753e58a658c285a7895f140b715ed733507949453de4869ce11307cc7e93f4de

Analysis

max time kernel
1652s
max time network
1599s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01/02/2024, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iediagcmd.exe
Size

503KB
MD5

8750d59a78373b1a1d833cb508edeb47
SHA1

b46e1feae746053f1f904244cd8726f25c956b22
SHA256

753e58a658c285a7895f140b715ed733507949453de4869ce11307cc7e93f4de
SHA512

1b085ad8dff18e31610603ca28a54c098eae546f157289126ac013bd2efd64d1a939be89deac48265f9218f6175b38fcd7a76e9c0ee7976bf580470b7281cd6d
SSDEEP

12288:5jQJGJ17jTmRpq1Zi2HFG2YIwgjrbp21ZZ:tQJGJIX07YIwwrdK

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2408	netsh.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF	dxdiag.exe
File opened for modification	C:\Windows\System32\azman.msc	mmc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_e15abe7d25aa2071\input.PNF	dxdiag.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupact.log	dxdiag.exe
File opened for modification	C:\Windows\setuperr.log	dxdiag.exe
File created	C:\Windows\rescache\_merged\1974107395\1233114614.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\734974073.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\3302449443.pri	netsh.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	BdeHdCfg.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\1647780687.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\1077508030.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	BdeHdCfg.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1051174594.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	BdeHdCfg.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	BdeHdCfg.exe
File created	C:\Windows\rescache\_merged\1476457207\3434258465.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\843930774.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\3370156234.pri	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	bcastdvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bcastdvr.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1064	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppUriHandlers\insiderppe.cloudapp.net\LastValidationAttemptTime = "133512898402270000"	AppHostRegistrationVerifier.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\support.microsoft.com\ = "124"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "124"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppUriHandlers	AppHostRegistrationVerifier.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppUriHandlers	AppHostRegistrationVerifier.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	AppHostRegistrationVerifier.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows	AppHostRegistrationVerifier.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppUriHandlers\insiderppe.cloudapp.net	AppHostRegistrationVerifier.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com\NumberOfSubd = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppUriHandlers\insiderppe.cloudapp.net	AppHostRegistrationVerifier.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "412977971"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	iediagcmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4936	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4268	dxdiag.exe
4268	dxdiag.exe
2760	iediagcmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4992	mmc.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3740	MicrosoftEdgeCP.exe
3740	MicrosoftEdgeCP.exe
3740	MicrosoftEdgeCP.exe
3740	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe
Token: SeSecurityPrivilege	2760	iediagcmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3184	helppane.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2760	iediagcmd.exe
2760	iediagcmd.exe
4268	dxdiag.exe
3184	helppane.exe
3184	helppane.exe
2404	MicrosoftEdge.exe
3740	MicrosoftEdgeCP.exe
4180	MicrosoftEdgeCP.exe
3740	MicrosoftEdgeCP.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe
4992	mmc.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 4268	2760	iediagcmd.exe	74
PID 2760 wrote to memory of 4268	2760	iediagcmd.exe	74
PID 2760 wrote to memory of 1064	2760	iediagcmd.exe	78
PID 2760 wrote to memory of 1064	2760	iediagcmd.exe	78
PID 2760 wrote to memory of 3704	2760	iediagcmd.exe	80
PID 2760 wrote to memory of 3704	2760	iediagcmd.exe	80
PID 2760 wrote to memory of 3844	2760	iediagcmd.exe	82
PID 2760 wrote to memory of 3844	2760	iediagcmd.exe	82
PID 2760 wrote to memory of 2408	2760	iediagcmd.exe	84
PID 2760 wrote to memory of 2408	2760	iediagcmd.exe	84
PID 2760 wrote to memory of 1628	2760	iediagcmd.exe	86
PID 2760 wrote to memory of 1628	2760	iediagcmd.exe	86
PID 2760 wrote to memory of 2304	2760	iediagcmd.exe	88
PID 2760 wrote to memory of 2304	2760	iediagcmd.exe	88
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 3740 wrote to memory of 1124	3740	MicrosoftEdgeCP.exe	101
PID 4152 wrote to memory of 760	4152	cmd.exe	124
PID 4152 wrote to memory of 760	4152	cmd.exe	124
PID 4152 wrote to memory of 3544	4152	cmd.exe	159
PID 4152 wrote to memory of 3544	4152	cmd.exe	159
PID 4152 wrote to memory of 4176	4152	cmd.exe	160
PID 4152 wrote to memory of 4176	4152	cmd.exe	160
PID 4152 wrote to memory of 2512	4152	cmd.exe	161
PID 4152 wrote to memory of 2512	4152	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\iediagcmd.exe
"C:\Users\Admin\AppData\Local\Temp\iediagcmd.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\dxdiag.exe
  "C:\Windows\system32\dxdiag.exe" /x C:\Users\Admin\AppData\Local\Temp\dxdiag.xml
  2⤵
  - Registers COM server for autorun
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4268
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" /all
  2⤵
  - Gathers network information
  PID:1064
- C:\Windows\SYSTEM32\route.exe
  "route" print
  2⤵
  PID:3704
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" in tcp show global
  2⤵
  PID:3844
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall show rule name=all verbose
  2⤵
  - Modifies Windows Firewall
  - Drops file in Windows directory
  PID:2408
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" winsock show catalog
  2⤵
  PID:1628
- C:\Windows\SYSTEM32\makecab.exe
  "makecab.exe" /F "C:\Users\Admin\AppData\Local\Temp\iediag_makecab_directives.txt"
  2⤵
  PID:2304

