bazarloader | 0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f

Resubmissions

06-11-2021 17:27

211106-v1eynsegh5 10

06-11-2021 17:14

211106-vr22vaegg2 10

06-11-2021 16:59

211106-vhd9escbfk 10

Analysis

max time kernel
601s
max time network
614s
platform
windows11_x64
resource
win11
submitted
06-11-2021 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
Size

201KB
MD5

2f026a4e714a11325ce22490c0558e53
SHA1

89d742acc48ec9a94b2670925cfd31934b022a51
SHA256

0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f
SHA512

512f3d8f193116f67994c34ff8a95b71f032cb2a04be7efb910ebe1460c01e77e2619172f1522ea2de146858a86b0c12982b009ccde20ff46611dc7f1dadee2f

Score

10^/10

bazarloader raccoon redline smokeloader tofsee new superstar backdoor discovery dropper infostealer loader persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://hefahei60.top/

http://pipevai40.top/

rc4.i32

Extracted

Family

redline

Botnet

new

93.115.20.139:28978

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3612-174-0x0000000002B00000-0x0000000002B1B000-memory.dmp	family_redline
behavioral4/memory/984-198-0x0000000002470000-0x000000000248C000-memory.dmp	family_redline
behavioral4/memory/984-200-0x0000000004BA0000-0x0000000004BBB000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 3312 created 4804	3312	WerFault.exe	58E4.exe
PID 476 created 4224	476	WerFault.exe	8E4E.exe
PID 4452 created 2600	4452	WerFault.exe	E1.exe
PID 3200 created 4396	3200	WerFault.exe	198B.exe
PID 3148 created 2960	3148	WerFault.exe	3F44.exe
PID 2284 created 824	2284	WerFault.exe	C1C3.exe

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3376-231-0x0000000000640000-0x0000000000671000-memory.dmp	BazarLoaderVar5

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

3DCA.exe3DCA.exe58E4.exe774B.exe8E4E.exeB291.exeB291.exeE1.exe198B.exe3F44.exeC1C3.exe42CC.exe42CC.exe

pid	process
4968	3DCA.exe
4808	3DCA.exe
4804	58E4.exe
3612	774B.exe
4224	8E4E.exe
3680	B291.exe
984	B291.exe
2600	E1.exe
4396	198B.exe
2960	3F44.exe
824	C1C3.exe
2264	42CC.exe
4880	42CC.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
1045	eklyusoq.bazar
1248	ofozusoq.bazar
976	zeymxypi.bazar
1919	piyxifvu.bazar
1096	ifecxyoq.bazar
1561	usgaxypi.bazar
2019	vuecusvu.bazar
482	izecifvu.bazar
1028	noepifpi.bazar
928	xeozuspi.bazar
181	ofpyekpi.bazar
531	pipyekvu.bazar
1660	allyekpi.bazar
1953	xeepxyoq.bazar
262	zeutifvu.bazar
1595	oqymusiz.bazar
955	oqgaifoq.bazar
1053	eklyusoq.bazar
1562	usgaxypi.bazar
733	kalyusiz.bazar
746	kalyusiz.bazar
628	vuozxyvu.bazar
1051	eklyusoq.bazar
1323	vuucuspi.bazar
2194	izheifoq.bazar
266	zeutifvu.bazar
487	izecifvu.bazar
1977	alwiusiz.bazar
321	zegaekvu.bazar
1631	xeucusvu.bazar
992	vuyxekoq.bazar
1683	eksaifiz.bazar
2217	ibyxxyiz.bazar
669	ekymifvu.bazar
1034	noepifpi.bazar
1952	xeepxyoq.bazar
420	deepekpi.bazar
897	oqutxyoq.bazar
1204	ubutxyvu.bazar
2003	zesaifoq.bazar
1592	oqymusiz.bazar
1607	ofyxifpi.bazar
1999	zesaifoq.bazar
548	ofpousiz.bazar
1120	zuybuspi.bazar
1497	izygifiz.bazar
2095	nozausoq.bazar
2127	deutekiz.bazar
2165	xyozekvu.bazar
922	ofteekvu.bazar
1467	xypoekpi.bazar
274	vuteekiz.bazar
583	oqygusvu.bazar
604	xeteekoq.bazar
1767	zupoekvu.bazar
1905	ubymuspi.bazar
205	oqzaifiz.bazar
436	zulyxyvu.bazar
1230	piteifpi.bazar
1623	xeucusvu.bazar
1656	allyekpi.bazar
1837	xytexyiz.bazar
1938	ofucekiz.bazar
2241	piucekoq.bazar

