goldenspy | e2f55047a690ed67d5e3a5f90679576e3cca6ceac36bce39dc60b4748a176a09

Analysis

max time kernel
147s
max time network
99s
platform
windows10_x64
resource
win10v200430
submitted
02-07-2020 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoldenSpy.exe
Size

371KB
MD5

cd896ff09e0930ce4d0da2c83bb2a3d0
SHA1

2fab274b4691920b507057d2b70af65a458fa3d7
SHA256

e2f55047a690ed67d5e3a5f90679576e3cca6ceac36bce39dc60b4748a176a09
SHA512

feec2c8644bfcdf8555bb3209ac15812722f8066fb95733fd5eb39a7f28167da6e26086eb5b1794b0ef7a6b46474bf2cc9bfcbdc87d3d9dea87822fc7e8e3a6a

Score

10^/10

goldenspy backdoor discovery trojan

Malware Config

Signatures

GoldenSpy
Backdoor spotted in June 2020 being distributed with the Chinese "Intelligent Tax" software.
trojan backdoor goldenspy

GoldenSpy Payload 58 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload

Suspicious use of NtCreateProcessExOtherParentProcess 25 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1524 created 692	1524	WerFault.exe	svm.exe
PID 2172 created 1944	2172	WerFault.exe	svm.exe
PID 2812 created 2532	2812	WerFault.exe	svm.exe
PID 976 created 3888	976	WerFault.exe	svm.exe
PID 3412 created 3824	3412	WerFault.exe	svm.exe
PID 420 created 2276	420	WerFault.exe	svm.exe
PID 1008 created 1012	1008	WerFault.exe	svm.exe
PID 1200 created 1596	1200	WerFault.exe	svm.exe
PID 3012 created 1048	3012	WerFault.exe	svm.exe
PID 1736 created 2236	1736	WerFault.exe	svm.exe
PID 1732 created 500	1732	WerFault.exe	svm.exe
PID 1596 created 1892	1596	WerFault.exe	svm.exe
PID 2536 created 2540	2536	WerFault.exe	svm.exe
PID 1620 created 3476	1620	WerFault.exe	svm.exe
PID 3024 created 3456	3024	WerFault.exe	svm.exe
PID 3928 created 644	3928	WerFault.exe	svm.exe
PID 3912 created 3428	3912	WerFault.exe	svm.exe
PID 872 created 3744	872	WerFault.exe	svm.exe
PID 1880 created 4024	1880	WerFault.exe	svm.exe
PID 2120 created 1560	2120	WerFault.exe	svm.exe
PID 1512 created 3392	1512	WerFault.exe	svm.exe
PID 3908 created 2180	3908	WerFault.exe	svm.exe
PID 3108 created 3456	3108	WerFault.exe	svm.exe
PID 1204 created 2280	1204	WerFault.exe	svm.exe
PID 828 created 972	828	WerFault.exe	svm.exe

Executes dropped EXE 57 IoCs

Processes:

svm.exesvmm.exesvm.exesvmm.exesvm.exesvmm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exeAWX.exe

pid	process
3156	svm.exe
588	svmm.exe
868	svm.exe
912	svmm.exe
692	svm.exe
1088	svmm.exe
1868	svm.exe
1944	svm.exe
2428	svm.exe
2532	svm.exe
3736	svm.exe
3888	svm.exe
3976	svm.exe
3824	svm.exe
2140	svm.exe
2276	svm.exe
736	svm.exe
1012	svm.exe
1152	svm.exe
1596	svm.exe
2108	svm.exe
1048	svm.exe
3936	svm.exe
2236	svm.exe
852	svm.exe
500	svm.exe
1924	svm.exe
1892	svm.exe
1960	svm.exe
2540	svm.exe
2496	svm.exe
3476	svm.exe
3908	svm.exe
3456	svm.exe
3620	svm.exe
644	svm.exe
1360	svm.exe
3428	svm.exe
828	svm.exe
3744	svm.exe
2288	svm.exe
4024	svm.exe
1340	svm.exe
1560	svm.exe
3584	svm.exe
3392	svm.exe
2564	svm.exe
2180	svm.exe
776	svm.exe
3456	svm.exe
1364	svm.exe
2280	svm.exe
3828	svm.exe
972	svm.exe
2680	svm.exe
2104	svm.exe
1560	AWX.exe

Loads dropped DLL 4 IoCs

Processes:

