dcrat | 4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe
Size

203KB
MD5

982a9f4eb6b6d45494c229728abc0562
SHA1

7ecd82d81511c1c778a882c4ac2457f9a45b91f0
SHA256

4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1
SHA512

844f81bac1ef583b37c238465c70ce9448b9e8465c1d4822fae8052ad22de56b84d70e4a8218be6c09370232629fb1d47fe8043621bb1e37ac3464f69bae4364
SSDEEP

3072:QYM3LqhgTikJM9rNxsr+Zm/rQSsK1LBg3V6HQ+sfwM199HIg:QYThgTikixNyj/roKXg3yNM1rHIg

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

BA0A.exeschtasks.exeschtasks.exe4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2a65e3fa-7378-4e26-89ae-e1ad33a235ed\\BA0A.exe\" --AutoStart"	BA0A.exe
4388	schtasks.exe
1372	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/348-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/348-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4960-22-0x0000000002480000-0x000000000259B000-memory.dmp	family_djvu
behavioral2/memory/348-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/348-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/348-396-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2816-402-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2816-407-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2816-409-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3096-488-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3928-614-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3844-760-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3844-768-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3844-769-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3844-772-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4704-52-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2156 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3284

pid	process
2156	netsh.exe

pid	process
3284

Executes dropped EXE 13 IoCs

Processes:

BA0A.exeBA0A.exeC6BD.exeF957.exe2328.exeBA0A.exeBA0A.exeAAA9.exeAAA9.execsrss.exeinjector.exewindefender.exewindefender.exe

pid	process
4960	BA0A.exe
348	BA0A.exe
5092	C6BD.exe
1164	F957.exe
1064	2328.exe
1580	BA0A.exe
2816	BA0A.exe
3096	AAA9.exe
3928	AAA9.exe
3844	csrss.exe
2096	injector.exe
4800	windefender.exe
3420	windefender.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1908 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1908	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/4800-767-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3420-770-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BA0A.exeAAA9.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2a65e3fa-7378-4e26-89ae-e1ad33a235ed\\BA0A.exe\" --AutoStart"	BA0A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	AAA9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

14 raw.githubusercontent.com
14 drive.google.com
20 raw.githubusercontent.com
22 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.2ip.ua
1 api.2ip.ua
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
14	raw.githubusercontent.com
14	drive.google.com
20	raw.githubusercontent.com
22	drive.google.com

flow	ioc
5	api.2ip.ua
1	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

BA0A.exeC6BD.exe2328.exeBA0A.exe

description	pid	process	target process
PID 4960 set thread context of 348	4960	BA0A.exe	BA0A.exe
PID 5092 set thread context of 4704	5092	C6BD.exe	RegAsm.exe
PID 1064 set thread context of 4724	1064	2328.exe	BitLockerToGo.exe
PID 1580 set thread context of 2816	1580	BA0A.exe	BA0A.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

AAA9.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN AAA9.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	AAA9.exe

Drops file in Windows directory 4 IoCs

Processes:

AAA9.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	AAA9.exe
File created	C:\Windows\rss\csrss.exe	AAA9.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1984 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4584 5092 WerFault.exe C6BD.exe
1964 2816 WerFault.exe BA0A.exe

pid	process
1984	sc.exe

pid	pid_target	process	target process
4584	5092	WerFault.exe	C6BD.exe
1964	2816	WerFault.exe	BA0A.exe

Checks SCSI registry key(s) 3 TTPs 61 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4388 schtasks.exe
1372 schtasks.exe

pid	process
4388	schtasks.exe
1372	schtasks.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeAAA9.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	AAA9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	AAA9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	AAA9.exe

Modifies registry class 64 IoCs

Processes:

SearchHost.exeSearchHost.exeexplorer.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1042"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400280010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133529946565815127"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1042"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1042"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe

pid	process
3436	4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe
3436	4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284
3284