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3376 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3376	regsvr32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe3DCA.exeB291.exe42CC.exe

description	pid	process	target process
PID 504 set thread context of 5108	504	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
PID 4968 set thread context of 4808	4968	3DCA.exe	3DCA.exe
PID 3680 set thread context of 984	3680	B291.exe	B291.exe
PID 2264 set thread context of 4880	2264	42CC.exe	42CC.exe

Drops file in Windows directory 9 IoCs

Processes:

TiWorker.exesvchost.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1900	4804	WerFault.exe	58E4.exe
4656	4224	WerFault.exe	8E4E.exe
2840	2600	WerFault.exe	E1.exe
4964	4396	WerFault.exe	198B.exe
2792	2960	WerFault.exe	3F44.exe
1480	824	WerFault.exe	C1C3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe3DCA.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3DCA.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3DCA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3DCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe

Checks processor information in registry 2 TTPs 44 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe

pid	process
5108	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
5108	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3232
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe3DCA.exe

pid process

5108 0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
4808 3DCA.exe

pid	process
3232

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1460	svchost.exe
Token: SeCreatePagefilePrivilege	1460	svchost.exe
Token: SeShutdownPrivilege	1460	svchost.exe
Token: SeCreatePagefilePrivilege	1460	svchost.exe
Token: SeShutdownPrivilege	1460	svchost.exe
Token: SeCreatePagefilePrivilege	1460	svchost.exe
Token: SeShutdownPrivilege	4124	svchost.exe
Token: SeCreatePagefilePrivilege	4124	svchost.exe
Token: SeShutdownPrivilege	1460	svchost.exe
Token: SeCreatePagefilePrivilege	1460	svchost.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe
Token: SeBackupPrivilege	2592	TiWorker.exe
Token: SeRestorePrivilege	2592	TiWorker.exe
Token: SeSecurityPrivilege	2592	TiWorker.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3232

pid	process
3232

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exesvchost.exe3DCA.exeWerFault.exeWerFault.exeB291.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 504 wrote to memory of 5108	504	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
PID 504 wrote to memory of 5108	504	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
PID 504 wrote to memory of 5108	504	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
PID 504 wrote to memory of 5108	504	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
PID 504 wrote to memory of 5108	504	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
PID 504 wrote to memory of 5108	504	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe	0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
PID 4124 wrote to memory of 1100	4124	svchost.exe	MoUsoCoreWorker.exe
PID 4124 wrote to memory of 1100	4124	svchost.exe	MoUsoCoreWorker.exe
PID 3232 wrote to memory of 4968	3232		3DCA.exe
PID 3232 wrote to memory of 4968	3232		3DCA.exe
PID 3232 wrote to memory of 4968	3232		3DCA.exe
PID 4968 wrote to memory of 4808	4968	3DCA.exe	3DCA.exe
PID 4968 wrote to memory of 4808	4968	3DCA.exe	3DCA.exe
PID 4968 wrote to memory of 4808	4968	3DCA.exe	3DCA.exe
PID 4968 wrote to memory of 4808	4968	3DCA.exe	3DCA.exe
PID 4968 wrote to memory of 4808	4968	3DCA.exe	3DCA.exe
PID 4968 wrote to memory of 4808	4968	3DCA.exe	3DCA.exe
PID 3232 wrote to memory of 4804	3232		58E4.exe
PID 3232 wrote to memory of 4804	3232		58E4.exe
PID 3232 wrote to memory of 4804	3232		58E4.exe
PID 3312 wrote to memory of 4804	3312	WerFault.exe	58E4.exe
PID 3312 wrote to memory of 4804	3312	WerFault.exe	58E4.exe
PID 3232 wrote to memory of 3612	3232		774B.exe
PID 3232 wrote to memory of 3612	3232		774B.exe
PID 3232 wrote to memory of 4224	3232		8E4E.exe
PID 3232 wrote to memory of 4224	3232		8E4E.exe
PID 3232 wrote to memory of 4224	3232		8E4E.exe
PID 476 wrote to memory of 4224	476	WerFault.exe	8E4E.exe
PID 476 wrote to memory of 4224	476	WerFault.exe	8E4E.exe
PID 3232 wrote to memory of 3680	3232		B291.exe
PID 3232 wrote to memory of 3680	3232		B291.exe
PID 3232 wrote to memory of 3680	3232		B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3680 wrote to memory of 984	3680	B291.exe	B291.exe
PID 3232 wrote to memory of 3376	3232		regsvr32.exe
PID 3232 wrote to memory of 3376	3232		regsvr32.exe
PID 3232 wrote to memory of 2600	3232		E1.exe
PID 3232 wrote to memory of 2600	3232		E1.exe
PID 3232 wrote to memory of 2600	3232		E1.exe
PID 4452 wrote to memory of 2600	4452	WerFault.exe	E1.exe
PID 4452 wrote to memory of 2600	4452	WerFault.exe	E1.exe
PID 3232 wrote to memory of 4396	3232		198B.exe
PID 3232 wrote to memory of 4396	3232		198B.exe
PID 3232 wrote to memory of 4396	3232		198B.exe
PID 3200 wrote to memory of 4396	3200	WerFault.exe	198B.exe
PID 3200 wrote to memory of 4396	3200	WerFault.exe	198B.exe
PID 3232 wrote to memory of 2960	3232		3F44.exe
PID 3232 wrote to memory of 2960	3232		3F44.exe
PID 3232 wrote to memory of 2960	3232		3F44.exe
PID 3148 wrote to memory of 2960	3148	WerFault.exe	3F44.exe
PID 3148 wrote to memory of 2960	3148	WerFault.exe	3F44.exe
PID 3232 wrote to memory of 824	3232		C1C3.exe
PID 3232 wrote to memory of 824	3232		C1C3.exe
PID 3232 wrote to memory of 824	3232		C1C3.exe
PID 2284 wrote to memory of 824	2284	WerFault.exe	C1C3.exe
PID 2284 wrote to memory of 824	2284	WerFault.exe	C1C3.exe
PID 3232 wrote to memory of 2264	3232		42CC.exe