GoldenSpy.exe

pid process

4024 GoldenSpy.exe
4024 GoldenSpy.exe
4024 GoldenSpy.exe
4024 GoldenSpy.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 57 IoCs

Processes:

svm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AWX[1].exe	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\req[1]	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svm.exe

Drops file in Program Files directory 2 IoCs

Processes:

GoldenSpy.exesvm.exe

description	ioc	process
File created	C:\Program Files (x86)\svm\svm.exe	GoldenSpy.exe
File opened for modification	C:\Program Files (x86)\svm\log\20200702-svm.log	svm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 25 IoCs

Processes:

pid	pid_target	process	target process
1524	692	WerFault.exe	svm.exe
2172	1944	WerFault.exe	svm.exe
2812	2532	WerFault.exe	svm.exe
976	3888	WerFault.exe	svm.exe
3412	3824	WerFault.exe	svm.exe
420	2276	WerFault.exe	svm.exe
1008	1012	WerFault.exe	svm.exe
1200	1596	WerFault.exe	svm.exe
3012	1048	WerFault.exe	svm.exe
1736	2236	WerFault.exe	svm.exe
1732	500	WerFault.exe	svm.exe
1596	1892	WerFault.exe	svm.exe
2536	2540	WerFault.exe	svm.exe
1620	3476	WerFault.exe	svm.exe
3024	3456	WerFault.exe	svm.exe
3928	644	WerFault.exe	svm.exe
3912	3428	WerFault.exe	svm.exe
872	3744	WerFault.exe	svm.exe
1880	4024	WerFault.exe	svm.exe
2120	1560	WerFault.exe	svm.exe
1512	3392	WerFault.exe	svm.exe
3908	2180	WerFault.exe	svm.exe
3108	3456	WerFault.exe	svm.exe
1204	2280	WerFault.exe	svm.exe
828	972	WerFault.exe	svm.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2980 taskkill.exe
2496 taskkill.exe
3936 taskkill.exe
3676 taskkill.exe

pid	process
2980	taskkill.exe
2496	taskkill.exe
3936	taskkill.exe
3676	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exesvm.exeAWX.exesvm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AWX.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GoldenSpy.exesvmm.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4024	GoldenSpy.exe
4024	GoldenSpy.exe
4024	GoldenSpy.exe
4024	GoldenSpy.exe
1088	svmm.exe
1088	svmm.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1088	svmm.exe
1088	svmm.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe
1088	svmm.exe
1088	svmm.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
1088	svmm.exe
1088	svmm.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

description	pid	process
Token: SeRestorePrivilege	1524	WerFault.exe
Token: SeBackupPrivilege	1524	WerFault.exe
Token: SeDebugPrivilege	1524	WerFault.exe
Token: SeDebugPrivilege	2172	WerFault.exe
Token: SeDebugPrivilege	2812	WerFault.exe
Token: SeDebugPrivilege	976	WerFault.exe
Token: SeDebugPrivilege	3412	WerFault.exe
Token: SeDebugPrivilege	420	WerFault.exe
Token: SeDebugPrivilege	1008	WerFault.exe
Token: SeDebugPrivilege	1200	WerFault.exe
Token: SeDebugPrivilege	3012	WerFault.exe
Token: SeDebugPrivilege	1736	WerFault.exe
Token: SeDebugPrivilege	1732	WerFault.exe
Token: SeDebugPrivilege	1596	WerFault.exe
Token: SeDebugPrivilege	2536	WerFault.exe
Token: SeDebugPrivilege	1620	WerFault.exe
Token: SeDebugPrivilege	3024	WerFault.exe
Token: SeDebugPrivilege	3928	WerFault.exe
Token: SeDebugPrivilege	3912	WerFault.exe
Token: SeDebugPrivilege	872	WerFault.exe
Token: SeDebugPrivilege	1880	WerFault.exe
Token: SeDebugPrivilege	2120	WerFault.exe
Token: SeDebugPrivilege	1512	WerFault.exe
Token: SeDebugPrivilege	3908	WerFault.exe
Token: SeDebugPrivilege	3108	WerFault.exe
Token: SeDebugPrivilege	1204	WerFault.exe
Token: SeDebugPrivilege	828	WerFault.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3676	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GoldenSpy.exesvmm.exe

