Analysis
max time kernel: 140s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 27-07-2021 13:41
Static task: static1
Behavioral task: behavioral1 (Sample: dp.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: dp.exe, Resource: win10v20210408)
General
Target: dp.exe
Size: 763KB
MD5: 0a50081a6cd37aea0945c91de91c5d97
SHA1: 755309c6d9fa4cd13b6c867cde01cc1e0d415d00
SHA256: 6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b
SHA512: f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "2" | dp.exe
-
Registers COM server for autorun 1 TTPs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
description | pid | process | target process
PID 3716 created 996 | 3716 | svchost.exe | dp.exe
PID 3716 created 2728 | 3716 | svchost.exe | dp.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
4164 | mpam-1d753155.exe
4192 | MpSigStub.exe
4288 | mpam-440c586a.exe
4324 | mpsigstub.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
2600 | MsMpEng.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
2600 | MsMpEng.exe
-
Windows security modification 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | dp.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "\"%ProgramFiles%\\Windows Defender\\MSASCuiL.exe\"" | MsMpEng.exe
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | dp.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | dp.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | dp.exe
-
Drops file in Windows directory 21 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.log | MpCmdRun.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe | MpCmdRun.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\119.0.0.0_to_119.0.0.0_NISfull.vdm_source_NISbase.vdm._p | mpam-440c586a.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\gapaengine.dll | mpam-440c586a.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun-25-53C9D589-6B66-4F30-9BAB-9A0193B0BAFC.lock | MpCmdRun.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe | mpam-1d753155.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpasbase.vdm | mpam-1d753155.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpasdlta.vdm | mpam-1d753155.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpavbase.vdm | mpam-1d753155.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpavdlta.vdm | mpam-1d753155.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\nisbase.vdm | mpam-440c586a.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\nisfull.vdm | mpsigstub.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.log | MpCmdRun.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe | MpCmdRun.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpSigStub.log | MpSigStub.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exe | mpam-440c586a.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpSigStub.log | mpsigstub.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MPTelemetrySubmit\client_manifest.txt | mpsigstub.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.log | MpCmdRun.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpengine.dll | mpam-1d753155.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MPTelemetrySubmit\watson_manifest.txt | mpsigstub.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | MsMpEng.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | MsMpEng.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | MsMpEng.exe
-
