dcrat | 198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201

Analysis

max time kernel
93s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe
Size

267KB
MD5

76421c2f8326e02b91c0556163581556
SHA1

bed7ccd1bde6583be756728e1e3844f62e016992
SHA256

198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201
SHA512

1521cec975f018fba9142cd5b99c0e78d7c7cc8fe91b8f008aba1f1efe1ae6ad18ea725f49ae552686ee03c1ccd05b65baf2436c22e638367a7d5d2266f739fd
SSDEEP

6144:t+dLIb/MVtGkeezG/R4TcM/sE1dreVTITT:eEwVt7jzG/mF1dreNY

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

https://affordcharmcropwo.shop/api

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exeB631.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a99c2a5b-44bd-4241-a79d-f152eb249702\\B631.exe\" --AutoStart"	B631.exe
3584	schtasks.exe
1900	schtasks.exe

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5108-21-0x00000000028F0000-0x0000000002A0B000-memory.dmp	family_djvu
behavioral1/memory/4680-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4680-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4680-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4680-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4680-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4212-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4212-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4212-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4828-279-0x0000000000400000-0x0000000000ECF000-memory.dmp	family_glupteba
behavioral1/memory/4828-292-0x0000000000400000-0x0000000000ECF000-memory.dmp	family_glupteba
behavioral1/memory/3712-419-0x0000000000400000-0x0000000000ECF000-memory.dmp	family_glupteba
behavioral1/memory/5084-619-0x0000000000400000-0x0000000000ECF000-memory.dmp	family_glupteba
behavioral1/memory/5084-671-0x0000000000400000-0x0000000000ECF000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1324-59-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4048 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

B631.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation B631.exe
Deletes itself 1 IoCs

Processes:

pid process

3496
Executes dropped EXE 11 IoCs

Processes:

B631.exeB631.exeB631.exeB631.exeC2F4.exeF475.exe2115.exe2D5A.exe2D5A.execsrss.exeinjector.exe

pid process

5108 B631.exe
4680 B631.exe
4964 B631.exe
4212 B631.exe
3748 C2F4.exe
4736 F475.exe
2752 2115.exe
4828 2D5A.exe
3712 2D5A.exe
5084 csrss.exe
560 injector.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4848 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4048	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	B631.exe

pid	process
3496

pid	process
5108	B631.exe
4680	B631.exe
4964	B631.exe
4212	B631.exe
3748	C2F4.exe
4736	F475.exe
2752	2115.exe
4828	2D5A.exe
3712	2D5A.exe
5084	csrss.exe
560	injector.exe

pid	process
4848	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/3472-650-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

B631.exe2D5A.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a99c2a5b-44bd-4241-a79d-f152eb249702\\B631.exe\" --AutoStart"	B631.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	2D5A.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

78 raw.githubusercontent.com
79 raw.githubusercontent.com
82 drive.google.com
83 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.2ip.ua
34 api.2ip.ua

flow	ioc
78	raw.githubusercontent.com
79	raw.githubusercontent.com
82	drive.google.com
83	drive.google.com

flow	ioc
33	api.2ip.ua
34	api.2ip.ua

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

B631.exeB631.exeC2F4.exe2115.exe

description	pid	process	target process
PID 5108 set thread context of 4680	5108	B631.exe	B631.exe
PID 4964 set thread context of 4212	4964	B631.exe	B631.exe
PID 3748 set thread context of 1324	3748	C2F4.exe	RegAsm.exe
PID 2752 set thread context of 768	2752	2115.exe	BitLockerToGo.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

2D5A.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 2D5A.exe
Drops file in Windows directory 2 IoCs

Processes:

2D5A.exe

description ioc process

File opened for modification C:\Windows\rss 2D5A.exe
File created C:\Windows\rss\csrss.exe 2D5A.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1100 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1128 4212 WerFault.exe B631.exe
1216 3748 WerFault.exe C2F4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	2D5A.exe

description	ioc	process
File opened for modification	C:\Windows\rss	2D5A.exe
File created	C:\Windows\rss\csrss.exe	2D5A.exe

pid	process
1100	sc.exe

pid	pid_target	process	target process
1128	4212	WerFault.exe	B631.exe
1216	3748	WerFault.exe	C2F4.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1900 schtasks.exe
3584 schtasks.exe

pid	process
1900	schtasks.exe
3584	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe2D5A.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	2D5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	2D5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	2D5A.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{9E18FBCC-B531-49CC-BD36-6A18250DE931}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{7FD1DB9F-3B1F-4AC0-8786-548E3FFEBD99}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{07E4CCAE-717E-466F-AECF-F57B56DD570B}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{45A07E2E-CCDF-4907-96B6-43EB95C36842}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe