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe

pid process

3436 4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

C6BD.exeRegAsm.exe2328.exepowershell.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeDebugPrivilege	5092	C6BD.exe
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeDebugPrivilege	4704	RegAsm.exe
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeDebugPrivilege	1064	2328.exe
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeShutdownPrivilege	3284
Token: SeCreatePagefilePrivilege	3284
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe
Token: SeShutdownPrivilege	1256	explorer.exe
Token: SeCreatePagefilePrivilege	1256	explorer.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

explorer.exe

pid	process
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exe

pid	process
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe
1256	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

explorer.exeStartMenuExperienceHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exe

pid	process
1256	explorer.exe
1452	StartMenuExperienceHost.exe
2776	SearchHost.exe
1256	explorer.exe
4652	SearchHost.exe
3656	SearchHost.exe
2928	SearchHost.exe
2668	SearchHost.exe
3416	SearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeBA0A.exeC6BD.execmd.exe2328.exeBA0A.exeBA0A.exeAAA9.exe

description	pid	process	target process
PID 3284 wrote to memory of 3896	3284		cmd.exe
PID 3284 wrote to memory of 3896	3284		cmd.exe
PID 3896 wrote to memory of 3164	3896	cmd.exe	reg.exe
PID 3896 wrote to memory of 3164	3896	cmd.exe	reg.exe
PID 3284 wrote to memory of 4960	3284		BA0A.exe
PID 3284 wrote to memory of 4960	3284		BA0A.exe
PID 3284 wrote to memory of 4960	3284		BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 4960 wrote to memory of 348	4960	BA0A.exe	BA0A.exe
PID 3284 wrote to memory of 5092	3284		C6BD.exe
PID 3284 wrote to memory of 5092	3284		C6BD.exe
PID 3284 wrote to memory of 5092	3284		C6BD.exe
PID 5092 wrote to memory of 4704	5092	C6BD.exe	RegAsm.exe
PID 5092 wrote to memory of 4704	5092	C6BD.exe	RegAsm.exe
PID 5092 wrote to memory of 4704	5092	C6BD.exe	RegAsm.exe
PID 5092 wrote to memory of 4704	5092	C6BD.exe	RegAsm.exe
PID 5092 wrote to memory of 4704	5092	C6BD.exe	RegAsm.exe
PID 5092 wrote to memory of 4704	5092	C6BD.exe	RegAsm.exe
PID 5092 wrote to memory of 4704	5092	C6BD.exe	RegAsm.exe
PID 5092 wrote to memory of 4704	5092	C6BD.exe	RegAsm.exe
PID 3284 wrote to memory of 1164	3284		F957.exe
PID 3284 wrote to memory of 1164	3284		F957.exe
PID 3284 wrote to memory of 1164	3284		F957.exe
PID 3284 wrote to memory of 4628	3284		cmd.exe
PID 3284 wrote to memory of 4628	3284		cmd.exe
PID 4628 wrote to memory of 4660	4628	cmd.exe	reg.exe
PID 4628 wrote to memory of 4660	4628	cmd.exe	reg.exe
PID 3284 wrote to memory of 1064	3284		2328.exe
PID 3284 wrote to memory of 1064	3284		2328.exe
PID 1064 wrote to memory of 4724	1064	2328.exe	BitLockerToGo.exe
PID 1064 wrote to memory of 4724	1064	2328.exe	BitLockerToGo.exe
PID 1064 wrote to memory of 4724	1064	2328.exe	BitLockerToGo.exe
PID 1064 wrote to memory of 4724	1064	2328.exe	BitLockerToGo.exe
PID 1064 wrote to memory of 4724	1064	2328.exe	BitLockerToGo.exe
PID 348 wrote to memory of 1908	348	BA0A.exe	icacls.exe
PID 348 wrote to memory of 1908	348	BA0A.exe	icacls.exe
PID 348 wrote to memory of 1908	348	BA0A.exe	icacls.exe
PID 348 wrote to memory of 1580	348	BA0A.exe	BA0A.exe
PID 348 wrote to memory of 1580	348	BA0A.exe	BA0A.exe
PID 348 wrote to memory of 1580	348	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 1580 wrote to memory of 2816	1580	BA0A.exe	BA0A.exe
PID 3284 wrote to memory of 3096	3284		AAA9.exe
PID 3284 wrote to memory of 3096	3284		AAA9.exe
PID 3284 wrote to memory of 3096	3284		AAA9.exe
PID 3096 wrote to memory of 4484	3096	AAA9.exe	powershell.exe
PID 3096 wrote to memory of 4484	3096	AAA9.exe	powershell.exe
PID 3096 wrote to memory of 4484	3096	AAA9.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe
"C:\Users\Admin\AppData\Local\Temp\4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7AA.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\BA0A.exe
C:\Users\Admin\AppData\Local\Temp\BA0A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\BA0A.exe
C:\Users\Admin\AppData\Local\Temp\BA0A.exe
2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2a65e3fa-7378-4e26-89ae-e1ad33a235ed" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1908

