dcrat | 0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Size

1.5MB
MD5

3b0a6949a267720496eb0e81fc9de90b
SHA1

06ffe0b8f18fa03019a913f641d0b16bef0a0bf8
SHA256

0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305
SHA512

3823fab092e42f949b1653c1bb20a908f2b9f48fdfb8f3b78944d9fd9c9721696bf519546bf4d1f268292733e668a9d211b2fc139eb5e1dfa6ce6c3e9f0690da
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRm:EzhWhCXQFN+0IEuQgyiVK+

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\Windows\\System32\\KBDINUK2\\spoolsv.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\Windows\\System32\\KBDINUK2\\spoolsv.exe\", \"C:\\Windows\\System32\\pnidui\\lsass.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\Windows\\System32\\KBDINUK2\\spoolsv.exe\", \"C:\\Windows\\System32\\pnidui\\lsass.exe\", \"C:\\Windows\\System32\\Microsoft.Uev.CabUtil\\taskhostw.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1436	schtasks.exe	82

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1200	powershell.exe
4836	powershell.exe
1080	powershell.exe
4680	powershell.exe
4928	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 10 IoCs

pid	Process
4208	SearchApp.exe
1612	SearchApp.exe
1824	SearchApp.exe
632	SearchApp.exe
1368	SearchApp.exe
3832	SearchApp.exe
1780	SearchApp.exe
336	SearchApp.exe
4188	SearchApp.exe
5000	SearchApp.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDINUK2\\spoolsv.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\pnidui\\lsass.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\pnidui\\lsass.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\Microsoft.Uev.CabUtil\\taskhostw.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\Microsoft.Uev.CabUtil\\taskhostw.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDINUK2\\spoolsv.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\KBDINUK2\f3b6ecef712a24	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\pnidui\lsass.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\pnidui\6203df4a6bafc7	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\KBDINUK2\RCXCDE1.tmp	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\pnidui\lsass.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\Microsoft.Uev.CabUtil\taskhostw.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\KBDINUK2\spoolsv.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\Microsoft.Uev.CabUtil\ea9f0e6c9e2dcd	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\KBDINUK2\spoolsv.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\pnidui\RCXCFF5.tmp	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\Microsoft.Uev.CabUtil\RCXD1FA.tmp	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\Microsoft.Uev.CabUtil\taskhostw.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\38384e6a620884	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\RCXCBDC.tmp	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3864	schtasks.exe
4036	schtasks.exe
2376	schtasks.exe
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
4836	powershell.exe
4680	powershell.exe
4928	powershell.exe
1080	powershell.exe
1200	powershell.exe
4928	powershell.exe
1200	powershell.exe
4836	powershell.exe
4680	powershell.exe
1080	powershell.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe
4208	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	4208	SearchApp.exe
Token: SeDebugPrivilege	1612	SearchApp.exe
Token: SeDebugPrivilege	1824	SearchApp.exe
Token: SeDebugPrivilege	632	SearchApp.exe
Token: SeDebugPrivilege	1368	SearchApp.exe
Token: SeDebugPrivilege	3832	SearchApp.exe
Token: SeDebugPrivilege	1780	SearchApp.exe
Token: SeDebugPrivilege	336	SearchApp.exe
Token: SeDebugPrivilege	4188	SearchApp.exe
Token: SeDebugPrivilege	5000	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1200	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	87