Modifies Internet Explorer settings 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE} | MsMpEng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE} | MsMpEng.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | MpCmdRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\CachedProxyBypass | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token | MpCmdRun.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token\{922DF99B-F4C3-4B57-B70A-AA696443101A}\DeviceId = "0018000633D366AB" | MpCmdRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\CachedProxy | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | MpCmdRun.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token\{922DF99B-F4C3-4B57-B70A-AA696443101A}\DeviceTicket = (binary value, hex on the following lines)
0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000cb35b265870ecb47af3174bdeb244d0c00000000020000000000106600000001000020000000d6b89a6a3949a4263d7f63b8c210ddd8b33f77283bb08481b741c1c1bfcab4b2000000000e80000000020000200000001fdc9c5efca7bc48405ea6e88cbfcfaa077b58662124e1efcda5b568f2843708d0030000a8d046e90f3494853f8b5d83587f5e8faf69533d0f68cdfcdeff288e6011fe6ae082135ad89e793a8f22c302d1938391d30863dbff539938923491e1e3fd493712f547479a024c3bcb35106ef30fd5e3f40ecac7cde0263551684ade26992d7c7ed5c6839c96da960f5884b22935c1312db594529689b7b6f6573ce2ec9eaa50ae1ad7f608897f79d713b18313ec3c07f9908b7590d6ffae8da5ccfffc5c2582dae3f53d3e16943fb0a210c4c80437ec4510bbdc6947177148c1a5009be67f13a0de8146351f3ccd16257fca02a782f644ccd68a1c802ce145e929c40e36df18c38b1991a8f5eb947b13cfae4a788e6a389048c14c52121475cb6106316be4123ddc92d60de00a874ecbd2f6cfdbb3e4ffb9665eb85812d277969d4cdeafab7ca3afd6a24b5c8d22b7c30398d581a2fab636f2a5e982dd75ffcf570963944b7c15922101029a6f7ac9c8dba5aebf423e6862061c146787415f3284452baf63b04c302999982ff1f0dc9bf1f42134286084696a0b75e9d11895735fbc4e1ac5694c531b86d4718ed4b682ee90ca7365f4a17670301d7327bd14664420bb9f8c5f21fe4ee2b4750a0e449a89461480e4284e20ae910aa485abbbdd134b2b11b7427c14e26d79fbb74351a8b434db0ce3b5b7a1d1ac0cc183bf358ec4704c6546d445be412bce95d3edc20187278dcb0b0464231a637038d88ca98dfa77d8883b4f868806d501246f756beaa4996200c9a097315b132d870bef7807684c8aa7c571549a1f44870b0c619a2e3a6f9d08b87a2dc18d379c1663d0a612b0abdcc0d0a867f8a63e2e9637cc77bab928a84e1a232f58a17b5214f324355a3bc3e3392758dd738d240208b455169549b4d3a4a758ad314e2d25e8b5b446eae8155c07a5c2049e65d43e655223c502b9b5ade0cdfce1e65fd2ce5e07410b429fe3d89f5194f2ea2f2ee3d30a17a42cd1aa44f4cf64bee0709e255796507e4f4177dfdc581ffb5e90b1ff01eba4c8c9837e4878a5ecfc5491e5df5843a65419c4349e802c14ff287f0f5043ba3bc08257b483b8e3921531f336d915d6971121216be350d2d1e32a7739ca864fc7a3561cc6676c552c72aa89ddb68e87cdbc01d7e27f6cdfb9845a64e1fc6197a1d82b802ecc6bf3ad5bf7fa88e3b27a8fec3a4b95ac1f45ae8d7740dfee4c6acc820ddfbb7dfcf1db06b5
cb669250ecb8ab21b15b682be3543c98aef56cdade64699a7aaef51016f47aae8bc519864c651b59d98b402cb63080622c2bca844a831623fa703814a11275e1df6fe714d43e547dc7982efea7023dcf31ef244e8a5a8658ea1a432e45e0e5244a20f2fa710e2cbb3b51fe314351058c945817219cb896d02a997c4058c1400000007678741df85887ec62023acde4bc6ff9da744679c58230f93a52adb768c2926f573d74587fa133d0f64771707467844d7a58f36021b7dfba691a5ef89408403a | MpCmdRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\LastKnownGoodProxy = "1" | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | MpCmdRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\CachedProxyAccessType = "1" | MsMpEng.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | MpCmdRun.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018000633D366AB = (binary value, hex on the following line)
