3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4

Analysis

max time kernel
1810s
max time network
1607s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
29-03-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner100.exe
Size

2.7MB
MD5

eae2347aaed97da4f802c0b32689f4eb
SHA1

a7a83d1ff7ec22d74d8415b95b3d57f1323699ce
SHA256

3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4
SHA512

65f3411a7e80ec6d1dfea40d644ca621f4de929d17e58a54e43030b58662fedba11f000928049b4d3d7ae6ec38003d62dd8109c330ceba588be96f598b35d7cd
SSDEEP

49152:+Ev7yMxM0ZzUjqhWBkZFOj3nscD6gLRZdjM0PcuzQ3zAlkVKd:+EvWMxHUjqPPOjXsngLjdjBPz+3

Score

10^/10

evasion persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1644 created 3636	1644	svchost.exe	119
PID 1644 created 4992	1644	svchost.exe	121

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2188	tiucgvijebnv.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V0100001.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	miner100.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V0100001.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4996 set thread context of 4260	4996	miner100.exe	92

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	DllHost.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2900507189.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4268	sc.exe
1248	sc.exe
3692	sc.exe
1536	sc.exe
4612	sc.exe
860	sc.exe
4920	sc.exe
3772	sc.exe
1748	sc.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 29 Mar 2024 02:06:03 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1711677961"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={64F16656-E991-4235-B882-BEA71EF42A34}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133529782112836936"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80703004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000008665c09c7d81da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80703004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000eae13a9c7d81da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80702004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000009d75ec5ea164da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4996	miner100.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4260	dialer.exe
4260	dialer.exe
4996	miner100.exe
4996	miner100.exe
4996	miner100.exe
4260	dialer.exe
4260	dialer.exe
2188	tiucgvijebnv.exe
4596	powershell.exe
4596	powershell.exe
4260	dialer.exe
4260	dialer.exe
1644	svchost.exe
1644	svchost.exe
4596	powershell.exe
4260	dialer.exe
4260	dialer.exe
4596	powershell.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4596	powershell.exe
4596	powershell.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeIncreaseQuotaPrivilege	1504	powershell.exe
Token: SeSecurityPrivilege	1504	powershell.exe
Token: SeTakeOwnershipPrivilege	1504	powershell.exe
Token: SeLoadDriverPrivilege	1504	powershell.exe
Token: SeSystemProfilePrivilege	1504	powershell.exe
Token: SeSystemtimePrivilege	1504	powershell.exe
Token: SeProfSingleProcessPrivilege	1504	powershell.exe
Token: SeIncBasePriorityPrivilege	1504	powershell.exe
Token: SeCreatePagefilePrivilege	1504	powershell.exe
Token: SeBackupPrivilege	1504	powershell.exe
Token: SeRestorePrivilege	1504	powershell.exe
Token: SeShutdownPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeSystemEnvironmentPrivilege	1504	powershell.exe
Token: SeRemoteShutdownPrivilege	1504	powershell.exe
Token: SeUndockPrivilege	1504	powershell.exe
Token: SeManageVolumePrivilege	1504	powershell.exe
Token: 33	1504	powershell.exe
Token: 34	1504	powershell.exe
Token: 35	1504	powershell.exe
Token: 36	1504	powershell.exe
Token: SeDebugPrivilege	4996	miner100.exe
Token: SeShutdownPrivilege	3404	powercfg.exe
Token: SeCreatePagefilePrivilege	3404	powercfg.exe
Token: SeShutdownPrivilege	524	powercfg.exe
Token: SeCreatePagefilePrivilege	524	powercfg.exe
Token: SeShutdownPrivilege	3840	powercfg.exe
Token: SeCreatePagefilePrivilege	3840	powercfg.exe
Token: SeShutdownPrivilege	4904	powercfg.exe
Token: SeCreatePagefilePrivilege	4904	powercfg.exe
