icedid | 50dd5611a6a93c3772eabc23038f4cb36900e3bbeae900efe4cf5a849a0b6b75

Analysis

max time kernel
1141s
max time network
1157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Webex-x64.appx
Size

30.7MB
MD5

77eab64c4951102dcde481f5e0ee6ec8
SHA1

06cb82fdd585cbaca00378bc62ae72d3bf573dec
SHA256

50dd5611a6a93c3772eabc23038f4cb36900e3bbeae900efe4cf5a849a0b6b75
SHA512

5ed2d38b70fb870c861ffbfeedab9017146c77e3653ae1d37e2b48ca1f10de56f289b947dff4dc48b926dde7a1dcac958cfb5f85e92633b3bc5bef9d3748b231
SSDEEP

786432:B91qv6X24krZclsEcTznscqDv0v7OAi3HON8MCqT:B91qS9krFPjwDcDj3NrCqT

Score

10^/10

icedid 43832328 banker loader persistence trojan upx

Malware Config

Extracted

Family

icedid

Campaign

43832328

ospertoolsbo.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 4 IoCs

flow	pid	Process
27	2592	powershell.exe
29	2592	powershell.exe
60	232	msiexec.exe
62	232	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4204	CiscoCollabHost.exe

Loads dropped DLL 3 IoCs

pid	Process
3592	rundll32.exe
3752	MsiExec.exe
3752	MsiExec.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4148-260-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-261-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-262-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-263-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-288-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-291-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-360-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-676-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-955-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-1172-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx
behavioral2/memory/4148-1255-0x0000000000800000-0x0000000000BF4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CiscoSpark = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Webex\\Webex.lnk /minimized /autostartedWithWindows=true"	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick.2\qmldir	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\accessories\DSEAPluginController.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\api-ms-win-core-console-l1-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\dnsutils.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\imageformats\qsvg.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQml\plugins.qmltypes	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Fusion\RadioDelegate.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Extras\TumblerColumn.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\tbb.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\x86\dependencies\msvcp140_1.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\spark-windows-app-impl.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\WebView2Loader.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls\Private\ScrollViewHelper.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Imagine\Label.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Imagine\StackView.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\msvcp140_1.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\Qt5QuickShapes.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\wmlhost.exe	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\x86\dependencies\API-MS-Win-core-xstate-l2-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\x86\dependencies\api-ms-win-crt-time-l1-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls\Private\EditMenu_base.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls\Styles\Base\StatusBarStyle.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\SpinBox.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\x86\dependencies\api-ms-win-crt-utility-l1-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Universal\TabButton.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\api-ms-win-crt-locale-l1-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\KF5SyntaxHighlighting.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\x86\dependencies\api-ms-win-core-processthreads-l1-1-1.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\Qt\labs\calendar\MonthGrid.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Material\Page.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Material\plugins.qmltypes	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\x86\dependencies\api-ms-win-crt-private-l1-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\CiscoCollabHost.exe	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Imagine\Frame.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Universal\ApplicationWindow.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Universal\ToolBar.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\api-ms-win-core-namedpipe-l1-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\LambdaThreadSwitcher.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\CheckDelegate.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Fusion\SwitchIndicator.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Fusion\TabBar.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\x86\dependencies\api-ms-win-core-profile-l1-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Dialogs\qml\DefaultWindowDecoration.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Extras\plugins.qmltypes	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\api-ms-win-core-synch-l1-2-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\Qt\labs\settings\qmlsettingsplugin.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQml\Models.2\qmldir	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls\Private\TreeViewItemDelegateLoader.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Imagine\SplitView.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Universal\Dial.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\api-ms-win-crt-math-l1-1-0.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\MKLDNNPlugin.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls\Styles\Base\GaugeStyle.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Fusion\Frame.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Fusion\Label.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Universal\RoundButton.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Universal\qtquickcontrols2universalstyleplugin.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Shapes\qmlshapesplugin.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\x86\dependencies\concrt140.dll	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls\Private\TableViewSelection.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Fusion\ToolButton.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Universal\Pane.qml	Webex.exe
File opened for modification	C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\dependencies\QtQuick\Controls.2\Universal\MenuSeparator.qml	Webex.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI46A6.tmp	msiexec.exe
File created	C:\Windows\Installer\e591488.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e591488.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C09.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{526B4770-0C31-5418-A322-8478E9227F52}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e59148e.msi	msiexec.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1908	2560	WerFault.exe	103
2316	3848	WerFault.exe	114
2492	4468	WerFault.exe	119
1452	2228	WerFault.exe	123
4840	3936	WerFault.exe	126

