3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4

Analysis

max time kernel
1800s
max time network
1793s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
29-03-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner100.exe
Size

2.7MB
MD5

eae2347aaed97da4f802c0b32689f4eb
SHA1

a7a83d1ff7ec22d74d8415b95b3d57f1323699ce
SHA256

3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4
SHA512

65f3411a7e80ec6d1dfea40d644ca621f4de929d17e58a54e43030b58662fedba11f000928049b4d3d7ae6ec38003d62dd8109c330ceba588be96f598b35d7cd
SSDEEP

49152:+Ev7yMxM0ZzUjqhWBkZFOj3nscD6gLRZdjM0PcuzQ3zAlkVKd:+EvWMxHUjqPPOjXsngLjdjBPz+3

Score

10^/10

evasion persistence

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5000 created 1516	5000	WerFault.exe	60
PID 5076 created 1284	5076	WerFault.exe	69

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 5072 created 4456	5072	svchost.exe	123
PID 5072 created 1516	5072	svchost.exe	60
PID 5072 created 1284	5072	svchost.exe	69
PID 5072 created 212	5072	svchost.exe	141
PID 5072 created 1920	5072	svchost.exe	143

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
4484	tiucgvijebnv.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	miner100.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V0100001.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	tiucgvijebnv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3996 set thread context of 4532	3996	miner100.exe	95
PID 4484 set thread context of 540	4484	tiucgvijebnv.exe	132
PID 4484 set thread context of 4236	4484	tiucgvijebnv.exe	136
PID 4484 set thread context of 4572	4484	tiucgvijebnv.exe	137

