dcrat | 29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af

Analysis

max time kernel
112s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
Size

203KB
MD5

cfef270ab5ce465d112890717e9be5a6
SHA1

38a935c3c1178a5ecb98232c92e3208f2fd39103
SHA256

29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af
SHA512

e37d52416e72dc9f1fc173da7d8d834baa28df1480edb2f23ae0075277e6bc92b4d8aeeba4e6a6f59e20908f53df36378ed6950ab198335b203dce490c01ece9
SSDEEP

3072:4XqLqhgTFZ5/VAGuI4bSaeHnbVVsD8Lgz2oaIrPBUwM9Mu+:4HhgTFZhGG94bSaAbHeQgjaIDJM9N+

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe2130.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\70793521-fdba-49c9-9884-ee71efcd077c\\2130.exe\" --AutoStart"	2130.exe
4272	schtasks.exe
3080	schtasks.exe

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4268-21-0x00000000022A0000-0x00000000023BB000-memory.dmp	family_djvu
behavioral1/memory/4404-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4404-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4404-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4404-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4404-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5108-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5108-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5108-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3636-224-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4616-363-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1572-59-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4520 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

2130.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation 2130.exe
Deletes itself 1 IoCs

Processes:

pid process

3452
Executes dropped EXE 9 IoCs

Processes:

2130.exe2130.exe2130.exe2130.exe2EBE.exe62BF.exe9897.execidbhadAF3C.exe

pid process

4268 2130.exe
4404 2130.exe
2964 2130.exe
5108 2130.exe
4708 2EBE.exe
3120 62BF.exe
2800 9897.exe
1944 cidbhad
3636 AF3C.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4872 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4520	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	2130.exe

pid	process
3452

pid	process
4268	2130.exe
4404	2130.exe
2964	2130.exe
5108	2130.exe
4708	2EBE.exe
3120	62BF.exe
2800	9897.exe
1944	cidbhad
3636	AF3C.exe

pid	process
4872	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2130.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\70793521-fdba-49c9-9884-ee71efcd077c\\2130.exe\" --AutoStart"	2130.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

65 raw.githubusercontent.com
67 raw.githubusercontent.com
71 drive.google.com
72 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 api.2ip.ua
38 api.2ip.ua

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
65	raw.githubusercontent.com
67	raw.githubusercontent.com
71	drive.google.com
72	drive.google.com

flow	ioc
37	api.2ip.ua
38	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

2130.exe2130.exe2EBE.exe9897.exe

description	pid	process	target process
PID 4268 set thread context of 4404	4268	2130.exe	2130.exe
PID 2964 set thread context of 5108	2964	2130.exe	2130.exe
PID 4708 set thread context of 1572	4708	2EBE.exe	RegAsm.exe
PID 2800 set thread context of 4972	2800	9897.exe	BitLockerToGo.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4612 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1484 5108 WerFault.exe 2130.exe
2312 4708 WerFault.exe 2EBE.exe

pid	process
4612	sc.exe

pid	pid_target	process	target process
1484	5108	WerFault.exe	2130.exe
2312	4708	WerFault.exe	2EBE.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.execidbhad29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cidbhad
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cidbhad
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cidbhad
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4272 schtasks.exe
3080 schtasks.exe

pid	process
4272	schtasks.exe
3080	schtasks.exe

Modifies registry class 11 IoCs

Processes:

explorer.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{8AF4984A-55B5-4244-8702-D2C42E6ADA5F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe

pid	process
3560	29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
3560	29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.execidbhad

pid process

3560 29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
1944 cidbhad

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

2EBE.exeRegAsm.exe9897.exepowershell.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeDebugPrivilege	4708	2EBE.exe
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeDebugPrivilege	1572	RegAsm.exe
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeDebugPrivilege	2800	9897.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	220	explorer.exe
Token: SeCreatePagefilePrivilege	220	explorer.exe
Token: SeShutdownPrivilege	4108	explorer.exe
Token: SeCreatePagefilePrivilege	4108	explorer.exe
Token: SeShutdownPrivilege	4108	explorer.exe
Token: SeCreatePagefilePrivilege	4108	explorer.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