Kills process with taskkill 1 IoCs

evasion

pid	Process
3360	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\webex\	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\webex	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\webex\WarnOnOpen = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\Registry\User\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\MIME\Database\Content Type\application/webex	Webex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\webex	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\Registry\User\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\webex	Webex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\webex\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\webex\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\Registry\User\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\webex\shell\open\command	Webex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\Registry\User\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.webex	Webex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\webex\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Cisco Spark\\CiscoCollabHost.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\webex\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4708	powershell.exe
4708	powershell.exe
4776	PowerShell.exe
4776	PowerShell.exe
4336	PowerShell.exe
4336	PowerShell.exe
828	PowerShell.exe
828	PowerShell.exe
4996	PowerShell.exe
4996	PowerShell.exe
5112	Powershell.exe
5112	Powershell.exe
2592	powershell.exe
2592	powershell.exe
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
3384	Process not Found
3384	Process not Found
232	msiexec.exe
232	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3592	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4776	PowerShell.exe
Token: SeDebugPrivilege	4336	PowerShell.exe
Token: SeDebugPrivilege	828	PowerShell.exe
Token: SeDebugPrivilege	4996	PowerShell.exe
Token: SeDebugPrivilege	5112	Powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeShutdownPrivilege	5024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5024	msiexec.exe
Token: SeSecurityPrivilege	232	msiexec.exe
Token: SeCreateTokenPrivilege	5024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5024	msiexec.exe
Token: SeLockMemoryPrivilege	5024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5024	msiexec.exe
Token: SeMachineAccountPrivilege	5024	msiexec.exe
Token: SeTcbPrivilege	5024	msiexec.exe
Token: SeSecurityPrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeLoadDriverPrivilege	5024	msiexec.exe
Token: SeSystemProfilePrivilege	5024	msiexec.exe
Token: SeSystemtimePrivilege	5024	msiexec.exe
Token: SeProfSingleProcessPrivilege	5024	msiexec.exe
Token: SeIncBasePriorityPrivilege	5024	msiexec.exe
Token: SeCreatePagefilePrivilege	5024	msiexec.exe
Token: SeCreatePermanentPrivilege	5024	msiexec.exe
Token: SeBackupPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeShutdownPrivilege	5024	msiexec.exe
Token: SeDebugPrivilege	5024	msiexec.exe
Token: SeAuditPrivilege	5024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5024	msiexec.exe
Token: SeChangeNotifyPrivilege	5024	msiexec.exe
Token: SeRemoteShutdownPrivilege	5024	msiexec.exe
Token: SeUndockPrivilege	5024	msiexec.exe
Token: SeSyncAgentPrivilege	5024	msiexec.exe
Token: SeEnableDelegationPrivilege	5024	msiexec.exe
Token: SeManageVolumePrivilege	5024	msiexec.exe
Token: SeImpersonatePrivilege	5024	msiexec.exe
Token: SeCreateGlobalPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2560	SearchApp.exe
3848	SearchApp.exe
4468	SearchApp.exe
2228	SearchApp.exe
3936	SearchApp.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4776	4692	AiStubX64.exe	89
PID 4692 wrote to memory of 4776	4692	AiStubX64.exe	89
PID 4776 wrote to memory of 4336	4776	PowerShell.exe	91
PID 4776 wrote to memory of 4336	4776	PowerShell.exe	91
PID 4692 wrote to memory of 828	4692	AiStubX64.exe	92
PID 4692 wrote to memory of 828	4692	AiStubX64.exe	92
PID 828 wrote to memory of 4996	828	PowerShell.exe	94
PID 828 wrote to memory of 4996	828	PowerShell.exe	94
PID 4692 wrote to memory of 5112	4692	AiStubX64.exe	96
PID 4692 wrote to memory of 5112	4692	AiStubX64.exe	96
PID 4692 wrote to memory of 5112	4692	AiStubX64.exe	96
PID 5112 wrote to memory of 2592	5112	Powershell.exe	98
PID 5112 wrote to memory of 2592	5112	Powershell.exe	98
PID 5112 wrote to memory of 2592	5112	Powershell.exe	98
PID 2592 wrote to memory of 3592	2592	powershell.exe	100
PID 2592 wrote to memory of 3592	2592	powershell.exe	100
PID 2592 wrote to memory of 3592	2592	powershell.exe	100
PID 4692 wrote to memory of 4148	4692	AiStubX64.exe	101
PID 4692 wrote to memory of 4148	4692	AiStubX64.exe	101
PID 4692 wrote to memory of 4148	4692	AiStubX64.exe	101
PID 4692 wrote to memory of 4148	4692	AiStubX64.exe	101
PID 4692 wrote to memory of 4148	4692	AiStubX64.exe	101
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 4692 wrote to memory of 3852	4692	AiStubX64.exe	102
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 3852 wrote to memory of 4148	3852	PsfRunDll32.exe	101
PID 4148 wrote to memory of 5024	4148	Webex.exe	106
PID 4148 wrote to memory of 5024	4148	Webex.exe	106
PID 4148 wrote to memory of 5024	4148	Webex.exe	106
PID 232 wrote to memory of 3752	232	msiexec.exe	111
PID 232 wrote to memory of 3752	232	msiexec.exe	111
PID 232 wrote to memory of 3752	232	msiexec.exe	111
PID 3752 wrote to memory of 3360	3752	MsiExec.exe	112
PID 3752 wrote to memory of 3360	3752	MsiExec.exe	112
PID 3752 wrote to memory of 3360	3752	MsiExec.exe	112
PID 232 wrote to memory of 252	232	msiexec.exe	118
PID 232 wrote to memory of 252	232	msiexec.exe	118
PID 4148 wrote to memory of 4204	4148	Webex.exe	129
PID 4148 wrote to memory of 4204	4148	Webex.exe	129