pid	process
1180	198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe
1180	198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe

pid process

1180 198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

C2F4.exeRegAsm.exe2115.exepowershell.exeexplorer.exeexplorer.exe2D5A.exe

description	pid	process
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeDebugPrivilege	3748	C2F4.exe
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeDebugPrivilege	1324	RegAsm.exe
Token: SeDebugPrivilege	2752	2115.exe
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	4216	explorer.exe
Token: SeCreatePagefilePrivilege	4216	explorer.exe
Token: SeShutdownPrivilege	4216	explorer.exe
Token: SeCreatePagefilePrivilege	4216	explorer.exe
Token: SeShutdownPrivilege	4216	explorer.exe
Token: SeCreatePagefilePrivilege	4216	explorer.exe
Token: SeDebugPrivilege	4828	2D5A.exe
Token: SeImpersonatePrivilege	4828	2D5A.exe
Token: SeShutdownPrivilege	4216	explorer.exe
Token: SeCreatePagefilePrivilege	4216	explorer.exe
Token: SeShutdownPrivilege	4216	explorer.exe
Token: SeCreatePagefilePrivilege	4216	explorer.exe
Token: SeShutdownPrivilege	4216	explorer.exe
Token: SeCreatePagefilePrivilege	4216	explorer.exe
Token: SeShutdownPrivilege	4216	explorer.exe
Token: SeCreatePagefilePrivilege	4216	explorer.exe
Token: SeShutdownPrivilege	4216	explorer.exe
Token: SeCreatePagefilePrivilege	4216	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
3248	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid	process
432	StartMenuExperienceHost.exe
1808	StartMenuExperienceHost.exe
3152	StartMenuExperienceHost.exe
4436	SearchApp.exe
4648	StartMenuExperienceHost.exe
3420	SearchApp.exe
484	StartMenuExperienceHost.exe
1908	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeB631.exeB631.exeB631.exeC2F4.execmd.exe2D5A.exe2D5A.exe

description	pid	process	target process
PID 3496 wrote to memory of 1648	3496		cmd.exe
PID 3496 wrote to memory of 1648	3496		cmd.exe
PID 1648 wrote to memory of 2216	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 2216	1648	cmd.exe	reg.exe
PID 3496 wrote to memory of 5108	3496		B631.exe
PID 3496 wrote to memory of 5108	3496		B631.exe
PID 3496 wrote to memory of 5108	3496		B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 5108 wrote to memory of 4680	5108	B631.exe	B631.exe
PID 4680 wrote to memory of 4848	4680	B631.exe	icacls.exe
PID 4680 wrote to memory of 4848	4680	B631.exe	icacls.exe
PID 4680 wrote to memory of 4848	4680	B631.exe	icacls.exe
PID 4680 wrote to memory of 4964	4680	B631.exe	B631.exe
PID 4680 wrote to memory of 4964	4680	B631.exe	B631.exe
PID 4680 wrote to memory of 4964	4680	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 4964 wrote to memory of 4212	4964	B631.exe	B631.exe
PID 3496 wrote to memory of 3748	3496		C2F4.exe
PID 3496 wrote to memory of 3748	3496		C2F4.exe
PID 3496 wrote to memory of 3748	3496		C2F4.exe
PID 3748 wrote to memory of 1324	3748	C2F4.exe	RegAsm.exe
PID 3748 wrote to memory of 1324	3748	C2F4.exe	RegAsm.exe
PID 3748 wrote to memory of 1324	3748	C2F4.exe	RegAsm.exe
PID 3748 wrote to memory of 1324	3748	C2F4.exe	RegAsm.exe
PID 3748 wrote to memory of 1324	3748	C2F4.exe	RegAsm.exe
PID 3748 wrote to memory of 1324	3748	C2F4.exe	RegAsm.exe
PID 3748 wrote to memory of 1324	3748	C2F4.exe	RegAsm.exe
PID 3748 wrote to memory of 1324	3748	C2F4.exe	RegAsm.exe
PID 3496 wrote to memory of 4736	3496		F475.exe
PID 3496 wrote to memory of 4736	3496		F475.exe
PID 3496 wrote to memory of 4736	3496		F475.exe
PID 3496 wrote to memory of 1772	3496		cmd.exe
PID 3496 wrote to memory of 1772	3496		cmd.exe
PID 1772 wrote to memory of 2904	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 2904	1772	cmd.exe	reg.exe
PID 3496 wrote to memory of 2752	3496		2115.exe
PID 3496 wrote to memory of 2752	3496		2115.exe
PID 3496 wrote to memory of 4828	3496		2D5A.exe
PID 3496 wrote to memory of 4828	3496		2D5A.exe
PID 3496 wrote to memory of 4828	3496		2D5A.exe
PID 4828 wrote to memory of 4436	4828	2D5A.exe	powershell.exe
PID 4828 wrote to memory of 4436	4828	2D5A.exe	powershell.exe
PID 4828 wrote to memory of 4436	4828	2D5A.exe	powershell.exe
PID 3712 wrote to memory of 2920	3712	2D5A.exe	powershell.exe
PID 3712 wrote to memory of 2920	3712	2D5A.exe	powershell.exe
PID 3712 wrote to memory of 2920	3712	2D5A.exe	powershell.exe
PID 3712 wrote to memory of 1568	3712	2D5A.exe	cmd.exe
PID 3712 wrote to memory of 1568	3712	2D5A.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe
"C:\Users\Admin\AppData\Local\Temp\198c9b20feddedfddb616676b4d100996d583b29314f8046de476e47b6a98201.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A3B2.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\B631.exe
C:\Users\Admin\AppData\Local\Temp\B631.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\B631.exe
C:\Users\Admin\AppData\Local\Temp\B631.exe
2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a99c2a5b-44bd-4241-a79d-f152eb249702" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4848