C:\Users\Admin\AppData\Local\Temp\BA0A.exe
"C:\Users\Admin\AppData\Local\Temp\BA0A.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\BA0A.exe
"C:\Users\Admin\AppData\Local\Temp\BA0A.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 604
5⤵
- Program crash
PID:1964

C:\Users\Admin\AppData\Local\Temp\C6BD.exe
C:\Users\Admin\AppData\Local\Temp\C6BD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 840
2⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5092 -ip 5092
1⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\F957.exe
C:\Users\Admin\AppData\Local\Temp\F957.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FBAA.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\2328.exe
C:\Users\Admin\AppData\Local\Temp\2328.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\AAA9.exe
C:\Users\Admin\AppData\Local\Temp\AAA9.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Users\Admin\AppData\Local\Temp\AAA9.exe
"C:\Users\Admin\AppData\Local\Temp\AAA9.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:4524

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1764

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:3844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4480

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:4388

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:1240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5016

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:2096

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:1372

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:4308

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2816 -ip 2816
1⤵
PID:1856

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2928

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
df0c92a9ef49dfe0f92c9fb1a0c5bc13

SHA1
eebf3614a4dfc57a400b637b2bcc269fbfaf7e9d

SHA256
c7b8b32700190ca14510507a3487283471f8c4067fa327a4509ccb0b45eae9ce

SHA512
52a71341aa603a76092f7945d845b3b23423689c063bfb70e363467909bc9c10cff59e415e48bb966efe13e59b0da873d9103c3c555334338d88afb48d9d4688

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FF3ES9OD\www.bing[1].xml
Filesize
2KB

MD5
badc6b63d92ee77b0189f811cfe670a5

SHA1
f82258c5b9757361d9b658671b6261545d3dd5c5

SHA256
fd15d53d39622e3b6fd7334e67a433f40b267c8aac7227476b03c146bb04f099

SHA512
18713ff3348def9db84e0edabbbbb893844490f5e2eb4768f454a941900b61c8d15485ee0173ac377a61a708620698e61c1b1581ede806c47b8a960b690e09bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2328.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7AA.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAA9.exe
Filesize
4.1MB

MD5
ba5b3587a2c3f8d688e8c1d77e6ec18b

SHA1
becedc93b291eff49d3579b402f2c9a21e7a86eb

SHA256
bc66acc532cca746af116cc1c2bad1ccf565fb5320f8ec059428780a32b10a95

SHA512
1805da9811cc3a8881a7be1ee6c193b072851be40123800464756078abfd9c06ada2211760afa41a45aa783932054bd4eaa77ed836784fc6dd2c4dd02f1f0824

