nymaim | 9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2022 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
Size

1.2MB
MD5

eca63d589dbf660d98a78af7fde075d9
SHA1

fd7fd24163c473f2a99964384229f39b5e5a0aa7
SHA256

9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35
SHA512

a6e4d122035ff34d135eaa0e1eae01279d5a6f7e57fc9bd7ff6c9114b5704623cc17dce16e6372e3c0718f3189af58e8a1e9d8495c2375a0b2f9f38b299c1ac1
SSDEEP

24576:XqdDP7NdjcejY6cFmB5Ekcl9fZ/IYqdCAhKlZPB0:Xq57Niejz+GEkcJQYqdR0ll

Score

10^/10

nymaim privateloader redline smokeloader 1 nigh backdoor discovery evasion infostealer loader main persistence spyware stealer trojan upx

Malware Config

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

208.67.104.60

Attributes

payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

nymaim

45.15.156.54

85.31.46.167

Extracted

Family

redline

Botnet

80.76.51.172:19241

Attributes

auth_value
4b711fa6f9a5187b40500266349c0baf

Extracted

Family

redline

Botnet

Nigh

80.66.87.20:80

Attributes

auth_value
dab8506635d1dc134af4ebaedf4404eb

Signatures

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2676-184-0x0000000000470000-0x0000000000479000-memory.dmp	family_smokeloader
behavioral2/memory/4812-306-0x0000000000470000-0x0000000000479000-memory.dmp	family_smokeloader
behavioral2/memory/1032-309-0x0000000000470000-0x0000000000479000-memory.dmp	family_smokeloader

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1396-277-0x0000000000E80000-0x0000000000EA8000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Minor Policy\dI9_I6Gfr5yXRbcIRrqgit_Z.exe	family_redline
C:\Users\Admin\Pictures\Minor Policy\dI9_I6Gfr5yXRbcIRrqgit_Z.exe	family_redline
behavioral2/memory/3196-320-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

JLvDB3D38RiO0RoDYyZXn_Mu.exexzUjbor38MGMIJuvu58ublWE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JLvDB3D38RiO0RoDYyZXn_Mu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	xzUjbor38MGMIJuvu58ublWE.exe

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

c1AuCiSzTTdtrbvsFqSEWgHM.exe5H5kFxiBGjw0yGDY6tDSdoRb.exeDgyUKfSy9C3IWVJNGIa0cc17.exe9l5dUDkKyveORxwEYWoP2x6m.exeJLvDB3D38RiO0RoDYyZXn_Mu.exeis-7OU44.tmpehsearcher52.exeHUMANE~2.EXErSV2PaIW0w.exexzUjbor38MGMIJuvu58ublWE.exe

pid	process
4224	c1AuCiSzTTdtrbvsFqSEWgHM.exe
2676	5H5kFxiBGjw0yGDY6tDSdoRb.exe
1156	DgyUKfSy9C3IWVJNGIa0cc17.exe
3544	9l5dUDkKyveORxwEYWoP2x6m.exe
1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe
4532	is-7OU44.tmp
2748	ehsearcher52.exe
2548	HUMANE~2.EXE
2172	rSV2PaIW0w.exe
2664	xzUjbor38MGMIJuvu58ublWE.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Minor Policy\KiBg3iH0AW4gglsgkr7mEr6P.exe	upx
C:\Users\Admin\Pictures\Minor Policy\KiBg3iH0AW4gglsgkr7mEr6P.exe	upx
behavioral2/memory/1088-296-0x00000000009B0000-0x0000000001C4F000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xzUjbor38MGMIJuvu58ublWE.exeJLvDB3D38RiO0RoDYyZXn_Mu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xzUjbor38MGMIJuvu58ublWE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xzUjbor38MGMIJuvu58ublWE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JLvDB3D38RiO0RoDYyZXn_Mu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JLvDB3D38RiO0RoDYyZXn_Mu.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe9l5dUDkKyveORxwEYWoP2x6m.exeJLvDB3D38RiO0RoDYyZXn_Mu.exeHUMANE~2.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	9l5dUDkKyveORxwEYWoP2x6m.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	JLvDB3D38RiO0RoDYyZXn_Mu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	HUMANE~2.EXE

Loads dropped DLL 2 IoCs

Processes:

is-7OU44.tmpregsvr32.exe

pid process

4532 is-7OU44.tmp
3000 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4532	is-7OU44.tmp
3000	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DgyUKfSy9C3IWVJNGIa0cc17.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	DgyUKfSy9C3IWVJNGIa0cc17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DgyUKfSy9C3IWVJNGIa0cc17.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

JLvDB3D38RiO0RoDYyZXn_Mu.exexzUjbor38MGMIJuvu58ublWE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JLvDB3D38RiO0RoDYyZXn_Mu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xzUjbor38MGMIJuvu58ublWE.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ipinfo.io
17 ipinfo.io
131 ipinfo.io
132 ipinfo.io
140 ipinfo.io

flow	ioc
16	ipinfo.io
17	ipinfo.io
131	ipinfo.io
132	ipinfo.io
140	ipinfo.io

Drops file in System32 directory 8 IoCs

Processes:

9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exexzUjbor38MGMIJuvu58ublWE.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
File opened for modification	C:\Windows\System32\GroupPolicy	xzUjbor38MGMIJuvu58ublWE.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	xzUjbor38MGMIJuvu58ublWE.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	xzUjbor38MGMIJuvu58ublWE.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	xzUjbor38MGMIJuvu58ublWE.exe
File opened for modification	C:\Windows\System32\GroupPolicy	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

JLvDB3D38RiO0RoDYyZXn_Mu.exexzUjbor38MGMIJuvu58ublWE.exe

pid process

1276 JLvDB3D38RiO0RoDYyZXn_Mu.exe
2664 xzUjbor38MGMIJuvu58ublWE.exe

pid	process
1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe
2664	xzUjbor38MGMIJuvu58ublWE.exe