0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000cb35b265870ecb47af3174bdeb244d0c0000000002000000000010660000000100002000000030509c8b561a000dcf16ea3ccb976694a30e72835e101acd7718667531d44299000000000e80000000020000200000000c277e30a9d13a4d1c62c67afdbdf68e05bbf6c633d7ddcb12f1556572b4c42c800000004292724011677b0aae24fd2bd581462f542f2d72099d034797b44372a5ab04046988bc900e7f40d9ee3943b7b3a59e787197af1dd39f0189c3aff5b5292bf1eff1c8c49fc4d559dcdfdebb573d671667725757fd0ac51f2dc64d30864075dd8c5c89cc223a39927f4277a5facf2cafd38dc69092cd3890b4c418c827920beed840000000b33e6946b03f33b1ab2b7ad5d90b4a91d989cf97419bca471e726616e4e53d61b7b409b88dcf9c0ae72e9465b9dd393be9e41150b20e929fe4159a5c9e71914c | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token\{922DF99B-F4C3-4B57-B70A-AA696443101A} | MpCmdRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | MpCmdRun.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | MpCmdRun.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Defender | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MpCmdRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\DssCounter = "1" | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Property | MpCmdRun.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token\{922DF99B-F4C3-4B57-B70A-AA696443101A}\ApplicationFlags = "1" | MpCmdRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E | MpCmdRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsMpEng.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MpCmdRun.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows Defender | MpCmdRun.exe
-
Modifies registry class 13 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}" | MsMpEng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}" | MsMpEng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | MsMpEng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 | MsMpEng.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 | MsMpEng.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\IMPLEMENTED CATEGORIES\DISABLED - {56FFCC30-D398-11D0-B2AE-00A0C908FA49} | MsMpEng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | MsMpEng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | MsMpEng.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\IMPLEMENTED CATEGORIES\DISABLED - {56FFCC30-D398-11D0-B2AE-00A0C908FA49} | MsMpEng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID | MsMpEng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | MsMpEng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}" | MsMpEng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | MsMpEng.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | occurrences
996 | dp.exe | 42
2728 | dp.exe | 20
3812 | dp.exe | 2
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
996 | dp.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
2600 | MsMpEng.exe
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 996 | dp.exe
Token: SeAssignPrimaryTokenPrivilege | 996 | dp.exe
Token: SeIncreaseQuotaPrivilege | 996 | dp.exe
Token: 0 | 996 | dp.exe
Token: SeTcbPrivilege | 3716 | svchost.exe
Token: SeTcbPrivilege | 3716 | svchost.exe
Token: SeDebugPrivilege | 2728 | dp.exe
Token: SeAssignPrimaryTokenPrivilege | 2728 | dp.exe
Token: SeIncreaseQuotaPrivilege | 2728 | dp.exe