C:\Users\Admin\AppData\Local\Temp\0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
"C:\Users\Admin\AppData\Local\Temp\0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:504

C:\Users\Admin\AppData\Local\Temp\0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe
"C:\Users\Admin\AppData\Local\Temp\0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5108

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 6ed6fe1f530f74ef56b5511b15f938aa AQL+qpu+CUG+hzZYwG6VUA.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
2⤵
PID:1100

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 6ed6fe1f530f74ef56b5511b15f938aa AQL+qpu+CUG+hzZYwG6VUA.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:4988

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 6ed6fe1f530f74ef56b5511b15f938aa AQL+qpu+CUG+hzZYwG6VUA.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:3200

C:\Users\Admin\AppData\Local\Temp\3DCA.exe
C:\Users\Admin\AppData\Local\Temp\3DCA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\3DCA.exe
C:\Users\Admin\AppData\Local\Temp\3DCA.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4808

C:\Users\Admin\AppData\Local\Temp\58E4.exe
C:\Users\Admin\AppData\Local\Temp\58E4.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 300
2⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4804 -ip 4804
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3312

C:\Users\Admin\AppData\Local\Temp\774B.exe
C:\Users\Admin\AppData\Local\Temp\774B.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Users\Admin\AppData\Local\Temp\8E4E.exe
C:\Users\Admin\AppData\Local\Temp\8E4E.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 292
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4224 -ip 4224
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:476

C:\Users\Admin\AppData\Local\Temp\B291.exe
C:\Users\Admin\AppData\Local\Temp\B291.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\B291.exe
C:\Users\Admin\AppData\Local\Temp\B291.exe
2⤵
- Executes dropped EXE
PID:984

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D5E8.dll
1⤵
- Loads dropped DLL
PID:3376

C:\Users\Admin\AppData\Local\Temp\E1.exe
C:\Users\Admin\AppData\Local\Temp\E1.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 292
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2600 -ip 2600
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\198B.exe
C:\Users\Admin\AppData\Local\Temp\198B.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 292
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4396 -ip 4396
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\3F44.exe
C:\Users\Admin\AppData\Local\Temp\3F44.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 292
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2960 -ip 2960
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\C1C3.exe
C:\Users\Admin\AppData\Local\Temp\C1C3.exe
1⤵
- Executes dropped EXE
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 292
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 824 -ip 824
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\42CC.exe
C:\Users\Admin\AppData\Local\Temp\42CC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
2⤵
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
2⤵
PID:3308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
2⤵
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
2⤵
PID:3796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
2⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\42CC.exe
C:\Users\Admin\AppData\Local\Temp\42CC.exe
2⤵
- Executes dropped EXE
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\42CC.exe.log
MD5
e3f5e106556e7b7a35a2ad38b1d340d1