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3324	sc.exe
2296	sc.exe
2960	sc.exe
2276	sc.exe
4892	sc.exe
1480	sc.exe
3572	sc.exe
1008	sc.exe
4736	sc.exe
4284	sc.exe
4648	sc.exe
2384	sc.exe
4344	sc.exe
2456	sc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 29 Mar 2024 02:08:38 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1711678117"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={46F539E6-9CBE-4B19-8491-3973AEBAFC92}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3996	miner100.exe
2428	powershell.exe
2428	powershell.exe
2428	powershell.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
4532	dialer.exe
4532	dialer.exe
3996	miner100.exe
3996	miner100.exe
3996	miner100.exe
4484	tiucgvijebnv.exe
4532	dialer.exe
4532	dialer.exe
4420	powershell.exe
4420	powershell.exe
4420	powershell.exe
4532	dialer.exe
4532	dialer.exe
5072	svchost.exe
4420	powershell.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4420	powershell.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4420	powershell.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4420	powershell.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe
4532	dialer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeIncreaseQuotaPrivilege	2428	powershell.exe
Token: SeSecurityPrivilege	2428	powershell.exe
Token: SeTakeOwnershipPrivilege	2428	powershell.exe
Token: SeLoadDriverPrivilege	2428	powershell.exe
Token: SeSystemProfilePrivilege	2428	powershell.exe
Token: SeSystemtimePrivilege	2428	powershell.exe
Token: SeProfSingleProcessPrivilege	2428	powershell.exe
Token: SeIncBasePriorityPrivilege	2428	powershell.exe
Token: SeCreatePagefilePrivilege	2428	powershell.exe
Token: SeBackupPrivilege	2428	powershell.exe
Token: SeRestorePrivilege	2428	powershell.exe
Token: SeShutdownPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeSystemEnvironmentPrivilege	2428	powershell.exe
Token: SeRemoteShutdownPrivilege	2428	powershell.exe
Token: SeUndockPrivilege	2428	powershell.exe
Token: SeManageVolumePrivilege	2428	powershell.exe
Token: 33	2428	powershell.exe
Token: 34	2428	powershell.exe
Token: 35	2428	powershell.exe
Token: 36	2428	powershell.exe
Token: SeShutdownPrivilege	4700	powercfg.exe
Token: SeCreatePagefilePrivilege	4700	powercfg.exe
Token: SeDebugPrivilege	3996	miner100.exe
Token: SeShutdownPrivilege	4908	powercfg.exe
Token: SeCreatePagefilePrivilege	4908	powercfg.exe
Token: SeShutdownPrivilege	4180	powercfg.exe
Token: SeCreatePagefilePrivilege	4180	powercfg.exe
Token: SeDebugPrivilege	4532	dialer.exe
Token: SeShutdownPrivilege	3664	powercfg.exe
Token: SeCreatePagefilePrivilege	3664	powercfg.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	4420	powershell.exe
Token: SeIncreaseQuotaPrivilege	4420	powershell.exe
Token: SeSecurityPrivilege	4420	powershell.exe
Token: SeTakeOwnershipPrivilege	4420	powershell.exe
Token: SeLoadDriverPrivilege	4420	powershell.exe
Token: SeSystemtimePrivilege	4420	powershell.exe
Token: SeBackupPrivilege	4420	powershell.exe
Token: SeRestorePrivilege	4420	powershell.exe
Token: SeShutdownPrivilege	4420	powershell.exe
Token: SeSystemEnvironmentPrivilege	4420	powershell.exe
Token: SeUndockPrivilege	4420	powershell.exe
Token: SeManageVolumePrivilege	4420	powershell.exe
Token: SeDebugPrivilege	1256	WerFault.exe
Token: SeShutdownPrivilege	4408	powercfg.exe
Token: SeCreatePagefilePrivilege	4408	powercfg.exe
Token: SeShutdownPrivilege	5088	powercfg.exe
Token: SeCreatePagefilePrivilege	5088	powercfg.exe
Token: SeDebugPrivilege	4484	tiucgvijebnv.exe
Token: SeShutdownPrivilege	1476	powercfg.exe
Token: SeCreatePagefilePrivilege	1476	powercfg.exe
Token: SeShutdownPrivilege	928	powercfg.exe
Token: SeCreatePagefilePrivilege	928	powercfg.exe
Token: SeDebugPrivilege	540	dialer.exe
Token: SeLockMemoryPrivilege	4572	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	2160	svchost.exe
Token: SeIncreaseQuotaPrivilege	2160	svchost.exe
Token: SeSecurityPrivilege	2160	svchost.exe
Token: SeTakeOwnershipPrivilege	2160	svchost.exe
Token: SeLoadDriverPrivilege	2160	svchost.exe
Token: SeSystemtimePrivilege	2160	svchost.exe
Token: SeBackupPrivilege	2160	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
344	dwm.exe
344	dwm.exe
344	dwm.exe
344	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 3348	2284	cmd.exe	82
PID 2284 wrote to memory of 3348	2284	cmd.exe	82
PID 3996 wrote to memory of 4532	3996	miner100.exe	95
PID 3996 wrote to memory of 4532	3996	miner100.exe	95
PID 3996 wrote to memory of 4532	3996	miner100.exe	95
PID 3996 wrote to memory of 4532	3996	miner100.exe	95
PID 3996 wrote to memory of 4532	3996	miner100.exe	95
PID 3996 wrote to memory of 4532	3996	miner100.exe	95
PID 3996 wrote to memory of 4532	3996	miner100.exe	95
PID 4532 wrote to memory of 608	4532	dialer.exe	5
PID 4532 wrote to memory of 660	4532	dialer.exe	7
PID 4532 wrote to memory of 804	4532	dialer.exe	10
PID 4532 wrote to memory of 916	4532	dialer.exe	13
PID 4532 wrote to memory of 996	4532	dialer.exe	14
PID 4532 wrote to memory of 344	4532	dialer.exe	15
PID 4532 wrote to memory of 388	4532	dialer.exe	16
PID 4532 wrote to memory of 392	4532	dialer.exe	17
PID 4532 wrote to memory of 712	4532	dialer.exe	18
PID 4532 wrote to memory of 1076	4532	dialer.exe	19
PID 4532 wrote to memory of 1136	4532	dialer.exe	21
PID 4532 wrote to memory of 1164	4532	dialer.exe	22
PID 4532 wrote to memory of 1172	4532	dialer.exe	23
PID 4532 wrote to memory of 1180	4532	dialer.exe	24
PID 4532 wrote to memory of 1200	4532	dialer.exe	25
PID 4532 wrote to memory of 1380	4532	dialer.exe	26
PID 4532 wrote to memory of 1404	4532	dialer.exe	27
PID 4532 wrote to memory of 1424	4532	dialer.exe	28
PID 4532 wrote to memory of 1556	4532	dialer.exe	29
PID 4532 wrote to memory of 1600	4532	dialer.exe	30
PID 4532 wrote to memory of 1636	4532	dialer.exe	31
PID 4532 wrote to memory of 1684	4532	dialer.exe	32
PID 4532 wrote to memory of 1772	4532	dialer.exe	33
PID 4532 wrote to memory of 1796	4532	dialer.exe	34
PID 4532 wrote to memory of 1808	4532	dialer.exe	35
PID 4532 wrote to memory of 1816	4532	dialer.exe	36
PID 4532 wrote to memory of 1892	4532	dialer.exe	37
PID 4532 wrote to memory of 2004	4532	dialer.exe	38
PID 4532 wrote to memory of 2060	4532	dialer.exe	39
PID 4532 wrote to memory of 2160	4532	dialer.exe	40
PID 4532 wrote to memory of 2256	4532	dialer.exe	41
PID 4532 wrote to memory of 2532	4532	dialer.exe	42
PID 4532 wrote to memory of 2548	4532	dialer.exe	43
PID 4532 wrote to memory of 2556	4532	dialer.exe	44
PID 4532 wrote to memory of 2584	4532	dialer.exe	45
PID 4532 wrote to memory of 2608	4532	dialer.exe	46
PID 4532 wrote to memory of 2740	4532	dialer.exe	47
PID 4532 wrote to memory of 2776	4532	dialer.exe	48
PID 4532 wrote to memory of 2784	4532	dialer.exe	49
PID 4532 wrote to memory of 2812	4532	dialer.exe	50
PID 4532 wrote to memory of 2832	4532	dialer.exe	51
PID 4532 wrote to memory of 2896	4532	dialer.exe	52
PID 4532 wrote to memory of 424	4532	dialer.exe	53
PID 4532 wrote to memory of 3116	4532	dialer.exe	54
PID 4532 wrote to memory of 3296	4532	dialer.exe	55
PID 4532 wrote to memory of 3948	4532	dialer.exe	58
PID 4532 wrote to memory of 1516	4532	dialer.exe	60
PID 4532 wrote to memory of 4684	4532	dialer.exe	61
PID 4532 wrote to memory of 4856	4532	dialer.exe	63
PID 660 wrote to memory of 2776	660	lsass.exe	48
PID 4532 wrote to memory of 448	4532	dialer.exe	64
PID 4532 wrote to memory of 3364	4532	dialer.exe	65
PID 4532 wrote to memory of 4176	4532	dialer.exe	66
PID 4532 wrote to memory of 4444	4532	dialer.exe	67
PID 4532 wrote to memory of 3576	4532	dialer.exe	68