Token: SeAssignPrimaryTokenPrivilege | 2600 | MsMpEng.exe
Token: SeIncreaseQuotaPrivilege | 2600 | MsMpEng.exe
Token: SeTcbPrivilege | 2600 | MsMpEng.exe
Token: SeSecurityPrivilege | 2600 | MsMpEng.exe
Token: SeTakeOwnershipPrivilege | 2600 | MsMpEng.exe
Token: SeLoadDriverPrivilege | 2600 | MsMpEng.exe
Token: SeIncBasePriorityPrivilege | 2600 | MsMpEng.exe
Token: SeBackupPrivilege | 2600 | MsMpEng.exe
Token: SeRestorePrivilege | 2600 | MsMpEng.exe
Token: SeShutdownPrivilege | 2600 | MsMpEng.exe
Token: SeDebugPrivilege | 2600 | MsMpEng.exe
Token: SeSystemEnvironmentPrivilege | 2600 | MsMpEng.exe
Token: SeChangeNotifyPrivilege | 2600 | MsMpEng.exe
Token: SeImpersonatePrivilege | 2600 | MsMpEng.exe
Token: SeDebugPrivilege | 2600 | MsMpEng.exe
Token: SeBackupPrivilege | 2600 | MsMpEng.exe
Token: SeRestorePrivilege | 2600 | MsMpEng.exe
Token: SeDebugPrivilege | 2600 | MsMpEng.exe
Token: SeBackupPrivilege | 2600 | MsMpEng.exe
Token: SeRestorePrivilege | 2600 | MsMpEng.exe
Token: SeBackupPrivilege | 4324 | mpsigstub.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process | occurrences
996 | dp.exe | 61
2332 | MSASCuiL.exe | 3
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process | occurrences
996 | dp.exe | 62
2332 | MSASCuiL.exe | 2
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description | pid | process | target process
PID 3716 wrote to memory of 2728 | 3716 | svchost.exe | dp.exe
PID 3716 wrote to memory of 2728 | 3716 | svchost.exe | dp.exe
PID 3716 wrote to memory of 2728 | 3716 | svchost.exe | dp.exe
PID 3716 wrote to memory of 3812 | 3716 | svchost.exe | dp.exe
PID 3716 wrote to memory of 3812 | 3716 | svchost.exe | dp.exe
PID 3716 wrote to memory of 3812 | 3716 | svchost.exe | dp.exe
PID 996 wrote to memory of 2332 | 996 | dp.exe | MSASCuiL.exe
PID 996 wrote to memory of 2332 | 996 | dp.exe | MSASCuiL.exe
PID 2600 wrote to memory of 2608 | 2600 | MsMpEng.exe | MpCmdRun.exe
PID 2600 wrote to memory of 2608 | 2600 | MsMpEng.exe | MpCmdRun.exe
PID 2608 wrote to memory of 1200 | 2608 | MpCmdRun.exe | MpCmdRun.exe
PID 2608 wrote to memory of 1200 | 2608 | MpCmdRun.exe | MpCmdRun.exe
PID 2600 wrote to memory of 2144 | 2600 | MsMpEng.exe | MpCmdRun.exe
PID 2600 wrote to memory of 2144 | 2600 | MsMpEng.exe | MpCmdRun.exe
PID 2600 wrote to memory of 2260 | 2600 | MsMpEng.exe | MpCmdRun.exe
PID 2600 wrote to memory of 2260 | 2600 | MsMpEng.exe | MpCmdRun.exe
PID 2260 wrote to memory of 1900 | 2260 | MpCmdRun.exe | MpCmdRun.exe
PID 2260 wrote to memory of 1900 | 2260 | MpCmdRun.exe | MpCmdRun.exe
PID 2600 wrote to memory of 4016 | 2600 | MsMpEng.exe | MpCmdRun.exe
PID 2600 wrote to memory of 4016 | 2600 | MsMpEng.exe | MpCmdRun.exe
PID 1900 wrote to memory of 4164 | 1900 | MpCmdRun.exe | mpam-1d753155.exe
PID 1900 wrote to memory of 4164 | 1900 | MpCmdRun.exe | mpam-1d753155.exe
PID 4164 wrote to memory of 4192 | 4164 | mpam-1d753155.exe | MpSigStub.exe
PID 4164 wrote to memory of 4192 | 4164 | mpam-1d753155.exe | MpSigStub.exe
PID 1900 wrote to memory of 4288 | 1900 | MpCmdRun.exe | mpam-440c586a.exe
PID 1900 wrote to memory of 4288 | 1900 | MpCmdRun.exe | mpam-440c586a.exe
PID 4288 wrote to memory of 4324 | 4288 | mpam-440c586a.exe | mpsigstub.exe
PID 4288 wrote to memory of 4324 | 4288 | mpam-440c586a.exe | mpsigstub.exe
Processes
C:\Users\Admin\AppData\Local\Temp\dp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dp.exe"
  - Windows security modification