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2916

C:\Windows\winhlp32.exe
"C:\Windows\winhlp32.exe"
1⤵
PID:1128

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:796

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4928

C:\Windows\hh.exe
"C:\Windows\hh.exe"
1⤵
PID:4372

C:\Windows\hh.exe
"C:\Windows\hh.exe"
1⤵
PID:2992

C:\Windows\HelpPane.exe
"C:\Windows\HelpPane.exe"
1⤵
PID:3672

C:\Windows\HelpPane.exe
"C:\Windows\HelpPane.exe"
1⤵
PID:4692

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:432

C:\Windows\sysmon.exe
"C:\Windows\sysmon.exe"
1⤵
PID:4148

C:\Windows\sysmon.exe
"C:\Windows\sysmon.exe"
1⤵
PID:4492

C:\Windows\splwow64.exe
"C:\Windows\splwow64.exe"
1⤵
PID:96

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\rundll32.exe
  rundll32 adhapi
  2⤵
  PID:760
- C:\Windows\system32\rundll32.exe
  rundll32 appmgr.dll
  2⤵
  PID:3544
- C:\Windows\system32\rundll32.exe
  rundll32 appmgr.dll
  2⤵
  PID:4176
- C:\Windows\system32\rundll32.exe
  rundll32 AppResolver.dll
  2⤵
  PID:2512
- C:\Windows\system32\autochk.exe
  autochk
  2⤵
  PID:1120

C:\Windows\System32\acu.exe
"C:\Windows\System32\acu.exe" C:\Windows\System32\ActivationManager.dll
1⤵
PID:3704

C:\Windows\System32\acu.exe
"C:\Windows\System32\acu.exe"
1⤵
PID:1444

C:\Windows\System32\acu.exe
"C:\Windows\System32\acu.exe"
1⤵
PID:1944

C:\Windows\System32\alg.exe
"C:\Windows\System32\alg.exe"
1⤵
PID:4592

C:\Windows\System32\alg.exe
"C:\Windows\System32\alg.exe"
1⤵
PID:4828

C:\Windows\System32\AgentService.exe
"C:\Windows\System32\AgentService.exe"
1⤵
PID:3172

C:\Windows\System32\aitstatic.exe
"C:\Windows\System32\aitstatic.exe"
1⤵
PID:4684

C:\Windows\System32\aitstatic.exe
"C:\Windows\System32\aitstatic.exe"
1⤵
PID:3728

C:\Windows\System32\aitstatic.exe
"C:\Windows\System32\aitstatic.exe"
1⤵
PID:2108

C:\Windows\System32\alg.exe
"C:\Windows\System32\alg.exe"
1⤵
PID:4500

C:\Windows\System32\alg.exe
"C:\Windows\System32\alg.exe"
1⤵
PID:3820

C:\Windows\System32\alg.exe
"C:\Windows\System32\alg.exe"
1⤵
PID:1692

C:\Windows\System32\alg.exe
"C:\Windows\System32\alg.exe"
1⤵
PID:3336

C:\Windows\System32\appidpolicyconverter.exe
"C:\Windows\System32\appidpolicyconverter.exe"
1⤵
PID:2936