PID 5096 wrote to memory of 1200	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	87
PID 5096 wrote to memory of 4836	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	88
PID 5096 wrote to memory of 4836	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	88
PID 5096 wrote to memory of 1080	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	89
PID 5096 wrote to memory of 1080	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	89
PID 5096 wrote to memory of 4680	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	90
PID 5096 wrote to memory of 4680	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	90
PID 5096 wrote to memory of 4928	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	91
PID 5096 wrote to memory of 4928	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	91
PID 5096 wrote to memory of 3948	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	96
PID 5096 wrote to memory of 3948	5096	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	96
PID 3948 wrote to memory of 3156	3948	cmd.exe	99
PID 3948 wrote to memory of 3156	3948	cmd.exe	99
PID 3948 wrote to memory of 4208	3948	cmd.exe	100
PID 3948 wrote to memory of 4208	3948	cmd.exe	100
PID 4208 wrote to memory of 2072	4208	SearchApp.exe	101
PID 4208 wrote to memory of 2072	4208	SearchApp.exe	101
PID 4208 wrote to memory of 3936	4208	SearchApp.exe	102
PID 4208 wrote to memory of 3936	4208	SearchApp.exe	102
PID 2072 wrote to memory of 1612	2072	WScript.exe	110
PID 2072 wrote to memory of 1612	2072	WScript.exe	110
PID 1612 wrote to memory of 3696	1612	SearchApp.exe	111
PID 1612 wrote to memory of 3696	1612	SearchApp.exe	111
PID 1612 wrote to memory of 2920	1612	SearchApp.exe	112
PID 1612 wrote to memory of 2920	1612	SearchApp.exe	112
PID 3696 wrote to memory of 1824	3696	WScript.exe	114
PID 3696 wrote to memory of 1824	3696	WScript.exe	114
PID 1824 wrote to memory of 4772	1824	SearchApp.exe	115
PID 1824 wrote to memory of 4772	1824	SearchApp.exe	115
PID 1824 wrote to memory of 4140	1824	SearchApp.exe	116
PID 1824 wrote to memory of 4140	1824	SearchApp.exe	116
PID 4772 wrote to memory of 632	4772	WScript.exe	117
PID 4772 wrote to memory of 632	4772	WScript.exe	117
PID 632 wrote to memory of 3848	632	SearchApp.exe	118
PID 632 wrote to memory of 3848	632	SearchApp.exe	118
PID 632 wrote to memory of 2744	632	SearchApp.exe	119
PID 632 wrote to memory of 2744	632	SearchApp.exe	119
PID 3848 wrote to memory of 1368	3848	WScript.exe	120
PID 3848 wrote to memory of 1368	3848	WScript.exe	120
PID 1368 wrote to memory of 2340	1368	SearchApp.exe	121
PID 1368 wrote to memory of 2340	1368	SearchApp.exe	121
PID 1368 wrote to memory of 3844	1368	SearchApp.exe	122
PID 1368 wrote to memory of 3844	1368	SearchApp.exe	122
PID 2340 wrote to memory of 3832	2340	WScript.exe	123
PID 2340 wrote to memory of 3832	2340	WScript.exe	123
PID 3832 wrote to memory of 2128	3832	SearchApp.exe	124
PID 3832 wrote to memory of 2128	3832	SearchApp.exe	124
PID 3832 wrote to memory of 4504	3832	SearchApp.exe	125
PID 3832 wrote to memory of 4504	3832	SearchApp.exe	125
PID 2128 wrote to memory of 1780	2128	WScript.exe	126
PID 2128 wrote to memory of 1780	2128	WScript.exe	126
PID 1780 wrote to memory of 4064	1780	SearchApp.exe	127
PID 1780 wrote to memory of 4064	1780	SearchApp.exe	127
PID 1780 wrote to memory of 876	1780	SearchApp.exe	128
PID 1780 wrote to memory of 876	1780	SearchApp.exe	128
PID 4064 wrote to memory of 336	4064	WScript.exe	129
PID 4064 wrote to memory of 336	4064	WScript.exe	129
PID 336 wrote to memory of 4088	336	SearchApp.exe	130
PID 336 wrote to memory of 4088	336	SearchApp.exe	130
PID 336 wrote to memory of 2996	336	SearchApp.exe	131
PID 336 wrote to memory of 2996	336	SearchApp.exe	131
PID 4088 wrote to memory of 4188	4088	WScript.exe	132
PID 4088 wrote to memory of 4188	4088	WScript.exe	132