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\dp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dp.exe" /SYS 0
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\dp.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\dp.exe" /TI 0
      - Modifies security service
      - Suspicious behavior: EnumeratesProcesses

  C:\Program Files\Windows Defender\MSASCuiL.exe (depth 2)
    Command line: "C:\Program Files\Windows Defender\MSASCuiL.exe"
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

\??\c:\windows\system32\gpscript.exe (depth 1)
  Command line: gpscript.exe /RefreshSystemParam

\??\c:\windows\system32\svchost.exe (depth 1)
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe (depth 1)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

\??\c:\windows\system32\gpscript.exe (depth 1)
  Command line: gpscript.exe /RefreshSystemParam

C:\Program Files\Windows Defender\MsMpEng.exe (depth 1)
  Command line: "C:\Program Files\Windows Defender\MsMpEng.exe"
  - Deletes itself
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Windows Defender\MpCmdRun.exe (depth 2)
    Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Windows Defender\MpCmdRun.exe (depth 3)
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
      - Drops file in Windows directory

  C:\Program Files\Windows Defender\MpCmdRun.exe (depth 2)
    Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate

  C:\Program Files\Windows Defender\MpCmdRun.exe (depth 2)
    Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Windows Defender\MpCmdRun.exe (depth 3)
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges -Reinvoke
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

      C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe (depth 4)
        Command line: "C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe" /q WD
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe (depth 5)
          Command line: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe /stub 1.1.17800.4 /payload 1.343.1753.0 /program C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe /q WD
          - Executes dropped EXE
          - Drops file in Windows directory

      C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe (depth 4)
        Command line: "C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe" /q WD
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exe (depth 5)
          Command line: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exe /stub 1.1.14500.5 /payload 119.0.0.0 /program C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe /q WD
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken

  C:\Program Files\Windows Defender\MpCmdRun.exe (depth 2)
    Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" GetDeviceTicket -AccessKey 1D4F51A7-FE7E-AB4B-AA55-7C6F1679FF09
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS

C:\Program Files\Windows Defender\mpuxsrv.exe (depth 1)
  Command line: "C:\Program Files\Windows Defender\mpuxsrv.exe" -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpasbase.vdm
MD5 30891107645e22f49dbef57780b98c5e
SHA1 e7b81e55cfbdd047be1d81b30b9382456af175fe
SHA256 35df40739964935e5ed44260d5156addf78de662b3af4bf3a4ab5fc1215ad9cb
SHA512 2ec6f73174fdc0b2af0fc450c9f4646fe9a09265c74cd1013634e055f733ebd01da2eca40b3e2577379b13ffb3d187b10f1b5ee90c1ad3383543ae67304d1d75
-
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpasdlta.vdm