C:\Windows\System32\appidpolicyconverter.exe
"C:\Windows\System32\appidpolicyconverter.exe"
1⤵
PID:1848

C:\Windows\System32\appidcertstorecheck.exe
"C:\Windows\System32\appidcertstorecheck.exe"
1⤵
PID:4196

C:\Windows\System32\appidcertstorecheck.exe
"C:\Windows\System32\appidcertstorecheck.exe"
1⤵
PID:4852

C:\Windows\System32\AppHostRegistrationVerifier.exe
"C:\Windows\System32\AppHostRegistrationVerifier.exe"
1⤵
- Modifies registry class
PID:4728

C:\Windows\System32\AppHostRegistrationVerifier.exe
"C:\Windows\System32\AppHostRegistrationVerifier.exe"
1⤵
PID:3276

C:\Windows\System32\AppHostRegistrationVerifier.exe
"C:\Windows\System32\AppHostRegistrationVerifier.exe"
1⤵
- Modifies registry class
PID:2776

C:\Windows\System32\AppHostRegistrationVerifier.exe
"C:\Windows\System32\AppHostRegistrationVerifier.exe"
1⤵
- Modifies registry class
PID:1248

C:\Windows\System32\appidtel.exe
"C:\Windows\System32\appidtel.exe"
1⤵
PID:4280

C:\Windows\System32\appidtel.exe
"C:\Windows\System32\appidtel.exe"
1⤵
PID:2448

C:\Windows\System32\ApplicationFrameHost.exe
"C:\Windows\System32\ApplicationFrameHost.exe"
1⤵
PID:2940

C:\Windows\System32\ApplySettingsTemplateCatalog.exe
"C:\Windows\System32\ApplySettingsTemplateCatalog.exe"
1⤵
PID:1296

C:\Windows\System32\ApplySettingsTemplateCatalog.exe
"C:\Windows\System32\ApplySettingsTemplateCatalog.exe"
1⤵
PID:4428

C:\Windows\System32\ApplySettingsTemplateCatalog.exe
"C:\Windows\System32\ApplySettingsTemplateCatalog.exe"
1⤵
PID:2572

C:\Windows\System32\ApplySettingsTemplateCatalog.exe
"C:\Windows\System32\ApplySettingsTemplateCatalog.exe"
1⤵
PID:4840

C:\Windows\System32\ApproveChildRequest.exe
"C:\Windows\System32\ApproveChildRequest.exe"
1⤵
PID:4224

C:\Windows\System32\ApproveChildRequest.exe
"C:\Windows\System32\ApproveChildRequest.exe"
1⤵
PID:1428

C:\Windows\System32\ApproveChildRequest.exe
"C:\Windows\System32\ApproveChildRequest.exe"
1⤵
PID:4276

C:\Windows\System32\ApproveChildRequest.exe
"C:\Windows\System32\ApproveChildRequest.exe"
1⤵
PID:3444

C:\Windows\System32\ApproveChildRequest.exe
"C:\Windows\System32\ApproveChildRequest.exe"
1⤵
PID:5004

C:\Windows\System32\AppVClient.exe
"C:\Windows\System32\AppVClient.exe"
1⤵
PID:888

C:\Windows\System32\AppVClient.exe
"C:\Windows\System32\AppVClient.exe"
1⤵
PID:3360

C:\Windows\System32\autochk.exe
"C:\Windows\System32\autochk.exe"
1⤵
PID:3372

C:\Windows\System32\autoconv.exe
"C:\Windows\System32\autoconv.exe"
1⤵
PID:2868

C:\Windows\System32\autofmt.exe
"C:\Windows\System32\autofmt.exe"
1⤵
PID:4136

C:\Windows\System32\AxInstUI.exe
"C:\Windows\System32\AxInstUI.exe"
1⤵
PID:2120

C:\Windows\System32\AxInstUI.exe
"C:\Windows\System32\AxInstUI.exe"
1⤵
PID:1300

C:\Windows\System32\AxInstUI.exe
"C:\Windows\System32\AxInstUI.exe"
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:2948

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\azman.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Windows\System32\baaupdate.exe
"C:\Windows\System32\baaupdate.exe"
1⤵
PID:3988

C:\Windows\System32\baaupdate.exe
"C:\Windows\System32\baaupdate.exe"
1⤵
PID:5044

C:\Windows\System32\baaupdate.exe
"C:\Windows\System32\baaupdate.exe"
1⤵
PID:3820