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\CiscoSystems.Webex_cvpb331a1f8hw!Webex
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\AI_STUBS\AiStubX64.exe
"C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\AI_STUBS\AiStubX64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -command "'Webex.exe', 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Webex\Webex.lnk', 'Webex', 'none', 'C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\AI_STUBS\Webex.0.ico', 'C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\', 1, 'none', 'none'" | "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -encodedcommand DQAKACAAIABwAGEAcgBhAG0AIAAoAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABUAGEAcgBnAGUAdABQAGEAdABoACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABEAGUAcwBjAHIAaQBwAHQAaQBvAG4ALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABBAHIAZwB1AG0AZQBuAHQAcwAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHYAYQBsAGkAZABhAHQAZQBzAGUAdAAoADEALAAzACwANwApAF0AIAAgACAAIAANAAoAIAAgACAAIABbAGkAbgB0AF0AIAAkAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ADEALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABIAG8AdABrAGUAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4ADQAKACAAIAApAA0ACgAgACAADQAKACAAIABpAGYAIAAoACAAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApACkADQAKACAAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARgBpAGwAZQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAANAAoAIAAgAH0ADQAKACAAIAANAAoAIAAgACQAVwBzAGgAUwBoAGUAbABsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAgACAAIAANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0ACAAPQAgACQAVwBzAGgAUwBoAGUAbABsAC4AQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0ACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAJABTAGgAbwByAHQAYwB1AHQALgBUAGEAcgBnAGUAdABQAGEAdABoACAAPQAgACQAVABhAHIAZwBlAHQAUABhAHQAaAANAAoAIAAgAGkAZgAoACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAUwBoAG8AcgB0AGMAdQB0AC4ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAPQAgACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAQQByAGcAdQBtAGUAbgB0AHMAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABTAGgAbwByAHQAYwB1AHQALgBBAHIAZwB1AG0AZQBuAHQAcwAgAD0AIAAkAEEAcgBnAHUAbQBlAG4AdABzACAAfQANAAoAIAAgAGkAZgAoACQASQBjAG8AbgBMAG8AYwBhAHQAaQBvAG4AIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAgAD0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQAgAHsAIAAkAHMAaABvAHIAdABjAHUAdAAuAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAA9ACAAJABXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAfQANAAoAIAAgAGkAZgAoACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAcwBoAG8AcgB0AGMAdQB0AC4AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAPQAgACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAAfQANAAoAIAAgAGkAZgAoACQASABvAHQAawBlAHkAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBIAG8AdABrAGUAeQAgAD0AIAAkAEgAbwB0AGsAZQB5ACAAfQANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0AC4AUwBhAHYAZQAoACkADQAKAA0ACgAgACAAaQBmACAAKAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4AIAAtAGUAcQAgACcAcgB1AG4AQQBzAEEAZABtAGkAbgAnACkADQAKACAAIAB7AA0ACgAgACAAIAAgACQAYgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAIAAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAAPQAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAALQBiAG8AcgAgADAAeAAyADAAIAAjAHMAZQB0ACAAYgB5AHQAZQAgADIAMQAgACgAMAB4ADEANQApACAAYgBpAHQAIAA2ACAAKAAwAHgAMgAwACkAIABPAE4AIAANAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAsACAAJABiAHkAdABlAHMAKQANAAoAIAAgAH0ADQAKAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -encodedcommand DQAKACAAIABwAGEAcgBhAG0AIAAoAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABUAGEAcgBnAGUAdABQAGEAdABoACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABEAGUAcwBjAHIAaQBwAHQAaQBvAG4ALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABBAHIAZwB1AG0AZQBuAHQAcwAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHYAYQBsAGkAZABhAHQAZQBzAGUAdAAoADEALAAzACwANwApAF0AIAAgACAAIAANAAoAIAAgACAAIABbAGkAbgB0AF0AIAAkAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ADEALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABIAG8AdABrAGUAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4ADQAKACAAIAApAA0ACgAgACAADQAKACAAIABpAGYAIAAoACAAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApACkADQAKACAAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARgBpAGwAZQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAANAAoAIAAgAH0ADQAKACAAIAANAAoAIAAgACQAVwBzAGgAUwBoAGUAbABsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAgACAAIAANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0ACAAPQAgACQAVwBzAGgAUwBoAGUAbABsAC4AQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0ACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAJABTAGgAbwByAHQAYwB1AHQALgBUAGEAcgBnAGUAdABQAGEAdABoACAAPQAgACQAVABhAHIAZwBlAHQAUABhAHQAaAANAAoAIAAgAGkAZgAoACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAUwBoAG8AcgB0AGMAdQB0AC4ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAPQAgACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAQQByAGcAdQBtAGUAbgB0AHMAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABTAGgAbwByAHQAYwB1AHQALgBBAHIAZwB1AG0AZQBuAHQAcwAgAD0AIAAkAEEAcgBnAHUAbQBlAG4AdABzACAAfQANAAoAIAAgAGkAZgAoACQASQBjAG8AbgBMAG8AYwBhAHQAaQBvAG4AIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAgAD0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQAgAHsAIAAkAHMAaABvAHIAdABjAHUAdAAuAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAA9ACAAJABXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAfQANAAoAIAAgAGkAZgAoACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAcwBoAG8AcgB0AGMAdQB0AC4AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAPQAgACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAAfQANAAoAIAAgAGkAZgAoACQASABvAHQAawBlAHkAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBIAG8AdABrAGUAeQAgAD0AIAAkAEgAbwB0AGsAZQB5ACAAfQANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0AC4AUwBhAHYAZQAoACkADQAKAA0ACgAgACAAaQBmACAAKAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4AIAAtAGUAcQAgACcAcgB1AG4AQQBzAEEAZABtAGkAbgAnACkADQAKACAAIAB7AA0ACgAgACAAIAAgACQAYgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAIAAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAAPQAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAALQBiAG8AcgAgADAAeAAyADAAIAAjAHMAZQB0ACAAYgB5AHQAZQAgADIAMQAgACgAMAB4ADEANQApACAAYgBpAHQAIAA2ACAAKAAwAHgAMgAwACkAIABPAE4AIAANAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAsACAAJABiAHkAdABlAHMAKQANAAoAIAAgAH0ADQAKAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -command "'Webex.exe', 'C:\Users\Admin\Desktop\Webex.lnk', 'Webex', 'none', 'C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\AI_STUBS\Webex.1.ico', 'C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\', 1, 'none', 'none'" | "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -encodedcommand DQAKACAAIABwAGEAcgBhAG0AIAAoAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABUAGEAcgBnAGUAdABQAGEAdABoACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABEAGUAcwBjAHIAaQBwAHQAaQBvAG4ALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABBAHIAZwB1AG0AZQBuAHQAcwAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHYAYQBsAGkAZABhAHQAZQBzAGUAdAAoADEALAAzACwANwApAF0AIAAgACAAIAANAAoAIAAgACAAIABbAGkAbgB0AF0AIAAkAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ADEALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABIAG8AdABrAGUAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4ADQAKACAAIAApAA0ACgAgACAADQAKACAAIABpAGYAIAAoACAAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApACkADQAKACAAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARgBpAGwAZQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAANAAoAIAAgAH0ADQAKACAAIAANAAoAIAAgACQAVwBzAGgAUwBoAGUAbABsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAgACAAIAANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0ACAAPQAgACQAVwBzAGgAUwBoAGUAbABsAC4AQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0ACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAJABTAGgAbwByAHQAYwB1AHQALgBUAGEAcgBnAGUAdABQAGEAdABoACAAPQAgACQAVABhAHIAZwBlAHQAUABhAHQAaAANAAoAIAAgAGkAZgAoACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAUwBoAG8AcgB0AGMAdQB0AC4ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAPQAgACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAQQByAGcAdQBtAGUAbgB0AHMAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABTAGgAbwByAHQAYwB1AHQALgBBAHIAZwB1AG0AZQBuAHQAcwAgAD0AIAAkAEEAcgBnAHUAbQBlAG4AdABzACAAfQANAAoAIAAgAGkAZgAoACQASQBjAG8AbgBMAG8AYwBhAHQAaQBvAG4AIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAgAD0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQAgAHsAIAAkAHMAaABvAHIAdABjAHUAdAAuAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAA9ACAAJABXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAfQANAAoAIAAgAGkAZgAoACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAcwBoAG8AcgB0AGMAdQB0AC4AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAPQAgACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAAfQANAAoAIAAgAGkAZgAoACQASABvAHQAawBlAHkAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBIAG8AdABrAGUAeQAgAD0AIAAkAEgAbwB0AGsAZQB5ACAAfQANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0AC4AUwBhAHYAZQAoACkADQAKAA0ACgAgACAAaQBmACAAKAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4AIAAtAGUAcQAgACcAcgB1AG4AQQBzAEEAZABtAGkAbgAnACkADQAKACAAIAB7AA0ACgAgACAAIAAgACQAYgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAIAAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAAPQAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAALQBiAG8AcgAgADAAeAAyADAAIAAjAHMAZQB0ACAAYgB5AHQAZQAgADIAMQAgACgAMAB4ADEANQApACAAYgBpAHQAIAA2ACAAKAAwAHgAMgAwACkAIABPAE4AIAANAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAsACAAJABiAHkAdABlAHMAKQANAAoAIAAgAH0ADQAKAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -encodedcommand