6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

Analysis

max time kernel
140s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
27-07-2021 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dp.exe
Size

763KB
MD5

0a50081a6cd37aea0945c91de91c5d97
SHA1

755309c6d9fa4cd13b6c867cde01cc1e0d415d00
SHA256

6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b
SHA512

f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

dp.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "2" dp.exe
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 3716 created 996 3716 svchost.exe dp.exe
PID 3716 created 2728 3716 svchost.exe dp.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

mpam-1d753155.exeMpSigStub.exempam-440c586a.exempsigstub.exe

pid process

4164 mpam-1d753155.exe
4192 MpSigStub.exe
4288 mpam-440c586a.exe
4324 mpsigstub.exe
Deletes itself 1 IoCs

Processes:

MsMpEng.exe

pid process

2600 MsMpEng.exe
Loads dropped DLL 1 IoCs

Processes:

MsMpEng.exe

pid process

2600 MsMpEng.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

dp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection dp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "2"	dp.exe

description	pid	process	target process
PID 3716 created 996	3716	svchost.exe	dp.exe
PID 3716 created 2728	3716	svchost.exe	dp.exe

pid	process
4164	mpam-1d753155.exe
4192	MpSigStub.exe
4288	mpam-440c586a.exe
4324	mpsigstub.exe

pid	process
2600	MsMpEng.exe

pid	process
2600	MsMpEng.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	dp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsMpEng.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "\"%ProgramFiles%\\Windows Defender\\MSASCuiL.exe\""	MsMpEng.exe

Drops file in System32 directory 3 IoCs

Processes:

dp.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dp.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	dp.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dp.exe

Drops file in Windows directory 21 IoCs

Processes:

MpCmdRun.exempam-440c586a.exeMpCmdRun.exempam-1d753155.exempsigstub.exeMpSigStub.exeMpCmdRun.exe

description	ioc	process
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.log	MpCmdRun.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe	MpCmdRun.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\119.0.0.0_to_119.0.0.0_NISfull.vdm_source_NISbase.vdm._p	mpam-440c586a.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\gapaengine.dll	mpam-440c586a.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun-25-53C9D589-6B66-4F30-9BAB-9A0193B0BAFC.lock	MpCmdRun.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe	mpam-1d753155.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpasbase.vdm	mpam-1d753155.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpasdlta.vdm	mpam-1d753155.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpavbase.vdm	mpam-1d753155.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpavdlta.vdm	mpam-1d753155.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\nisbase.vdm	mpam-440c586a.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\nisfull.vdm	mpsigstub.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.log	MpCmdRun.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe	MpCmdRun.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpSigStub.log	MpSigStub.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exe	mpam-440c586a.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpSigStub.log	mpsigstub.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MPTelemetrySubmit\client_manifest.txt	mpsigstub.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.log	MpCmdRun.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpengine.dll	mpam-1d753155.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MPTelemetrySubmit\watson_manifest.txt	mpsigstub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