C:\Windows\System32\baaupdate.exe
"C:\Windows\System32\baaupdate.exe"
1⤵
PID:2276

C:\Windows\System32\backgroundTaskHost.exe
"C:\Windows\System32\backgroundTaskHost.exe"
1⤵
PID:3336

C:\Windows\System32\backgroundTaskHost.exe
"C:\Windows\System32\backgroundTaskHost.exe"
1⤵
PID:1892

C:\Windows\System32\BackgroundTransferHost.exe
"C:\Windows\System32\BackgroundTransferHost.exe"
1⤵
PID:1316

C:\Windows\System32\BackgroundTransferHost.exe
"C:\Windows\System32\BackgroundTransferHost.exe"
1⤵
PID:1372

C:\Windows\System32\backgroundTaskHost.exe
"C:\Windows\System32\backgroundTaskHost.exe"
1⤵
PID:3848

C:\Windows\System32\baaupdate.exe
"C:\Windows\System32\baaupdate.exe"
1⤵
PID:4004

C:\Windows\System32\AxInstUI.exe
"C:\Windows\System32\AxInstUI.exe"
1⤵
PID:4196

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe"
1⤵
- Checks processor information in registry
PID:4524

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe"
1⤵
PID:424

C:\Windows\System32\bcdboot.exe
"C:\Windows\System32\bcdboot.exe"
1⤵
PID:1124

C:\Windows\System32\bcdboot.exe
"C:\Windows\System32\bcdboot.exe"
1⤵
PID:2088

C:\Windows\System32\bcdboot.exe
"C:\Windows\System32\bcdboot.exe"
1⤵
PID:2240

C:\Windows\System32\bdechangepin.exe
"C:\Windows\System32\bdechangepin.exe"
1⤵
PID:4664

C:\Windows\System32\BdeHdCfg.exe
"C:\Windows\System32\BdeHdCfg.exe"
1⤵
- Drops file in Windows directory
PID:4276

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3636

C:\Windows\System32\BitLockerWizardElev.exe
"C:\Windows\System32\BitLockerWizardElev.exe" \\?\Volume{e9e35ac9-0000-0000-0000-d01200000000}\ T
1⤵
PID:976

C:\Windows\System32\setspn.exe
"C:\Windows\System32\setspn.exe"
1⤵
PID:3716

C:\Windows\System32\setspn.exe
"C:\Windows\System32\setspn.exe"
1⤵
PID:224

C:\Windows\System32\setspn.exe
"C:\Windows\System32\setspn.exe"
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\acu.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DNDP7OJQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\ZVUBGSID\support.microsoft[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\ZVUBGSID\support.microsoft[1].xml

Filesize
17B

MD5
3ff4d575d1d04c3b54f67a6310f2fc95

SHA1
1308937c1a46e6c331d5456bcd4b2182dc444040

SHA256
021a5868b6c9e8beba07848ba30586c693f87ac02ee2ccaa0f26b7163c0c6b44

SHA512
2b26501c4bf86ed66e941735c49ac445d683ad49ed94c5d87cc96228081ae2c8f4a8f44a2a5276b9f4b0962decfce6b9eeee38e42262ce8d865d5df0df7ec3d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\2540KTDI\favicon-32x32[1].png

Filesize
631B

MD5
fb2ed9313c602f40b7a2762acc15ff89

SHA1
8a390d07a8401d40cbc1a16d873911fa4cb463f5

SHA256
b241d02fab4b17291af37993eb249f9303eb5897610abafac4c9f6aa6a878369

SHA512
9cbcf5c7b8409494f6d543434ecaff42de8a2d0632a17931062d7d1cc130d43e61162eedb0965b545e65e0687ded4d4b51e29631568af34b157a7d02a3852508

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\PYMD2OKF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF9CF7A8B6D35AADA2.TMP

Filesize
20KB

MD5
10899dedece9876f6cf842303686c565

SHA1
0ee64e1c72d719d23f5204cc33d3955b7c4caab7

SHA256
fa6d05067aac40be6636bd3dc945685b62848313d54c0ab11d1e3c2b63417f32

SHA512
f346c99d5dd0bdd1a899dcb98fd1de1bb88ae2523a47c4eabe698a7dd546594439ad4a6e1b229d8e0f2b36e384c1e25cb39459a1dd570c6d101fa54e966d1455