C:\Users\Admin\AppData\Local\Temp\B631.exe
"C:\Users\Admin\AppData\Local\Temp\B631.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\B631.exe
"C:\Users\Admin\AppData\Local\Temp\B631.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 568
5⤵
- Program crash
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4212 -ip 4212
1⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\C2F4.exe
C:\Users\Admin\AppData\Local\Temp\C2F4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 828
2⤵
- Program crash
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3748 -ip 3748
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\F475.exe
C:\Users\Admin\AppData\Local\Temp\F475.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F65A.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\2115.exe
C:\Users\Admin\AppData\Local\Temp\2115.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\2D5A.exe
C:\Users\Admin\AppData\Local\Temp\2D5A.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Users\Admin\AppData\Local\Temp\2D5A.exe
"C:\Users\Admin\AppData\Local\Temp\2D5A.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1568

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4272

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1104

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:3584

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3608

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:560

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:1900

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:5116

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:1100

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3492

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:432

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4788

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4864

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1216

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1604

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2248

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4268

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
4305f3b83ea7e48583ca9863f6a51c75

SHA1
83587d71d6baeca1bc553f67a84c399789c91cb5

SHA256
2251e0ab16b12b3590efe8b9793dc002345123f8a9dd98c4c31c957995b99273

SHA512
94c77f16fa66618ed073af0157d191efd39b9ef78ff7113a224117c8156594b36076b40ab7aafb8ec534dd82a069339486b693c8d672e431e2330be4a4c4eea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
5af567c759fef113629aa6a5f9313c19

SHA1
ec2b770e5edf09d6e11a8702cc9645a365c84ae9

SHA256
ebe5f590c9dc20144385b6d7abf6715ccf37b46a3a0d2b53bed9cdc3ec50be68

SHA512
2a1f82e0935f0ed228e3e64fb675c221ad26bfd7073fa9b4198f492ae9091a249420d00e9d1b112ff4810ab433a9c5b30f6c396f3944737827715d8cbbc99621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
ce6c73e90308666da791421811ed5dc2

SHA1
1983aef384427a03b47f2a0cdbff9f733a0be2ca

SHA256
00239d0e245750bd78a5300a157af7859ce98554cfc1fdc565b93291dc04d234

SHA512
3bde72f8b50fb433a026bfc1abdd9d096b86fcb63685bc5ff9e62840badeaa0d1f582536df28300d2e4939f95b106f3c0721aa173b2e11b5ee88f3619a579bb6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml
Filesize
96B

MD5
2415f1b0b1e5150e9f1e871081fd1fad

SHA1
a79e4bfddc3daf75f059fda3547bd18282d993f7

SHA256
3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae

SHA512
5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2115.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D5A.exe
Filesize
4.2MB

MD5
584c497505124d06cf5f0d97257527c5

SHA1
46e5d86b2e4efaec285e23acd8a1825b707fa3d7

SHA256
bd63d276dd1c49db677a5e32cf36f11c4140fe66840baf18e6bf3f960f0ce3da

SHA512
131e8df05d075f5781d379e3a3edd4aa74c2b0340768dcdb0bc66e97a41c521d88b74e22bf00dd8659b6d3c172d5a85c258ab593d4cf931599fab262d5815f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3B2.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\B631.exe
Filesize
765KB