explorer.exe

pid	process
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

explorer.exe

pid	process
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

2168 StartMenuExperienceHost.exe

pid	process
2168	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe2130.exe2130.exe2130.exe2EBE.execmd.exeAF3C.exe9897.exe

description	pid	process	target process
PID 3452 wrote to memory of 4712	3452		cmd.exe
PID 3452 wrote to memory of 4712	3452		cmd.exe
PID 4712 wrote to memory of 2368	4712	cmd.exe	reg.exe
PID 4712 wrote to memory of 2368	4712	cmd.exe	reg.exe
PID 3452 wrote to memory of 4268	3452		2130.exe
PID 3452 wrote to memory of 4268	3452		2130.exe
PID 3452 wrote to memory of 4268	3452		2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4268 wrote to memory of 4404	4268	2130.exe	2130.exe
PID 4404 wrote to memory of 4872	4404	2130.exe	icacls.exe
PID 4404 wrote to memory of 4872	4404	2130.exe	icacls.exe
PID 4404 wrote to memory of 4872	4404	2130.exe	icacls.exe
PID 4404 wrote to memory of 2964	4404	2130.exe	2130.exe
PID 4404 wrote to memory of 2964	4404	2130.exe	2130.exe
PID 4404 wrote to memory of 2964	4404	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 2964 wrote to memory of 5108	2964	2130.exe	2130.exe
PID 3452 wrote to memory of 4708	3452		2EBE.exe
PID 3452 wrote to memory of 4708	3452		2EBE.exe
PID 3452 wrote to memory of 4708	3452		2EBE.exe
PID 4708 wrote to memory of 1572	4708	2EBE.exe	RegAsm.exe
PID 4708 wrote to memory of 1572	4708	2EBE.exe	RegAsm.exe
PID 4708 wrote to memory of 1572	4708	2EBE.exe	RegAsm.exe
PID 4708 wrote to memory of 1572	4708	2EBE.exe	RegAsm.exe
PID 4708 wrote to memory of 1572	4708	2EBE.exe	RegAsm.exe
PID 4708 wrote to memory of 1572	4708	2EBE.exe	RegAsm.exe
PID 4708 wrote to memory of 1572	4708	2EBE.exe	RegAsm.exe
PID 4708 wrote to memory of 1572	4708	2EBE.exe	RegAsm.exe
PID 3452 wrote to memory of 3120	3452		62BF.exe
PID 3452 wrote to memory of 3120	3452		62BF.exe
PID 3452 wrote to memory of 3120	3452		62BF.exe
PID 3452 wrote to memory of 3676	3452		cmd.exe
PID 3452 wrote to memory of 3676	3452		cmd.exe
PID 3676 wrote to memory of 656	3676	cmd.exe	reg.exe
PID 3676 wrote to memory of 656	3676	cmd.exe	reg.exe
PID 3452 wrote to memory of 2800	3452		9897.exe
PID 3452 wrote to memory of 2800	3452		9897.exe
PID 3452 wrote to memory of 3636	3452		AF3C.exe
PID 3452 wrote to memory of 3636	3452		AF3C.exe
PID 3452 wrote to memory of 3636	3452		AF3C.exe
PID 3636 wrote to memory of 4268	3636	AF3C.exe	powershell.exe
PID 3636 wrote to memory of 4268	3636	AF3C.exe	powershell.exe
PID 3636 wrote to memory of 4268	3636	AF3C.exe	powershell.exe
PID 2800 wrote to memory of 4972	2800	9897.exe	BitLockerToGo.exe
PID 2800 wrote to memory of 4972	2800	9897.exe	BitLockerToGo.exe
PID 2800 wrote to memory of 4972	2800	9897.exe	BitLockerToGo.exe
PID 2800 wrote to memory of 4972	2800	9897.exe	BitLockerToGo.exe
PID 2800 wrote to memory of 4972	2800	9897.exe	BitLockerToGo.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe
"C:\Users\Admin\AppData\Local\Temp\29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AC4D.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2130.exe
C:\Users\Admin\AppData\Local\Temp\2130.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\2130.exe
C:\Users\Admin\AppData\Local\Temp\2130.exe
2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\70793521-fdba-49c9-9884-ee71efcd077c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4872