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEDiag.json

Filesize
24KB

MD5
1ed7e45c3a740289be52eaf765d7174c

SHA1
a490eb171afd26bd88d4cfa34253f8742e272112

SHA256
8c76f06d78f8e7a42e04bafbf3392ccc3b9ac3031b2bcb21528418b7ede56550

SHA512
7767e54a1ba79257bdd1420dae927f898f2a025f18d08ee5ad43e96cd297ca5050564d2b504a19442efb8113c10226bbac63c4b46141ed113201d4613243c094

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEDiag.xml

Filesize
2.2MB

MD5
b64317c730818fc8859236ccd6396855

SHA1
d29a4a9dd6ffde9d388e1e1766cd1b82c2722466

SHA256
e63c6481ba97f0c04b5eacec9e48360cbf285c18164e28176a6031af9a09e547

SHA512
fb9545fe96bb104d36d333d7a2cd45479c3cc9f370d7a7b4b86c458b906691d22e1249d2fa0b2764b4517a76649bc798b80d68b0e5273459b492988e32f76309

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxdiag.xml

Filesize
171KB

MD5
c70cb1e9eb83dd32a8455972021e6321

SHA1
6808d88ab3a60f5436b3bcb0326e978bea4f3140

SHA256
32bd700c852e7bd9fc081a566ad720aedaac355a59e5e919604f7a5189ec2250

SHA512
b2c54e34df5beeaa8e7d8d7bee3d38bd7aa8eefe79837d4d2f6f1d3b696fc3d336e7663c5ba77c2c0702e197f60eb46adbaf0940a31e7cbe18a9e286551f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\iediag_makecab_directives.txt

Filesize
515B

MD5
14c148857af11ebcee263a2fb2b359ee

SHA1
710cb526ed69db7fdcc5da6b49241f70101e12fb

SHA256
810a37010bd4e6eed276310610dc4ebc7cc91535edf65e6ba6d9ed6edbe793ac

SHA512
d47ff7bdb40d518cf8daed410f29fea0f990457ed2da25ff2840a3bdcda77abe0b1b9948198a105a217fadbd4e4eed80fd0eb4338db7202892b9b4b910189e12

