metasploit | 11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-06-2022 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
Size

175KB
MD5

77b76cd9351ac9d3cfc7fb5a7ddd505c
SHA1

9fac5e34d44b515538f9c4343b9c15304b127aba
SHA256

11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c
SHA512

5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 45 IoCs

Processes:

MsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exe

pid	process
1128	MsTwClient.exe
3540	MsTwClient.exe
100	MsTwClient.exe
1508	MsTwClient.exe
728	MsTwClient.exe
4548	MsTwClient.exe
5084	MsTwClient.exe
840	MsTwClient.exe
2120	MsTwClient.exe
4496	MsTwClient.exe
4772	MsTwClient.exe
4312	MsTwClient.exe
3736	MsTwClient.exe
1408	MsTwClient.exe
1912	MsTwClient.exe
2836	MsTwClient.exe
5104	MsTwClient.exe
3412	MsTwClient.exe
4852	MsTwClient.exe
2160	MsTwClient.exe
2156	MsTwClient.exe
1736	MsTwClient.exe
500	MsTwClient.exe
3968	MsTwClient.exe
1412	MsTwClient.exe
4584	MsTwClient.exe
1076	MsTwClient.exe
4256	MsTwClient.exe
2616	MsTwClient.exe
220	MsTwClient.exe
4016	MsTwClient.exe
2440	MsTwClient.exe
3248	MsTwClient.exe
2412	MsTwClient.exe
4792	MsTwClient.exe
3756	MsTwClient.exe
4480	MsTwClient.exe
3148	MsTwClient.exe
3356	MsTwClient.exe
5024	MsTwClient.exe
4532	MsTwClient.exe
1488	MsTwClient.exe
2408	MsTwClient.exe
4892	MsTwClient.exe
5012	MsTwClient.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4300-131-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4300-133-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4300-134-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4300-135-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4300-139-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3540-146-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3540-149-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1508-156-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1508-159-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4548-166-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4548-169-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/840-176-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/840-179-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4496-186-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4496-189-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4312-196-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4312-199-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1408-206-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1408-209-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2836-216-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2836-219-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3412-226-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3412-229-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2160-236-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2160-239-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1736-246-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1736-249-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3968-256-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3968-259-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4584-266-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4584-269-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4256-276-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4256-279-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/220-284-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/220-286-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/220-285-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/220-287-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/220-290-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2440-297-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2440-300-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2412-307-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2412-308-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/2412-311-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3756-318-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3756-321-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3148-328-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/3148-331-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/5024-338-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/5024-341-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1488-348-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1488-351-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4892-357-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/4892-359-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	MsTwClient.exe

Maps connected drives based on registry 3 TTPs 46 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exe11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsTwClient.exe

Drops file in System32 directory 46 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File opened for modification	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe
File created	C:\Windows\SysWOW64\MsTwClient.exe	MsTwClient.exe

Suspicious use of SetThreadContext 23 IoCs

Processes:

11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exe

description	pid	process	target process
PID 4476 set thread context of 4300	4476	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
PID 1128 set thread context of 3540	1128	MsTwClient.exe	MsTwClient.exe
PID 100 set thread context of 1508	100	MsTwClient.exe	MsTwClient.exe
PID 728 set thread context of 4548	728	MsTwClient.exe	MsTwClient.exe
PID 5084 set thread context of 840	5084	MsTwClient.exe	MsTwClient.exe
PID 2120 set thread context of 4496	2120	MsTwClient.exe	MsTwClient.exe
PID 4772 set thread context of 4312	4772	MsTwClient.exe	MsTwClient.exe
PID 3736 set thread context of 1408	3736	MsTwClient.exe	MsTwClient.exe
PID 1912 set thread context of 2836	1912	MsTwClient.exe	MsTwClient.exe
PID 5104 set thread context of 3412	5104	MsTwClient.exe	MsTwClient.exe
PID 4852 set thread context of 2160	4852	MsTwClient.exe	MsTwClient.exe
PID 2156 set thread context of 1736	2156	MsTwClient.exe	MsTwClient.exe
PID 500 set thread context of 3968	500	MsTwClient.exe	MsTwClient.exe
PID 1412 set thread context of 4584	1412	MsTwClient.exe	MsTwClient.exe
PID 1076 set thread context of 4256	1076	MsTwClient.exe	MsTwClient.exe
PID 2616 set thread context of 220	2616	MsTwClient.exe	MsTwClient.exe
PID 4016 set thread context of 2440	4016	MsTwClient.exe	MsTwClient.exe
PID 3248 set thread context of 2412	3248	MsTwClient.exe	MsTwClient.exe
PID 4792 set thread context of 3756	4792	MsTwClient.exe	MsTwClient.exe
PID 4480 set thread context of 3148	4480	MsTwClient.exe	MsTwClient.exe
PID 3356 set thread context of 5024	3356	MsTwClient.exe	MsTwClient.exe
PID 4532 set thread context of 1488	4532	MsTwClient.exe	MsTwClient.exe
PID 2408 set thread context of 4892	2408	MsTwClient.exe	MsTwClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 23 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsTwClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exeMsTwClient.exe