SHA1
ff2ae660223a05b2249e2be1ca8acda8cecca270

SHA256
606cea503b47200ab760e8e2355963047e04925c54250ce24cd6291a5b7fc24b

SHA512
8f9db377e6375ca8077dbff26b3dbd00feed5bd5a3281e723e818394b4c3b86ac481c48909c580850ddcffa8e6bf546790ea520b1319c76e3b280ca0488c1459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
824cf8e8bed7f69f380617963bbbec50

SHA1
f54aa32e1113cb9c815b38670ae2f5880410afd6

SHA256
7faf409894ae9afb2955b867cf4c35b3fb1573d06f79de2bdb974a2d5b8053ed

SHA512
bd44e015ce01b08e867529da89e492ea7a673fe4d1786340e573f715d8f188b6a4cc02778e60c7332dc622586ae8f169a491760692d651b9b9e9f314d77ce194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cebe55db534734d01f8a4a40468acf96

SHA1
142353a9a6bbc2e7180588aa0519145792d8c93c

SHA256
bfbcd7dccc9c2380a44a152632c7a97b4668cf89e229c0f26662d709789fa3dc

SHA512
62d761f3e1e97934768a6edeec6fdab8cd1469494ee37ffea014c9f18869ea05f7a63ff0c555d74f7fa9be50467d8a135f0ba1db237afdb142dde930fd370112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1b9418d7095f27b47c0980c5d16e5437

SHA1
c2eaec0afb55a5c59996dca0eafd5177caef0368

SHA256
c67cbe344636bfe64e93a8a69e5935092fb7c803a534cf2e358f5dfe70ea7956

SHA512
485bbda0b58a40be9f7998907eb15007146a7df1031aa665b6cd8f4d36e340f580b996f8bfa7c0d783d07ecb65e59feb36f8fd6254ba0abe5495ed9e0b70876d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
703c1a2864df62ea132eac4e50b0fc68

SHA1
120353768702d0b8e84f59d7664471900d7d7a8b

SHA256
1ef64f97b8dbd8de2cedcabb93eae32faca07c2e6fb9fca309cf53db8c26aada

SHA512
01e94e1886414861b2961af138495407fc56f23814f7e7c7a702daa5bf9202889545f1cc53758a1ab71d94650bb21295758d1a8a4823fb073a44d5e7c4828fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ab30b8a28788b87605e8db6df4f89885

SHA1
4cd6a0a7542d2ed8f6eb7073469017cd1ab061f9

SHA256
7cbb7479842823caca6e75c5f0a6064f45695611214fa829530ff08c4fdbc72b

SHA512
2a7f7c9851285a3ea356fd2339fb4566efebb62a1cd65da2b1544b97051a06b58ca8f10b9849c24c941f5c51711ba1de76b5a5086fd02ff4198ed333d03d9261

Download Submit
C:\Users\Admin\AppData\Local\Temp\198B.exe
MD5
65ecbb1c38b4ac891d8a90870e115398

SHA1
78e3f1782d238b6375224a3ce7793b1cb08a95d4

SHA256
58c1b22873a1eab4f8a7cc5a26085a2968637eaa3f22e7cbe8032ad6f25bbd38

SHA512
a95b0ccaecdf007c4590efde4e56ec4e65b8d900e2070726393b912f4ef37b3761a641e7c85dfe8a9698f1bf9864afc8613d956e14414d5a0c78c00aa17a7dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\198B.exe
MD5
65ecbb1c38b4ac891d8a90870e115398

SHA1
78e3f1782d238b6375224a3ce7793b1cb08a95d4

SHA256
58c1b22873a1eab4f8a7cc5a26085a2968637eaa3f22e7cbe8032ad6f25bbd38

SHA512
a95b0ccaecdf007c4590efde4e56ec4e65b8d900e2070726393b912f4ef37b3761a641e7c85dfe8a9698f1bf9864afc8613d956e14414d5a0c78c00aa17a7dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DCA.exe
MD5
2f026a4e714a11325ce22490c0558e53

SHA1
89d742acc48ec9a94b2670925cfd31934b022a51

SHA256
0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f

SHA512
512f3d8f193116f67994c34ff8a95b71f032cb2a04be7efb910ebe1460c01e77e2619172f1522ea2de146858a86b0c12982b009ccde20ff46611dc7f1dadee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DCA.exe
MD5
2f026a4e714a11325ce22490c0558e53