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:344

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Modifies data under HKEY_USERS
PID:996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1136
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1180

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1404
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1816

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1892

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2740

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2812

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2832

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\miner100.exe
  "C:\Users\Admin\AppData\Local\Temp\miner100.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3348
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1008
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3324
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2456
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4892
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OPAGMGUY"
    3⤵
    - Launches sc.exe
    PID:2384
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "OPAGMGUY" binpath= "C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2296
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2960
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "OPAGMGUY"
    3⤵
    - Launches sc.exe
    PID:4344
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1516 -s 864
  2⤵
  PID:4240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1516 -s 976
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5000

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4856

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4176

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4444

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:1284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1284 -s 864
  2⤵
  PID:2628
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1284 -s 388
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5076

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2044

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:216

C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe
C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2748
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:456
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1452
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3872
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4284
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4456
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4456 -s 468
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1256
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4328
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:752
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:756
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4236
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4876

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:212
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 212 -s 376
  2⤵
  PID:2232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1920
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1920 -s 212
  2⤵
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47D7.tmp.txt

Filesize
12KB

MD5
dfffee583ab0ddd6b41121c32eef9151

SHA1
285e3b57d517f6a519a3d9f13083d23ac1fcaccc

SHA256
4ea1d69fa9449878dc4a515757a6c0e39d10905b3d2d81fed3a2863b2e4b913d

SHA512
456e1e0903ac125d1f332e8cc6dd1db9b9dc80cd2cc7b89048e120f783f30bc341a83db7e368a799cd6ffcbc34b05cd8c8278d755d7e2fc2be35c54714a280a2

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D06.tmp.csv

Filesize
34KB

MD5
00615bc775ad3dad9ec9861e68a76123

SHA1
1b63fd4fbcda1e1a431fe9b3bb9a55e63a54bf96

SHA256
05da1d020460055ad7366fd733ec2461e597caa114514f9bfc6e5b7032fe004e

SHA512
28d9c47211e34d7e6f8494fec4431ef970322206fd4af6be75173c179259c579a75cdfbdae695874407091eabab2e65fd5e32941b9b043a9394f90999b843ec1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D26.tmp.txt