C:\Users\Admin\AppData\Local\Temp\2130.exe
"C:\Users\Admin\AppData\Local\Temp\2130.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\2130.exe
"C:\Users\Admin\AppData\Local\Temp\2130.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 568
5⤵
- Program crash
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5108 -ip 5108
1⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\2EBE.exe
C:\Users\Admin\AppData\Local\Temp\2EBE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 836
2⤵
- Program crash
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4708 -ip 4708
1⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\62BF.exe
C:\Users\Admin\AppData\Local\Temp\62BF.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\64C4.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\9897.exe
C:\Users\Admin\AppData\Local\Temp\9897.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:4972

C:\Users\Admin\AppData\Roaming\cidbhad
C:\Users\Admin\AppData\Roaming\cidbhad
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1944

C:\Users\Admin\AppData\Local\Temp\AF3C.exe
C:\Users\Admin\AppData\Local\Temp\AF3C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Users\Admin\AppData\Local\Temp\AF3C.exe
"C:\Users\Admin\AppData\Local\Temp\AF3C.exe"
2⤵
PID:4616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:396

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4736

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:2928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3912

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:4272

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:1572

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:3080

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:1028

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:4612

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4188

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3324

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4728

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
59e81183e22d6940a35f6ed67fd7284f

SHA1
f89e79506bb55e28e917700270d43ced58a3f359

SHA256
1f5e75b95a0642292425b320843958d8f55ff50f8a5556ac85d325b14e62521d

SHA512
afffc6628906c57cf29ecac595978793c182389734178dc2c73bf839a42f877cd6541fd5419670b415f14ed7a3c3e0256b48f9f43636c2d96f513fe1d2326257

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
cbb7e5bb1b4fab159a3938a2fc7a599d

SHA1
102d09d20ad7bee0869e182939383810b1ae7648

SHA256
8dcc70b0784bb9d1e6fc49c3f6941d49d74a4cc2418bca8c019daf71479c8259

SHA512
f2b1cb7285923fbee004255a0a309504338fd79a8a5348ebe7c47fc37833f7d42579036684223f97f2cd24d5ac1d6528ab66294ed4dc0f0d1f5a4566843a996c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
7b9d3179c37c45480f2f5be0d173e41d

SHA1
f72e350337c7d1614cdfe98c6c56c4a354b9529f

SHA256
390f96b667138f3bbdf86328c251cc62278e02b4b9b1b75aa52cfe41aa6c2ade

SHA512
a095d7f7c7ef1ba87d9da8abe158a8611b280b58ec39d8a300956402f63475dafc5861f9ce7ec21ea17ee21336e9ad0fd2cb7a2600552de0d57def3b4cd56768

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4VHCF0PY\microsoft.windows[1].xml
Filesize
97B

MD5
b00643a38637847dab98bfa6c2d53f4e

SHA1
983055bd38dff9849c550ae053cd3592db217147

SHA256
a64b8e9193f1537d2bb5f68c17018abf732832ebe4885933819f019ff9410841

SHA512
9acf44ec12ef307e812442dfd45408a6d6db702b698ae1b47b9ea8643fb0747d38baae833e8e1b9d2b540c1bfb5e2e34698c7cf6cb73555075a17fd0da7db9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2130.exe
Filesize
732KB

MD5
b083f4e64b747efd38ec736c231e04bd

SHA1
2f92f6177f7a0648b12d0d5826ce30d20de92c3a

SHA256
b3a7c556f5971016f0ba97d5cf78b5d1a4e750f2be82898166526721092de3d4

SHA512
93e7a201aa0de2c75d38d893b24f9e8cf9f46c23867b06270ca0d7964676c9c4ee4d76e929890b71a668d6934f377035ce946e2d228b37c4c2964e1aa4cab4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EBE.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\62BF.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\9897.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC4D.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF3C.exe
Filesize
4.1MB