Token: SeDebugPrivilege	4260	dialer.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeAuditPrivilege	2304	svchost.exe
Token: SeAuditPrivilege	2304	svchost.exe
Token: SeAuditPrivilege	2088	svchost.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe
Token: SeTakeOwnershipPrivilege	3948	RuntimeBroker.exe
Token: SeRestorePrivilege	3948	RuntimeBroker.exe
Token: SeShutdownPrivilege	660	explorer.exe
Token: SeCreatePagefilePrivilege	660	explorer.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
1004	dwm.exe
1004	dwm.exe
1004	dwm.exe
1004	dwm.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe
660	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3752	SearchUI.exe
2884	SearchUI.exe
1388	SearchUI.exe
1068	SearchUI.exe
4556	SearchUI.exe
4180	SearchUI.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3948	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 660	4940	cmd.exe	81
PID 4940 wrote to memory of 660	4940	cmd.exe	81
PID 4996 wrote to memory of 4260	4996	miner100.exe	92
PID 4996 wrote to memory of 4260	4996	miner100.exe	92
PID 4996 wrote to memory of 4260	4996	miner100.exe	92
PID 4996 wrote to memory of 4260	4996	miner100.exe	92
PID 4996 wrote to memory of 4260	4996	miner100.exe	92
PID 4996 wrote to memory of 4260	4996	miner100.exe	92
PID 4996 wrote to memory of 4260	4996	miner100.exe	92
PID 4260 wrote to memory of 596	4260	dialer.exe	5
PID 4260 wrote to memory of 652	4260	dialer.exe	7
PID 652 wrote to memory of 2564	652	lsass.exe	44
PID 4260 wrote to memory of 736	4260	dialer.exe	8
PID 652 wrote to memory of 2564	652	lsass.exe	44
PID 4260 wrote to memory of 908	4260	dialer.exe	13
PID 4260 wrote to memory of 1004	4260	dialer.exe	14
PID 4260 wrote to memory of 408	4260	dialer.exe	15
PID 4260 wrote to memory of 508	4260	dialer.exe	16
PID 4260 wrote to memory of 1036	4260	dialer.exe	17
PID 4260 wrote to memory of 1072	4260	dialer.exe	19
PID 4260 wrote to memory of 1080	4260	dialer.exe	20
PID 4260 wrote to memory of 1216	4260	dialer.exe	21
PID 4260 wrote to memory of 1232	4260	dialer.exe	22
PID 4260 wrote to memory of 1304	4260	dialer.exe	23
PID 4260 wrote to memory of 1360	4260	dialer.exe	24
PID 4260 wrote to memory of 1376	4260	dialer.exe	25
PID 4260 wrote to memory of 1392	4260	dialer.exe	26
PID 4260 wrote to memory of 1524	4260	dialer.exe	27
PID 4260 wrote to memory of 1548	4260	dialer.exe	28
PID 4260 wrote to memory of 1612	4260	dialer.exe	29
PID 4260 wrote to memory of 1620	4260	dialer.exe	30
PID 4260 wrote to memory of 1672	4260	dialer.exe	31
PID 4260 wrote to memory of 1724	4260	dialer.exe	32
PID 4260 wrote to memory of 1792	4260	dialer.exe	33
PID 4260 wrote to memory of 1808	4260	dialer.exe	34
PID 4260 wrote to memory of 1916	4260	dialer.exe	35
PID 4260 wrote to memory of 1956	4260	dialer.exe	36
PID 4260 wrote to memory of 1428	4260	dialer.exe	37
PID 4260 wrote to memory of 1660	4260	dialer.exe	38
PID 4260 wrote to memory of 2088	4260	dialer.exe	39
PID 4260 wrote to memory of 2260	4260	dialer.exe	40
PID 4260 wrote to memory of 2268	4260	dialer.exe	41
PID 4260 wrote to memory of 2304	4260	dialer.exe	42
PID 4260 wrote to memory of 2532	4260	dialer.exe	43
PID 4260 wrote to memory of 2564	4260	dialer.exe	44
PID 4260 wrote to memory of 2572	4260	dialer.exe	45
PID 4260 wrote to memory of 2596	4260	dialer.exe	46
PID 4260 wrote to memory of 2608	4260	dialer.exe	47
PID 4260 wrote to memory of 2616	4260	dialer.exe	48
PID 4260 wrote to memory of 2748	4260	dialer.exe	49
PID 4260 wrote to memory of 3116	4260	dialer.exe	50
PID 4260 wrote to memory of 3124	4260	dialer.exe	51
PID 4260 wrote to memory of 3156	4260	dialer.exe	52
PID 4260 wrote to memory of 3244	4260	dialer.exe	53
PID 4260 wrote to memory of 3372	4260	dialer.exe	54
PID 4260 wrote to memory of 3948	4260	dialer.exe	57
PID 4260 wrote to memory of 2312	4260	dialer.exe	59
PID 652 wrote to memory of 2564	652	lsass.exe	44
PID 4260 wrote to memory of 4692	4260	dialer.exe	60
PID 4260 wrote to memory of 4104	4260	dialer.exe	62
PID 4260 wrote to memory of 2644	4260	dialer.exe	63
PID 4260 wrote to memory of 2040	4260	dialer.exe	64
PID 652 wrote to memory of 2564	652	lsass.exe	44
PID 4260 wrote to memory of 4384	4260	dialer.exe	65