description	pid	process	target process
PID 4476 wrote to memory of 4300	4476	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
PID 4476 wrote to memory of 4300	4476	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
PID 4476 wrote to memory of 4300	4476	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
PID 4476 wrote to memory of 4300	4476	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
PID 4476 wrote to memory of 4300	4476	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
PID 4476 wrote to memory of 4300	4476	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
PID 4476 wrote to memory of 4300	4476	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
PID 4300 wrote to memory of 1128	4300	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	MsTwClient.exe
PID 4300 wrote to memory of 1128	4300	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	MsTwClient.exe
PID 4300 wrote to memory of 1128	4300	11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe	MsTwClient.exe
PID 1128 wrote to memory of 3540	1128	MsTwClient.exe	MsTwClient.exe
PID 1128 wrote to memory of 3540	1128	MsTwClient.exe	MsTwClient.exe
PID 1128 wrote to memory of 3540	1128	MsTwClient.exe	MsTwClient.exe
PID 1128 wrote to memory of 3540	1128	MsTwClient.exe	MsTwClient.exe
PID 1128 wrote to memory of 3540	1128	MsTwClient.exe	MsTwClient.exe
PID 1128 wrote to memory of 3540	1128	MsTwClient.exe	MsTwClient.exe
PID 1128 wrote to memory of 3540	1128	MsTwClient.exe	MsTwClient.exe
PID 3540 wrote to memory of 100	3540	MsTwClient.exe	MsTwClient.exe
PID 3540 wrote to memory of 100	3540	MsTwClient.exe	MsTwClient.exe
PID 3540 wrote to memory of 100	3540	MsTwClient.exe	MsTwClient.exe
PID 100 wrote to memory of 1508	100	MsTwClient.exe	MsTwClient.exe
PID 100 wrote to memory of 1508	100	MsTwClient.exe	MsTwClient.exe
PID 100 wrote to memory of 1508	100	MsTwClient.exe	MsTwClient.exe
PID 100 wrote to memory of 1508	100	MsTwClient.exe	MsTwClient.exe
PID 100 wrote to memory of 1508	100	MsTwClient.exe	MsTwClient.exe
PID 100 wrote to memory of 1508	100	MsTwClient.exe	MsTwClient.exe
PID 100 wrote to memory of 1508	100	MsTwClient.exe	MsTwClient.exe
PID 1508 wrote to memory of 728	1508	MsTwClient.exe	MsTwClient.exe
PID 1508 wrote to memory of 728	1508	MsTwClient.exe	MsTwClient.exe
PID 1508 wrote to memory of 728	1508	MsTwClient.exe	MsTwClient.exe
PID 728 wrote to memory of 4548	728	MsTwClient.exe	MsTwClient.exe
PID 728 wrote to memory of 4548	728	MsTwClient.exe	MsTwClient.exe
PID 728 wrote to memory of 4548	728	MsTwClient.exe	MsTwClient.exe
PID 728 wrote to memory of 4548	728	MsTwClient.exe	MsTwClient.exe
PID 728 wrote to memory of 4548	728	MsTwClient.exe	MsTwClient.exe
PID 728 wrote to memory of 4548	728	MsTwClient.exe	MsTwClient.exe
PID 728 wrote to memory of 4548	728	MsTwClient.exe	MsTwClient.exe
PID 4548 wrote to memory of 5084	4548	MsTwClient.exe	MsTwClient.exe
PID 4548 wrote to memory of 5084	4548	MsTwClient.exe	MsTwClient.exe
PID 4548 wrote to memory of 5084	4548	MsTwClient.exe	MsTwClient.exe
PID 5084 wrote to memory of 840	5084	MsTwClient.exe	MsTwClient.exe
PID 5084 wrote to memory of 840	5084	MsTwClient.exe	MsTwClient.exe
PID 5084 wrote to memory of 840	5084	MsTwClient.exe	MsTwClient.exe
PID 5084 wrote to memory of 840	5084	MsTwClient.exe	MsTwClient.exe
PID 5084 wrote to memory of 840	5084	MsTwClient.exe	MsTwClient.exe
PID 5084 wrote to memory of 840	5084	MsTwClient.exe	MsTwClient.exe
PID 5084 wrote to memory of 840	5084	MsTwClient.exe	MsTwClient.exe
PID 840 wrote to memory of 2120	840	MsTwClient.exe	MsTwClient.exe
PID 840 wrote to memory of 2120	840	MsTwClient.exe	MsTwClient.exe
PID 840 wrote to memory of 2120	840	MsTwClient.exe	MsTwClient.exe
PID 2120 wrote to memory of 4496	2120	MsTwClient.exe	MsTwClient.exe
PID 2120 wrote to memory of 4496	2120	MsTwClient.exe	MsTwClient.exe
PID 2120 wrote to memory of 4496	2120	MsTwClient.exe	MsTwClient.exe
PID 2120 wrote to memory of 4496	2120	MsTwClient.exe	MsTwClient.exe
PID 2120 wrote to memory of 4496	2120	MsTwClient.exe	MsTwClient.exe
PID 2120 wrote to memory of 4496	2120	MsTwClient.exe	MsTwClient.exe
PID 2120 wrote to memory of 4496	2120	MsTwClient.exe	MsTwClient.exe
PID 4496 wrote to memory of 4772	4496	MsTwClient.exe	MsTwClient.exe
PID 4496 wrote to memory of 4772	4496	MsTwClient.exe	MsTwClient.exe
PID 4496 wrote to memory of 4772	4496	MsTwClient.exe	MsTwClient.exe
PID 4772 wrote to memory of 4312	4772	MsTwClient.exe	MsTwClient.exe
PID 4772 wrote to memory of 4312	4772	MsTwClient.exe	MsTwClient.exe
PID 4772 wrote to memory of 4312	4772	MsTwClient.exe	MsTwClient.exe
PID 4772 wrote to memory of 4312	4772	MsTwClient.exe	MsTwClient.exe