Drops file in Program Files directory 14 IoCs

Processes:

is-7OU44.tmpJLvDB3D38RiO0RoDYyZXn_Mu.exe

description	ioc	process
File created	C:\Program Files (x86)\ehSearcher\is-03D3O.tmp	is-7OU44.tmp
File created	C:\Program Files (x86)\ehSearcher\is-7C018.tmp	is-7OU44.tmp
File opened for modification	C:\Program Files (x86)\ehSearcher\unins000.dat	is-7OU44.tmp
File created	C:\Program Files (x86)\ehSearcher\is-JFG5B.tmp	is-7OU44.tmp
File created	C:\Program Files (x86)\ehSearcher\is-3450D.tmp	is-7OU44.tmp
File created	C:\Program Files (x86)\ehSearcher\is-F3Q6T.tmp	is-7OU44.tmp
File created	C:\Program Files (x86)\ehSearcher\is-T1CMV.tmp	is-7OU44.tmp
File opened for modification	C:\Program Files (x86)\ehSearcher\ehsearcher52.exe	is-7OU44.tmp
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	JLvDB3D38RiO0RoDYyZXn_Mu.exe
File created	C:\Program Files (x86)\ehSearcher\is-F97D2.tmp	is-7OU44.tmp
File created	C:\Program Files (x86)\ehSearcher\is-9S4VA.tmp	is-7OU44.tmp
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	JLvDB3D38RiO0RoDYyZXn_Mu.exe
File created	C:\Program Files (x86)\ehSearcher\unins000.dat	is-7OU44.tmp
File created	C:\Program Files (x86)\ehSearcher\is-3GSQP.tmp	is-7OU44.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1744	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2660	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
5116	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1564	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4324	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4112	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
208	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2132	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4340	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3868	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1904	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1036	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3196	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2244	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4596	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1864	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3336	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3120	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3896	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1768	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2140	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3984	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2660	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4348	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
5116	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4884	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1692	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2632	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4156	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3300	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1840	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2956	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2152	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3908	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3548	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4968	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2764	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3196	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4528	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4084	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2168	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2184	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4636	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1892	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2212	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1744	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4620	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3524	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4016	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4124	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1304	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
668	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3692	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4728	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4192	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4932	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4592	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4036	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3896	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4864	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
2828	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4744	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
4720	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3300	3436	WerFault.exe	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5H5kFxiBGjw0yGDY6tDSdoRb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5H5kFxiBGjw0yGDY6tDSdoRb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5H5kFxiBGjw0yGDY6tDSdoRb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5H5kFxiBGjw0yGDY6tDSdoRb.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2084 schtasks.exe
4348 schtasks.exe

pid	process
2084	schtasks.exe
4348	schtasks.exe

Modifies registry class 1 IoCs

Processes:

9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exeJLvDB3D38RiO0RoDYyZXn_Mu.exe5H5kFxiBGjw0yGDY6tDSdoRb.exeehsearcher52.exexzUjbor38MGMIJuvu58ublWE.exe

pid	process
3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe
1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe
1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe
1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe
1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe
1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe
2676	5H5kFxiBGjw0yGDY6tDSdoRb.exe
2676	5H5kFxiBGjw0yGDY6tDSdoRb.exe
2748	ehsearcher52.exe
2748	ehsearcher52.exe
2748	ehsearcher52.exe
2748	ehsearcher52.exe
2748	ehsearcher52.exe
2748	ehsearcher52.exe
700
700
700
700
700
700
700
700
700
700
2664	xzUjbor38MGMIJuvu58ublWE.exe
2664	xzUjbor38MGMIJuvu58ublWE.exe
2664	xzUjbor38MGMIJuvu58ublWE.exe
2664	xzUjbor38MGMIJuvu58ublWE.exe
700
700
700
700
700
700
2664	xzUjbor38MGMIJuvu58ublWE.exe
2664	xzUjbor38MGMIJuvu58ublWE.exe
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

5H5kFxiBGjw0yGDY6tDSdoRb.exe

pid process

2676 5H5kFxiBGjw0yGDY6tDSdoRb.exe

pid	process
2676	5H5kFxiBGjw0yGDY6tDSdoRb.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

HUMANE~2.EXEpowershell.exe

description	pid	process
Token: SeDebugPrivilege	2548	HUMANE~2.EXE
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700
Token: SeDebugPrivilege	780	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exec1AuCiSzTTdtrbvsFqSEWgHM.exeis-7OU44.tmp9l5dUDkKyveORxwEYWoP2x6m.exeDgyUKfSy9C3IWVJNGIa0cc17.exeehsearcher52.exeJLvDB3D38RiO0RoDYyZXn_Mu.exeHUMANE~2.EXE