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
"C:\Users\Admin\AppData\Local\Temp\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDINUK2\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\pnidui\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft.Uev.CabUtil\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1ypd3qTX0L.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3156
- - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4208
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9ef50cd-55e0-40db-8461-3125a425b09a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1612
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f83160a8-7b74-4267-97a0-c015c1ee2ea4.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ac83de-2b72-4f3b-a01e-6cd4014a6cf2.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11ded0df-e7a2-4ad1-bc17-42462ad18233.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59bccd63-c29f-4c81-9450-1781dea08aa1.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ece1eafa-08e0-489e-8ab8-80cf3156ec6d.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d17b291b-b0b8-479a-af49-229308894d92.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83a5c92f-b7ed-4de1-8349-96a3b20d1507.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ca7330e-9d0f-4bfa-88e1-1821c65e8226.vbs"
        20⤵
        
        PID:3012
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9197796-6776-4e66-8606-57274c01aea0.vbs"
        22⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7803b1db-9da9-4fa8-93ac-4728d19f9a9a.vbs"
        22⤵
        
        PID:4700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0082ad3f-2f32-425c-a0aa-8d99c30d0916.vbs"
        20⤵
        
        PID:4324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff06d781-8491-447a-9ad8-c000c2cfb2d2.vbs"
        18⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f386e43f-43c3-42bf-8299-98e0526a00ae.vbs"
        16⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4a4ccf6-d893-4c48-b686-a6a73d0ba312.vbs"
        14⤵
        
        PID:4504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\687d1dd1-7e07-417c-96e3-97ae2066bcfd.vbs"
        12⤵
        
        PID:3844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c42da31e-2c26-4aa6-832f-448cc9a542fd.vbs"
        10⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d94069ba-5489-4925-a635-7bcf9e448e49.vbs"
        8⤵
        
        PID:4140
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa1bb9aa-595b-4517-beba-a9d2a48d5511.vbs"
        6⤵
        
        PID:2920
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d701898f-f723-45fa-a6dd-7269ab7378d4.vbs"
      4⤵
      PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDINUK2\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\pnidui\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\Microsoft.Uev.CabUtil\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\11ded0df-e7a2-4ad1-bc17-42462ad18233.vbs

Filesize
773B

MD5
32ee48d9124a3a0fa6ff8d95e5d77872

SHA1
9851d56cf3c8c4027e6cddddbe876633de9de6d7

SHA256
eb4300eaa1f69424ea5ca3d4f54094203fd8a7c50d8d59a2038b18874c34d0c3

SHA512
e666759d6bbd7aadf870353e3ae6b7b9a85e74d78720203358c95764010b3e5d9cbba69b44f991dd437b962ff4a41266cdad306f392f74dec2b7690888896069

Download Submit
C:\Users\Admin\AppData\Local\Temp\15ac83de-2b72-4f3b-a01e-6cd4014a6cf2.vbs

Filesize
774B

MD5
4e48b1f2f94fdecba32c770d19595b38

SHA1
330992dce1433aadc190c11594b83d2e56a94c84

SHA256
0098c8eef497e6640d31b49558b56437047d6ca38d146b9b8b407c7bae0412e8

SHA512
74f974a013c535c2efa66eb874a2b7d90df062556c799cfa7f8aae970c2c9acf43d559fa9a7fef23fe941e919bae11eb49c08d656162cda91a266e8e2b6b5204

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ypd3qTX0L.bat

Filesize
262B

MD5
96c1f6a508df80492f8b5104b1d2d515

SHA1
89371914a22ce379d4f32864666120ac85802d88

SHA256
28943599069ae500a9474a1f3d6dd3379da54aaacd5b7109eed962c925b343df

SHA512
cbfabcf06758b00ba8287b4dcdaa138f2b354aac70abf5b452d487c589e7b6ef2f135ecfb05bce40e2910ff1354fc32605ded2306bf42f6830b78f116267b100

Download Submit
C:\Users\Admin\AppData\Local\Temp\59bccd63-c29f-4c81-9450-1781dea08aa1.vbs