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA0A.exe
Filesize
733KB

MD5
cc4b213535ca360dbf9d08590939972d

SHA1
a1ac443d9c2f2a809b01fc7968235a9b9992f89b

SHA256
33b7a85c7b3ba67d21e108440ea3a755639875314fce7c922865e723479aeb38

SHA512
9de6129de378164c5454a8833a31bbaeb9c7718d9f149a141d014c72a55d25207be7826124def4fd7e2a02e9178287e5ac912c9bc0abcbf896ebf3311ea77eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6BD.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F957.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfywpicr.cib.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
a92acf49852478d937d7bd7ee0420022

SHA1
ce8aab7630d89c3fee2630569757ab3524b1991f

SHA256
5ca48eda7444ad1e505369ff550301a82ebbe86cc048706271672711d5a4701a

SHA512
788e0fc1b4c0ad65b3ac7fb543dc0d4c81a94df0db151b54a56bae87a331d1e6b423189b2a9f1a439a66417179fe007697a551b77d9c81e81e37cfe703a829cd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
880f7f006f903be7531c89c86a1eb4a0

SHA1
50e67b8a77f47a3b8f901d0886d42027008604ad

SHA256
06162cf4bffce1a86ae836a6cfa6e23ffb645edc818249ce193c7b66e84daa6c

SHA512
91af15697da59121e3284053723c27baca6c77d0a616c00d7c23c9f662b36e56fc0b377c20c1823b5b33b70756c3979509855c841fcc3f7c20cbe7768ca9250e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
509e469597056e469309542e6c06c4c6

SHA1
6378a63895b7d37a031f96d4c378eed42edf9d28

SHA256
37b08ee09ad2c64158bec07c7a84d41f7ca405c71251235936ddfa64f256a141

SHA512
99b6670731a99f6d5504e817930d7100028ed921c0d3e664e046d348f7c952c28999e79e93a14a64bf493e0ce62832834cd8a7c6a4820f490cbac1b419e6e2d0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
c6955351bb9b5f505e1de05540591a93

SHA1
e93c299365d3c5855d835251cda3542a728156bc

SHA256
f303d42d41c664b253adc7486446d68433ae325ca5318c0c70ef8f477befba16

SHA512
28d95f71373f94379704ca9a5aae1db214be6d94e79239752f11e6a06eb7b00ca0c6890f879ec36388ae79c124b4086e783774d5d8a1ff595bf9480d129a76f2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ec148db47034ffa51a3393c8cde8ea3f

SHA1
8b23cf2e4f80d31e7ef2dd16313db9ffe7ef3187

SHA256
ff0bf46af89a1438bd1045366a93487cef7884d903c1a77f4f035c6be66e6d8c

SHA512
26a3a9184ab09969845e7a4ac9d45a540aece05de595f9cee0dc33b67691fc596085359a7ae99e3b23b073879c1dc85197b8c0dd9ca59aa8e38d7e4fa24923a5

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/348-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/348-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/348-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/348-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/348-396-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1064-182-0x00007FF7695A0000-0x00007FF76B4EC000-memory.dmp

Filesize
31.3MB

Download
memory/1064-177-0x00007FF7695A0000-0x00007FF76B4EC000-memory.dmp

Filesize
31.3MB

Download
memory/1164-106-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-117-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-126-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-128-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-127-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-124-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-123-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-121-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-122-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-120-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-116-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-118-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-75-0x00000000009A0000-0x0000000001685000-memory.dmp

Filesize
12.9MB

Download
memory/1164-84-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1164-85-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1164-86-0x00000000009A0000-0x0000000001685000-memory.dmp

Filesize
12.9MB

Download
memory/1164-87-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/1164-88-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/1164-89-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/1164-90-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/1164-91-0x00000000009A0000-0x0000000001685000-memory.dmp

Filesize
12.9MB

Download
memory/1164-92-0x00000000009A0000-0x0000000001685000-memory.dmp

Filesize
12.9MB

Download
memory/1164-94-0x0000000001A10000-0x0000000001A50000-memory.dmp

Filesize
256KB

Download
memory/1164-93-0x0000000001A10000-0x0000000001A50000-memory.dmp

Filesize
256KB

Download
memory/1164-95-0x0000000001A10000-0x0000000001A50000-memory.dmp

Filesize
256KB

Download
memory/1164-96-0x0000000001A10000-0x0000000001A50000-memory.dmp

Filesize
256KB

Download
memory/1164-119-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-99-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-100-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-98-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-101-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-102-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-103-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-104-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-114-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-105-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-107-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-108-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-109-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-110-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-111-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-112-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-113-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/1164-115-0x0000000004210000-0x0000000004310000-memory.dmp