MD5
7091c95d0e653c2e7d850f88f5bba15c

SHA1
392393b21629fdf7fb2de6c9bfd3b682a895e4b9

SHA256
d81632251a3226bc66d8b12af2d823c1987b22846889deed45a8dde6832d6638

SHA512
56ebc586f24c75d701110a18b243ebf5c6dabc2003e78cd9014b1626de2ffe24d56479c89d59c9daa493e96560bb8dca3713be0a78d51d7a1fef803acad7fdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qway1ec5.vas.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Roaming\cidbhad
Filesize
203KB

MD5
cfef270ab5ce465d112890717e9be5a6

SHA1
38a935c3c1178a5ecb98232c92e3208f2fd39103

SHA256
29ba327d0efa6634eae78ee3763580e8743f986207059d67269600026dce37af

SHA512
e37d52416e72dc9f1fc173da7d8d834baa28df1480edb2f23ae0075277e6bc92b4d8aeeba4e6a6f59e20908f53df36378ed6950ab198335b203dce490c01ece9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
e6e14bb18378fc95e3e0a16c852e511d

SHA1
df38dda6164522ae9b74e960227974b75d42b264

SHA256
8a15f48718c5039d5c9eb7b59b08c0354b5f0ddab426aec92e08c371b2c75f01

SHA512
77fdceef88c1dd9c5bb43d3a0bbaf1c1cea896b879c5b42d4978e4fe29f4a29ac9f1025f84f6b127fabcec1017bd165edaa756dc2aee6ccca1effd8a30ea20dd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
eb9ecd6188771d12f4bbe813dcfbee54

SHA1
587658f881c64806d445de25e74be54411c6cf8b

SHA256
a39743785f0b9ae38bfb6a5122ed5e50e6a331b10c2161015f163260dd5878c8

SHA512
1a071603ba1447eb7859ec902be1114ce5a64b407d19e388926e8d8735ade731e3be66ff81f2b6c1785206b00cb1124563aabe731ac6bdb1926ea75c1d480d1f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
b0d47096edae55ef1a7669e85fc04a39

SHA1
ed2998fbe98ca477d46047af6c6dc85292f38fd9

SHA256
480cf24880d795126b890accad7963080f76c105ffb71a3552e332db61fe1d06

SHA512
433859184367fd7b1de46110716088cb774a6297446c6ad12d29dd320f6d03b3e5514bdbd701b52218fc3dd3474caef0162d42af8fcfabba980a2f413a2a25f4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
5b9eda91149bd80984b9973274ffe2ec

SHA1
b9a7196ed02d395320f14870f2395e90bb8d744a

SHA256
c13f54a63630437cd92f3f602859ed6c79ca09a3b35086ed88e0bcdfd9afbcdd

SHA512
ce699a2b260c96b882cb395af3bd31b1e1d3e34969d35a2ca408916fdd18e3dd33c8181b951ae0f09a0cc7eb3bbc9dd85c2a9ded73d9849c178b003f0f06b3b7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
4e1aa15c2f5d278126096d7e9c87b19b

SHA1
c3f36943ed8af797dbecbeb304b951e1f208b57d

SHA256
b0976618b06816f7ec4a55692413f6d7f0d18dfdcd1dbad19f41cdb458f7642c

SHA512
a049b23a1a2b6eb73a243ee3dcfae5a309d0db6e9bfa726ed0d505469059155aa3ddde6f285c021a0fc9d5096df438514492ab9d0d64898d940c8d7e8a8567d3

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/220-183-0x0000000000E10000-0x0000000000E26000-memory.dmp

Filesize
88KB

Download
memory/1572-68-0x00000000066C0000-0x0000000006CD8000-memory.dmp

Filesize
6.1MB

Download
memory/1572-69-0x00000000060A0000-0x00000000061AA000-memory.dmp

Filesize
1.0MB

Download
memory/1572-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1572-101-0x0000000007E00000-0x000000000832C000-memory.dmp

Filesize
5.2MB

Download
memory/1572-62-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/1572-63-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/1572-64-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-66-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/1572-65-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/1572-118-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-74-0x0000000006F30000-0x0000000006F80000-memory.dmp