Filesize
774B

MD5
388a8e9820bb6053b923d6f03962a180

SHA1
0715138caa50c930803d9b6c3e6ec767bf7d04d5

SHA256
821ac6032151db1af5e322eccb1f3e1b477b11955fa2a339f8d440d1e14ae534

SHA512
8dbf9441971fa36ae8fb43c7e9f3dcf035c5321952eee98bcbce1c8c36376835bbeebc107c44c8ec93a0b203ac4b678c39bf11d584f3e8a8108052b4ff024ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ca7330e-9d0f-4bfa-88e1-1821c65e8226.vbs

Filesize
774B

MD5
843b165c6d4a8e1a701722adb2f21b20

SHA1
4fd43465687acec8358090ba8291b26db95ec3d6

SHA256
da0503fe534ab946e8018e2fd488314b876831f975034f64d63c7df6731c5e2e

SHA512
d10a8c2d5438d54e6c63088a025b8a63e5e36bb583dae43de45aa06330d29b8e8e9774468af881063b37b7d6813b7d24a1319787e64ec753941ae9ad4e7e4e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\83a5c92f-b7ed-4de1-8349-96a3b20d1507.vbs

Filesize
773B

MD5
c11e14e1f1d3877d8ffd9e01b865fe88

SHA1
2be65c16da6886f8029849e142202f19cc906189

SHA256
0431bea554e141d82ce168236c1eecb4dbe6b912a7c5b4e2b88f601b20522ca5

SHA512
1eaf0d7337a79058392722e8b8a40308b303f1d3cfb2b06b67a878635bfea2660085c8f02dd00d447af8365918c81ce5364deba7e53adb6f2ab38a28c3dd72d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gou3qbxa.4en.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d17b291b-b0b8-479a-af49-229308894d92.vbs

Filesize
774B

MD5
0081eb22e183a16bfcdaebb79a07280b

SHA1
f17eeeefd1d9490ce0022512df45c592e2894db2

SHA256
ebea6c56259e646292960092a2cf47f3578a6879b3926262657e1ac141995c1c

SHA512
cea313f95334263956af8d9703c4d976d1b297cec8d365e85ad4950132edf2c57fe6a73602a0cb024249a5b6eb1f9e37db8939a28939f216b149f0c8fe51ed71

Download Submit
C:\Users\Admin\AppData\Local\Temp\d701898f-f723-45fa-a6dd-7269ab7378d4.vbs

Filesize
550B

MD5
d48a1da84dbab38e7347ae29deaac417

SHA1
ba971b7055d27b3f9fa150b9bfb3e7535b14a747

SHA256
11d431131f09cbd4c56c0110fe6a02935f7f6726f16cbdbf4ff5e82d8385cd5c

SHA512
3d848480e5851a5896b9c81376aee5c08287d090ebdc7b819634da5fbda9419d50dcc1ce919481237aecd9d167898ccbfa15a39ea189dce299aa30fe88f32b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9197796-6776-4e66-8606-57274c01aea0.vbs

Filesize
774B

MD5
b2041a4693ba207e90a095184599f678

SHA1
c5b32e4bc53f2320f30351922b9079df84e3de00

SHA256
435b8978c7df4d984fd495f827f687c44dd1c991ef0b4b63dd8dfa106655e623

SHA512
ea2dedccb9633efb4121afb6609d18e618e95ab8fa69cc61b4830cad669cd83fc7906ba94b054854f0339027f56a1ccd9d0ae4406c1ddc7ab62c3f2b9304ca20

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9ef50cd-55e0-40db-8461-3125a425b09a.vbs

Filesize
774B

MD5
73d24e254954360a2e7f5e9220e48b0d

SHA1
9ecd101163e190aff112e3f731f2d28536b368c4

SHA256
fa590a55df09d86dfb40adf754c48465cb48f25a9d67b4fb8578ad4bfd4ba712

SHA512
969879d4c268b9eb9ca49830a22716e82b579a43156f165a25c3167f5f8202873023ee9d99402b34ffc838b298f7d5b57ad79bdc8a6ae7093fc74da06a8e70de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ece1eafa-08e0-489e-8ab8-80cf3156ec6d.vbs