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1004
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:660

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1072
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1392
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:3124

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1956

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:1660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2572

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2616

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3116

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3244

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\miner100.exe
  "C:\Users\Admin\AppData\Local\Temp\miner100.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:660
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3772
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1748
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3692
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4268
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4260
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OPAGMGUY"
    3⤵
    - Launches sc.exe
    PID:4612
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "OPAGMGUY" binpath= "C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1248
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4920
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "OPAGMGUY"
    3⤵
    - Launches sc.exe
    PID:860
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:920
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3372 -s 7544
  2⤵
  PID:3876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2312
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2312 -s 872
  2⤵
  PID:5080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4104

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4384

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4344

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:2068

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:5064
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5064 -s 864
  2⤵
  PID:2880

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4540

C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe
C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2188
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4672

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Windows\System32\mobsync.exe
C:\Windows\System32\mobsync.exe -Embedding
1⤵
PID:928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:3636
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3636 -s 612
  2⤵
  PID:2492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4992
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4992 -s 596
  2⤵
  PID:372

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_d933544bb1849471d20420de9b7ea63ee0261f_41822faa_cab_017c365d\WER20A4.tmp.appcompat.txt

Filesize
6KB

MD5
f46275f9c0b7d57378a712b3b5213b0c

SHA1
deabdaf020ce95f5f0edec43711719873975b44a

SHA256
523bbacd7e59ce4231693d2e486f2c2f551265328c7c8f2b178d3c5a7d2a20ae

SHA512
9747d174735fcbbfa8e1957f9b0760db7ffeb563b27e565db4fe54ad74bb83409b3ba5adce5a022fbe0a5b7d17b8ddc9eed231117fd6316e675082e354e7cf54

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C51.tmp.txt

Filesize
12KB

MD5
f29d95f77d90ee8c378bf411ba23ac81

SHA1
e94b487aea09ea14b8a68cef9927041571614b25

SHA256
d1bbe6651be3ea9988e2b6fa3e3b4ec9efc8bc208b474096d33a38c9765ba59c

SHA512
b37626068d500b62b0a616119c6135d4e18711bdef90e2404d85b5e76c0f7837b6fe5f65c458915deffe815f9d8fa11d61d0a22a318a1926427f9ed9c37b3ace

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AD7.tmp.csv

Filesize
32KB

MD5
e4689bfe4916d92ff8604d5f0c1ee738

SHA1
cd85cd9a04861e4c777bab22c05013f46763ee94

SHA256
c6432e3532b77d24eca5a3b60f0b0a92fbba37d36a622c31a012f3b320032914

SHA512
34b4d35202a611af662342471b0287f8e5f9211813710f56fea65b4fbf437f1f2b01012ec5efd2ed4746e655830507479b02d3f936f62e89e8417b5b2ca924ad

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B07.tmp.txt

Filesize
12KB

MD5
3068fd65fda07b4c3eb59a400a3381f5

SHA1
0831eaa68533b09bb4a7630be71eaa39e9e7a1e5

SHA256
32ccf947c50fa55d71e2afaa18d3f5afb3ee3eaa750261698c3b37176e5b3bb1

SHA512
f5d29dd358efc6d485e37380f0d840306f29b01446c2b5d208a37b1b579de5d1a8239ebe1d1f19f9b17ba7db27f3b868badb1e935c3c3e7f720eb62dc2348172

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA326.tmp.csv

Filesize
32KB

MD5
7a3ac8cd653a0eb7a62a0424eed8bbfa

SHA1
85a7d4afd415accd5b84c0cfe95b820f595abd09

SHA256
b9204aa310d0880ae1c220429b1aa5c6e5ee80a65d0f586abb86f63aa99bd2f9

SHA512
33f42d46b04b8e9a3214421843b3c85eb89343a78d5083d755907574ea6e7f224d67fee8c3c1cac92f46ad7d2c2c5928fe2a1040cbd8beff761cfd70069b1f4d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA346.tmp.txt