description	pid	process	target process
PID 3436 wrote to memory of 4224	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	c1AuCiSzTTdtrbvsFqSEWgHM.exe
PID 3436 wrote to memory of 4224	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	c1AuCiSzTTdtrbvsFqSEWgHM.exe
PID 3436 wrote to memory of 4224	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	c1AuCiSzTTdtrbvsFqSEWgHM.exe
PID 3436 wrote to memory of 1276	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	JLvDB3D38RiO0RoDYyZXn_Mu.exe
PID 3436 wrote to memory of 1276	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	JLvDB3D38RiO0RoDYyZXn_Mu.exe
PID 3436 wrote to memory of 1276	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	JLvDB3D38RiO0RoDYyZXn_Mu.exe
PID 3436 wrote to memory of 2676	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	5H5kFxiBGjw0yGDY6tDSdoRb.exe
PID 3436 wrote to memory of 2676	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	5H5kFxiBGjw0yGDY6tDSdoRb.exe
PID 3436 wrote to memory of 2676	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	5H5kFxiBGjw0yGDY6tDSdoRb.exe
PID 3436 wrote to memory of 1156	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	DgyUKfSy9C3IWVJNGIa0cc17.exe
PID 3436 wrote to memory of 1156	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	DgyUKfSy9C3IWVJNGIa0cc17.exe
PID 3436 wrote to memory of 3544	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	9l5dUDkKyveORxwEYWoP2x6m.exe
PID 3436 wrote to memory of 3544	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	9l5dUDkKyveORxwEYWoP2x6m.exe
PID 3436 wrote to memory of 3544	3436	9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe	9l5dUDkKyveORxwEYWoP2x6m.exe
PID 4224 wrote to memory of 4532	4224	c1AuCiSzTTdtrbvsFqSEWgHM.exe	is-7OU44.tmp
PID 4224 wrote to memory of 4532	4224	c1AuCiSzTTdtrbvsFqSEWgHM.exe	is-7OU44.tmp
PID 4224 wrote to memory of 4532	4224	c1AuCiSzTTdtrbvsFqSEWgHM.exe	is-7OU44.tmp
PID 4532 wrote to memory of 2748	4532	is-7OU44.tmp	ehsearcher52.exe
PID 4532 wrote to memory of 2748	4532	is-7OU44.tmp	ehsearcher52.exe
PID 4532 wrote to memory of 2748	4532	is-7OU44.tmp	ehsearcher52.exe
PID 3544 wrote to memory of 3000	3544	9l5dUDkKyveORxwEYWoP2x6m.exe	regsvr32.exe
PID 3544 wrote to memory of 3000	3544	9l5dUDkKyveORxwEYWoP2x6m.exe	regsvr32.exe
PID 3544 wrote to memory of 3000	3544	9l5dUDkKyveORxwEYWoP2x6m.exe	regsvr32.exe
PID 1156 wrote to memory of 2548	1156	DgyUKfSy9C3IWVJNGIa0cc17.exe	HUMANE~2.EXE
PID 1156 wrote to memory of 2548	1156	DgyUKfSy9C3IWVJNGIa0cc17.exe	HUMANE~2.EXE
PID 1156 wrote to memory of 2548	1156	DgyUKfSy9C3IWVJNGIa0cc17.exe	HUMANE~2.EXE
PID 2748 wrote to memory of 2172	2748	ehsearcher52.exe	rSV2PaIW0w.exe
PID 2748 wrote to memory of 2172	2748	ehsearcher52.exe	rSV2PaIW0w.exe
PID 2748 wrote to memory of 2172	2748	ehsearcher52.exe	rSV2PaIW0w.exe
PID 1276 wrote to memory of 2664	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	xzUjbor38MGMIJuvu58ublWE.exe
PID 1276 wrote to memory of 2664	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	xzUjbor38MGMIJuvu58ublWE.exe
PID 1276 wrote to memory of 2664	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	xzUjbor38MGMIJuvu58ublWE.exe
PID 1276 wrote to memory of 2084	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	schtasks.exe
PID 1276 wrote to memory of 2084	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	schtasks.exe
PID 1276 wrote to memory of 2084	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	schtasks.exe
PID 1276 wrote to memory of 4348	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	schtasks.exe
PID 1276 wrote to memory of 4348	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	schtasks.exe
PID 1276 wrote to memory of 4348	1276	JLvDB3D38RiO0RoDYyZXn_Mu.exe	schtasks.exe
PID 2548 wrote to memory of 780	2548	HUMANE~2.EXE	powershell.exe
PID 2548 wrote to memory of 780	2548	HUMANE~2.EXE	powershell.exe
PID 2548 wrote to memory of 780	2548	HUMANE~2.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe
"C:\Users\Admin\AppData\Local\Temp\9c5fc66cf2ee1f1fe36dacdf26edc34beb1b80eb9ffc1f60c87f8bb743f8ee35.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 544
2⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 544
2⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 840
2⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 860
2⤵
- Program crash
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 544
2⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1116
2⤵
- Program crash
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1408
2⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1452
2⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1800
2⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1900
2⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1816
2⤵
- Program crash
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1788
2⤵
- Program crash
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1804
2⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1892
2⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1880
2⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1628
2⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1800
2⤵
- Program crash
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2016
2⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2024
2⤵
- Program crash
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1968
2⤵
- Program crash
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1788
2⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1532
2⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1900
2⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1872
2⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2032
2⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2020
2⤵
- Program crash
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1824
2⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1928
2⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2064
2⤵
- Program crash
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2052
2⤵
- Program crash
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2096
2⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2120
2⤵
- Program crash
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2196
2⤵
- Program crash
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2204
2⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2300
2⤵
- Program crash
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2264
2⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2052
2⤵
- Program crash
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2216
2⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2016
2⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2132
2⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2324
2⤵
- Program crash
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1788
2⤵
- Program crash
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1844
2⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2228
2⤵
- Program crash
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2388
2⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2400
2⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2416
2⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2044
2⤵
- Program crash
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1968
2⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2128
2⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2324
2⤵
- Program crash
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3308
2⤵
- Program crash
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3048
2⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3048
2⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3056
2⤵
- Program crash
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3552
2⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3592
2⤵
- Program crash
PID:4592

C:\Users\Admin\Pictures\Minor Policy\9l5dUDkKyveORxwEYWoP2x6m.exe
"C:\Users\Admin\Pictures\Minor Policy\9l5dUDkKyveORxwEYWoP2x6m.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s ~Bu5XRMs.A
3⤵
- Loads dropped DLL
PID:3000

C:\Users\Admin\Pictures\Minor Policy\5H5kFxiBGjw0yGDY6tDSdoRb.exe
"C:\Users\Admin\Pictures\Minor Policy\5H5kFxiBGjw0yGDY6tDSdoRb.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2676

C:\Users\Admin\Pictures\Minor Policy\JLvDB3D38RiO0RoDYyZXn_Mu.exe
"C:\Users\Admin\Pictures\Minor Policy\JLvDB3D38RiO0RoDYyZXn_Mu.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\Documents\xzUjbor38MGMIJuvu58ublWE.exe
"C:\Users\Admin\Documents\xzUjbor38MGMIJuvu58ublWE.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Users\Admin\Pictures\Minor Policy\UacCqD6LL6e0804zS3d5lQ86.exe
"C:\Users\Admin\Pictures\Minor Policy\UacCqD6LL6e0804zS3d5lQ86.exe"
4⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 340
5⤵
PID:3980