C:\Users\Admin\AppData\Local\Temp\11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
"C:\Users\Admin\AppData\Local\Temp\11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe
"C:\Users\Admin\AppData\Local\Temp\11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Users\Admin\AppData\Local\Temp\11B76F~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Users\Admin\AppData\Local\Temp\11B76F~1.EXE
4⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
6⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
8⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
10⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
12⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
14⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4312

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3736

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
16⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1408

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1912

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
18⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2836

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5104

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
20⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3412

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4852

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
22⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2160

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2156

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
24⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1736

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:500

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
26⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3968

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1412

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
28⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4584

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1076

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
30⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4256

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2616

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
32⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:220

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4016

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
34⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2440

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3248

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
36⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2412

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4792

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
38⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3756

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4480

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
40⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3148

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3356

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
42⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5024

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4532

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
44⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1488

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2408

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\SysWOW64\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
46⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4892

C:\Windows\SysWOW64\MsTwClient.exe
"C:\Windows\system32\MsTwClient.exe" C:\Windows\SysWOW64\MSTWCL~1.EXE
47⤵
- Executes dropped EXE
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
C:\Windows\SysWOW64\MsTwClient.exe
Filesize
175KB

MD5
77b76cd9351ac9d3cfc7fb5a7ddd505c

SHA1
9fac5e34d44b515538f9c4343b9c15304b127aba

SHA256
11b76f59452efbca118b8ebc2478be84c70945a851911a1a5b7220691af6704c

SHA512
5581df002694ad755ad1954bc2c81ab9ce275b99fc7c355971378de103caf20e8e337fcb07189dd11a35e58fd6bebf221c965be3d6723c0e789b3c20a9d7f6a5