MsMpEng.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	MsMpEng.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	MsMpEng.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MsMpEng.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MsMpEng.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}	MsMpEng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}	MsMpEng.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MpCmdRun.exeMsMpEng.exeMpCmdRun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	MpCmdRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\CachedProxyBypass	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token	MpCmdRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token\{922DF99B-F4C3-4B57-B70A-AA696443101A}\DeviceId = "0018000633D366AB"	MpCmdRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\CachedProxy	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	MpCmdRun.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token\{922DF99B-F4C3-4B57-B70A-AA696443101A}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000cb35b265870ecb47af3174bdeb244d0c00000000020000000000106600000001000020000000d6b89a6a3949a4263d7f63b8c210ddd8b33f77283bb08481b741c1c1bfcab4b2000000000e80000000020000200000001fdc9c5efca7bc48405ea6e88cbfcfaa077b58662124e1efcda5b568f2843708d0030000a8d046e90f3494853f8b5d83587f5e8faf69533d0f68cdfcdeff288e6011fe6ae082135ad89e793a8f22c302d1938391d30863dbff539938923491e1e3fd493712f547479a024c3bcb35106ef30fd5e3f40ecac7cde0263551684ade26992d7c7ed5c6839c96da960f5884b22935c1312db594529689b7b6f6573ce2ec9eaa50ae1ad7f608897f79d713b18313ec3c07f9908b7590d6ffae8da5ccfffc5c2582dae3f53d3e16943fb0a210c4c80437ec4510bbdc6947177148c1a5009be67f13a0de8146351f3ccd16257fca02a782f644ccd68a1c802ce145e929c40e36df18c38b1991a8f5eb947b13cfae4a788e6a389048c14c52121475cb6106316be4123ddc92d60de00a874ecbd2f6cfdbb3e4ffb9665eb85812d277969d4cdeafab7ca3afd6a24b5c8d22b7c30398d581a2fab636f2a5e982dd75ffcf570963944b7c15922101029a6f7ac9c8dba5aebf423e6862061c146787415f3284452baf63b04c302999982ff1f0dc9bf1f42134286084696a0b75e9d11895735fbc4e1ac5694c531b86d4718ed4b682ee90ca7365f4a17670301d7327bd14664420bb9f8c5f21fe4ee2b4750a0e449a89461480e4284e20ae910aa485abbbdd134b2b11b7427c14e26d79fbb74351a8b434db0ce3b5b7a1d1ac0cc183bf358ec4704c6546d445be412bce95d3edc20187278dcb0b0464231a637038d88ca98dfa77d8883b4f868806d501246f756beaa4996200c9a097315b132d870bef7807684c8aa7c571549a1f44870b0c619a2e3a6f9d08b87a2dc18d379c1663d0a612b0abdcc0d0a867f8a63e2e9637cc77bab928a84e1a232f58a17b5214f324355a3bc3e3392758dd738d240208b455169549b4d3a4a758ad314e2d25e8b5b446eae8155c07a5c2049e65d43e655223c502b9b5ade0cdfce1e65fd2ce5e07410b429fe3d89f5194f2ea2f2ee3d30a17a42cd1aa44f4cf64bee0709e255796507e4f4177dfdc581ffb5e90b1ff01eba4c8c9837e4878a5ecfc5491e5df5843a65419c4349e802c14ff287f0f5043ba3bc08257b483b8e3921531f336d915d6971121216be350d2d1e32a7739ca864fc7a3561cc6676c552c72aa89ddb68e87cdbc01d7e27f6cdfb9845a64e1fc6197a1d82b802ecc6bf3ad5bf7fa88e3b27a8fec3a4b95ac1f45ae8d7740dfee4c6acc820ddfbb7dfcf1db06b5cb669250ecb8ab21b15b682be3543c98aef56cdade64699a7aaef51016f47aae8bc519864c651b59d98b402cb63080622c2bca844a831623fa703814a11275e1df6fe714d43e547dc7982efea7023dcf31ef244e8a5a8658ea1a432e45e0e5244a20f2fa710e2cbb3b51fe314351058c945817219cb896d02a997c4058c1400000007678741df85887ec62023acde4bc6ff9da744679c58230f93a52adb768c2926f573d74587fa133d0f64771707467844d7a58f36021b7dfba691a5ef89408403a	MpCmdRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\LastKnownGoodProxy = "1"	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	MpCmdRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\CachedProxyAccessType = "1"	MsMpEng.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	MpCmdRun.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018000633D366AB = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000cb35b265870ecb47af3174bdeb244d0c0000000002000000000010660000000100002000000030509c8b561a000dcf16ea3ccb976694a30e72835e101acd7718667531d44299000000000e80000000020000200000000c277e30a9d13a4d1c62c67afdbdf68e05bbf6c633d7ddcb12f1556572b4c42c800000004292724011677b0aae24fd2bd581462f542f2d72099d034797b44372a5ab04046988bc900e7f40d9ee3943b7b3a59e787197af1dd39f0189c3aff5b5292bf1eff1c8c49fc4d559dcdfdebb573d671667725757fd0ac51f2dc64d30864075dd8c5c89cc223a39927f4277a5facf2cafd38dc69092cd3890b4c418c827920beed840000000b33e6946b03f33b1ab2b7ad5d90b4a91d989cf97419bca471e726616e4e53d61b7b409b88dcf9c0ae72e9465b9dd393be9e41150b20e929fe4159a5c9e71914c	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token\{922DF99B-F4C3-4B57-B70A-AA696443101A}	MpCmdRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	MpCmdRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MpCmdRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Defender	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MpCmdRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Defender\DssCounter = "1"	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Property	MpCmdRun.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL\Immersive\production\Token\{922DF99B-F4C3-4B57-B70A-AA696443101A}\ApplicationFlags = "1"	MpCmdRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IdentityCRL	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	MpCmdRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsMpEng.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MpCmdRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows Defender	MpCmdRun.exe