Filesize
12KB

MD5
1f54c57910bfcceafdfbfb4b98615ebb

SHA1
481ab720e57856d79eff592a87480973da917ca7

SHA256
2cb397c549ebae77557c2318f8ea2d4b65f47545f05779b3c6c7cea4b0ca232b

SHA512
a1f237cabac26f22677f79628100527f1e45b070bba739fb3c785f005111c6a863e820ac4589b71cfd40b35b2cc60d0bfdc197c75db59d2774db657972375d86

Download Submit
C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe

Filesize
2.7MB

MD5
eae2347aaed97da4f802c0b32689f4eb

SHA1
a7a83d1ff7ec22d74d8415b95b3d57f1323699ce

SHA256
3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4

SHA512
65f3411a7e80ec6d1dfea40d644ca621f4de929d17e58a54e43030b58662fedba11f000928049b4d3d7ae6ec38003d62dd8109c330ceba588be96f598b35d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxc2gtzz.go3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
25.5MB

MD5
e7aa528e40620327d0dc8af47e48367e

SHA1
80101f279e202c554fea06681e0ad3524a1f577b

SHA256
86392c025bcfd87a171be7e215548bf381a1f56134f185a6f163e633d0a146d8

SHA512
c209583069cb0da5020383dd5c47f86306067e02fe118c478080525783d472cd2800e098f90fc7219c9851ae1e2e969f670ced5dd023628d3057f478aeacee84

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
8265adfc87478d7655277f05271f2557

SHA1
f63ad60ccfc7fea209ca96f180c60bbc4955c053

SHA256
a19e345757cf816d307db61ee78d4c0f3e9aaf1eb4f54be3b6d8f49e21676125

SHA512
77bc468b115523ac089c35a42657328407487cf342a375827cb270bff34a2fc53bb7559438add818079e6b6bfc33509a890f6d4e3e64be6ab20126775589399b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
0882693c87df97d3fe479bbc039c232b

SHA1
82320ead7ae2b4aed747d32173b150904cc7fd82

SHA256
b3a44948eaf6c82d04876da53029e95aebaa6035c5dd78a578b67c17f48d6d0c

SHA512
dc6cd649c7fcd21f0575e1e83c11af6628c50895dcfe43e016547fd65fc30e40c8489f38b23f1261624fa9448c903c9ac43c850c23655ad2934b4607aada3cf1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
3da7f5ddbd174f9f9a05a170b4ee2478

SHA1
48e9871f54b7bfd0e8d82723c517168b302bbfff

SHA256
6dd94ceffc62b89a4ca196ceb711e43c6ffa6951510246792aac4b150470b8c5

SHA512
d2e3b2b5b212bbf63012c667bfed85ad32045765603898567af0d5c0090291afc66d78139afe6601a9e8105b6784dccdbdc52da54b81944cc7fdef5ee34376dc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
25.5MB

MD5
77e280f26d82993cd417c583bf36a7d4

SHA1
4fae7a6e683c21499d45e5df562c5808ae7722d9

SHA256
64897d198377ccbc15de77c25aa5f493ab8a285651f703c60f64fe9646424cd2

SHA512
2d2bf3f687848f2cc487e514241e8115df23b998281cea05427a2f89a582604b8ba2bc4f829ee03dbf27106ea534d5c1682e5611510af57d53e21ee197cb6d27

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
aa134b58055806ea4c4dcadf95a35f08

SHA1
388710d9a5640a51f48c6d7fa1e9ce67a5a776b3

SHA256
be23b358d185ad416c7b6e1e447a45b4fbbcff496f88c6f7e00f93f063ef3ad9

SHA512
c563c512351213859a097325eb48dd28d4763695a5de46e761b67f050b6a8243d8d4aee9b33a6eee7783ec4e93ace5cbed2b68b5d459e9f21855af03567f855e

Download Submit
memory/408-98-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/408-101-0x0000025F248A0000-0x0000025F248CB000-memory.dmp

Filesize
172KB

Download
memory/408-95-0x0000025F248A0000-0x0000025F248CB000-memory.dmp

Filesize
172KB

Download
memory/508-107-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/508-105-0x000001193FF50000-0x000001193FF7B000-memory.dmp

Filesize
172KB

Download
memory/596-70-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/596-64-0x000001B4E0720000-0x000001B4E0744000-memory.dmp