Download Submit
memory/100-147-0x0000000000000000-mapping.dmp

Download
memory/220-280-0x0000000000000000-mapping.dmp

Download
memory/220-290-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/220-284-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/220-286-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/220-285-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/220-287-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/500-247-0x0000000000000000-mapping.dmp

Download
memory/728-157-0x0000000000000000-mapping.dmp

Download
memory/840-170-0x0000000000000000-mapping.dmp

Download
memory/840-179-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/840-176-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1076-267-0x0000000000000000-mapping.dmp

Download
memory/1128-136-0x0000000000000000-mapping.dmp

Download
memory/1408-200-0x0000000000000000-mapping.dmp

Download
memory/1408-206-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1408-209-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1412-257-0x0000000000000000-mapping.dmp

Download
memory/1488-342-0x0000000000000000-mapping.dmp

Download
memory/1488-348-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1488-351-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-150-0x0000000000000000-mapping.dmp

Download
memory/1508-156-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-159-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1736-240-0x0000000000000000-mapping.dmp

Download
memory/1736-246-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1736-249-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1912-207-0x0000000000000000-mapping.dmp

Download
memory/2120-177-0x0000000000000000-mapping.dmp

Download
memory/2156-237-0x0000000000000000-mapping.dmp

Download
memory/2160-239-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2160-236-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2160-230-0x0000000000000000-mapping.dmp

Download
memory/2408-349-0x0000000000000000-mapping.dmp

Download
memory/2412-308-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2412-307-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2412-311-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2412-301-0x0000000000000000-mapping.dmp

Download
memory/2440-297-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2440-300-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2440-291-0x0000000000000000-mapping.dmp

Download
memory/2616-277-0x0000000000000000-mapping.dmp

Download
memory/2836-210-0x0000000000000000-mapping.dmp

Download
memory/2836-219-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2836-216-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3148-328-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3148-322-0x0000000000000000-mapping.dmp

Download
memory/3148-331-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3248-298-0x0000000000000000-mapping.dmp

Download
memory/3356-329-0x0000000000000000-mapping.dmp

Download
memory/3412-229-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3412-226-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3412-220-0x0000000000000000-mapping.dmp

Download
memory/3540-149-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3540-140-0x0000000000000000-mapping.dmp

Download
memory/3540-146-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3736-197-0x0000000000000000-mapping.dmp

Download
memory/3756-321-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3756-312-0x0000000000000000-mapping.dmp

Download
memory/3756-318-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3968-256-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3968-250-0x0000000000000000-mapping.dmp

Download
memory/3968-259-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4016-288-0x0000000000000000-mapping.dmp

Download
memory/4256-270-0x0000000000000000-mapping.dmp

Download
memory/4256-276-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4256-279-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4300-139-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4300-135-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4300-134-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4300-133-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4300-131-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4300-130-0x0000000000000000-mapping.dmp

Download
memory/4312-190-0x0000000000000000-mapping.dmp

Download
memory/4312-196-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4312-199-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4480-319-0x0000000000000000-mapping.dmp

Download
memory/4496-180-0x0000000000000000-mapping.dmp

Download
memory/4496-189-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4496-186-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4532-339-0x0000000000000000-mapping.dmp

Download
memory/4548-169-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4548-160-0x0000000000000000-mapping.dmp

Download
memory/4548-166-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4584-269-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4584-260-0x0000000000000000-mapping.dmp

Download
memory/4584-266-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4772-187-0x0000000000000000-mapping.dmp

Download
memory/4792-309-0x0000000000000000-mapping.dmp

Download
memory/4852-227-0x0000000000000000-mapping.dmp

Download
memory/4892-352-0x0000000000000000-mapping.dmp

Download
memory/4892-357-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4892-359-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5012-358-0x0000000000000000-mapping.dmp

Download
memory/5024-341-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5024-338-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5024-332-0x0000000000000000-mapping.dmp

Download
memory/5084-167-0x0000000000000000-mapping.dmp

Download
memory/5104-217-0x0000000000000000-mapping.dmp

Download