DQAKACAAIABwAGEAcgBhAG0AIAAoAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABUAGEAcgBnAGUAdABQAGEAdABoACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABEAGUAcwBjAHIAaQBwAHQAaQBvAG4ALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABBAHIAZwB1AG0AZQBuAHQAcwAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHYAYQBsAGkAZABhAHQAZQBzAGUAdAAoADEALAAzACwANwApAF0AIAAgACAAIAANAAoAIAAgACAAIABbAGkAbgB0AF0AIAAkAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ADEALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABIAG8AdABrAGUAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4ADQAKACAAIAApAA0ACgAgACAADQAKACAAIABpAGYAIAAoACAAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApACkADQAKACAAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARgBpAGwAZQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAANAAoAIAAgAH0ADQAKACAAIAANAAoAIAAgACQAVwBzAGgAUwBoAGUAbABsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAgACAAIAANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0ACAAPQAgACQAVwBzAGgAUwBoAGUAbABsAC4AQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0ACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAJABTAGgAbwByAHQAYwB1AHQALgBUAGEAcgBnAGUAdABQAGEAdABoACAAPQAgACQAVABhAHIAZwBlAHQAUABhAHQAaAANAAoAIAAgAGkAZgAoACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAUwBoAG8AcgB0AGMAdQB0AC4ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAPQAgACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAQQByAGcAdQBtAGUAbgB0AHMAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABTAGgAbwByAHQAYwB1AHQALgBBAHIAZwB1AG0AZQBuAHQAcwAgAD0AIAAkAEEAcgBnAHUAbQBlAG4AdABzACAAfQANAAoAIAAgAGkAZgAoACQASQBjAG8AbgBMAG8AYwBhAHQAaQBvAG4AIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAgAD0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQAgAHsAIAAkAHMAaABvAHIAdABjAHUAdAAuAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAA9ACAAJABXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAfQANAAoAIAAgAGkAZgAoACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAcwBoAG8AcgB0AGMAdQB0AC4AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAPQAgACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAAfQANAAoAIAAgAGkAZgAoACQASABvAHQAawBlAHkAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBIAG8AdABrAGUAeQAgAD0AIAAkAEgAbwB0AGsAZQB5ACAAfQANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0AC4AUwBhAHYAZQAoACkADQAKAA0ACgAgACAAaQBmACAAKAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4AIAAtAGUAcQAgACcAcgB1AG4AQQBzAEEAZABtAGkAbgAnACkADQAKACAAIAB7AA0ACgAgACAAIAAgACQAYgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAIAAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAAPQAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAALQBiAG8AcgAgADAAeAAyADAAIAAjAHMAZQB0ACAAYgB5AHQAZQAgADIAMQAgACgAMAB4ADEANQApACAAYgBpAHQAIAA2ACAAKAAwAHgAMgAwACkAIABPAE4AIAANAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAsACAAJABiAHkAdABlAHMAKQANAAoAIAAgAH0ADQAKAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file 'C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\NEW_User0_v2.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\NEW_User0_v2.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\z.dll vcab /k chitos7685
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3592
- C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\Webex.exe
  "Webex.exe"
  2⤵
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\b713960b-5d13-4ad4-8842-f9e8f954d1d4.msi" /quiet /norestart
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe
    "C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe" /protocolUri="webex:///"
    3⤵
    - Executes dropped EXE
    PID:4204
- C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\PsfRunDll32.exe
  PsfRunDll32.exe "C:\Program Files\WindowsApps\CiscoSystems.Webex_2.10.1.26171_x64__cvpb331a1f8hw\PsfRuntime32.dll",#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2560 -s 3688
  2⤵
  - Program crash
  PID:1908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2560 -ip 2560
1⤵
PID:2928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57646AB80C74BF602C497B96DE415804
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\system32\\taskkill.exe" /F /IM CiscoCollabHost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 38136A8F6C9AAABF5C686BE447F0264F
  2⤵
  PID:252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3848 -s 3584
  2⤵
  - Program crash
  PID:2316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3848 -ip 3848
1⤵
PID:1364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4468 -s 4020
  2⤵
  - Program crash
  PID:2492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4468 -ip 4468
1⤵
PID:2104