SHA1
89d742acc48ec9a94b2670925cfd31934b022a51

SHA256
0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f

SHA512
512f3d8f193116f67994c34ff8a95b71f032cb2a04be7efb910ebe1460c01e77e2619172f1522ea2de146858a86b0c12982b009ccde20ff46611dc7f1dadee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DCA.exe
MD5
2f026a4e714a11325ce22490c0558e53

SHA1
89d742acc48ec9a94b2670925cfd31934b022a51

SHA256
0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f

SHA512
512f3d8f193116f67994c34ff8a95b71f032cb2a04be7efb910ebe1460c01e77e2619172f1522ea2de146858a86b0c12982b009ccde20ff46611dc7f1dadee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F44.exe
MD5
02bcc1be6e86bb1ea444c22e92f92f6d

SHA1
003ebfd705af00fc8d2d3c5ee7af100ac4efe76b

SHA256
4221ab17105125558ffd541f84ef73545c41520ba19eca571148e9b733211229

SHA512
5b63660fa5697e6712e8e138d34e7af5472efafed887f0d0a6f2f49fcf5ed0f079af906ecdc499aaabb1d45fc414f73658cd8844dc67153bea2e852b844a69b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F44.exe
MD5
02bcc1be6e86bb1ea444c22e92f92f6d

SHA1
003ebfd705af00fc8d2d3c5ee7af100ac4efe76b

SHA256
4221ab17105125558ffd541f84ef73545c41520ba19eca571148e9b733211229

SHA512
5b63660fa5697e6712e8e138d34e7af5472efafed887f0d0a6f2f49fcf5ed0f079af906ecdc499aaabb1d45fc414f73658cd8844dc67153bea2e852b844a69b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\42CC.exe
MD5
74e5ee47e3f1cec8ad5499d20d5e200d

SHA1
c50c297394c849aea972fb922c91117094be38f1

SHA256
15f47b7b5ca57126f9f9c51c3949e290553025c32c649fc5bd6ed9a2ff726278

SHA512
0f53351b879c09383087854fc26c95c64c23f43f5cd08ffd2da0fe4718a8c1c13fee4b48cdccee3278636e47304ccff46617b4958fa6eef3ce1c489e7a9afb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\42CC.exe
MD5
74e5ee47e3f1cec8ad5499d20d5e200d

SHA1
c50c297394c849aea972fb922c91117094be38f1

SHA256
15f47b7b5ca57126f9f9c51c3949e290553025c32c649fc5bd6ed9a2ff726278

SHA512
0f53351b879c09383087854fc26c95c64c23f43f5cd08ffd2da0fe4718a8c1c13fee4b48cdccee3278636e47304ccff46617b4958fa6eef3ce1c489e7a9afb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\42CC.exe
MD5
74e5ee47e3f1cec8ad5499d20d5e200d

SHA1
c50c297394c849aea972fb922c91117094be38f1

SHA256
15f47b7b5ca57126f9f9c51c3949e290553025c32c649fc5bd6ed9a2ff726278

SHA512
0f53351b879c09383087854fc26c95c64c23f43f5cd08ffd2da0fe4718a8c1c13fee4b48cdccee3278636e47304ccff46617b4958fa6eef3ce1c489e7a9afb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\58E4.exe
MD5
5c43af858cebe82b1ad78c645061cc44

SHA1
5babb64955d52797a58604a9aef14d689e90d35f

SHA256
621af9ea3a44e4fab71237e384a0ca3808339d2d566a1b0144af74fe9d48bd02

SHA512
2d2c7e9483b0b13dd8cabbbc5d1218fe0acdac78f1c676c8fc302e91c3d11cf44ea5f2c3ea53bbfa125e60769f1c99b0da9e27fc05c7f2a743116915aec39c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\58E4.exe
MD5
5c43af858cebe82b1ad78c645061cc44

SHA1
5babb64955d52797a58604a9aef14d689e90d35f

SHA256
621af9ea3a44e4fab71237e384a0ca3808339d2d566a1b0144af74fe9d48bd02

SHA512
2d2c7e9483b0b13dd8cabbbc5d1218fe0acdac78f1c676c8fc302e91c3d11cf44ea5f2c3ea53bbfa125e60769f1c99b0da9e27fc05c7f2a743116915aec39c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\774B.exe
MD5
004f56332aac2e8fca2e4f77691d6167