Filesize
12KB

MD5
da79ab7c2bc907956ba33e34c6081134

SHA1
2103f877fb2a5163d7baf971101a60565d9c0e1d

SHA256
00a24dce7164e97c4c77f80803264f14c16cde878d5347cd66b421d5fd63a159

SHA512
7a8316766f7f70d0d1ee1ed05928ead45c6e00d931bc9c880f03cc96af9962112cfb7ed25cae2780816f3ae8a6128e10be2863f61865690de735913eee7bea8f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD57F.tmp.csv

Filesize
32KB

MD5
904fa5e68a61697ff6c4a6167f462517

SHA1
0d048888a45e3c6a12144229f8848cc09cde4b19

SHA256
9e4dd56eff0f323861d5084284e7b84b29dbc7fb8672f9353e5ba78f5d55aba7

SHA512
ff7f9c59f40d1a2289abbeb22ad1e1847b3b8f7b33461e7af5fe894c0c1e3f63db6746fee7e190bcd45d50e261f8e6df3d661454700bf5c6560191626c328596

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5AE.tmp.txt

Filesize
12KB

MD5
1c27b1cb08793c9984daf51063343c35

SHA1
c493a17d2a0db2d50242b5c15bb0591f54845ac6

SHA256
775dee74b4fb1d34a206f2273e3becbec6f004656daf3352e7f3d4bf73da7ed4

SHA512
bcbbe5153c04c49a80ba864b6c437ab134767a8b93fb92e9cae7777f92ea7c6c91a63c12247d5e1b3134c47e43120d4a1d7f16fd2f79ef53ff9c3796bb526996

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD969.tmp.csv

Filesize
32KB

MD5
24569e0d8a1160433568eb987a989312

SHA1
3b1d64ab84093f317e35cb615074b2c1967bf798

SHA256
4791f92beebf896c2066d2b35f7926f6a7a551a421220b9aadbb7100c90e6a7a

SHA512
e6c8ce98cf40b38dc70d84079ca618f718d0347443d2a0afd4602c81852dc0bece1f76609204710e51d81b530d741387224e6733876a1d4f338953bdcf154c18

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD989.tmp.txt

Filesize
12KB

MD5
404cd6b03c95516a6a5938b34c8957e3

SHA1
e19d3890995c87aff212ef3d0e4c20733b6279db

SHA256
f39bc9b3df0a186a07f642647f3ced60d74676d2e17e7cf2cdf16072aeb80e3b

SHA512
55716d1264dde926b88baebe04a6384c142f84d7b2f86d9b0c3bbefde0ee355674194fbefba8b790262c90f43f60dbf8c546f6fa8d516bbc18392e8c75972171

Download Submit
C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe

Filesize
2.7MB

MD5
eae2347aaed97da4f802c0b32689f4eb

SHA1
a7a83d1ff7ec22d74d8415b95b3d57f1323699ce

SHA256
3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4

SHA512
65f3411a7e80ec6d1dfea40d644ca621f4de929d17e58a54e43030b58662fedba11f000928049b4d3d7ae6ec38003d62dd8109c330ceba588be96f598b35d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edu5f5y1.hoc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
d6d01d7e78d84c1c6cf6a52233dfe28a

SHA1
890626895aa755e0b9b613b1f9166d365abcf00a

SHA256
002de5a927710ce3864eafebbcde09ef63b0a501c2f43a17ee52311d15b62669

SHA512
be23d1831e1f08046edd87df82d589e503c35b9480859a6ce5f50dff995c949d0accbff0fca28b42854d8552c188f9f392dba9ffe4d7e4d6d2e8cbfff29780e3

Download Submit
memory/344-90-0x0000029B6F730000-0x0000029B6F75B000-memory.dmp

Filesize
172KB

Download
memory/344-94-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/344-104-0x0000029B6F730000-0x0000029B6F75B000-memory.dmp

Filesize
172KB

Download
memory/388-97-0x00000203821C0000-0x00000203821EB000-memory.dmp

Filesize
172KB

Download
memory/388-101-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/388-108-0x00000203821C0000-0x00000203821EB000-memory.dmp