Filesize
144KB

Download
memory/596-69-0x000001B4E0750000-0x000001B4E077B000-memory.dmp

Filesize
172KB

Download
memory/596-73-0x00007FFB2E125000-0x00007FFB2E126000-memory.dmp

Filesize
4KB

Download
memory/652-71-0x00000274BBAC0000-0x00000274BBAEB000-memory.dmp

Filesize
172KB

Download
memory/652-76-0x00000274BBAC0000-0x00000274BBAEB000-memory.dmp

Filesize
172KB

Download
memory/652-75-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/736-81-0x000002D711B30000-0x000002D711B5B000-memory.dmp

Filesize
172KB

Download
memory/736-85-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/908-87-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/908-82-0x0000024F9D3A0000-0x0000024F9D3CB000-memory.dmp

Filesize
172KB

Download
memory/908-109-0x0000024F9D3A0000-0x0000024F9D3CB000-memory.dmp

Filesize
172KB

Download
memory/1004-89-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/1004-86-0x000001FA601A0000-0x000001FA601CB000-memory.dmp

Filesize
172KB

Download
memory/1036-106-0x00000200956D0000-0x00000200956FB000-memory.dmp

Filesize
172KB

Download
memory/1036-112-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/1036-115-0x00000200956D0000-0x00000200956FB000-memory.dmp

Filesize
172KB

Download
memory/1072-111-0x000001D5B38C0000-0x000001D5B38EB000-memory.dmp

Filesize
172KB

Download
memory/1072-120-0x000001D5B38C0000-0x000001D5B38EB000-memory.dmp

Filesize
172KB

Download
memory/1072-117-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/1080-126-0x0000021E253A0000-0x0000021E253CB000-memory.dmp

Filesize
172KB

Download
memory/1080-113-0x0000021E253A0000-0x0000021E253CB000-memory.dmp

Filesize
172KB

Download
memory/1080-119-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/1216-128-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/1216-124-0x000002564CDA0000-0x000002564CDCB000-memory.dmp

Filesize
172KB

Download
memory/1216-131-0x000002564CDA0000-0x000002564CDCB000-memory.dmp

Filesize
172KB

Download
memory/1232-129-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/1232-125-0x000002B781660000-0x000002B78168B000-memory.dmp