Filesize
774B

MD5
476afb2c94bbcc1548016f926f9d71df

SHA1
d9e4526864a776c3f54d2e25163abd497a45dcda

SHA256
9dfb4e0dbe2ea4db853f5a12c6da9c9c4d204cc498e34dbe0c95b1283cdb6e87

SHA512
7ce2ccb931323695923a1fc58a6903a3ed55cc6199a50db6e29fe2a961b0a9dca75493067820817e55fa13005d0e1cb435cbfeb52a5d3b3169aa1ecec3ab1cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\f83160a8-7b74-4267-97a0-c015c1ee2ea4.vbs

Filesize
774B

MD5
4a0c4986edd9f7bdd3bf14ab9f2a9fe4

SHA1
38e95f958b1cb2e0b9cc2ae1d39bcb298bb92185

SHA256
623262cc8ff150ca618765b566119eafa1cd1af1bf4fb662363e39c3efd63bd6

SHA512
6ab002bf337f27dcd7fce01065b7e9a84b1c9d1ddcee031ea132e7502ddca2a0545878a438bc25db888ec2c53ddbd57fee380efdf79e5eb9aaacf65f915dfebd

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe

Filesize
1.5MB

MD5
3b0a6949a267720496eb0e81fc9de90b

SHA1
06ffe0b8f18fa03019a913f641d0b16bef0a0bf8

SHA256
0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305

SHA512
3823fab092e42f949b1653c1bb20a908f2b9f48fdfb8f3b78944d9fd9c9721696bf519546bf4d1f268292733e668a9d211b2fc139eb5e1dfa6ce6c3e9f0690da

Download Submit
memory/1368-178-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/1612-144-0x000000001B200000-0x000000001B212000-memory.dmp

Filesize
72KB

Download
memory/4188-223-0x0000000001460000-0x0000000001472000-memory.dmp

Filesize
72KB

Download
memory/4208-131-0x0000000001A30000-0x0000000001A42000-memory.dmp

Filesize
72KB

Download
memory/4836-75-0x000001C86AD40000-0x000001C86AD62000-memory.dmp

Filesize
136KB

Download
memory/5096-12-0x000000001B830000-0x000000001B838000-memory.dmp

Filesize
32KB

Download
memory/5096-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/5096-25-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-106-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-24-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-21-0x000000001BFC0000-0x000000001BFC8000-memory.dmp

Filesize
32KB

Download
memory/5096-20-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/5096-18-0x000000001B890000-0x000000001B898000-memory.dmp

Filesize
32KB

Download
memory/5096-17-0x000000001B880000-0x000000001B88C000-memory.dmp

Filesize
48KB

Download
memory/5096-16-0x000000001B870000-0x000000001B878000-memory.dmp

Filesize
32KB

Download
memory/5096-15-0x000000001B860000-0x000000001B86A000-memory.dmp

Filesize
40KB

Download
memory/5096-14-0x000000001B850000-0x000000001B85C000-memory.dmp

Filesize
48KB

Download
memory/5096-13-0x000000001B840000-0x000000001B84A000-memory.dmp

Filesize
40KB

Download
memory/5096-49-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-11-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/5096-10-0x000000001B810000-0x000000001B820000-memory.dmp

Filesize
64KB

Download
memory/5096-9-0x000000001B800000-0x000000001B80C000-memory.dmp

Filesize
48KB

Download
memory/5096-8-0x000000001B7F0000-0x000000001B7F8000-memory.dmp

Filesize
32KB

Download
memory/5096-6-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

Filesize
40KB

Download
memory/5096-7-0x0000000002E00000-0x0000000002E0C000-memory.dmp

Filesize
48KB

Download
memory/5096-5-0x0000000002DF0000-0x0000000002DFC000-memory.dmp

Filesize
48KB

Download
memory/5096-3-0x0000000002CB0000-0x0000000002CB8000-memory.dmp

Filesize
32KB

Download
memory/5096-4-0x0000000002DD0000-0x0000000002DE2000-memory.dmp

Filesize
72KB

Download
memory/5096-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-1-0x0000000000A20000-0x0000000000B9E000-memory.dmp

Filesize
1.5MB

Download