MD5 3fa8dd64e02baf5fb222597f295caee8
SHA1 f850a4cfc61cb8b11daf8196ea97b85798e234a3
SHA256 3882dcec7a2c7cc0c3e4485e2ae5dcc092e048faa83601700ddd7809723fd963
SHA512 87bd70a1177fedac0978c0a7b110bc6d65b2a92bc4f275ce6a3b5904deb858416f4839d25e34986e2b83a38202e24fc4c69631e038eecc4f703c2a28ba3e82f8
-
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpavbase.vdm
MD5 4c6072ad516f39f5d956065ba215e4d3
SHA1 243b70bc18dd97194ce77c89e47c62364ab9394d
SHA256 fda6dbc11a33245ad47acaf6bd730db73a607e65dda3fe2f075b2d1de3eaa3c2
SHA512 cd11ec324856c650d28388bef44ebaf81f4abf2e1e50a2922be68e1e4bf431ee838e16a8caafde53821879f554910873e59b17e636e1ff099d6109f993274daf
-
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpavdlta.vdm
MD5 e4b35da5a802560cf186feffb1f52325
SHA1 134cd3629d0cd9f73e9c1ed7f22ef0f503664c29
SHA256 528e18a2b3699d45623469c287447a0caf98931dbe7fbca3a7008cdcc1b632a7
SHA512 8a37bfeb48c5022ab8a62244a6123557d110e09729e43129d64239d09a7bd898903d9dd30a414ea27b94d7428f2172a01c427a3a9ea365446228ac079c58372a
-
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpengine.dll
MD5 9f7bf1158ce47439b777116763c4947f
SHA1 f2501dfbe32c93e588d35702f9b98b25401993ca
SHA256 a233f52b558bc4bd3abc0c3538148915ccbfb372bd996ffa8087e75a7524c47d
SHA512 4eeb443625eda9409f2b8e1a19b68dc30e097cbe29938c564b09db4d13d1b486682cc0ab5afd7f67c165b6a47165e59441689bdf1375a8d4591481ab4d2f8e9b
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe
MD5 5221b7a59665153028fb57761ce560b9
SHA1 d65eae951fe09f39555951970ad03737520c7b12
SHA256 0bc408c801441239f72d7df3dd6edbcdfb5313d6ae5a04c0a13e8c2dfc39f6d8
SHA512 55bf54dd7f416b11a6f253b1ddef13422610f8870592ea3f97b40b390b52d0eaf9e689f166415a73a71b617f393cd08337e3c10009a8184fe60431475ea8e130
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpasbase.vdm
MD5 30891107645e22f49dbef57780b98c5e
SHA1 e7b81e55cfbdd047be1d81b30b9382456af175fe
SHA256 35df40739964935e5ed44260d5156addf78de662b3af4bf3a4ab5fc1215ad9cb
SHA512 2ec6f73174fdc0b2af0fc450c9f4646fe9a09265c74cd1013634e055f733ebd01da2eca40b3e2577379b13ffb3d187b10f1b5ee90c1ad3383543ae67304d1d75
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpasdlta.vdm
MD5 3fa8dd64e02baf5fb222597f295caee8
SHA1 f850a4cfc61cb8b11daf8196ea97b85798e234a3
SHA256 3882dcec7a2c7cc0c3e4485e2ae5dcc092e048faa83601700ddd7809723fd963
SHA512 87bd70a1177fedac0978c0a7b110bc6d65b2a92bc4f275ce6a3b5904deb858416f4839d25e34986e2b83a38202e24fc4c69631e038eecc4f703c2a28ba3e82f8
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpavbase.vdmMD5
4c6072ad516f39f5d956065ba215e4d3
SHA1243b70bc18dd97194ce77c89e47c62364ab9394d
SHA256fda6dbc11a33245ad47acaf6bd730db73a607e65dda3fe2f075b2d1de3eaa3c2
SHA512cd11ec324856c650d28388bef44ebaf81f4abf2e1e50a2922be68e1e4bf431ee838e16a8caafde53821879f554910873e59b17e636e1ff099d6109f993274daf
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpavdlta.vdmMD5
e4b35da5a802560cf186feffb1f52325
SHA1134cd3629d0cd9f73e9c1ed7f22ef0f503664c29
SHA256528e18a2b3699d45623469c287447a0caf98931dbe7fbca3a7008cdcc1b632a7
SHA5128a37bfeb48c5022ab8a62244a6123557d110e09729e43129d64239d09a7bd898903d9dd30a414ea27b94d7428f2172a01c427a3a9ea365446228ac079c58372a
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpengine.dllMD5
9f7bf1158ce47439b777116763c4947f
SHA1f2501dfbe32c93e588d35702f9b98b25401993ca
SHA256a233f52b558bc4bd3abc0c3538148915ccbfb372bd996ffa8087e75a7524c47d