SHA1
f199337bcc743fe8c2b604e97e9e67e418125a9b

SHA256
9ab80fd9ceb29028bdb57a30f8275c8385a6657aef9576b2d73d738229e3f83e

SHA512
8d79115115a586e36ee9d441b95374151612829e9d0b2dfe43b2f53c064f574e4dc08fb3120d984c11fd65872ed18b470a72cdd71ffd557f31510674c27820e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\774B.exe
MD5
004f56332aac2e8fca2e4f77691d6167

SHA1
f199337bcc743fe8c2b604e97e9e67e418125a9b

SHA256
9ab80fd9ceb29028bdb57a30f8275c8385a6657aef9576b2d73d738229e3f83e

SHA512
8d79115115a586e36ee9d441b95374151612829e9d0b2dfe43b2f53c064f574e4dc08fb3120d984c11fd65872ed18b470a72cdd71ffd557f31510674c27820e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E4E.exe
MD5
36a3976a7678715fffe2300f0ae8a21a

SHA1
d941d30a3a600d9f2bdb4b8fed77addd7f15806d

SHA256
27098e89b511cd37b5aad597d2e3875d5f6ca232b6bc057cef67adc24243d33e

SHA512
7447d26f2bfca5084a4652745a6aadfb90a9068198f00f411a6eb48be12473fde8a458814eb43328c7964f0dad685eea0012be37144c9c2a2dc5613326fc446c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E4E.exe
MD5
36a3976a7678715fffe2300f0ae8a21a

SHA1
d941d30a3a600d9f2bdb4b8fed77addd7f15806d

SHA256
27098e89b511cd37b5aad597d2e3875d5f6ca232b6bc057cef67adc24243d33e

SHA512
7447d26f2bfca5084a4652745a6aadfb90a9068198f00f411a6eb48be12473fde8a458814eb43328c7964f0dad685eea0012be37144c9c2a2dc5613326fc446c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B291.exe
MD5
cc89c9356c9f724eb762fe9d45e2fe41

SHA1
289b505ba0cf4c1f5cd6c056513c5d529d11b00c

SHA256
b0812fff521f813169223b9ddc2aa62cb0fae99b5c4f2e4dee19d5c35fac48bf

SHA512
96258812fa795bfd75a0f66a5c8b4d9affba97137957c376c94ad33be61093f3473ca11de2bb6d9012d572a1c3c7e055d083ed74007294447bbfebf62138cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B291.exe
MD5
cc89c9356c9f724eb762fe9d45e2fe41

SHA1
289b505ba0cf4c1f5cd6c056513c5d529d11b00c

SHA256
b0812fff521f813169223b9ddc2aa62cb0fae99b5c4f2e4dee19d5c35fac48bf

SHA512
96258812fa795bfd75a0f66a5c8b4d9affba97137957c376c94ad33be61093f3473ca11de2bb6d9012d572a1c3c7e055d083ed74007294447bbfebf62138cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B291.exe
MD5
cc89c9356c9f724eb762fe9d45e2fe41

SHA1
289b505ba0cf4c1f5cd6c056513c5d529d11b00c

SHA256
b0812fff521f813169223b9ddc2aa62cb0fae99b5c4f2e4dee19d5c35fac48bf

SHA512
96258812fa795bfd75a0f66a5c8b4d9affba97137957c376c94ad33be61093f3473ca11de2bb6d9012d572a1c3c7e055d083ed74007294447bbfebf62138cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1C3.exe
MD5
d2a7e15bafee524ad1f0eb7174fca6e6

SHA1
e0e3cbd32d832a4a1462b05f65cdee2fea6364c1

SHA256
d463ce5d8b949fdb1a369aacc3e30f2bd89719c05a4960640dc42ac15b2bea0b

SHA512
1b051668254ef42a66b156572dbbf8cfff35c34a3965e994700623e385aee9fa24a94a411be5ff9e0dd1cb32a61bf9e44804b32b8bc2f1062e5ebbe4e4c0ddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1C3.exe
MD5
d2a7e15bafee524ad1f0eb7174fca6e6

SHA1
e0e3cbd32d832a4a1462b05f65cdee2fea6364c1

SHA256
d463ce5d8b949fdb1a369aacc3e30f2bd89719c05a4960640dc42ac15b2bea0b

SHA512
1b051668254ef42a66b156572dbbf8cfff35c34a3965e994700623e385aee9fa24a94a411be5ff9e0dd1cb32a61bf9e44804b32b8bc2f1062e5ebbe4e4c0ddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5E8.dll
MD5
218d08982a5265df0cbc15074f75ff77