MD5
d0df7f3f1876beb6c7081d224eb92795

SHA1
ecd9cbe697ce1c7e798e088d2c82c8a6bbf9f958

SHA256
f8f078090823e52e8ddff7b987ba9723fb9f5d450c65785c18d5e9c9c19f7df5

SHA512
960744969e8c56fe97dffce592753c45963002efadb771dc5c7d8edf3444c4a90068ac43076b40596740196fc5639ab773b1db7554a8cd6174f7574e9234d028

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2F4.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F475.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3rvnfwq.cx2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
e37be76cf6412b91d740c5e2972cc8f1

SHA1
0df127b5f40da11f600abb08a0c925d165c6cafd

SHA256
0525e0933f4481411d21341940b339014a82fa2787b04e6c9f531227c2e09611

SHA512
891040c0abedc2240972680106f03cfe81cf7f1c0c93bfceeec1f32866d590fb3258cab835a0c7fd780ae6dd1b96aa0e54b0e8bb890d55cadb068a6db8f42b15

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
d7efe018b5e8fb941d152457af4aa4a7

SHA1
e00032df4864370ae17ec4107681d47a22ad99a2

SHA256
d0434006755ce22de1b45d54c3a7e5d5448f6d30d868d517b9167243302aa99d

SHA512
d82098b35f1c8eeff1faab0aeec90e311c0bcde8636f0a5f59e3e96bd06728a53130f5e35a18b8d2457a828d31b246b96116c811f7dbf71a3cbf3bf98289a4f2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
c1fd5616313566edbda6d3b99068064b

SHA1
5dd0448088e4308f071899843cb6d29571632ba7

SHA256
bab1633e2c6041b93833b09fdc4f4c17b8f00450f872418eec92c91a23f1a629

SHA512
c0939b97b2f797b3a8b961b11605235c9438a862d085e3e22bfd98074b4ee3bf893c8b8dd66cb8122c341deb59651793d37085b6cdc421c1187bd8be54895dca

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
90ee0ad2f9855c3f35bd1d3561432d7c

SHA1
20148f7abaae8d128bce0bfc4050cb9c7e02ffb8

SHA256
49328543104119648aa26b3ff106192949181bffc24c6c658d8cd5a481df9edd

SHA512
fe953aebc2cb549bc4e5766b49a33571e3a420b0343d034c7369be6e4b4f2ee90a3f27a8bfdecf2ff58918acabce8c3b65cab5f8ae5ed75bc7c2ccc067efe628

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
46f7845fb1b3ad2889f6eaaf066a5d6a

SHA1
b20262fb4005fc69eed8491aae2d60179b406af5

SHA256
c5b97b524df423b5c5a2cc864cef52ef5e6cf6b61d9dc49ee557e9c6b078cd7e

SHA512
b915e1d80a4211de0b948a7812ad65086d29c454f9272b0dcf447a0325a0e9157fcff2319c85eea88317a9db9344b65c9472da5e977adc115fce0ab79e571869

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/768-427-0x0000000000AC0000-0x0000000000B0B000-memory.dmp

Filesize
300KB

Download
memory/768-422-0x0000000000AC0000-0x0000000000B0B000-memory.dmp

Filesize
300KB

Download
memory/1180-3-0x0000000000400000-0x0000000000AEC000-memory.dmp

Filesize
6.9MB

Download
memory/1180-2-0x0000000000C90000-0x0000000000C9B000-memory.dmp

Filesize
44KB

Download
memory/1180-1-0x0000000000D50000-0x0000000000E50000-memory.dmp

Filesize
1024KB

Download
memory/1180-5-0x0000000000400000-0x0000000000AEC000-memory.dmp

Filesize
6.9MB

Download
memory/1216-681-0x0000025DC0D20000-0x0000025DC0D40000-memory.dmp

Filesize
128KB

Download
memory/1324-100-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-62-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/1324-65-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-66-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/1324-67-0x0000000006540000-0x0000000006B58000-memory.dmp

Filesize
6.1MB

Download
memory/1324-68-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/1324-64-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/1324-70-0x0000000005700000-0x0000000005712000-memory.dmp

Filesize
72KB

Download
memory/1324-71-0x0000000005760000-0x000000000579C000-memory.dmp

Filesize
240KB

Download
memory/1324-72-0x00000000058E0000-0x000000000592C000-memory.dmp

Filesize
304KB

Download
memory/1324-73-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/1324-74-0x0000000007C90000-0x0000000007CE0000-memory.dmp

Filesize
320KB

Download
memory/1324-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1324-61-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/2016-448-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2752-425-0x00007FF6E6340000-0x00007FF6E828C000-memory.dmp