Modifies registry class 13 IoCs

Processes:

MsMpEng.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"	MsMpEng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"	MsMpEng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	MsMpEng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	MsMpEng.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32	MsMpEng.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\IMPLEMENTED CATEGORIES\DISABLED - {56FFCC30-D398-11D0-B2AE-00A0C908FA49}	MsMpEng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	MsMpEng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	MsMpEng.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\IMPLEMENTED CATEGORIES\DISABLED - {56FFCC30-D398-11D0-B2AE-00A0C908FA49}	MsMpEng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID	MsMpEng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	MsMpEng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}"	MsMpEng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	MsMpEng.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dp.exedp.exedp.exe

pid	process
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
2728	dp.exe
2728	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
3812	dp.exe
3812	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
996	dp.exe
996	dp.exe
2728	dp.exe
2728	dp.exe
996	dp.exe
996	dp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dp.exe

pid process

996 dp.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

MsMpEng.exe

pid process

2600 MsMpEng.exe

pid	process
2600	MsMpEng.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

dp.exesvchost.exedp.exeMsMpEng.exempsigstub.exe

description	pid	process
Token: SeDebugPrivilege	996	dp.exe
Token: SeAssignPrimaryTokenPrivilege	996	dp.exe
Token: SeIncreaseQuotaPrivilege	996	dp.exe
Token: 0	996	dp.exe
Token: SeTcbPrivilege	3716	svchost.exe
Token: SeTcbPrivilege	3716	svchost.exe
Token: SeDebugPrivilege	2728	dp.exe
Token: SeAssignPrimaryTokenPrivilege	2728	dp.exe
Token: SeIncreaseQuotaPrivilege	2728	dp.exe
Token: SeAssignPrimaryTokenPrivilege	2600	MsMpEng.exe
Token: SeIncreaseQuotaPrivilege	2600	MsMpEng.exe
Token: SeTcbPrivilege	2600	MsMpEng.exe
Token: SeSecurityPrivilege	2600	MsMpEng.exe
Token: SeTakeOwnershipPrivilege	2600	MsMpEng.exe
Token: SeLoadDriverPrivilege	2600	MsMpEng.exe
Token: SeIncBasePriorityPrivilege	2600	MsMpEng.exe
Token: SeBackupPrivilege	2600	MsMpEng.exe
Token: SeRestorePrivilege	2600	MsMpEng.exe
Token: SeShutdownPrivilege	2600	MsMpEng.exe
Token: SeDebugPrivilege	2600	MsMpEng.exe
Token: SeSystemEnvironmentPrivilege	2600	MsMpEng.exe
Token: SeChangeNotifyPrivilege	2600	MsMpEng.exe
Token: SeImpersonatePrivilege	2600	MsMpEng.exe
Token: SeDebugPrivilege	2600	MsMpEng.exe
Token: SeBackupPrivilege	2600	MsMpEng.exe
Token: SeRestorePrivilege	2600	MsMpEng.exe
Token: SeDebugPrivilege	2600	MsMpEng.exe
Token: SeBackupPrivilege	2600	MsMpEng.exe
Token: SeRestorePrivilege	2600	MsMpEng.exe
Token: SeBackupPrivilege	4324	mpsigstub.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dp.exeMSASCuiL.exe

pid	process
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
2332	MSASCuiL.exe
2332	MSASCuiL.exe
2332	MSASCuiL.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

dp.exeMSASCuiL.exe

pid	process
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
2332	MSASCuiL.exe
2332	MSASCuiL.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe
996	dp.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

svchost.exedp.exeMsMpEng.exeMpCmdRun.exeMpCmdRun.exeMpCmdRun.exempam-1d753155.exempam-440c586a.exe