description	pid	process	target process
PID 4024 wrote to memory of 3156	4024	GoldenSpy.exe	svm.exe
PID 4024 wrote to memory of 3156	4024	GoldenSpy.exe	svm.exe
PID 4024 wrote to memory of 3156	4024	GoldenSpy.exe	svm.exe
PID 4024 wrote to memory of 588	4024	GoldenSpy.exe	svmm.exe
PID 4024 wrote to memory of 588	4024	GoldenSpy.exe	svmm.exe
PID 4024 wrote to memory of 588	4024	GoldenSpy.exe	svmm.exe
PID 4024 wrote to memory of 868	4024	GoldenSpy.exe	svm.exe
PID 4024 wrote to memory of 868	4024	GoldenSpy.exe	svm.exe
PID 4024 wrote to memory of 868	4024	GoldenSpy.exe	svm.exe
PID 4024 wrote to memory of 912	4024	GoldenSpy.exe	svmm.exe
PID 4024 wrote to memory of 912	4024	GoldenSpy.exe	svmm.exe
PID 4024 wrote to memory of 912	4024	GoldenSpy.exe	svmm.exe
PID 1088 wrote to memory of 1868	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1868	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1868	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2428	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2428	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2428	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3736	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3736	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3736	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3976	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3976	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3976	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2140	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2140	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2140	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 736	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 736	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 736	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1152	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1152	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1152	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2108	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2108	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2108	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3936	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3936	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3936	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 852	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 852	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 852	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1924	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1924	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1924	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1960	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1960	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1960	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2496	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2496	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2496	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3908	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3908	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3908	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3620	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3620	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 3620	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1360	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1360	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 1360	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 828	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 828	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 828	1088	svmm.exe	svm.exe
PID 1088 wrote to memory of 2288	1088	svmm.exe	svm.exe

C:\Users\Admin\AppData\Local\Temp\GoldenSpy.exe
"C:\Users\Admin\AppData\Local\Temp\GoldenSpy.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -i
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Program Files (x86)\svm\svmm.exe
  "C:\Program Files (x86)\svm\svmm.exe" -i
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Program Files (x86)\svm\svmm.exe
  "C:\Program Files (x86)\svm\svmm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:912

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 700
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:2680

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 964
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3412

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:420

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1008

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1200

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 920
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1736

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 904
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1596

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 684
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2536

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3024

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3928

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3912

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:872

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1880

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2120

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 684
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1512

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3908

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3108

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1204

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:828

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2104
- C:\Windows\TEMP\AWX.exe
  C:\Windows\TEMP\AWX.exe
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM svmm.exe /IM svm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM svmm.exe /IM svm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM svmm.exe /IM svm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM svmm.exe /IM svm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" C:\Program Files (x86)
    3⤵
    PID:644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /q C:\Windows\TEMP\AWX.exe
    3⤵
    PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\svm\log\20200702-svm.log

MD5
734a8d39bcf635a647b543bf05c234cd

SHA1
ae5126387623224256d4c0053e78bccd1d079d2a

SHA256
509adcc9b33c3df2c4cc602bee898849918ff793de9d297f5a8434a1b4abf623

SHA512
e5b4071df34b226d85351ca8a3b9c1711507831e8c6e5467b0eebc3c4d014ef49334def9168c9b6e5c0a07383c5e31f6c06300794f35a1f0288b4076ffc5c4c6

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svmm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svmm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svmm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Program Files (x86)\svm\svmm.exe

MD5
42117d18cd9f8597533fee5ad530564f

SHA1
21045213f9ed383467ca9596107fe6df96fcc845

SHA256
285714ff750fe1b3343593b2efb7fc3e8229e755c128759faedc5654deae879a

SHA512
faa3575de6d0fcad608500cf7fdc2eead49990095cf4a4730c9332faeb56fac58d76bd229437ca83c476d658717839edff4a52c3bf3c083e32e2b67bbbc941e1

Download Submit
C:\Windows\TEMP\AWX.exe

MD5
429a1c5756efaab8af3bcee37cccc31f

SHA1
4a398f91cce12c8152ae0d3d4bed751c804223e2

SHA256
5684427b6cd6752bea95cdde7772b28ba0051be97045eef8224a63b5f3da3398

SHA512
a3bbf9c662f256ecc1fdf351365b93a519c9b09d0ac598871ae371f29cb67fb3b497aa001bfad1b013f34a00e79ee672d71d4a2fe371ca63a1a89e84bd1ecc3f