SHA5124eeb443625eda9409f2b8e1a19b68dc30e097cbe29938c564b09db4d13d1b486682cc0ab5afd7f67c165b6a47165e59441689bdf1375a8d4591481ab4d2f8e9b
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.logMD5
676a6b308d082c7118ed82be06c91fc3
SHA1f88f3414f6f1d4ad128f921f7cee51b0c2d27ada
SHA2561cac2b7a0fb0ff12318778ba07443e3497c47c65bd39f339680f5e1611ca0535
SHA512db5e8a5bf33f05576d17ad40c85fa62fc1239e73aa5f91ee11b44b2f3134c81e8d56f1576c62be110775ac546779d2dc2620f47cd627d545986a81902c3c54b2
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.logMD5
da456a1d1465d6eb847cd6348a30f2ee
SHA19cf83a411769a45cff46ee0bece62f8a3b59cbdb
SHA2563a0eac69c12d6e8ca563836d60be2da8c8e0ec43abcbc1c40f34b5ef90c8725b
SHA512ef9b5d30121f3b5343e66ea695c3454731b6a25fa5645e5af2b832b2d76baf410622fb6946317dc0b1628e5c5ce5f2b08cd15109b797279eb1c960ddeb8302ba
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpSigStub.logMD5
82167e5348e26fcb4188a35f50697658
SHA1106a70e8b4c7261d2ab9e1d9fd0cbd5cd386e6ba
SHA2566f4b5b20cef6c889628a19dc744490f43c0eee18e2481e374ee7cc705350b8d5
SHA5120248ec4d10c8627c1e20635de01920128d613756d62b0c505fd97b3c0af49868ae7272b1c3fdcdb2782d6cb7e4671ee18be4e50d312c38a121e9d939eeb17cec
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exeMD5
fcbc053b969c69d333b74612b58f002e
SHA1ccace15fceb11656490407604fc18b0222d45850
SHA256a77e6b0635d2cf24dcce5c5723d918255d7565cff0b24b721c66035bbdd3ff57
SHA51259edb19090f9267a8f5b2d18ae5b11c7a42b8f9d9922ac25531bd710b0f2c29f78289863633331315db7edc4877a928f5911a799900cf62fb9f9df0065225b53
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exeMD5
fcbc053b969c69d333b74612b58f002e
SHA1ccace15fceb11656490407604fc18b0222d45850
SHA256a77e6b0635d2cf24dcce5c5723d918255d7565cff0b24b721c66035bbdd3ff57
SHA51259edb19090f9267a8f5b2d18ae5b11c7a42b8f9d9922ac25531bd710b0f2c29f78289863633331315db7edc4877a928f5911a799900cf62fb9f9df0065225b53
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exeMD5
99dd4797f8ef652df680e387b662ef5e
SHA112dfbedba2d3144392cd709991429c5342726a72
SHA256ce48b8ed76bcf4440ed4691d0f2009d25f8af5b1338ac92b9251e168af110154
SHA5122417f0e97fea413505fea112b6b4af350bed18234866aeb1cc17b414fe788295c5cb2d2a3f5f12f50bfe1729ccc370d0f9686a7cdb7c129c4faf6a8b8802955a
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exeMD5
99dd4797f8ef652df680e387b662ef5e
SHA112dfbedba2d3144392cd709991429c5342726a72
SHA256ce48b8ed76bcf4440ed4691d0f2009d25f8af5b1338ac92b9251e168af110154
SHA5122417f0e97fea413505fea112b6b4af350bed18234866aeb1cc17b414fe788295c5cb2d2a3f5f12f50bfe1729ccc370d0f9686a7cdb7c129c4faf6a8b8802955a
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\119.0.0.0_to_119.0.0.0_NISfull.vdm_source_NISbase.vdm._pMD5
f1ae21a45e215fd62fa4c3061f3174b3
SHA1756950994617a6ef87a228b1c9b90a276e0eb836
SHA256518edf57cf5e4bdde6eb52c8eaf4aaefb42396e3c1e3adefacef7bef03f41538
SHA512a0bf2cc30d26c885f4e541f164db8173a6b7eb49fbe4ea43e4c0e26257e9ca02bbd84a1f1c1239249b6c48bb4ab9320b3fd9c9ead88ad2aa34c9a483e1cb1b99
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\gapaengine.dllMD5
d437d5d8fbe46b88cf15e9d3e2c1beda
SHA128daf460b5928eef8724c7fd6e7c82525adfb5f3
SHA256b1c03b224d6779738548f04f29e1cbca02f74c714a7383c5d32cc76aadcf86be
SHA512cad48a6069e07cd3c3cded8c5bb787b6c7d915d5c8d667882ffb4e1c72c5009239d9d56c4ee3f433ebd8096592f60c685bb9ed29bdf5f2fbde65f43837a89332
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exeMD5
38d39de143de95b58244bbfbad1cf372
SHA1a92fa1376c528b0a06f18b1166ced0ab9b9d3d11