SHA1
246e82834bad1f1fb2cd4bb89c53fdb0c680e1fa

SHA256
b6b771c2a6791c43c9eeddaf9970d78a375d3b69661393fe084d930f18059602

SHA512
8ad4ede73141e8619255e0b8b5f15959a1d92f72858541d2f95103c8a5f88751ba62c5f95ac92dcab99ea152c0f72c2bd2e675d8c71e1bf69174dfb6072383bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5E8.dll
MD5
218d08982a5265df0cbc15074f75ff77

SHA1
246e82834bad1f1fb2cd4bb89c53fdb0c680e1fa

SHA256
b6b771c2a6791c43c9eeddaf9970d78a375d3b69661393fe084d930f18059602

SHA512
8ad4ede73141e8619255e0b8b5f15959a1d92f72858541d2f95103c8a5f88751ba62c5f95ac92dcab99ea152c0f72c2bd2e675d8c71e1bf69174dfb6072383bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1.exe
MD5
0b31b956a499a5409d5a0c91e2c21365

SHA1
23fe51d6aa8abe604e625c35577527e838f3492b

SHA256
2b8b768eeffd26b5aee05c3e1d309c6c9f94a62d2ba8a230695305008cbfb985

SHA512
61eedac151509d55ea29aca0fb4664cef322f4378b6b279add309e2e586e6c2d3b65e3296386d11e25f18197b6196e8520ee0dabb12d57ebe1e229ce017e23a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1.exe
MD5
0b31b956a499a5409d5a0c91e2c21365

SHA1
23fe51d6aa8abe604e625c35577527e838f3492b

SHA256
2b8b768eeffd26b5aee05c3e1d309c6c9f94a62d2ba8a230695305008cbfb985

SHA512
61eedac151509d55ea29aca0fb4664cef322f4378b6b279add309e2e586e6c2d3b65e3296386d11e25f18197b6196e8520ee0dabb12d57ebe1e229ce017e23a3

Download Submit
memory/504-149-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/504-148-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/824-232-0x0000000000000000-mapping.dmp

Download
memory/824-236-0x0000000002630000-0x0000000002669000-memory.dmp

Filesize
228KB

Download
memory/824-235-0x0000000000B4C000-0x0000000000B78000-memory.dmp

Filesize
176KB

Download
memory/984-208-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/984-201-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/984-212-0x0000000004C24000-0x0000000004C26000-memory.dmp

Filesize
8KB

Download
memory/984-211-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/984-210-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/984-209-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/984-207-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/984-206-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/984-192-0x0000000000000000-mapping.dmp

Download
memory/984-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-205-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/984-204-0x0000000004C23000-0x0000000004C24000-memory.dmp

Filesize
4KB

Download
memory/984-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-202-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/984-198-0x0000000002470000-0x000000000248C000-memory.dmp

Filesize
112KB

Download
memory/984-199-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/984-200-0x0000000004BA0000-0x0000000004BBB000-memory.dmp

Filesize
108KB

Download
memory/984-203-0x0000000004C22000-0x0000000004C23000-memory.dmp

Filesize
4KB

Download
memory/1100-153-0x0000000000000000-mapping.dmp

Download
memory/1460-151-0x000001FA51C20000-0x000001FA51C30000-memory.dmp

Filesize
64KB

Download
memory/1460-150-0x000001FA51540000-0x000001FA51550000-memory.dmp

Filesize
64KB

Download
memory/1460-152-0x000001FA54320000-0x000001FA54324000-memory.dmp

Filesize
16KB

Download
memory/2264-242-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/2264-237-0x0000000000000000-mapping.dmp

Download
memory/2264-240-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2264-252-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/2600-220-0x00000000026A0000-0x0000000002723000-memory.dmp

Filesize
524KB

Download
memory/2600-216-0x0000000000000000-mapping.dmp

Download
memory/2600-219-0x0000000000B9B000-0x0000000000C13000-memory.dmp

Filesize
480KB

Download
memory/2960-226-0x0000000000000000-mapping.dmp

Download
memory/2960-229-0x0000000000800000-0x000000000084F000-memory.dmp

Filesize
316KB

Download
memory/2960-230-0x0000000002280000-0x000000000230F000-memory.dmp

Filesize
572KB

Download
memory/2980-290-0x0000000000000000-mapping.dmp

Download
memory/2980-305-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/2980-306-0x0000000006B92000-0x0000000006B93000-memory.dmp

Filesize
4KB

Download
memory/3168-253-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3168-260-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/3168-265-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3168-264-0x000000000ABE0000-0x000000000ABE1000-memory.dmp