Filesize
172KB

Download
memory/392-102-0x0000027467FD0000-0x0000027467FFB000-memory.dmp

Filesize
172KB

Download
memory/392-105-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/392-113-0x0000027467FD0000-0x0000027467FFB000-memory.dmp

Filesize
172KB

Download
memory/424-291-0x000001BF1A170000-0x000001BF1A19B000-memory.dmp

Filesize
172KB

Download
memory/448-321-0x0000016FE5600000-0x0000016FE562B000-memory.dmp

Filesize
172KB

Download
memory/608-328-0x00000172BD2E0000-0x00000172BD30B000-memory.dmp

Filesize
172KB

Download
memory/608-68-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/608-65-0x00000172BD2B0000-0x00000172BD2D4000-memory.dmp

Filesize
144KB

Download
memory/608-67-0x00000172BD2E0000-0x00000172BD30B000-memory.dmp

Filesize
172KB

Download
memory/608-69-0x00007FFA4DBF5000-0x00007FFA4DBF6000-memory.dmp

Filesize
4KB

Download
memory/660-73-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/660-70-0x0000024803D50000-0x0000024803D7B000-memory.dmp

Filesize
172KB

Download
memory/712-122-0x00000225AC4C0000-0x00000225AC4EB000-memory.dmp

Filesize
172KB

Download
memory/712-115-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/712-111-0x00000225AC4C0000-0x00000225AC4EB000-memory.dmp

Filesize
172KB

Download
memory/804-77-0x000001BED3450000-0x000001BED347B000-memory.dmp

Filesize
172KB

Download
memory/804-79-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/916-85-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/916-82-0x0000025F1FAB0000-0x0000025F1FADB000-memory.dmp

Filesize
172KB

Download
memory/996-86-0x0000019727E60000-0x0000019727E8B000-memory.dmp

Filesize
172KB

Download
memory/996-87-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1076-116-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1076-112-0x000001970B040000-0x000001970B06B000-memory.dmp

Filesize
172KB

Download
memory/1076-126-0x000001970B040000-0x000001970B06B000-memory.dmp

Filesize
172KB

Download
memory/1136-125-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1136-153-0x0000015ABFF90000-0x0000015ABFFBB000-memory.dmp

Filesize
172KB

Download
memory/1136-120-0x0000015ABFF90000-0x0000015ABFFBB000-memory.dmp

Filesize
172KB

Download
memory/1164-129-0x000001CBC8FA0000-0x000001CBC8FCB000-memory.dmp

Filesize
172KB

Download
memory/1164-128-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1164-123-0x000001CBC8FA0000-0x000001CBC8FCB000-memory.dmp

Filesize
172KB

Download
memory/1172-127-0x00000126CC540000-0x00000126CC56B000-memory.dmp

Filesize
172KB

Download
memory/1172-135-0x00000126CC540000-0x00000126CC56B000-memory.dmp

Filesize
172KB

Download
memory/1172-133-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1180-140-0x000001F2AE770000-0x000001F2AE79B000-memory.dmp