C:\Users\Admin\Pictures\Minor Policy\a3bnm83tK5KNT6N2CNH_1Bmz.exe
"C:\Users\Admin\Pictures\Minor Policy\a3bnm83tK5KNT6N2CNH_1Bmz.exe"
4⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\is-OH96L.tmp\is-MLIPM.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OH96L.tmp\is-MLIPM.tmp" /SL4 $3D0056 "C:\Users\Admin\Pictures\Minor Policy\a3bnm83tK5KNT6N2CNH_1Bmz.exe" 2121683 52736
5⤵
PID:2092

C:\Program Files (x86)\ehSearcher\ehsearcher52.exe
"C:\Program Files (x86)\ehSearcher\ehsearcher52.exe"
6⤵
PID:1744

C:\Users\Admin\Pictures\Minor Policy\KiBg3iH0AW4gglsgkr7mEr6P.exe
"C:\Users\Admin\Pictures\Minor Policy\KiBg3iH0AW4gglsgkr7mEr6P.exe"
4⤵
PID:1088

C:\Users\Admin\Pictures\Minor Policy\OSOxsXR1HQ1NlYsvOyI_SX7s.exe
"C:\Users\Admin\Pictures\Minor Policy\OSOxsXR1HQ1NlYsvOyI_SX7s.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
4⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\is-J2FC7.tmp\OSOxsXR1HQ1NlYsvOyI_SX7s.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J2FC7.tmp\OSOxsXR1HQ1NlYsvOyI_SX7s.tmp" /SL5="$10212,11860388,791040,C:\Users\Admin\Pictures\Minor Policy\OSOxsXR1HQ1NlYsvOyI_SX7s.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
5⤵
PID:4808

C:\Users\Admin\Pictures\Minor Policy\x5xwtI3zb_1GBIskWa1DM34d.exe
"C:\Users\Admin\Pictures\Minor Policy\x5xwtI3zb_1GBIskWa1DM34d.exe"
4⤵
PID:4296

C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
5⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Florist.hopp & ping -n 5 localhost
5⤵
PID:5044

C:\Users\Admin\Pictures\Minor Policy\rS9ERVOuVkyntYQegzSoRrFD.exe
"C:\Users\Admin\Pictures\Minor Policy\rS9ERVOuVkyntYQegzSoRrFD.exe"
4⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\is-09E0L.tmp\rS9ERVOuVkyntYQegzSoRrFD.tmp
"C:\Users\Admin\AppData\Local\Temp\is-09E0L.tmp\rS9ERVOuVkyntYQegzSoRrFD.tmp" /SL5="$1021C,140559,56832,C:\Users\Admin\Pictures\Minor Policy\rS9ERVOuVkyntYQegzSoRrFD.exe"
5⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\is-E125D.tmp\PowerOff.exe
"C:\Users\Admin\AppData\Local\Temp\is-E125D.tmp\PowerOff.exe" /S /UID=95
6⤵
PID:3508

C:\Users\Admin\Pictures\Minor Policy\_AstX9gq3XmSblZuRyQxea9F.exe
"C:\Users\Admin\Pictures\Minor Policy\_AstX9gq3XmSblZuRyQxea9F.exe"
4⤵
PID:1548

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s ~Bu5XRMs.A
5⤵
PID:388

C:\Users\Admin\Pictures\Minor Policy\pqvn2ZFEVpI8BVxrgLk9ztes.exe
"C:\Users\Admin\Pictures\Minor Policy\pqvn2ZFEVpI8BVxrgLk9ztes.exe"
4⤵
PID:4812

C:\Users\Admin\Pictures\Minor Policy\dI9_I6Gfr5yXRbcIRrqgit_Z.exe
"C:\Users\Admin\Pictures\Minor Policy\dI9_I6Gfr5yXRbcIRrqgit_Z.exe"
4⤵
PID:1396

C:\Users\Admin\Pictures\Minor Policy\YiKtFZJ_79WKHZwX6bhVv7CF.exe
"C:\Users\Admin\Pictures\Minor Policy\YiKtFZJ_79WKHZwX6bhVv7CF.exe"
4⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HUMANE~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HUMANE~2.EXE
5⤵
PID:4688

C:\Users\Admin\Pictures\Minor Policy\l4X4cC1IE46ILnYnmizDmpMc.exe
"C:\Users\Admin\Pictures\Minor Policy\l4X4cC1IE46ILnYnmizDmpMc.exe"
4⤵
PID:2928

C:\Users\Admin\Pictures\Minor Policy\PuEJ5l6mOhzioR8XUAIq2YSy.exe
"C:\Users\Admin\Pictures\Minor Policy\PuEJ5l6mOhzioR8XUAIq2YSy.exe"
4⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SETUP_~1.EXE
5⤵
PID:4908

C:\Users\Admin\Pictures\Minor Policy\664lDs3CkTdjtJJILzDZFRQ9.exe
"C:\Users\Admin\Pictures\Minor Policy\664lDs3CkTdjtJJILzDZFRQ9.exe"
4⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\7zS77CB.tmp\Install.exe
.\Install.exe
5⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\7zSA275.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:4628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2084

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4348

C:\Users\Admin\Pictures\Minor Policy\DgyUKfSy9C3IWVJNGIa0cc17.exe
"C:\Users\Admin\Pictures\Minor Policy\DgyUKfSy9C3IWVJNGIa0cc17.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HUMANE~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HUMANE~2.EXE
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Users\Admin\AppData\Local\Temp\Gsjzlkevcnkzmjhgzkwmpyljhumanengineering_s.exe
"C:\Users\Admin\AppData\Local\Temp\Gsjzlkevcnkzmjhgzkwmpyljhumanengineering_s.exe"
4⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HUMANE~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HUMANE~2.EXE
4⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HUMANE~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HUMANE~2.EXE
4⤵
PID:3196