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2228 -s 3632
  2⤵
  - Program crash
  PID:1452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 2228 -ip 2228
1⤵
PID:3472

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3936
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3936 -s 3652
  2⤵
  - Program crash
  PID:4840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3936 -ip 3936
1⤵
PID:1964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59148b.rbs

Filesize
24KB

MD5
b21d5e51205af4a39369f16d7d1e2c86

SHA1
fed74d24da2438d4c67157f7305d36baf4329da3

SHA256
cdc5dcd6e7ed4fe12470782cb8709174f4e58bebb21bfc96f468c588af014feb

SHA512
9cd39a9ac6b26859f18599776860cffe6322b8c93be323bc6e4b72bb068ab6c82edd34d27b801131bfa554acba75ee418bc117160aafbe32db0f2140bb76f0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
129ef357da7b93fdeafe9ebb2d3d04cf

SHA1
35a1c59f03e598f7ce079c946cec86f06f59282a

SHA256
99bc7316becf6734e49ebabd025829dda16b7ce80431661cba1312bd4ebab594

SHA512
46e60e2889eb342bee3b418d58c985f69a566681c949042c30ec27da05b49b81c9b4cade8a93aadc4b6f292f5fb61b1ab29e18a0962ccc5f5522e6e9599a198a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b856bda56945fa7252034b16c0189f0

SHA1
df2d4ff8394cc57a8c399bfb5602679bfdcde06b

SHA256
ffc29461bd43b0ffffa1c06c260f5089cce205cab26a1a1032b924272b718205

SHA512
8843b6d91163d345e2aded8143d941388852ed3d4aa39ced89a3cf8a50bb908681624a7008c0b82359736cc3222f7908a1c34442028491921d243c0581aeb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b856bda56945fa7252034b16c0189f0

SHA1
df2d4ff8394cc57a8c399bfb5602679bfdcde06b

SHA256
ffc29461bd43b0ffffa1c06c260f5089cce205cab26a1a1032b924272b718205

SHA512
8843b6d91163d345e2aded8143d941388852ed3d4aa39ced89a3cf8a50bb908681624a7008c0b82359736cc3222f7908a1c34442028491921d243c0581aeb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb4744b1d925faeb8aa7ec3dd64eb9cf

SHA1
2a3a1758d5c4b6425409aab57658fa06a9895943

SHA256
8b19206f34a4bd4c2c66c35d835f81508576c9be41ec129a1f76c5415a0458de

SHA512
c8dc5880cc1abef16d8edc6b61ebd0bf20e8932772f39da5ff6c27668ddd6b719d5231eb17d590fca5a2cfc57f3556241a5c7c9d6d08539a5a7bced565fad317

Download Submit
C:\Users\Admin\AppData\Local\Packages\CiscoSystems.Webex_cvpb331a1f8hw\LocalCache\Roaming\z.dll

Filesize
735.1MB

MD5
d5db1b691664306a4e510ad939ce3f48

SHA1
6b370aa5282498d19a378b31150540e8b57dd604

SHA256
fe6a666303df10860251ab5da5cfd98ccaa422ecbe8f16012faf39904477fbad

SHA512
9c1575c9be463ccc5f5c3dd3c6c702b498ef6242167381a14008b4e6e50b7ada7f2bfd6561782e420c4902c1c7ed44360a41736590b61a78cc097b233b2ac3a7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel

Filesize
36KB

MD5
fb5f8866e1f4c9c1c7f4d377934ff4b2

SHA1
d0a329e387fb7bcba205364938417a67dbb4118a

SHA256
1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

SHA512
0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133358334624140516.txt

Filesize
77KB

MD5
20ff2383bdcbf1ecd1fca9cf2f9489b5

SHA1
b2a6fd03a170e6dd106fbb69287875d2639c1124

SHA256
cb2ca7e54a0b91b7d72c388f87a8777fab4acffd63c9f4455c9e6aba63418b13

SHA512
f7498488b2e358e236f73e5583e3a630f6f6e776c8ee3f067ed066b611eb139a6423a1b35659875aaa1eba1542f54bb568720c23375bc95d722de75d4120c737

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe

Filesize
119KB

MD5
ea3da79a7be71fbaaa0680f5292db62c

SHA1
3168c6dd524eb78d2f0539b9f5c760b53a30a6e3

SHA256
6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728

SHA512
36e360dc06be6e629eacb4b3c2c7105f41c782dde10c078c9f3becf2a8372bfacf54cc6ede0138f71ffbba2da9c0bd9ec875f185fffb77df4f7a9d38391190dc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe

Filesize
119KB

MD5
ea3da79a7be71fbaaa0680f5292db62c

SHA1
3168c6dd524eb78d2f0539b9f5c760b53a30a6e3

SHA256
6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728

SHA512
36e360dc06be6e629eacb4b3c2c7105f41c782dde10c078c9f3becf2a8372bfacf54cc6ede0138f71ffbba2da9c0bd9ec875f185fffb77df4f7a9d38391190dc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe

Filesize
119KB

MD5
ea3da79a7be71fbaaa0680f5292db62c

SHA1
3168c6dd524eb78d2f0539b9f5c760b53a30a6e3

SHA256
6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728

SHA512
36e360dc06be6e629eacb4b3c2c7105f41c782dde10c078c9f3becf2a8372bfacf54cc6ede0138f71ffbba2da9c0bd9ec875f185fffb77df4f7a9d38391190dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_23sn4uae.nqu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b713960b-5d13-4ad4-8842-f9e8f954d1d4.msi

Filesize
1.0MB

MD5
c126a5201963cf587a95196a89d3342b

SHA1
d4b68fc3f98b4a27a516c0ffb9a2fb1211f07954

SHA256
639f1ef70a46400a9fcb3894c9414448a728f18fe588acb51d2066e15153bf2c

SHA512
5d040c205253dcd7119aa532e5e7cf3f16dcabcb9a9b1ea30868e209693b24f2ab4d10055f304ff7d3fc7d5eaa0f1fc8f71fc838606c662d24316db86a526336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Webex\Webex.lnk

Filesize
2KB

MD5
539a04c4f13892b1b9699816c0b8291a

SHA1
7231cc6ea1c623c0d4b11f9a021358d25384aca2

SHA256
10fcfde8227d8d7057c305a7dd8e6b85e00aedd8d5a97391fcfff9fcab808e6e

SHA512
1ef00e463dcf581cc8501433cf566ec28db231ab55428fae9f33265ff658bd4f3c978c2ccf7a210f05e64c1d6477607c0fac6fea6dff58483762053ab9e7ba83

Download Submit
C:\Users\Admin\AppData\Roaming\z.dll

Filesize
735.1MB

MD5
d5db1b691664306a4e510ad939ce3f48

SHA1
6b370aa5282498d19a378b31150540e8b57dd604

SHA256
fe6a666303df10860251ab5da5cfd98ccaa422ecbe8f16012faf39904477fbad

SHA512
9c1575c9be463ccc5f5c3dd3c6c702b498ef6242167381a14008b4e6e50b7ada7f2bfd6561782e420c4902c1c7ed44360a41736590b61a78cc097b233b2ac3a7

Download Submit
C:\Users\Admin\Desktop\Webex.lnk

Filesize
1KB

MD5
b1e42cc7fb2928206346b1d37971a332

SHA1
ee96330d9fdb4185a4531763c6d23496adf41238

SHA256
b9fa3a7217b000b9338291469937ed7e59f6ab18d1fd025b5cb37ce790c2624d

SHA512
ffe2dd398487e3b24291d23fb4bbedc73bce5077cf5efe9301d2070fc1f21c60cde6b4db729a6771afb9afbd426051f9bcfd79ef7ed8b6b859548406cbd0020f

Download Submit
C:\Windows\Installer\MSI1CA6.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI1CA6.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI2C09.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI2C09.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\e591488.msi

Filesize
1.0MB

MD5
c126a5201963cf587a95196a89d3342b

SHA1
d4b68fc3f98b4a27a516c0ffb9a2fb1211f07954

SHA256
639f1ef70a46400a9fcb3894c9414448a728f18fe588acb51d2066e15153bf2c

SHA512
5d040c205253dcd7119aa532e5e7cf3f16dcabcb9a9b1ea30868e209693b24f2ab4d10055f304ff7d3fc7d5eaa0f1fc8f71fc838606c662d24316db86a526336

Download Submit
memory/828-211-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/828-193-0x000001A5C29E0000-0x000001A5C29F0000-memory.dmp

Filesize
64KB

Download
memory/828-182-0x000001A5C29E0000-0x000001A5C29F0000-memory.dmp

Filesize
64KB

Download
memory/828-180-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/828-181-0x000001A5C29E0000-0x000001A5C29F0000-memory.dmp

Filesize
64KB

Download
memory/2228-924-0x0000015B593F0000-0x0000015B59410000-memory.dmp

Filesize
128KB

Download
memory/2228-922-0x0000015B58F50000-0x0000015B58F70000-memory.dmp

Filesize
128KB

Download
memory/2228-920-0x0000015B58F90000-0x0000015B58FB0000-memory.dmp

Filesize
128KB

Download
memory/2560-272-0x0000025A852E0000-0x0000025A85300000-memory.dmp

Filesize
128KB

Download
memory/2560-276-0x0000025A858E0000-0x0000025A85900000-memory.dmp

Filesize
128KB

Download
memory/2560-274-0x0000025A852C0000-0x0000025A852E0000-memory.dmp

Filesize
128KB

Download
memory/2592-235-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/2592-245-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/2592-239-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/2592-236-0x00000217E7F10000-0x00000217E80D2000-memory.dmp