description	pid	process	target process
PID 3716 wrote to memory of 2728	3716	svchost.exe	dp.exe
PID 3716 wrote to memory of 2728	3716	svchost.exe	dp.exe
PID 3716 wrote to memory of 2728	3716	svchost.exe	dp.exe
PID 3716 wrote to memory of 3812	3716	svchost.exe	dp.exe
PID 3716 wrote to memory of 3812	3716	svchost.exe	dp.exe
PID 3716 wrote to memory of 3812	3716	svchost.exe	dp.exe
PID 996 wrote to memory of 2332	996	dp.exe	MSASCuiL.exe
PID 996 wrote to memory of 2332	996	dp.exe	MSASCuiL.exe
PID 2600 wrote to memory of 2608	2600	MsMpEng.exe	MpCmdRun.exe
PID 2600 wrote to memory of 2608	2600	MsMpEng.exe	MpCmdRun.exe
PID 2608 wrote to memory of 1200	2608	MpCmdRun.exe	MpCmdRun.exe
PID 2608 wrote to memory of 1200	2608	MpCmdRun.exe	MpCmdRun.exe
PID 2600 wrote to memory of 2144	2600	MsMpEng.exe	MpCmdRun.exe
PID 2600 wrote to memory of 2144	2600	MsMpEng.exe	MpCmdRun.exe
PID 2600 wrote to memory of 2260	2600	MsMpEng.exe	MpCmdRun.exe
PID 2600 wrote to memory of 2260	2600	MsMpEng.exe	MpCmdRun.exe
PID 2260 wrote to memory of 1900	2260	MpCmdRun.exe	MpCmdRun.exe
PID 2260 wrote to memory of 1900	2260	MpCmdRun.exe	MpCmdRun.exe
PID 2600 wrote to memory of 4016	2600	MsMpEng.exe	MpCmdRun.exe
PID 2600 wrote to memory of 4016	2600	MsMpEng.exe	MpCmdRun.exe
PID 1900 wrote to memory of 4164	1900	MpCmdRun.exe	mpam-1d753155.exe
PID 1900 wrote to memory of 4164	1900	MpCmdRun.exe	mpam-1d753155.exe
PID 4164 wrote to memory of 4192	4164	mpam-1d753155.exe	MpSigStub.exe
PID 4164 wrote to memory of 4192	4164	mpam-1d753155.exe	MpSigStub.exe
PID 1900 wrote to memory of 4288	1900	MpCmdRun.exe	mpam-440c586a.exe
PID 1900 wrote to memory of 4288	1900	MpCmdRun.exe	mpam-440c586a.exe
PID 4288 wrote to memory of 4324	4288	mpam-440c586a.exe	mpsigstub.exe
PID 4288 wrote to memory of 4324	4288	mpam-440c586a.exe	mpsigstub.exe

C:\Users\Admin\AppData\Local\Temp\dp.exe
"C:\Users\Admin\AppData\Local\Temp\dp.exe"
1⤵
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\dp.exe
"C:\Users\Admin\AppData\Local\Temp\dp.exe" /SYS 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Local\Temp\dp.exe
"C:\Users\Admin\AppData\Local\Temp\dp.exe" /TI 0
3⤵
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
PID:3812

C:\Program Files\Windows Defender\MSASCuiL.exe
"C:\Program Files\Windows Defender\MSASCuiL.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2332

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3156

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3520

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1196

C:\Program Files\Windows Defender\MsMpEng.exe
"C:\Program Files\Windows Defender\MsMpEng.exe"
1⤵
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
3⤵
- Drops file in Windows directory
PID:1200

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
2⤵
PID:2144

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges
2⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges -Reinvoke
3⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe
"C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe" /q WD
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe /stub 1.1.17800.4 /payload 1.343.1753.0 /program C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe /q WD
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4192

C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe
"C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe" /q WD
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exe
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exe /stub 1.1.14500.5 /payload 119.0.0.0 /program C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe /q WD
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" GetDeviceTicket -AccessKey 1D4F51A7-FE7E-AB4B-AA55-7C6F1679FF09
2⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4016