Filesize
31.3MB

Download
memory/2752-261-0x00007FF6E6340000-0x00007FF6E828C000-memory.dmp

Filesize
31.3MB

Download
memory/2752-370-0x00007FF6E6340000-0x00007FF6E828C000-memory.dmp

Filesize
31.3MB

Download
memory/2804-673-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/3248-336-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/3420-468-0x000001B857260000-0x000001B857280000-memory.dmp

Filesize
128KB

Download
memory/3420-465-0x000001B8572A0000-0x000001B8572C0000-memory.dmp

Filesize
128KB

Download
memory/3420-469-0x000001B857880000-0x000001B8578A0000-memory.dmp

Filesize
128KB

Download
memory/3472-650-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3496-246-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/3496-4-0x00000000010C0000-0x00000000010D6000-memory.dmp

Filesize
88KB

Download
memory/3560-631-0x00000244BEF90000-0x00000244BEFB0000-memory.dmp

Filesize
128KB

Download
memory/3560-629-0x00000244BEFD0000-0x00000244BEFF0000-memory.dmp

Filesize
128KB

Download
memory/3560-632-0x00000244BF3A0000-0x00000244BF3C0000-memory.dmp

Filesize
128KB

Download
memory/3712-419-0x0000000000400000-0x0000000000ECF000-memory.dmp

Filesize
10.8MB

Download
memory/3748-56-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3748-53-0x0000000000650000-0x00000000006B4000-memory.dmp

Filesize
400KB

Download
memory/3748-54-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3748-55-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3748-63-0x0000000002A70000-0x0000000004A70000-memory.dmp

Filesize
32.0MB

Download
memory/3748-69-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3972-660-0x00000269C8920000-0x00000269C8940000-memory.dmp

Filesize
128KB

Download
memory/3972-664-0x00000269C8CF0000-0x00000269C8D10000-memory.dmp

Filesize
128KB

Download
memory/3972-662-0x00000269C88E0000-0x00000269C8900000-memory.dmp

Filesize
128KB

Download
memory/4212-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4212-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4212-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4436-342-0x000002B0FAF70000-0x000002B0FAF90000-memory.dmp

Filesize
128KB

Download
memory/4436-344-0x000002B0FAF30000-0x000002B0FAF50000-memory.dmp

Filesize
128KB

Download
memory/4436-346-0x000002B0FB340000-0x000002B0FB360000-memory.dmp

Filesize
128KB

Download
memory/4680-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4680-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4680-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4680-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4680-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4736-105-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-101-0x0000000000F30000-0x0000000000F62000-memory.dmp

Filesize
200KB

Download
memory/4736-125-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-127-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-126-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-128-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-129-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-130-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-132-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-131-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-133-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-114-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-115-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-116-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-117-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-113-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-112-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-111-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-109-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-110-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-108-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-107-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-106-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-123-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-103-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-104-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-102-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-124-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-99-0x0000000000F30000-0x0000000000F62000-memory.dmp

Filesize
200KB

Download
memory/4736-98-0x0000000000F30000-0x0000000000F62000-memory.dmp

Filesize
200KB

Download
memory/4736-97-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4736-96-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4736-94-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4736-91-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4736-93-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4736-89-0x0000000000F80000-0x0000000001C65000-memory.dmp

Filesize
12.9MB

Download
memory/4736-92-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/4736-90-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4736-118-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-119-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-120-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-121-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-122-0x0000000003EA0000-0x0000000003FA0000-memory.dmp

Filesize
1024KB

Download
memory/4736-88-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4736-83-0x0000000000F80000-0x0000000001C65000-memory.dmp

Filesize
12.9MB

Download
memory/4788-613-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/4828-292-0x0000000000400000-0x0000000000ECF000-memory.dmp

Filesize
10.8MB

Download
memory/4828-279-0x0000000000400000-0x0000000000ECF000-memory.dmp

Filesize
10.8MB

Download
memory/4864-652-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/4884-621-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/4964-39-0x0000000002630000-0x00000000026C8000-memory.dmp

Filesize
608KB

Download
memory/5084-619-0x0000000000400000-0x0000000000ECF000-memory.dmp

Filesize
10.8MB

Download
memory/5084-671-0x0000000000400000-0x0000000000ECF000-memory.dmp

Filesize
10.8MB

Download
memory/5108-21-0x00000000028F0000-0x0000000002A0B000-memory.dmp

Filesize
1.1MB

Download
memory/5108-20-0x00000000026B0000-0x000000000274E000-memory.dmp

Filesize
632KB

Download