Filesize
1.8MB

Download
memory/3384-247-0x00007FFD61FC1000-0x00007FFD61FC2000-memory.dmp

Filesize
4KB

Download
memory/3384-248-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3384-265-0x00007FFD61FC1000-0x00007FFD61FC2000-memory.dmp

Filesize
4KB

Download
memory/3592-243-0x000001AD725E0000-0x000001AD725E4000-memory.dmp

Filesize
16KB

Download
memory/3592-246-0x00000004901D0000-0x000000049025A000-memory.dmp

Filesize
552KB

Download
memory/3848-321-0x0000022F09020000-0x0000022F09040000-memory.dmp

Filesize
128KB

Download
memory/3848-319-0x0000022F09060000-0x0000022F09080000-memory.dmp

Filesize
128KB

Download
memory/3848-323-0x0000022F094C0000-0x0000022F094E0000-memory.dmp

Filesize
128KB

Download
memory/3936-943-0x0000014B27160000-0x0000014B27180000-memory.dmp

Filesize
128KB

Download
memory/3936-941-0x0000014B271A0000-0x0000014B271C0000-memory.dmp

Filesize
128KB

Download
memory/3936-945-0x0000014B27580000-0x0000014B275A0000-memory.dmp

Filesize
128KB

Download
memory/4148-259-0x000000006DDD0000-0x000000006DDE0000-memory.dmp

Filesize
64KB

Download
memory/4148-1172-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-263-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-291-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-262-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-261-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-260-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-1255-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-1254-0x000000006DDD0000-0x000000006DDE0000-memory.dmp

Filesize
64KB

Download
memory/4148-360-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-955-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-288-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4148-676-0x0000000000800000-0x0000000000BF4000-memory.dmp

Filesize
4.0MB

Download
memory/4336-173-0x00000145B0420000-0x00000145B0430000-memory.dmp

Filesize
64KB

Download
memory/4336-176-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/4336-163-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/4468-829-0x000002939C5A0000-0x000002939C5C0000-memory.dmp

Filesize
128KB

Download
memory/4468-767-0x000002939C190000-0x000002939C1B0000-memory.dmp

Filesize
128KB

Download
memory/4468-664-0x000002939C1D0000-0x000002939C1F0000-memory.dmp

Filesize
128KB

Download
memory/4692-214-0x00007FFD22B20000-0x00007FFD22B30000-memory.dmp

Filesize
64KB

Download
memory/4692-212-0x00007FF647AE0000-0x00007FF647AF0000-memory.dmp

Filesize
64KB

Download
memory/4692-1257-0x00007FFD62B20000-0x00007FFD62BDE000-memory.dmp

Filesize
760KB

Download
memory/4692-1256-0x00007FF647AE0000-0x00007FF647AF0000-memory.dmp

Filesize
64KB

Download
memory/4692-237-0x00007FFD62B20000-0x00007FFD62BDE000-memory.dmp

Filesize
760KB

Download
memory/4692-213-0x00007FFD62B20000-0x00007FFD62BDE000-memory.dmp

Filesize
760KB

Download
memory/4708-145-0x000001B3EE780000-0x000001B3EE790000-memory.dmp

Filesize
64KB

Download
memory/4708-144-0x000001B3EE780000-0x000001B3EE790000-memory.dmp

Filesize
64KB

Download
memory/4708-148-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/4708-146-0x000001B3EE780000-0x000001B3EE790000-memory.dmp

Filesize
64KB

Download
memory/4708-142-0x000001B3EF5F0000-0x000001B3EF612000-memory.dmp

Filesize
136KB

Download
memory/4708-143-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/4776-162-0x000001C444280000-0x000001C444290000-memory.dmp

Filesize
64KB

Download
memory/4776-151-0x000001C444280000-0x000001C444290000-memory.dmp

Filesize
64KB

Download
memory/4776-150-0x000001C444280000-0x000001C444290000-memory.dmp

Filesize
64KB

Download
memory/4776-149-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/4776-179-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/4996-201-0x000001CED3750000-0x000001CED3760000-memory.dmp

Filesize
64KB

Download
memory/4996-200-0x000001CED3750000-0x000001CED3760000-memory.dmp

Filesize
64KB

Download
memory/4996-194-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/4996-208-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/5112-238-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/5112-255-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download
memory/5112-224-0x00007FFD458D0000-0x00007FFD46391000-memory.dmp

Filesize
10.8MB

Download