C:\Users\Admin\Pictures\Minor Policy\c1AuCiSzTTdtrbvsFqSEWgHM.exe
"C:\Users\Admin\Pictures\Minor Policy\c1AuCiSzTTdtrbvsFqSEWgHM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Local\Temp\is-HVAF1.tmp\is-7OU44.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HVAF1.tmp\is-7OU44.tmp" /SL4 $B005C "C:\Users\Admin\Pictures\Minor Policy\c1AuCiSzTTdtrbvsFqSEWgHM.exe" 2121683 52736
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4532

C:\Program Files (x86)\ehSearcher\ehsearcher52.exe
"C:\Program Files (x86)\ehSearcher\ehsearcher52.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Roaming\{cd0d74c0-1ab4-11ed-b686-806e6f6e6963}\rSV2PaIW0w.exe
5⤵
- Executes dropped EXE
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ehsearcher52.exe" /f & erase "C:\Program Files (x86)\ehSearcher\ehsearcher52.exe" & exit
5⤵
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3592
2⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1988
2⤵
- Program crash
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1524
2⤵
- Program crash
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1960
2⤵
- Program crash
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1688
2⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2088
2⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1524
2⤵
- Program crash
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1524
2⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3440
2⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3396
2⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 3476
2⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3436 -ip 3436
1⤵
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3436 -ip 3436
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3436 -ip 3436
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3436 -ip 3436
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3436 -ip 3436
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3436 -ip 3436
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3436 -ip 3436
1⤵
PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3436 -ip 3436
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3436 -ip 3436
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3436 -ip 3436
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3436 -ip 3436
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3436 -ip 3436
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3436 -ip 3436
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3436 -ip 3436
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3436 -ip 3436
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3436 -ip 3436
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3436 -ip 3436
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3436 -ip 3436
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3436 -ip 3436
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3436 -ip 3436
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3436 -ip 3436
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3436 -ip 3436
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3436 -ip 3436
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3436 -ip 3436
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3436 -ip 3436
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3436 -ip 3436
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3436 -ip 3436
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 3436 -ip 3436
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3436 -ip 3436
1⤵
PID:4216

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AE7C.dll
2⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 3436 -ip 3436
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3436 -ip 3436
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 3436 -ip 3436
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3436 -ip 3436
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 3436 -ip 3436
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 3436 -ip 3436
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 3436 -ip 3436
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 3436 -ip 3436
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3436 -ip 3436
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 3436 -ip 3436
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3436 -ip 3436
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 3436 -ip 3436
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3436 -ip 3436
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3436 -ip 3436
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 3436 -ip 3436
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 3436 -ip 3436
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3436 -ip 3436
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3436 -ip 3436
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 3436 -ip 3436
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3436 -ip 3436
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 3436 -ip 3436
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3436 -ip 3436
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3436 -ip 3436
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3436 -ip 3436
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3436 -ip 3436
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3436 -ip 3436
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3436 -ip 3436
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3436 -ip 3436
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3436 -ip 3436
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3436 -ip 3436
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3436 -ip 3436
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3436 -ip 3436
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 3436 -ip 3436
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3436 -ip 3436
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 3436 -ip 3436
1⤵
PID:4112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3436 -ip 3436
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3436 -ip 3436
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 3436 -ip 3436
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 1032 -ip 1032
1⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\9834.exe
C:\Users\Admin\AppData\Local\Temp\9834.exe
1⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\9834.exe
C:\Users\Admin\AppData\Local\Temp\9834.exe
2⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 3436 -ip 3436
1⤵
PID:312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ehSearcher\ehsearcher52.exe
Filesize
3.8MB

MD5
4cc16eec4381530bdb795c9fa17ba3f8

SHA1
3b4eb1619a3e1c8d4465221470d0fd940f7ec683

SHA256
d52dc40dd610d74d79f67f8715da387ec1e5c107f53f6920b080598d81350a72

SHA512
c7645661b243e55f1312d63e1e95bb5911ff4f14369cc25f16e01ef88f433a6aba028030b42568a03f7eafc3369fbed2b61e683f05768bc28239661afd45a182

Download Submit
C:\Program Files (x86)\ehSearcher\ehsearcher52.exe
Filesize
3.8MB

MD5
4cc16eec4381530bdb795c9fa17ba3f8

SHA1
3b4eb1619a3e1c8d4465221470d0fd940f7ec683

SHA256
d52dc40dd610d74d79f67f8715da387ec1e5c107f53f6920b080598d81350a72

SHA512
c7645661b243e55f1312d63e1e95bb5911ff4f14369cc25f16e01ef88f433a6aba028030b42568a03f7eafc3369fbed2b61e683f05768bc28239661afd45a182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
d6b0775dc8b065f63eb1c316f861073c

SHA1
06053ace4e90b7b5e5ffd5ea60c508757332669a

SHA256
41417649008fbe3872c14d033ea49da0b91898f24030b98f2d587626c3a95d4f

SHA512
1bbf1436625d5a62f58ee44ac7dffa65291c727b6129990e0677edced90489ba051a6a325d99b8a232c532b41e7b4af49423d33a911dfab8ba56a93a5b63876c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\98E4B9E09258E3C5F565FA64983EE15B
Filesize
1KB

MD5
e4edba3e0c91c58fc5c57405177e3b10

SHA1
7abd3d6033adc4b3b473cd9191d07671a121425d

SHA256
2632ec603c7cdcaf12d30a9a5c99abece91354e4b113b8d3dd5f6aa9ef066601

SHA512
f6e2346942b7dd1abed11b067cf1dd1b9c6c9b2748a31fd82a80ed7a0e7690b19c29d74111b1b632e247201f5e92fd30d88db87ea512205f68bc2f5f5bf15496