Filesize
172KB

Download
memory/1200-144-0x0000024EE69E0000-0x0000024EE6A0B000-memory.dmp

Filesize
172KB

Download
memory/1380-159-0x0000023FDC800000-0x0000023FDC82B000-memory.dmp

Filesize
172KB

Download
memory/1404-165-0x0000027D2F170000-0x0000027D2F19B000-memory.dmp

Filesize
172KB

Download
memory/1424-171-0x0000024DF04D0000-0x0000024DF04FB000-memory.dmp

Filesize
172KB

Download
memory/1556-176-0x00000251197D0000-0x00000251197FB000-memory.dmp

Filesize
172KB

Download
memory/1600-180-0x000002070ACD0000-0x000002070ACFB000-memory.dmp

Filesize
172KB

Download
memory/1636-185-0x00000177D07F0000-0x00000177D081B000-memory.dmp

Filesize
172KB

Download
memory/1684-189-0x00000239700B0000-0x00000239700DB000-memory.dmp

Filesize
172KB

Download
memory/1772-216-0x000001326EA60000-0x000001326EA8B000-memory.dmp

Filesize
172KB

Download
memory/1796-194-0x0000019C87200000-0x0000019C8722B000-memory.dmp

Filesize
172KB

Download
memory/1808-199-0x000001A929FB0000-0x000001A929FDB000-memory.dmp

Filesize
172KB

Download
memory/1816-221-0x000001875C2B0000-0x000001875C2DB000-memory.dmp

Filesize
172KB

Download
memory/1892-204-0x0000027699C00000-0x0000027699C2B000-memory.dmp

Filesize
172KB

Download
memory/2004-210-0x0000000001420000-0x000000000144B000-memory.dmp

Filesize
172KB

Download
memory/2060-213-0x00000141109D0000-0x00000141109FB000-memory.dmp

Filesize
172KB

Download
memory/2160-242-0x000001D317550000-0x000001D31757B000-memory.dmp

Filesize
172KB

Download
memory/2256-225-0x000001E904C40000-0x000001E904C6B000-memory.dmp

Filesize
172KB

Download
memory/2428-9-0x000001A59C9A0000-0x000001A59CA16000-memory.dmp

Filesize
472KB

Download
memory/2428-45-0x000001A5841D0000-0x000001A5841E0000-memory.dmp

Filesize
64KB

Download
memory/2428-22-0x000001A5841D0000-0x000001A5841E0000-memory.dmp

Filesize
64KB

Download
memory/2428-4-0x000001A59C7F0000-0x000001A59C812000-memory.dmp

Filesize
136KB

Download
memory/2428-6-0x000001A5841D0000-0x000001A5841E0000-memory.dmp

Filesize
64KB

Download
memory/2428-5-0x00007FFA30E30000-0x00007FFA3181C000-memory.dmp

Filesize
9.9MB

Download
memory/2428-49-0x00007FFA30E30000-0x00007FFA3181C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-246-0x000002716E660000-0x000002716E68B000-memory.dmp

Filesize
172KB

Download
memory/2548-231-0x000001B0F7440000-0x000001B0F746B000-memory.dmp

Filesize
172KB

Download
memory/2556-286-0x000001BAC42A0000-0x000001BAC42CB000-memory.dmp

Filesize
172KB

Download
memory/2584-251-0x000001FA8C5E0000-0x000001FA8C60B000-memory.dmp

Filesize
172KB

Download
memory/2608-255-0x0000021A4EC90000-0x0000021A4ECBB000-memory.dmp

Filesize
172KB

Download
memory/2740-265-0x0000025F5F9C0000-0x0000025F5F9EB000-memory.dmp

Filesize
172KB

Download
memory/2776-260-0x0000020E69FD0000-0x0000020E69FFB000-memory.dmp

Filesize
172KB

Download
memory/2784-269-0x00000166A0A80000-0x00000166A0AAB000-memory.dmp

Filesize
172KB

Download
memory/2812-273-0x000001AD4E190000-0x000001AD4E1BB000-memory.dmp

Filesize
172KB

Download
memory/2832-277-0x00000190432C0000-0x00000190432EB000-memory.dmp

Filesize
172KB

Download
memory/2896-281-0x000001EEF3B60000-0x000001EEF3B8B000-memory.dmp

Filesize
172KB

Download
memory/3116-295-0x0000017AA76D0000-0x0000017AA76FB000-memory.dmp

Filesize
172KB

Download
memory/3296-300-0x0000000000AD0000-0x0000000000AFB000-memory.dmp

Filesize
172KB

Download
memory/3296-303-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/3364-324-0x0000024DF4C10000-0x0000024DF4C3B000-memory.dmp

Filesize
172KB

Download
memory/3948-307-0x0000013406BC0000-0x0000013406BEB000-memory.dmp

Filesize
172KB

Download
memory/4420-117-0x000001E845E40000-0x000001E845E50000-memory.dmp

Filesize
64KB

Download
memory/4420-99-0x00007FFA30E30000-0x00007FFA3181C000-memory.dmp

Filesize
9.9MB

Download
memory/4420-149-0x000001E845E40000-0x000001E845E50000-memory.dmp

Filesize
64KB

Download
memory/4444-333-0x0000017535810000-0x000001753583B000-memory.dmp

Filesize
172KB

Download
memory/4532-235-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-52-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4532-55-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4532-51-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4532-50-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4532-53-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4532-57-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-58-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/4532-60-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4684-311-0x00000222684D0000-0x00000222684FB000-memory.dmp

Filesize
172KB

Download
memory/4856-316-0x0000025581800000-0x000002558182B000-memory.dmp

Filesize
172KB

Download