C:\Program Files\Windows Defender\mpuxsrv.exe
"C:\Program Files\Windows Defender\mpuxsrv.exe" -Embedding
1⤵
PID:4484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpasbase.vdm
MD5
30891107645e22f49dbef57780b98c5e

SHA1
e7b81e55cfbdd047be1d81b30b9382456af175fe

SHA256
35df40739964935e5ed44260d5156addf78de662b3af4bf3a4ab5fc1215ad9cb

SHA512
2ec6f73174fdc0b2af0fc450c9f4646fe9a09265c74cd1013634e055f733ebd01da2eca40b3e2577379b13ffb3d187b10f1b5ee90c1ad3383543ae67304d1d75

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpasdlta.vdm
MD5
3fa8dd64e02baf5fb222597f295caee8

SHA1
f850a4cfc61cb8b11daf8196ea97b85798e234a3

SHA256
3882dcec7a2c7cc0c3e4485e2ae5dcc092e048faa83601700ddd7809723fd963

SHA512
87bd70a1177fedac0978c0a7b110bc6d65b2a92bc4f275ce6a3b5904deb858416f4839d25e34986e2b83a38202e24fc4c69631e038eecc4f703c2a28ba3e82f8

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpavbase.vdm
MD5
4c6072ad516f39f5d956065ba215e4d3

SHA1
243b70bc18dd97194ce77c89e47c62364ab9394d

SHA256
fda6dbc11a33245ad47acaf6bd730db73a607e65dda3fe2f075b2d1de3eaa3c2

SHA512
cd11ec324856c650d28388bef44ebaf81f4abf2e1e50a2922be68e1e4bf431ee838e16a8caafde53821879f554910873e59b17e636e1ff099d6109f993274daf

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpavdlta.vdm
MD5
e4b35da5a802560cf186feffb1f52325

SHA1
134cd3629d0cd9f73e9c1ed7f22ef0f503664c29

SHA256
528e18a2b3699d45623469c287447a0caf98931dbe7fbca3a7008cdcc1b632a7

SHA512
8a37bfeb48c5022ab8a62244a6123557d110e09729e43129d64239d09a7bd898903d9dd30a414ea27b94d7428f2172a01c427a3a9ea365446228ac079c58372a

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpengine.dll
MD5
9f7bf1158ce47439b777116763c4947f

SHA1
f2501dfbe32c93e588d35702f9b98b25401993ca

SHA256
a233f52b558bc4bd3abc0c3538148915ccbfb372bd996ffa8087e75a7524c47d

SHA512
4eeb443625eda9409f2b8e1a19b68dc30e097cbe29938c564b09db4d13d1b486682cc0ab5afd7f67c165b6a47165e59441689bdf1375a8d4591481ab4d2f8e9b

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe
MD5
5221b7a59665153028fb57761ce560b9

SHA1
d65eae951fe09f39555951970ad03737520c7b12

SHA256
0bc408c801441239f72d7df3dd6edbcdfb5313d6ae5a04c0a13e8c2dfc39f6d8

SHA512
55bf54dd7f416b11a6f253b1ddef13422610f8870592ea3f97b40b390b52d0eaf9e689f166415a73a71b617f393cd08337e3c10009a8184fe60431475ea8e130

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\MpSigStub.exe
MD5
5221b7a59665153028fb57761ce560b9

SHA1
d65eae951fe09f39555951970ad03737520c7b12

SHA256
0bc408c801441239f72d7df3dd6edbcdfb5313d6ae5a04c0a13e8c2dfc39f6d8

SHA512
55bf54dd7f416b11a6f253b1ddef13422610f8870592ea3f97b40b390b52d0eaf9e689f166415a73a71b617f393cd08337e3c10009a8184fe60431475ea8e130

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpasbase.vdm
MD5
30891107645e22f49dbef57780b98c5e

SHA1
e7b81e55cfbdd047be1d81b30b9382456af175fe

SHA256
35df40739964935e5ed44260d5156addf78de662b3af4bf3a4ab5fc1215ad9cb

SHA512
2ec6f73174fdc0b2af0fc450c9f4646fe9a09265c74cd1013634e055f733ebd01da2eca40b3e2577379b13ffb3d187b10f1b5ee90c1ad3383543ae67304d1d75

