3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637

Analysis

max time kernel
297s
max time network
297s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11/04/2023, 07:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Size

2.4MB
MD5

a62505758e85f40fa06345da8af15d21
SHA1

21f1f6c7e18985baeb9082c3ccb7f30bdd32867a
SHA256

3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637
SHA512

8c712db84b35f977caa4f87efad7b54f6340c6efa46c4a9a222947cb917f32a122bc9f34c3f85f91927b511f1c372471a2db25b9668289733ac1f7dace747014
SSDEEP

24576:FkfiQkUbTO8OwvQZGrpl9Y1fHUDNsk8scl9VgXRP1O8l7Y5q6Q3k4U+A4lZVQ8C7:qfiXGr1fdCTeP/Kq6P4V7WyvOkEm92w

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jvlbsdhzhh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hroqfbdcbjn\\Jvlbsdhzhh.exe\""	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jvlbsdhzhh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hroqfbdcbjn\\Jvlbsdhzhh.exe\""	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1020 set thread context of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 4272 set thread context of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2900507189.pri	explorer.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133213918512507559"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e70704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000f61e57e3576cd90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e70704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000001ce8fee2576cd90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e70702004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000dab248a35a45d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e7070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e7070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeDebugPrivilege	1200	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeIncreaseQuotaPrivilege	1200	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeIncreaseQuotaPrivilege	1200	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeDebugPrivilege	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeDebugPrivilege	4136	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe
Token: SeShutdownPrivilege	5076	explorer.exe
Token: SeCreatePagefilePrivilege	5076	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5056	SearchUI.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 4912	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	67
PID 1020 wrote to memory of 4912	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	67
PID 1020 wrote to memory of 4912	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	67
PID 1020 wrote to memory of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 1020 wrote to memory of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 1020 wrote to memory of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 1020 wrote to memory of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 1020 wrote to memory of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 1020 wrote to memory of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 1020 wrote to memory of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 1020 wrote to memory of 1200	1020	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	69
PID 5076 wrote to memory of 5096	5076	explorer.exe	74
PID 5076 wrote to memory of 5096	5076	explorer.exe	74
PID 4272 wrote to memory of 2556	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	81
PID 4272 wrote to memory of 2556	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	81
PID 4272 wrote to memory of 2556	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	81
PID 4272 wrote to memory of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84
PID 4272 wrote to memory of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84
PID 4272 wrote to memory of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84
PID 4272 wrote to memory of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84
PID 4272 wrote to memory of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84
PID 4272 wrote to memory of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84
PID 4272 wrote to memory of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84
PID 4272 wrote to memory of 4136	4272	3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe	84

C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
"C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
  C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Enumerates connected drives
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:5096
- - C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
    "C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
      C:\Users\Admin\AppData\Local\Temp\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4136

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3f9f8d6e19536d323a9bd32dd11c50f6998649dd5e3f00f946d03fed81783637.exe.log

Filesize
1KB

MD5
5c01a57bb6376dc958d99ed7a67870ff

SHA1
d092c7dfd148ac12b086049d215e6b00bd78628d

SHA256
cb8fd245425e915bfc5ff411f26303f7cb4a30ed37f2ea4a2f0a12501aa5f2a4

SHA512
e4e3a4b74f8e209573cce58b572c1f71653e6f4df98f98c5a1cecdf76c9ffb91d5e6994c89df41c9f3613a0584301a56ca922ab7497a434e108b28dcd7d33038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
b42b8394f52b01b93879625688c3d79d

SHA1
3ed5877ab13e7655482c19e8b7511f8b2bfcdbb3

SHA256
b7b0a0ab5e777b74a8d7ec285804091eb3a4c71fcc2c57cddfa8541d05409cdd

SHA512
86357e54c29ee9c107b5655d457121f35117565fae4fdd018e56079eb7ca012e4afe0a5d5562bc2996b932b02450ad0fbb7f27047315b524138a0fe08c4f79c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
21acbfa581fdec5a961587378a969032