Filesize
4KB

Download
memory/3168-262-0x0000000008CA0000-0x0000000008CA1000-memory.dmp

Filesize
4KB

Download
memory/3168-261-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/3168-258-0x0000000008770000-0x0000000008771000-memory.dmp

Filesize
4KB

Download
memory/3168-256-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/3168-255-0x0000000004DD2000-0x0000000004DD3000-memory.dmp

Filesize
4KB

Download
memory/3168-254-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3168-251-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3168-249-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/3168-248-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/3168-247-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/3168-246-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3168-245-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3168-244-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3168-243-0x0000000000000000-mapping.dmp

Download
memory/3232-154-0x0000000000F70000-0x0000000000F86000-memory.dmp

Filesize
88KB

Download
memory/3232-161-0x0000000004320000-0x0000000004336000-memory.dmp

Filesize
88KB

Download
memory/3308-283-0x00000000070A2000-0x00000000070A3000-memory.dmp

Filesize
4KB

Download
memory/3308-282-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/3308-269-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3308-268-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3308-266-0x0000000000000000-mapping.dmp

Download
memory/3376-231-0x0000000000640000-0x0000000000671000-memory.dmp

Filesize
196KB

Download
memory/3376-213-0x0000000000000000-mapping.dmp

Download
memory/3612-172-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3612-173-0x000000001B650000-0x000000001B652000-memory.dmp

Filesize
8KB

Download
memory/3612-185-0x000000001B652000-0x000000001B654000-memory.dmp

Filesize
8KB

Download
memory/3612-186-0x000000001CBC0000-0x000000001CBC1000-memory.dmp

Filesize
4KB

Download
memory/3612-176-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/3612-187-0x000000001D820000-0x000000001D821000-memory.dmp

Filesize
4KB

Download
memory/3612-188-0x000000001CA40000-0x000000001CA41000-memory.dmp

Filesize
4KB

Download
memory/3612-177-0x000000001B590000-0x000000001B591000-memory.dmp

Filesize
4KB

Download
memory/3612-175-0x000000001C3E0000-0x000000001C3E1000-memory.dmp

Filesize
4KB

Download
memory/3612-167-0x0000000000000000-mapping.dmp

Download
memory/3612-174-0x0000000002B00000-0x0000000002B1B000-memory.dmp

Filesize
108KB

Download
memory/3612-170-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3612-184-0x000000001B5D0000-0x000000001B5D1000-memory.dmp

Filesize
4KB

Download
memory/3612-182-0x000000001C6F0000-0x000000001C6F1000-memory.dmp

Filesize
4KB

Download
memory/3652-352-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/3652-336-0x0000000000000000-mapping.dmp

Download
memory/3652-351-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/3680-195-0x0000000002130000-0x0000000002152000-memory.dmp

Filesize
136KB

Download
memory/3680-197-0x0000000002160000-0x0000000002190000-memory.dmp

Filesize
192KB

Download
memory/3680-189-0x0000000000000000-mapping.dmp

Download
memory/3796-329-0x00000000046F2000-0x00000000046F3000-memory.dmp

Filesize
4KB

Download
memory/3796-328-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/3796-313-0x0000000000000000-mapping.dmp

Download
memory/4224-181-0x0000000000A4D000-0x0000000000A5E000-memory.dmp

Filesize
68KB

Download
memory/4224-178-0x0000000000000000-mapping.dmp

Download
memory/4224-183-0x0000000000A10000-0x0000000000A19000-memory.dmp

Filesize
36KB

Download
memory/4396-224-0x0000000000ADC000-0x0000000000B2B000-memory.dmp

Filesize
316KB

Download
memory/4396-225-0x0000000002680000-0x000000000270F000-memory.dmp

Filesize
572KB

Download
memory/4396-221-0x0000000000000000-mapping.dmp

Download
memory/4804-166-0x0000000000680000-0x0000000000693000-memory.dmp

Filesize
76KB

Download
memory/4804-165-0x0000000000550000-0x000000000055D000-memory.dmp

Filesize
52KB

Download
memory/4804-162-0x0000000000000000-mapping.dmp

Download
memory/4808-158-0x0000000000000000-mapping.dmp

Download
memory/4880-365-0x0000000000000000-mapping.dmp

Download
memory/4880-375-0x0000000005880000-0x0000000005E98000-memory.dmp

Filesize
6.1MB

Download
memory/4968-155-0x0000000000000000-mapping.dmp

Download
memory/5108-146-0x0000000000000000-mapping.dmp

Download
memory/5108-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download