-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.mum" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "61745" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "77840" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_63994a974590744a\\bootmgfw.efi.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "91185" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "2356" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14748" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "38630" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "79114" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\migration\\netiomig.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "81251" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "86201" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\\images\\contrast-black\\GenericMailSmallTile.scale-150.png" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30182" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\DE\\System.EnterpriseServices.Resources.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\InboxFodMetadataCache\\metadata\\Language.Speech~es-mx~1.0.mum" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "63225" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-enhancedstorage-api_31bf3856ad364e35_10.0.19041.1_none_8b1fdc6daf23ffa9\\EhStorAPI.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "97094" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16632" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "50179" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\wbem\\uk-UA\\netttcim_uninstall.mfl" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "52291" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-cryptuiwizard-dll_31bf3856ad364e35_10.0.19041.804_none_99449be11762eb74\\r\\cryptuiwizard.dll.mun" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "94477" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWOW64\\aadauthhelper.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "72129" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "3007" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "24872" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "32715" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SystemApps\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Ratings\\RatingStars41.contrast-black_scale-200.png" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "44964" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "50848" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "53521" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "63779" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "13884" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "19199" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\yuzka873.default-release\\safebrowsing\\analytics-track-digest256.vlpset" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\es\\System.IdentityModel.Selectors.resources.dll" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "80126" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "91961" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "51607" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\WinSxS\\amd64_microsoft-windows-a..orecodecs.resources_31bf3856ad364e35_10.0.19041.1_it-it_86b855572c427fcd\\msg711.acm.mui" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\\Assets\\contrast-black\\BadgeLogo.scale-100_contrast-black.png" | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe
"C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3756-0-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Windows\msrpc.exe
| MD5 | dfd6768390ce065fbf9039f5925737c3 |
| SHA1 | c6ebb6d7c4b1721ca9c6275b37d02e4a540de873 |
| SHA256 | d4b3c2c520d34ae0002abebe22ec1707175be4682abbf9282436354466ada9e8 |
| SHA512 | 6ca13f23ce336fed25296d5281311f3e0dc43aa15214534591ee0a3d72e2785b46ba673c594a90dcb15a57d14cbe0209f42d80b2f112c8ccf11704918d60afd2 |
memory/3756-17-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3756-20-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3756-25-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3756-27-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3756-28-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3756-30-0x0000000000400000-0x0000000000425000-memory.dmp