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_6B030DB581A2D8F9B2266D9F23F1AFB5
Filesize
278B

MD5
7e494400c537690b661e0e91d1f7ea74

SHA1
a4e6d94d2bd236852c9cbcff7af66b0ca067038a

SHA256
7a99c1b932505452306d08b3ca42a10412c8a649987594bedc0abb6e76af2147

SHA512
1cb475b59ef515c548c4d2ce8e8b77e67c409a8e4a38179909b61354bc8de4bbd1404a147b2dd64aeea92a7a21d10be2b634d36e5f2b9b8f27f0dbf762199393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
1KB

MD5
c20311c1420493add61cf1793e6793e3

SHA1
4675c432b85c3ace32c5e61d5d0b959bdaf176dd

SHA256
0c1783030daa4162cd8db453dfe056aab92d204e21f148e7965faaa383054d27

SHA512
aaedc0bb9e2297f121cc9b9e5fdd8ef96c11f51e3ce42f27799d2491bbe66dad1f5ad8ea245dcf540ce20858aafe28b3589be35b59f83b3392369ba36beeac15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B55A05DF158DA292513D680FF42729C8
Filesize
1KB

MD5
5548cbbbbf08120d7c901043c6f77068

SHA1
f07450faee6809942d276ef7b8906daf15d102b2

SHA256
8724f614923f1bb5ec711151faf31e86481c850f5f98c9f3f70e30f45d124284

SHA512
790778850dae0a819d7bb53127e23717991508a67101be3e0473fa4e94f7d369ceec7d4896b595971ade8a272d8389faf97bb3039e141489724104afbb5d6b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CD39ADF7806918A174DD06515F1280A5
Filesize
345B

MD5
5917a160a107d8bb9ec96552332ef7c7

SHA1
abf28b9076e1b905964a49059bd4c37e8b9656a5

SHA256
8f2b02205d882fd73fe07298c3386d75501d9045951b05865975e25e985e3c80

SHA512
100e0f9526f06c03844475cc4ca3857730ed371b3ee8c3fbe8ee561b59711f27f645d5080d214ec3225b1d8cfadb824264645250146d522a8f8fb0678afb1736

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
b0a15b6d9d33f36d5444ba78deaa44e7

SHA1
830f421744711156175474a30d8c3f7b62790c61

SHA256
386cf92493cba65f931350ede36cd4288747ecb6f606872a8574e9be9dabfb44

SHA512
d3dc15af32159adb13da66c0ffeeaf7d2c6d9bcfd647e5895110152fb83a225898304f77202a6178d4ac0fd7b78447646750e6ef0c5d4b56e2edaf0b976b5bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
3c6b24614530347c70700af38a9a1bd8

SHA1
89a5bf0123b58b0e72c59bc4ba71e817f81b4c7f

SHA256
46e439e94d10bc571df3abe69f7f95321b4f63f0569722bc549db7860e1b724d

SHA512
8e0d8487fd03b5de22230f19bfe0a96fb9c6142656978b190823da129cee5863352cc9b0e11200d595b14d3ebe87bb468d0ca4b0b272bb5b500d4999541e9596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
75ec030c18eb4700bbca2f468d7c78bd

SHA1
59f0b87238479f51260c02c02c76617f521bf70b

SHA256
0a8fb8a5e0adc99c19a401bed2234d4c459efd60936f05bc18857b39083b311e

SHA512
6c35ee0f25e99ad0a9b5c04d0dc02aabece6a92d4f4b065764b58521e75ad0d55df8045169b47c1d8a700f46973bf2c9e2a3a657c6130143e6174fdfba6b35fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\98E4B9E09258E3C5F565FA64983EE15B
Filesize
540B

MD5
f581f6cead23b8bd7e2de6575e41e828

SHA1
5c0ea342a50ea4b6c69789e3f9711a4f00e0d971

SHA256
7c4d91e9c6f869475b5a9dd65d42b1b8b834aebc8fcc0bcc57a3380f09148a27

SHA512
0d507b70cf10631152aca27f55eeb5fdc6040e71e07a89515c3b9e3d858b998c3b6a7c934d1be915168feb90ece5ea0d8b6cfde5a019ac05428e71614a31e7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_6B030DB581A2D8F9B2266D9F23F1AFB5
Filesize
426B

MD5
135f74a36119744dd4e209c9dac854bf

SHA1
2eb688bedd3de78b6172dfb1a66201abeee561d4

SHA256
2fe156139ffddba13d32c8c007cc9d623b9a762917f97ae577e702e29ba03362

SHA512
79cb7371356d62134099997ab4f9cac1321f5b0d4163b0eab119028dcc30e9649e6cd8650c4b19c6f00e989325d4400af83783ab1d059063d83eb4592888ff99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
492B

MD5
c923a889dde735a401048f57a7f9f782

SHA1
703b05f2f27b2e3f9e5d66637e165782c60ca57b

SHA256
03bc7569ab43f07bff9b4e1916c169e23cc45a2bdcdcbb88c73a5db2d28e8c9e

SHA512
a762dacfb0d0c010e6e3d7a2c67776f1c6a417fe600793e8f75d16b6f9f607257485cf437b79a2d1246bc61a04a2f965ad69bf71e08ae1225f277c232620bd72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B55A05DF158DA292513D680FF42729C8
Filesize
532B

MD5
8dfddfc214a3f52857afbda3a6c9c1a6

SHA1
6fc350a22b65ac9bfc8919348ab914d7c37cb8f3

SHA256
40ae2ce8b15f5fa950f4aec75a564a6082e4382b180da9fd2bf03a1a335d0a13

SHA512
4facb2bee8df6d394c7d51bcf0901e75a8248600eff85bdd41382a2804ff43bdd7a6b7da9e0cb7e084542490a9fd7f6c8ca4272b7fc82cc7118bdc1115a44fbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CD39ADF7806918A174DD06515F1280A5
Filesize
548B