SHA1
6b20c91193fe978e98c2376bae3d3a55da26a142

SHA256
a9588730f207204752b42ecabeef0762107089cb35076819715d6e13f6ddf37a

SHA512
9ee6deac03cd604d47ac4169c9ca731907f9e0c9ebc8cff650b78f182f3f4af4b45868b3a43cea395aefca5b2567774e81f6a6c6c2972d53d4842bca2883d03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2m4hdder.dvv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1020-119-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/1020-122-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1020-121-0x0000000006490000-0x00000000067E0000-memory.dmp

Filesize
3.3MB

Download
memory/1020-120-0x0000000006460000-0x0000000006482000-memory.dmp

Filesize
136KB

Download
memory/1020-118-0x00000000051B0000-0x0000000005238000-memory.dmp

Filesize
544KB

Download
memory/1020-116-0x0000000000360000-0x00000000005CE000-memory.dmp

Filesize
2.4MB

Download
memory/1020-117-0x0000000004EF0000-0x000000000509A000-memory.dmp

Filesize
1.7MB

Download
memory/1020-150-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1200-218-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-196-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-1844-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1200-224-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-222-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-220-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-216-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-214-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-158-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1200-212-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-161-0x00000000053B0000-0x00000000054B8000-memory.dmp

Filesize
1.0MB

Download
memory/1200-162-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-163-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-165-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-167-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-168-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1200-170-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-172-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-174-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-176-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-178-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-180-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-182-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-184-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-186-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-188-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-190-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-192-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-194-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-210-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-198-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-200-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-202-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-204-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-206-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/1200-208-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/2556-5495-0x00000000069E0000-0x00000000069F0000-memory.dmp

Filesize
64KB

Download
memory/2556-5520-0x00000000069E0000-0x00000000069F0000-memory.dmp

Filesize
64KB

Download
memory/2556-5519-0x00000000069E0000-0x00000000069F0000-memory.dmp

Filesize
64KB

Download
memory/2556-5498-0x0000000007FB0000-0x0000000007FFB000-memory.dmp

Filesize
300KB

Download
memory/2556-5496-0x00000000069E0000-0x00000000069F0000-memory.dmp

Filesize
64KB

Download
memory/4136-8427-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4136-5696-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4272-5491-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4272-5518-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4272-5490-0x0000000006860000-0x0000000006BB0000-memory.dmp

Filesize
3.3MB

Download
memory/4912-128-0x00000000042F0000-0x0000000004300000-memory.dmp

Filesize
64KB

Download
memory/4912-132-0x0000000007AC0000-0x0000000007B0B000-memory.dmp

Filesize
300KB

Download
memory/4912-148-0x00000000094B0000-0x0000000009B28000-memory.dmp

Filesize
6.5MB

Download
memory/4912-149-0x0000000008BD0000-0x0000000008BEA000-memory.dmp

Filesize
104KB

Download
memory/4912-127-0x00000000042F0000-0x0000000004300000-memory.dmp

Filesize
64KB

Download
memory/4912-131-0x0000000007A90000-0x0000000007AAC000-memory.dmp

Filesize
112KB

Download
memory/4912-126-0x0000000006D40000-0x0000000007368000-memory.dmp

Filesize
6.2MB

Download
memory/4912-133-0x0000000007DF0000-0x0000000007E66000-memory.dmp

Filesize
472KB

Download
memory/4912-129-0x0000000007410000-0x0000000007476000-memory.dmp

Filesize
408KB

Download
memory/4912-151-0x00000000042F0000-0x0000000004300000-memory.dmp

Filesize
64KB

Download
memory/4912-125-0x00000000042A0000-0x00000000042D6000-memory.dmp

Filesize
216KB

Download
memory/4912-152-0x00000000042F0000-0x0000000004300000-memory.dmp

Filesize
64KB

Download
memory/4912-130-0x0000000007480000-0x00000000074E6000-memory.dmp

Filesize
408KB

Download