Download Submit
memory/1124-424-0x0000025C36B30000-0x0000025C36B32000-memory.dmp

Filesize
8KB

Download
memory/1124-452-0x0000025C35AF0000-0x0000025C35AF2000-memory.dmp

Filesize
8KB

Download
memory/1124-620-0x0000025C326E0000-0x0000025C326F0000-memory.dmp

Filesize
64KB

Download
memory/1124-619-0x0000025C326E0000-0x0000025C326F0000-memory.dmp

Filesize
64KB

Download
memory/1124-618-0x0000025C326E0000-0x0000025C326F0000-memory.dmp

Filesize
64KB

Download
memory/1124-616-0x0000025C326E0000-0x0000025C326F0000-memory.dmp

Filesize
64KB

Download
memory/1124-615-0x0000025C326E0000-0x0000025C326F0000-memory.dmp

Filesize
64KB

Download
memory/1124-614-0x0000025C326E0000-0x0000025C326F0000-memory.dmp

Filesize
64KB

Download
memory/1124-264-0x0000025C33700000-0x0000025C33800000-memory.dmp

Filesize
1024KB

Download
memory/1124-293-0x0000025C35BA0000-0x0000025C35BA2000-memory.dmp

Filesize
8KB

Download
memory/1124-301-0x0000025C35BE0000-0x0000025C35BE2000-memory.dmp

Filesize
8KB

Download
memory/1124-304-0x0000025C35C20000-0x0000025C35C22000-memory.dmp

Filesize
8KB

Download
memory/1124-308-0x0000025C35DA0000-0x0000025C35DA2000-memory.dmp

Filesize
8KB

Download
memory/1124-313-0x0000025C36000000-0x0000025C36002000-memory.dmp

Filesize
8KB

Download
memory/1124-317-0x0000025C36020000-0x0000025C36022000-memory.dmp

Filesize
8KB

Download
memory/1124-320-0x0000025C360E0000-0x0000025C360E2000-memory.dmp

Filesize
8KB

Download
memory/1124-613-0x0000025C326E0000-0x0000025C326F0000-memory.dmp

Filesize
64KB

Download
memory/1124-352-0x0000025C36820000-0x0000025C36840000-memory.dmp

Filesize
128KB

Download
memory/1124-376-0x0000025C37300000-0x0000025C37400000-memory.dmp

Filesize
1024KB

Download
memory/1124-380-0x0000025C36C00000-0x0000025C36C20000-memory.dmp

Filesize
128KB

Download
memory/1124-409-0x0000025C20300000-0x0000025C20400000-memory.dmp

Filesize
1024KB

Download
memory/1124-586-0x0000025C37060000-0x0000025C37062000-memory.dmp

Filesize
8KB

Download
memory/1124-583-0x0000025C36FE0000-0x0000025C36FE2000-memory.dmp

Filesize
8KB

Download
memory/1124-526-0x0000025C382D0000-0x0000025C383D0000-memory.dmp

Filesize
1024KB

Download
memory/1124-435-0x0000025C36EB0000-0x0000025C36EB2000-memory.dmp

Filesize
8KB

Download
memory/1124-499-0x0000025C382D0000-0x0000025C383D0000-memory.dmp

Filesize
1024KB

Download
memory/1124-453-0x0000025C36E20000-0x0000025C36E40000-memory.dmp

Filesize
128KB

Download
memory/1124-467-0x0000025C381D0000-0x0000025C382D0000-memory.dmp

Filesize
1024KB

Download
memory/1124-460-0x0000025C35B40000-0x0000025C35B42000-memory.dmp

Filesize
8KB

Download
memory/1444-1269-0x00007FF83D9F0000-0x00007FF83E3DC000-memory.dmp

Filesize
9.9MB

Download
memory/1444-1266-0x00007FF83D9F0000-0x00007FF83E3DC000-memory.dmp

Filesize
9.9MB

Download
memory/1944-1270-0x00007FF83D9F0000-0x00007FF83E3DC000-memory.dmp

Filesize
9.9MB

Download
memory/1944-1267-0x00007FF83D9F0000-0x00007FF83E3DC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-129-0x000002123BB00000-0x000002123BB10000-memory.dmp

Filesize
64KB

Download
memory/2404-437-0x0000021241EA0000-0x0000021241EA1000-memory.dmp

Filesize
4KB

Download
memory/2404-439-0x0000021241EB0000-0x0000021241EB1000-memory.dmp

Filesize
4KB

Download
memory/2404-148-0x000002123C0F0000-0x000002123C0F2000-memory.dmp

Filesize
8KB

Download
memory/2760-52-0x00007FF83EAC0000-0x00007FF83F4AC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-9-0x000002A49B2B0000-0x000002A49B2C0000-memory.dmp

Filesize
64KB

Download
memory/2760-77-0x000002A49B2B0000-0x000002A49B2C0000-memory.dmp

Filesize
64KB

Download
memory/2760-76-0x000002A49B2B0000-0x000002A49B2C0000-memory.dmp

Filesize
64KB

Download
memory/2760-25-0x000002A4B6C40000-0x000002A4B7166000-memory.dmp

Filesize
5.1MB

Download
memory/2760-7-0x000002A49B2B0000-0x000002A49B2C0000-memory.dmp

Filesize
64KB

Download
memory/2760-6-0x00007FF83EAC0000-0x00007FF83F4AC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-3-0x00007FF6CDA60000-0x00007FF6CDAE4000-memory.dmp

Filesize
528KB

Download
memory/2760-112-0x00007FF83EAC0000-0x00007FF83F4AC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-10-0x000002A49B2B0000-0x000002A49B2C0000-memory.dmp

Filesize
64KB

Download
memory/2760-13-0x000002A4B6540000-0x000002A4B6702000-memory.dmp

Filesize
1.8MB

Download
memory/2760-80-0x000002A49B2B0000-0x000002A49B2C0000-memory.dmp

Filesize
64KB

Download
memory/2760-14-0x000002A49B2B0000-0x000002A49B2C0000-memory.dmp

Filesize
64KB

Download
memory/2760-79-0x000002A49B2B0000-0x000002A49B2C0000-memory.dmp

Filesize
64KB

Download
memory/3704-1268-0x00007FF83D9F0000-0x00007FF83E3DC000-memory.dmp

Filesize
9.9MB

Download
memory/3704-1263-0x00007FF83D9F0000-0x00007FF83E3DC000-memory.dmp

Filesize
9.9MB

Download
memory/3704-1262-0x000001C4C1C20000-0x000001C4C1C2C000-memory.dmp

Filesize
48KB

Download