SHA2560bb339c22fb53e6bc8f8475590d8549f5432f45cf61337db15d0d2ff552324bb
SHA51200e417d81fa3c9449d29c5f7f46c8ec85617b473a6929848f9dedc663f7e37e1cda1be840564d06611b1af4096cfc468c62ec7b8a5eb376277214af513055220
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exeMD5
38d39de143de95b58244bbfbad1cf372
SHA1a92fa1376c528b0a06f18b1166ced0ab9b9d3d11
SHA2560bb339c22fb53e6bc8f8475590d8549f5432f45cf61337db15d0d2ff552324bb
SHA51200e417d81fa3c9449d29c5f7f46c8ec85617b473a6929848f9dedc663f7e37e1cda1be840564d06611b1af4096cfc468c62ec7b8a5eb376277214af513055220
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\nisbase.vdmMD5
9a6128d06cfe7ea0ba2ad2da0e2b32a6
SHA1734ede7610d0cb639090295aea9e943608172a94
SHA2563894139c40e3cf39212954fbad25b45d3f6d88e1816a90272829627fce153a3c
SHA5122c4f767bba75b2a04b8f2f074c016468cfb18782eb8fe3365424b79e383782909ee551031d6c6c263ed925e8c8d91788dc2a6168234037d549792f126c69b0e3
-
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\nisfull.vdmMD5
fdacc5d41b5baf2edaf8efb71231fdb8
SHA193c10ca1ddf39e37902aad59050f5b142ad2a5f6
SHA256ae4c863d063d86b820d2acce3eb95d9312f54a972a9541a55c71ca4a0322f8f1
SHA51210fc8532f60762f102fdabfc8046d0da88cc23e3d3212cbb4e7d41427dd3677c567aaf0b4d50a848de26845a6c1f4f681d93da805f56d9b641d3ef16a3f190b3
-
C:\Windows\TEMP\MpCmdRun.logMD5
5c081b4d4fda44c56c8d7e301dd3e4e7
SHA1de91740cd32fa99f30817ec15bde584a552f7f3d
SHA2569086302e1d852aae7d0caf36820d9518833227c4eb86bab8a1df179d5fb97e7e
SHA512e78195495762dac5d2e6ced59bc1aadcda2948fe16808ed642ca0903700a220a0d16901c4bb9db69dd5aa633b7f371ef569ea5722e5c0b5740fd52ee9a851e86
-
C:\Windows\TEMP\MpCmdRun.logMD5
ef5141646e74de9ff636c6cf73836707
SHA125dfbc09a3ccc5d8ccf562b9dc5f7f938234fc70
SHA25621cf856ec696637e24eddfe6d8f2fcdfb9b09b2741ae8c804307b4e181fc2db5
SHA512c2aa60893e85e85e2fac2d852b1a6bfc43de68e2215b16de908f3035b81784e14cb1fa84292b1554ffd6970bd569b419b6d2736e44b35543e753011792d65193
-
\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpengine.dllMD5
9f7bf1158ce47439b777116763c4947f
SHA1f2501dfbe32c93e588d35702f9b98b25401993ca
SHA256a233f52b558bc4bd3abc0c3538148915ccbfb372bd996ffa8087e75a7524c47d
SHA5124eeb443625eda9409f2b8e1a19b68dc30e097cbe29938c564b09db4d13d1b486682cc0ab5afd7f67c165b6a47165e59441689bdf1375a8d4591481ab4d2f8e9b
-
memory/1200-120-0x0000000000000000-mapping.dmp
-
memory/1900-125-0x0000000000000000-mapping.dmp
-
memory/2144-121-0x0000000000000000-mapping.dmp
-
memory/2260-123-0x0000000000000000-mapping.dmp
-
memory/2332-116-0x0000000000000000-mapping.dmp
-
memory/2600-164-0x0000024E89250000-0x0000024E8935D000-memory.dmpFilesize
1.1MB
-
memory/2600-165-0x0000024E8B8E0000-0x0000024E8B9ED000-memory.dmpFilesize
1.1MB
-
memory/2600-161-0x0000024EA8E90000-0x0000024EA8F90000-memory.dmpFilesize
1024KB
-
memory/2600-117-0x0000024E88990000-0x0000024E889D0000-memory.dmpFilesize
256KB
-
memory/2600-118-0x0000024E8C520000-0x0000024E8C57E000-memory.dmpFilesize
376KB
-
memory/2600-163-0x0000024EA8F90000-0x0000024EA9190000-memory.dmpFilesize
2.0MB
-
memory/2600-162-0x0000024E89260000-0x0000024E8936D000-memory.dmpFilesize
1.1MB
-
memory/2608-119-0x0000000000000000-mapping.dmp
-
memory/2728-114-0x0000000000000000-mapping.dmp
-
memory/3812-115-0x0000000000000000-mapping.dmp
-
memory/4016-127-0x0000000000000000-mapping.dmp
-
memory/4164-129-0x0000000000000000-mapping.dmp
-
memory/4192-132-0x0000000000000000-mapping.dmp
-
memory/4288-146-0x0000000000000000-mapping.dmp
-
memory/4324-151-0x0000000000000000-mapping.dmp