MD5
190acfb1ded4b7bc9916636ddb106b59

SHA1
4e4b6514f9633e7b7c79c36de86d4a17ea6f05ce

SHA256
dbc298560aa6ba88e35cd675186d7ef7b52105d58c6ee92291805516062ba91d

SHA512
0e7431538fc55a9e954c98977a017dfa0245cf62c8638c9ad9c2206a3726f022c84c8d0fb3cfc97d23a410ad5c08a0f8a780be4724c4846fa86fd20641c2b8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HUMANE~2.EXE
Filesize
80.2MB

MD5
78844a0394b64e82697febb0f626a2a5

SHA1
b307402b7c3ee663da7cd9a0a7a57d5880b8e242

SHA256
f7f63c2c173fbbe5c3b4e436d00234e5a778c64fbb6442981ae52ebb4127df4b

SHA512
22ff14cf104d41b50b000d36b30b8d8a3a83e6336d63f6bef7ff1b0badab5bb5fc8167f42ef756802a54b6e1a1159335ee9cc065b87c15f82bcecb033323d5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HUMANE~2.EXE
Filesize
81.7MB

MD5
915fc5dc63d247391a64531b8c5b6559

SHA1
778ae1b6d7b74df4f4adad358ba43b603aa8d74f

SHA256
7d37ed88ee1f4f6b0169b0ae27954eb73b007373f710857c3d20a5334449efc1

SHA512
f07adc86bb23fa0ce4d45b26626e137e4941d2eb979a95eaa7a8d5d108a51c6b2b9e6385613d893255c62702ac84ffe8c08bdba55c60dfb5d0dbc178afea32e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GLS6S.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HVAF1.tmp\is-7OU44.tmp
Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HVAF1.tmp\is-7OU44.tmp
Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Bu5XRMs.A
Filesize
1.9MB

MD5
6d6745c94eae5027ce7af343256c2c2e

SHA1
d9374ded0ee6df8af9cd200f20cd3c02baf67d78

SHA256
61ffa4b0f1d2106920a30fc28d955b697c9d2e60e5070ed9f8619e8239c19918

SHA512
6dcc86efc15f2a420f29b114313919286b0e3db29cf68426bcc70193a569d26a0bba4088c654f90ae92bb2f9b460090a9c0e7f381350c25460af2fcaf267ab32

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Bu5xrMs.a
Filesize
1.9MB

MD5
6d6745c94eae5027ce7af343256c2c2e

SHA1
d9374ded0ee6df8af9cd200f20cd3c02baf67d78

SHA256
61ffa4b0f1d2106920a30fc28d955b697c9d2e60e5070ed9f8619e8239c19918

SHA512
6dcc86efc15f2a420f29b114313919286b0e3db29cf68426bcc70193a569d26a0bba4088c654f90ae92bb2f9b460090a9c0e7f381350c25460af2fcaf267ab32

Download Submit
C:\Users\Admin\AppData\Roaming\{cd0d74c0-1ab4-11ed-b686-806e6f6e6963}\rSV2PaIW0w.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{cd0d74c0-1ab4-11ed-b686-806e6f6e6963}\rSV2PaIW0w.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\Documents\xzUjbor38MGMIJuvu58ublWE.exe
Filesize
5.5MB

MD5
91f6f48383c2d43120c14b74bf894575

SHA1
c49da1e376ae346d420e1486b7b865ee0d6e1485

SHA256
6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933

SHA512
a93ef32d57ff0991f1a2711371db24063bcf1c5cf4ebf2c24a0ac856b08df046fb760801dce3dca3a4c4f3eaaf18d4c1f0fe2befc5d5df9d5fefadd57f1bc69f

Download Submit
C:\Users\Admin\Documents\xzUjbor38MGMIJuvu58ublWE.exe
Filesize
5.5MB

MD5
91f6f48383c2d43120c14b74bf894575

SHA1
c49da1e376ae346d420e1486b7b865ee0d6e1485

SHA256
6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933

SHA512
a93ef32d57ff0991f1a2711371db24063bcf1c5cf4ebf2c24a0ac856b08df046fb760801dce3dca3a4c4f3eaaf18d4c1f0fe2befc5d5df9d5fefadd57f1bc69f

Download Submit
C:\Users\Admin\Pictures\Minor Policy\5H5kFxiBGjw0yGDY6tDSdoRb.exe
Filesize
196KB

MD5
f41b9e7741b3c6ea33a947e85f8ecd89

SHA1
1d17879310cf6ae6d3388f29bfc3ddc062c2d980

SHA256
4b9389d77338b5614133e85cf8a2d562c9994d9ca29df78631141a4b254d7a09

SHA512
f5cd4842b70b61686197654ab5f3c1022024dca6fff4f38c396c0484ac531c2c50b694294099c5dd99456f771dbcde7afa88fdae3006272f2f7c5a4d819f6a7d

Download Submit
C:\Users\Admin\Pictures\Minor Policy\5H5kFxiBGjw0yGDY6tDSdoRb.exe
Filesize
196KB

MD5
f41b9e7741b3c6ea33a947e85f8ecd89

SHA1
1d17879310cf6ae6d3388f29bfc3ddc062c2d980

SHA256
4b9389d77338b5614133e85cf8a2d562c9994d9ca29df78631141a4b254d7a09

SHA512
f5cd4842b70b61686197654ab5f3c1022024dca6fff4f38c396c0484ac531c2c50b694294099c5dd99456f771dbcde7afa88fdae3006272f2f7c5a4d819f6a7d

Download Submit
C:\Users\Admin\Pictures\Minor Policy\664lDs3CkTdjtJJILzDZFRQ9.exe
Filesize
7.3MB

MD5
9c007ec6b7833a31f73c5c537834a6f0

SHA1
784b46bbb9c81f1f033322100cd9ead460f5f8a0

SHA256
a279976e67d2df6b3880be496e2ce77afc898af87a2fe4d7ea1615e31cad9a78

SHA512
6feb3229892bb0295488d5a933518c550bf8d1e45a145c315fd4a5fc31b230075dd61cc3e8dda23a12ff58427e768cb6c59b5176906edcab4b0822f736ad3483