Filesize
172KB

Download
memory/1232-136-0x000002B781660000-0x000002B78168B000-memory.dmp

Filesize
172KB

Download
memory/1304-135-0x00007FFAEE110000-0x00007FFAEE120000-memory.dmp

Filesize
64KB

Download
memory/1304-130-0x0000023B6CED0000-0x0000023B6CEFB000-memory.dmp

Filesize
172KB

Download
memory/1304-140-0x0000023B6CED0000-0x0000023B6CEFB000-memory.dmp

Filesize
172KB

Download
memory/1360-144-0x000001850DED0000-0x000001850DEFB000-memory.dmp

Filesize
172KB

Download
memory/1376-149-0x000002873F910000-0x000002873F93B000-memory.dmp

Filesize
172KB

Download
memory/1392-155-0x000001AF33950000-0x000001AF3397B000-memory.dmp

Filesize
172KB

Download
memory/1428-215-0x0000000001C80000-0x0000000001CAB000-memory.dmp

Filesize
172KB

Download
memory/1504-7-0x0000029AD2AB0000-0x0000029AD2B26000-memory.dmp

Filesize
472KB

Download
memory/1504-4-0x0000029ABA3E0000-0x0000029ABA402000-memory.dmp

Filesize
136KB

Download
memory/1504-18-0x00007FFB11530000-0x00007FFB11F1C000-memory.dmp

Filesize
9.9MB

Download
memory/1504-21-0x0000029AD2820000-0x0000029AD2830000-memory.dmp

Filesize
64KB

Download
memory/1504-22-0x0000029AD2820000-0x0000029AD2830000-memory.dmp

Filesize
64KB

Download
memory/1504-50-0x00007FFB11530000-0x00007FFB11F1C000-memory.dmp

Filesize
9.9MB

Download
memory/1504-46-0x0000029AD2820000-0x0000029AD2830000-memory.dmp

Filesize
64KB

Download
memory/1504-23-0x0000029AD2820000-0x0000029AD2830000-memory.dmp

Filesize
64KB

Download
memory/1524-159-0x00000223B34D0000-0x00000223B34FB000-memory.dmp

Filesize
172KB

Download
memory/1548-164-0x0000021051190000-0x00000210511BB000-memory.dmp

Filesize
172KB

Download
memory/1612-169-0x000002A845990000-0x000002A8459BB000-memory.dmp

Filesize
172KB

Download
memory/1620-175-0x00000243C6D30000-0x00000243C6D5B000-memory.dmp

Filesize
172KB

Download
memory/1660-220-0x000001EF70530000-0x000001EF7055B000-memory.dmp

Filesize
172KB

Download
memory/1672-179-0x000001D6F83A0000-0x000001D6F83CB000-memory.dmp

Filesize
172KB

Download
memory/1724-184-0x00000226CEBC0000-0x00000226CEBEB000-memory.dmp

Filesize
172KB

Download
memory/1792-211-0x000001BCB6380000-0x000001BCB63AB000-memory.dmp

Filesize
172KB

Download
memory/1808-190-0x000001E79B360000-0x000001E79B38B000-memory.dmp

Filesize
172KB

Download
memory/1916-194-0x000001F82E7D0000-0x000001F82E7FB000-memory.dmp

Filesize
172KB

Download
memory/1956-198-0x000001A3952F0000-0x000001A39531B000-memory.dmp

Filesize
172KB

Download
memory/2040-318-0x000002A02A0A0000-0x000002A02A0CB000-memory.dmp

Filesize
172KB

Download
memory/2088-225-0x000001FDE8DB0000-0x000001FDE8DDB000-memory.dmp

Filesize
172KB

Download
memory/2260-230-0x0000018A75070000-0x0000018A7509B000-memory.dmp

Filesize
172KB

Download
memory/2268-234-0x00000123019A0000-0x00000123019CB000-memory.dmp

Filesize
172KB

Download
memory/2304-239-0x00000148CA4B0000-0x00000148CA4DB000-memory.dmp

Filesize
172KB

Download
memory/2532-266-0x00000266672A0000-0x00000266672CB000-memory.dmp

Filesize
172KB

Download
memory/2564-244-0x000001B539CB0000-0x000001B539CDB000-memory.dmp

Filesize
172KB

Download
memory/2572-250-0x0000014C08230000-0x0000014C0825B000-memory.dmp

Filesize
172KB

Download
memory/2596-255-0x000002A0C0A80000-0x000002A0C0AAB000-memory.dmp

Filesize
172KB

Download
memory/2608-260-0x000001E0343C0000-0x000001E0343EB000-memory.dmp

Filesize
172KB

Download
memory/2616-264-0x000002697DA20000-0x000002697DA4B000-memory.dmp

Filesize
172KB

Download
memory/2644-314-0x000002D0D49D0000-0x000002D0D49FB000-memory.dmp

Filesize
172KB

Download
memory/2748-322-0x000002670C130000-0x000002670C15B000-memory.dmp

Filesize
172KB

Download
memory/3116-270-0x000002638DE00000-0x000002638DE2B000-memory.dmp

Filesize
172KB

Download
memory/3124-276-0x0000021CA87A0000-0x0000021CA87CB000-memory.dmp

Filesize
172KB

Download
memory/3156-282-0x0000020B3F0F0000-0x0000020B3F11B000-memory.dmp

Filesize
172KB

Download
memory/3244-287-0x00000290D9D90000-0x00000290D9DBB000-memory.dmp

Filesize
172KB

Download
memory/3372-291-0x0000000000CD0000-0x0000000000CFB000-memory.dmp

Filesize
172KB

Download
memory/3372-295-0x00007FFB2E125000-0x00007FFB2E126000-memory.dmp

Filesize
4KB

Download
memory/3948-298-0x000001C0126A0000-0x000001C0126CB000-memory.dmp

Filesize
172KB

Download
memory/4104-309-0x0000022489960000-0x000002248998B000-memory.dmp

Filesize
172KB

Download
memory/4260-54-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4260-56-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4260-53-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4260-320-0x00007FFB2E080000-0x00007FFB2E25B000-memory.dmp

Filesize
1.9MB

Download
memory/4260-52-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4260-51-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4260-57-0x00007FFB2E080000-0x00007FFB2E25B000-memory.dmp

Filesize
1.9MB

Download
memory/4260-59-0x00007FFB2DE40000-0x00007FFB2DEEE000-memory.dmp

Filesize
696KB

Download
memory/4260-61-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4596-97-0x00007FFB11530000-0x00007FFB11F1C000-memory.dmp

Filesize
9.9MB

Download
memory/4596-202-0x0000022743D60000-0x0000022743D70000-memory.dmp

Filesize
64KB

Download
memory/4596-206-0x0000022743D60000-0x0000022743D70000-memory.dmp

Filesize
64KB

Download
memory/4692-305-0x000001FADCDA0000-0x000001FADCDCB000-memory.dmp

Filesize
172KB

Download