Filesize
320KB

Download
memory/1572-98-0x0000000007320000-0x00000000074E2000-memory.dmp

Filesize
1.8MB

Download
memory/1572-70-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/1572-71-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/1572-72-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download
memory/1572-73-0x0000000006230000-0x0000000006296000-memory.dmp

Filesize
408KB

Download
memory/1748-276-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/1944-188-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1944-605-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2800-222-0x00007FF739F70000-0x00007FF73BEBC000-memory.dmp

Filesize
31.3MB

Download
memory/2800-189-0x00007FF739F70000-0x00007FF73BEBC000-memory.dmp

Filesize
31.3MB

Download
memory/2964-39-0x00000000021E0000-0x0000000002281000-memory.dmp

Filesize
644KB

Download
memory/3120-122-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-132-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/3120-90-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/3120-94-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3120-96-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3120-93-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3120-97-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3120-99-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3120-100-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3120-91-0x0000000000CB0000-0x0000000001995000-memory.dmp

Filesize
12.9MB

Download
memory/3120-102-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-105-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-104-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-103-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-106-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-107-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-108-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-109-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-111-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-110-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-112-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-114-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-113-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-116-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-89-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3120-119-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-117-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-121-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-120-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-83-0x0000000000CB0000-0x0000000001995000-memory.dmp

Filesize
12.9MB

Download
memory/3120-123-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-124-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-125-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-126-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-127-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-129-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-130-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-131-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/3120-133-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/3120-92-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/3120-128-0x0000000003F00000-0x0000000004000000-memory.dmp

Filesize
1024KB

Download
memory/3120-134-0x0000000000CB0000-0x0000000001995000-memory.dmp

Filesize
12.9MB

Download
memory/3120-88-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/3452-177-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3452-4-0x00000000031E0000-0x00000000031F6000-memory.dmp

Filesize
88KB

Download
memory/3560-2-0x0000000002280000-0x000000000228B000-memory.dmp

Filesize
44KB

Download
memory/3560-1-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/3560-5-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3560-3-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3636-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3908-613-0x0000028FF0FB0000-0x0000028FF0FD0000-memory.dmp

Filesize
128KB

Download
memory/3908-616-0x0000028FF1380000-0x0000028FF13A0000-memory.dmp

Filesize
128KB

Download
memory/3908-615-0x0000028FF0F70000-0x0000028FF0F90000-memory.dmp

Filesize
128KB

Download
memory/4268-20-0x0000000002200000-0x0000000002297000-memory.dmp

Filesize
604KB

Download
memory/4268-21-0x00000000022A0000-0x00000000023BB000-memory.dmp

Filesize
1.1MB

Download
memory/4404-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4404-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4404-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4404-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4404-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4408-368-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/4588-288-0x000001B693560000-0x000001B693580000-memory.dmp

Filesize
128KB

Download
memory/4588-290-0x000001B693520000-0x000001B693540000-memory.dmp

Filesize
128KB

Download
memory/4588-292-0x000001B693930000-0x000001B693950000-memory.dmp

Filesize
128KB

Download
memory/4616-363-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4708-55-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4708-67-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/4708-56-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/4708-61-0x0000000002840000-0x0000000004840000-memory.dmp

Filesize
32.0MB

Download
memory/4708-54-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/4708-53-0x0000000000310000-0x0000000000374000-memory.dmp

Filesize
400KB

Download
memory/4924-381-0x000001FF64D50000-0x000001FF64D70000-memory.dmp

Filesize
128KB

Download
memory/4924-379-0x000001FF649D0000-0x000001FF649F0000-memory.dmp

Filesize
128KB

Download
memory/4924-377-0x000001FF649B0000-0x000001FF649D0000-memory.dmp

Filesize
128KB

Download
memory/4924-375-0x000001FF649F0000-0x000001FF64A10000-memory.dmp

Filesize
128KB

Download
memory/4972-221-0x0000000001000000-0x000000000104B000-memory.dmp

Filesize
300KB

Download
memory/4972-219-0x0000000001000000-0x000000000104B000-memory.dmp

Filesize
300KB

Download
memory/5108-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download