Filesize
1024KB

Download
memory/2776-478-0x000001A570A60000-0x000001A570A80000-memory.dmp

Filesize
128KB

Download
memory/2776-485-0x000001A571060000-0x000001A571160000-memory.dmp

Filesize
1024KB

Download
memory/2816-402-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-407-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-409-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2928-662-0x000001F2B6C10000-0x000001F2B6D10000-memory.dmp

Filesize
1024KB

Download
memory/2928-659-0x000001F2B6BD0000-0x000001F2B6BF0000-memory.dmp

Filesize
128KB

Download
memory/3096-488-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3284-4-0x0000000003310000-0x0000000003326000-memory.dmp

Filesize
88KB

Download
memory/3284-436-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/3420-770-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3436-1-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/3436-2-0x0000000002380000-0x000000000238B000-memory.dmp

Filesize
44KB

Download
memory/3436-5-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3436-3-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3844-760-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3844-768-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3844-769-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3844-772-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3928-614-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4704-129-0x00000000731A0000-0x0000000073951000-memory.dmp

Filesize
7.7MB

Download
memory/4704-59-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/4704-56-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/4704-55-0x00000000056F0000-0x0000000005C96000-memory.dmp

Filesize
5.6MB

Download
memory/4704-52-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4704-66-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/4704-60-0x00000000062C0000-0x00000000068D8000-memory.dmp

Filesize
6.1MB

Download
memory/4704-67-0x0000000006CE0000-0x0000000006EA2000-memory.dmp

Filesize
1.8MB

Download
memory/4704-57-0x00000000731A0000-0x0000000073951000-memory.dmp

Filesize
7.7MB

Download
memory/4704-63-0x00000000054A0000-0x00000000054DC000-memory.dmp

Filesize
240KB

Download
memory/4704-97-0x00000000731A0000-0x0000000073951000-memory.dmp

Filesize
7.7MB

Download
memory/4704-74-0x0000000007340000-0x0000000007390000-memory.dmp

Filesize
320KB

Download
memory/4704-58-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/4704-64-0x00000000054F0000-0x000000000553C000-memory.dmp

Filesize
304KB

Download
memory/4704-61-0x0000000005550000-0x000000000565A000-memory.dmp

Filesize
1.0MB

Download
memory/4704-68-0x00000000073E0000-0x000000000790C000-memory.dmp

Filesize
5.2MB

Download
memory/4704-62-0x0000000005440000-0x0000000005452000-memory.dmp

Filesize
72KB

Download
memory/4724-184-0x0000000000A00000-0x0000000000A4B000-memory.dmp

Filesize
300KB

Download
memory/4724-181-0x0000000000A00000-0x0000000000A4B000-memory.dmp

Filesize
300KB

Download
memory/4800-767-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4960-22-0x0000000002480000-0x000000000259B000-memory.dmp

Filesize
1.1MB

Download
memory/4960-20-0x00000000022C0000-0x0000000002358000-memory.dmp

Filesize
608KB

Download
memory/5092-65-0x00000000731A0000-0x0000000073951000-memory.dmp

Filesize
7.7MB

Download
memory/5092-54-0x00000000032B0000-0x00000000052B0000-memory.dmp

Filesize
32.0MB

Download
memory/5092-46-0x0000000000C30000-0x0000000000C94000-memory.dmp

Filesize
400KB

Download
memory/5092-47-0x00000000731A0000-0x0000000073951000-memory.dmp

Filesize
7.7MB

Download
memory/5092-49-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/5092-48-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download