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpasdlta.vdm
MD5
3fa8dd64e02baf5fb222597f295caee8

SHA1
f850a4cfc61cb8b11daf8196ea97b85798e234a3

SHA256
3882dcec7a2c7cc0c3e4485e2ae5dcc092e048faa83601700ddd7809723fd963

SHA512
87bd70a1177fedac0978c0a7b110bc6d65b2a92bc4f275ce6a3b5904deb858416f4839d25e34986e2b83a38202e24fc4c69631e038eecc4f703c2a28ba3e82f8

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpavbase.vdm
MD5
4c6072ad516f39f5d956065ba215e4d3

SHA1
243b70bc18dd97194ce77c89e47c62364ab9394d

SHA256
fda6dbc11a33245ad47acaf6bd730db73a607e65dda3fe2f075b2d1de3eaa3c2

SHA512
cd11ec324856c650d28388bef44ebaf81f4abf2e1e50a2922be68e1e4bf431ee838e16a8caafde53821879f554910873e59b17e636e1ff099d6109f993274daf

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpavdlta.vdm
MD5
e4b35da5a802560cf186feffb1f52325

SHA1
134cd3629d0cd9f73e9c1ed7f22ef0f503664c29

SHA256
528e18a2b3699d45623469c287447a0caf98931dbe7fbca3a7008cdcc1b632a7

SHA512
8a37bfeb48c5022ab8a62244a6123557d110e09729e43129d64239d09a7bd898903d9dd30a414ea27b94d7428f2172a01c427a3a9ea365446228ac079c58372a

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\7ED27C6C-A4E7-442F-9EDF-99C76B48D1FC\mpengine.dll
MD5
9f7bf1158ce47439b777116763c4947f

SHA1
f2501dfbe32c93e588d35702f9b98b25401993ca

SHA256
a233f52b558bc4bd3abc0c3538148915ccbfb372bd996ffa8087e75a7524c47d

SHA512
4eeb443625eda9409f2b8e1a19b68dc30e097cbe29938c564b09db4d13d1b486682cc0ab5afd7f67c165b6a47165e59441689bdf1375a8d4591481ab4d2f8e9b

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.log
MD5
676a6b308d082c7118ed82be06c91fc3

SHA1
f88f3414f6f1d4ad128f921f7cee51b0c2d27ada

SHA256
1cac2b7a0fb0ff12318778ba07443e3497c47c65bd39f339680f5e1611ca0535

SHA512
db5e8a5bf33f05576d17ad40c85fa62fc1239e73aa5f91ee11b44b2f3134c81e8d56f1576c62be110775ac546779d2dc2620f47cd627d545986a81902c3c54b2

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpCmdRun.log
MD5
da456a1d1465d6eb847cd6348a30f2ee

SHA1
9cf83a411769a45cff46ee0bece62f8a3b59cbdb

SHA256
3a0eac69c12d6e8ca563836d60be2da8c8e0ec43abcbc1c40f34b5ef90c8725b

SHA512
ef9b5d30121f3b5343e66ea695c3454731b6a25fa5645e5af2b832b2d76baf410622fb6946317dc0b1628e5c5ce5f2b08cd15109b797279eb1c960ddeb8302ba

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\MpSigStub.log
MD5
82167e5348e26fcb4188a35f50697658

SHA1
106a70e8b4c7261d2ab9e1d9fd0cbd5cd386e6ba

SHA256
6f4b5b20cef6c889628a19dc744490f43c0eee18e2481e374ee7cc705350b8d5

SHA512
0248ec4d10c8627c1e20635de01920128d613756d62b0c505fd97b3c0af49868ae7272b1c3fdcdb2782d6cb7e4671ee18be4e50d312c38a121e9d939eeb17cec

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe
MD5
fcbc053b969c69d333b74612b58f002e

SHA1
ccace15fceb11656490407604fc18b0222d45850

SHA256
a77e6b0635d2cf24dcce5c5723d918255d7565cff0b24b721c66035bbdd3ff57

SHA512
59edb19090f9267a8f5b2d18ae5b11c7a42b8f9d9922ac25531bd710b0f2c29f78289863633331315db7edc4877a928f5911a799900cf62fb9f9df0065225b53