Download Submit
C:\Windows\Temp\AWX.exe

MD5
429a1c5756efaab8af3bcee37cccc31f

SHA1
4a398f91cce12c8152ae0d3d4bed751c804223e2

SHA256
5684427b6cd6752bea95cdde7772b28ba0051be97045eef8224a63b5f3da3398

SHA512
a3bbf9c662f256ecc1fdf351365b93a519c9b09d0ac598871ae371f29cb67fb3b497aa001bfad1b013f34a00e79ee672d71d4a2fe371ca63a1a89e84bd1ecc3f

Download Submit
\Users\Admin\AppData\Local\Temp\nsh8F2C.tmp\processwork.dll

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
\Users\Admin\AppData\Local\Temp\nsh8F2C.tmp\processwork.dll

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
\Users\Admin\AppData\Local\Temp\nsh8F2C.tmp\processwork.dll

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
\Users\Admin\AppData\Local\Temp\nsh8F2C.tmp\processwork.dll

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
memory/420-42-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/588-7-0x0000000000000000-mapping.dmp

Download
memory/644-261-0x0000000000000000-mapping.dmp

Download
memory/736-43-0x0000000000000000-mapping.dmp

Download
memory/776-185-0x0000000000000000-mapping.dmp

Download
memory/828-152-0x0000000000000000-mapping.dmp

Download
memory/828-200-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download
memory/828-198-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/852-113-0x0000000000000000-mapping.dmp

Download
memory/868-10-0x0000000000000000-mapping.dmp

Download
memory/872-156-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/912-11-0x0000000000000000-mapping.dmp

Download
memory/976-32-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/976-31-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/1008-47-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/1008-46-0x0000000003A20000-0x0000000003A21000-memory.dmp

Filesize
4KB

Download
memory/1152-48-0x0000000000000000-mapping.dmp

Download
memory/1200-51-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download
memory/1200-52-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/1204-194-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/1340-162-0x0000000000000000-mapping.dmp

Download
memory/1360-147-0x0000000000000000-mapping.dmp

Download
memory/1364-190-0x0000000000000000-mapping.dmp

Download
memory/1512-177-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1524-16-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/1524-17-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/1560-253-0x0000000000000000-mapping.dmp

Download
memory/1596-123-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/1596-122-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1620-133-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/1620-132-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/1620-136-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/1732-117-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/1736-63-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/1736-61-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/1868-18-0x0000000000000000-mapping.dmp

Download
memory/1880-161-0x0000000003D10000-0x0000000003D11000-memory.dmp

Filesize
4KB

Download
memory/1880-160-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1924-118-0x0000000000000000-mapping.dmp

Download
memory/1960-124-0x0000000000000000-mapping.dmp

Download
memory/2108-53-0x0000000000000000-mapping.dmp

Download
memory/2120-165-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/2120-169-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/2140-38-0x0000000000000000-mapping.dmp

Download
memory/2172-21-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/2172-22-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/2288-157-0x0000000000000000-mapping.dmp

Download
memory/2428-23-0x0000000000000000-mapping.dmp

Download
memory/2496-129-0x0000000000000000-mapping.dmp

Download
memory/2496-257-0x0000000000000000-mapping.dmp

Download
memory/2536-127-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/2564-178-0x0000000000000000-mapping.dmp

Download
memory/2680-250-0x0000000000000000-mapping.dmp

Download
memory/2812-26-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/2812-27-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/2980-256-0x0000000000000000-mapping.dmp

Download
memory/3024-141-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3024-140-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/3156-4-0x0000000000000000-mapping.dmp

Download
memory/3412-37-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/3584-173-0x0000000000000000-mapping.dmp

Download
memory/3620-142-0x0000000000000000-mapping.dmp

Download
memory/3676-259-0x0000000000000000-mapping.dmp

Download
memory/3736-28-0x0000000000000000-mapping.dmp

Download
memory/3828-195-0x0000000000000000-mapping.dmp

Download
memory/3844-262-0x0000000000000000-mapping.dmp

Download
memory/3908-137-0x0000000000000000-mapping.dmp

Download
memory/3908-182-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/3912-151-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/3936-258-0x0000000000000000-mapping.dmp

Download
memory/3936-58-0x0000000000000000-mapping.dmp

Download
memory/3976-33-0x0000000000000000-mapping.dmp

Download