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-1d753155.exe
MD5
fcbc053b969c69d333b74612b58f002e

SHA1
ccace15fceb11656490407604fc18b0222d45850

SHA256
a77e6b0635d2cf24dcce5c5723d918255d7565cff0b24b721c66035bbdd3ff57

SHA512
59edb19090f9267a8f5b2d18ae5b11c7a42b8f9d9922ac25531bd710b0f2c29f78289863633331315db7edc4877a928f5911a799900cf62fb9f9df0065225b53

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe
MD5
99dd4797f8ef652df680e387b662ef5e

SHA1
12dfbedba2d3144392cd709991429c5342726a72

SHA256
ce48b8ed76bcf4440ed4691d0f2009d25f8af5b1338ac92b9251e168af110154

SHA512
2417f0e97fea413505fea112b6b4af350bed18234866aeb1cc17b414fe788295c5cb2d2a3f5f12f50bfe1729ccc370d0f9686a7cdb7c129c4faf6a8b8802955a

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-440c586a.exe
MD5
99dd4797f8ef652df680e387b662ef5e

SHA1
12dfbedba2d3144392cd709991429c5342726a72

SHA256
ce48b8ed76bcf4440ed4691d0f2009d25f8af5b1338ac92b9251e168af110154

SHA512
2417f0e97fea413505fea112b6b4af350bed18234866aeb1cc17b414fe788295c5cb2d2a3f5f12f50bfe1729ccc370d0f9686a7cdb7c129c4faf6a8b8802955a

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\119.0.0.0_to_119.0.0.0_NISfull.vdm_source_NISbase.vdm._p
MD5
f1ae21a45e215fd62fa4c3061f3174b3

SHA1
756950994617a6ef87a228b1c9b90a276e0eb836

SHA256
518edf57cf5e4bdde6eb52c8eaf4aaefb42396e3c1e3adefacef7bef03f41538

SHA512
a0bf2cc30d26c885f4e541f164db8173a6b7eb49fbe4ea43e4c0e26257e9ca02bbd84a1f1c1239249b6c48bb4ab9320b3fd9c9ead88ad2aa34c9a483e1cb1b99

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\gapaengine.dll
MD5
d437d5d8fbe46b88cf15e9d3e2c1beda

SHA1
28daf460b5928eef8724c7fd6e7c82525adfb5f3

SHA256
b1c03b224d6779738548f04f29e1cbca02f74c714a7383c5d32cc76aadcf86be

SHA512
cad48a6069e07cd3c3cded8c5bb787b6c7d915d5c8d667882ffb4e1c72c5009239d9d56c4ee3f433ebd8096592f60c685bb9ed29bdf5f2fbde65f43837a89332

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exe
MD5
38d39de143de95b58244bbfbad1cf372

SHA1
a92fa1376c528b0a06f18b1166ced0ab9b9d3d11

SHA256
0bb339c22fb53e6bc8f8475590d8549f5432f45cf61337db15d0d2ff552324bb

SHA512
00e417d81fa3c9449d29c5f7f46c8ec85617b473a6929848f9dedc663f7e37e1cda1be840564d06611b1af4096cfc468c62ec7b8a5eb376277214af513055220

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\mpsigstub.exe
MD5
38d39de143de95b58244bbfbad1cf372

SHA1
a92fa1376c528b0a06f18b1166ced0ab9b9d3d11

SHA256
0bb339c22fb53e6bc8f8475590d8549f5432f45cf61337db15d0d2ff552324bb

SHA512
00e417d81fa3c9449d29c5f7f46c8ec85617b473a6929848f9dedc663f7e37e1cda1be840564d06611b1af4096cfc468c62ec7b8a5eb376277214af513055220

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\nisbase.vdm
MD5
9a6128d06cfe7ea0ba2ad2da0e2b32a6

SHA1
734ede7610d0cb639090295aea9e943608172a94

SHA256
3894139c40e3cf39212954fbad25b45d3f6d88e1816a90272829627fce153a3c

SHA512
2c4f767bba75b2a04b8f2f074c016468cfb18782eb8fe3365424b79e383782909ee551031d6c6c263ed925e8c8d91788dc2a6168234037d549792f126c69b0e3

Download Submit
C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{505121EE-B845-4C55-9185-6C207CD3E795}\nisfull.vdm
MD5
fdacc5d41b5baf2edaf8efb71231fdb8

SHA1
93c10ca1ddf39e37902aad59050f5b142ad2a5f6

SHA256
ae4c863d063d86b820d2acce3eb95d9312f54a972a9541a55c71ca4a0322f8f1

SHA512
10fc8532f60762f102fdabfc8046d0da88cc23e3d3212cbb4e7d41427dd3677c567aaf0b4d50a848de26845a6c1f4f681d93da805f56d9b641d3ef16a3f190b3

Download Submit
C:\Windows\TEMP\MpCmdRun.log
MD5
5c081b4d4fda44c56c8d7e301dd3e4e7

SHA1
de91740cd32fa99f30817ec15bde584a552f7f3d

SHA256
9086302e1d852aae7d0caf36820d9518833227c4eb86bab8a1df179d5fb97e7e

SHA512
e78195495762dac5d2e6ced59bc1aadcda2948fe16808ed642ca0903700a220a0d16901c4bb9db69dd5aa633b7f371ef569ea5722e5c0b5740fd52ee9a851e86

Download Submit
C:\Windows\TEMP\MpCmdRun.log
MD5
ef5141646e74de9ff636c6cf73836707

SHA1
25dfbc09a3ccc5d8ccf562b9dc5f7f938234fc70

SHA256
21cf856ec696637e24eddfe6d8f2fcdfb9b09b2741ae8c804307b4e181fc2db5

SHA512
c2aa60893e85e85e2fac2d852b1a6bfc43de68e2215b16de908f3035b81784e14cb1fa84292b1554ffd6970bd569b419b6d2736e44b35543e753011792d65193

Download Submit
\ProgramData\Microsoft\Windows Defender\Definition Updates\{96C95780-2D61-4492-9730-D33D204FF1A1}\mpengine.dll
MD5
9f7bf1158ce47439b777116763c4947f

SHA1
f2501dfbe32c93e588d35702f9b98b25401993ca

SHA256
a233f52b558bc4bd3abc0c3538148915ccbfb372bd996ffa8087e75a7524c47d

SHA512
4eeb443625eda9409f2b8e1a19b68dc30e097cbe29938c564b09db4d13d1b486682cc0ab5afd7f67c165b6a47165e59441689bdf1375a8d4591481ab4d2f8e9b

Download Submit
memory/1200-120-0x0000000000000000-mapping.dmp

Download
memory/1900-125-0x0000000000000000-mapping.dmp

Download
memory/2144-121-0x0000000000000000-mapping.dmp

Download
memory/2260-123-0x0000000000000000-mapping.dmp

Download
memory/2332-116-0x0000000000000000-mapping.dmp

Download
memory/2600-164-0x0000024E89250000-0x0000024E8935D000-memory.dmp

Filesize
1.1MB

Download
memory/2600-165-0x0000024E8B8E0000-0x0000024E8B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2600-161-0x0000024EA8E90000-0x0000024EA8F90000-memory.dmp

Filesize
1024KB

Download
memory/2600-117-0x0000024E88990000-0x0000024E889D0000-memory.dmp

Filesize
256KB

Download
memory/2600-118-0x0000024E8C520000-0x0000024E8C57E000-memory.dmp

Filesize
376KB

Download
memory/2600-163-0x0000024EA8F90000-0x0000024EA9190000-memory.dmp

Filesize
2.0MB

Download
memory/2600-162-0x0000024E89260000-0x0000024E8936D000-memory.dmp

Filesize
1.1MB

Download
memory/2608-119-0x0000000000000000-mapping.dmp

Download
memory/2728-114-0x0000000000000000-mapping.dmp

Download
memory/3812-115-0x0000000000000000-mapping.dmp

Download
memory/4016-127-0x0000000000000000-mapping.dmp

Download
memory/4164-129-0x0000000000000000-mapping.dmp

Download
memory/4192-132-0x0000000000000000-mapping.dmp

Download
memory/4288-146-0x0000000000000000-mapping.dmp

Download
memory/4324-151-0x0000000000000000-mapping.dmp

Download