Download Submit
C:\Users\Admin\Pictures\Minor Policy\664lDs3CkTdjtJJILzDZFRQ9.exe
Filesize
7.3MB

MD5
9c007ec6b7833a31f73c5c537834a6f0

SHA1
784b46bbb9c81f1f033322100cd9ead460f5f8a0

SHA256
a279976e67d2df6b3880be496e2ce77afc898af87a2fe4d7ea1615e31cad9a78

SHA512
6feb3229892bb0295488d5a933518c550bf8d1e45a145c315fd4a5fc31b230075dd61cc3e8dda23a12ff58427e768cb6c59b5176906edcab4b0822f736ad3483

Download Submit
C:\Users\Admin\Pictures\Minor Policy\9l5dUDkKyveORxwEYWoP2x6m.exe
Filesize
1.6MB

MD5
10d95359ce086767acbe12b5e7b23fbb

SHA1
bad9b781a403dee3a46e6434193880ddf3ea8307

SHA256
876bfabddc00e795c35658732ff1e180505d482bd91779c7bad4a66518fff985

SHA512
1dd1c65d8491c2d5e3f533f1c523f055458751ce34715a8d84cb7f7bf5adabebdc96f377601d649de2089d78219f6c547c09aac69f56b94168ab114864b54224

Download Submit
C:\Users\Admin\Pictures\Minor Policy\9l5dUDkKyveORxwEYWoP2x6m.exe
Filesize
1.6MB

MD5
10d95359ce086767acbe12b5e7b23fbb

SHA1
bad9b781a403dee3a46e6434193880ddf3ea8307

SHA256
876bfabddc00e795c35658732ff1e180505d482bd91779c7bad4a66518fff985

SHA512
1dd1c65d8491c2d5e3f533f1c523f055458751ce34715a8d84cb7f7bf5adabebdc96f377601d649de2089d78219f6c547c09aac69f56b94168ab114864b54224

Download Submit
C:\Users\Admin\Pictures\Minor Policy\DgyUKfSy9C3IWVJNGIa0cc17.exe
Filesize
414KB

MD5
edf2eb69c5fff1cd47ae25c59695d040

SHA1
442d45adc9d967c1ac84d72697d3e6fdc183c3d1

SHA256
e5eb694f24982ff71260946f290e225f129201d7839b90831f3d1b7d31254df6

SHA512
9b85afaf2dea1ba3b2dcea5069cb8e9a4b6e433c054154aa0f225cb83b6f350e5d3cc23955fab4b28ec364a2397f5d71200219f540aaaf9229f9a38a8f045216

Download Submit
C:\Users\Admin\Pictures\Minor Policy\JLvDB3D38RiO0RoDYyZXn_Mu.exe
Filesize
4.8MB

MD5
854d5dfe2d5193aa4150765c123df8ad

SHA1
1b21d80c4beb90b03d795cf11145619aeb3a4f37

SHA256
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

SHA512
48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\JLvDB3D38RiO0RoDYyZXn_Mu.exe
Filesize
4.8MB

MD5
854d5dfe2d5193aa4150765c123df8ad

SHA1
1b21d80c4beb90b03d795cf11145619aeb3a4f37

SHA256
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

SHA512
48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\KiBg3iH0AW4gglsgkr7mEr6P.exe
Filesize
5.1MB

MD5
5ddf3627e4653db4f2f8d2fd9c0afc97

SHA1
0bdbfc683acd5512c356fefad998ee9ba9276e97

SHA256
6b21a42824ae2bda24f29a05bb973d5edd721a398fedc0812bab408fec73a379

SHA512
26445e0aaf50b31c2ed11af2a8480e552fc4a9f540f90352d475c741ebb74a0c6f7fb10a16cb0b756350a210a85a75184dfa092ea9fb8123e6a2df6afde5a8fc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\KiBg3iH0AW4gglsgkr7mEr6P.exe
Filesize
5.1MB

MD5
5ddf3627e4653db4f2f8d2fd9c0afc97

SHA1
0bdbfc683acd5512c356fefad998ee9ba9276e97

SHA256
6b21a42824ae2bda24f29a05bb973d5edd721a398fedc0812bab408fec73a379

SHA512
26445e0aaf50b31c2ed11af2a8480e552fc4a9f540f90352d475c741ebb74a0c6f7fb10a16cb0b756350a210a85a75184dfa092ea9fb8123e6a2df6afde5a8fc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\OSOxsXR1HQ1NlYsvOyI_SX7s.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Minor Policy\OSOxsXR1HQ1NlYsvOyI_SX7s.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Minor Policy\PuEJ5l6mOhzioR8XUAIq2YSy.exe
Filesize
625KB

MD5
dfd744e7fa0eff75edd3dcef583de19a

SHA1
a3b8731fcfa2ea747fa415d44c3e909f14c05c89

SHA256
174187cf1d64a1eb5172a3dbf6b560dddc588a1d1edba896c0746a8c9b41b05b

SHA512
a1f349c9583c70b14274accb2e7348859bb13fb7315db698f9b90c7948b682e5f609f723b55b9fe4e5facdf7851cd2873b6badc7d89d9f96e0f1273b184c6c45

Download Submit
C:\Users\Admin\Pictures\Minor Policy\UacCqD6LL6e0804zS3d5lQ86.exe
Filesize
196KB

MD5
6461f42f3a4ed78a8133ea07a752dc6b

SHA1
f1066b5e35d7bedb44765e18747a5bb09a8a33e0

SHA256
7d51d09df887d02efb0ad589d90fd45a5ca24b4554f4d80a7d58995e9022c44a

SHA512
c5b1fd6e83a470d8b2b9c7b6418a981fd3f3394818300d5ec07a9b09f48244069d39be7591787967d05e189ac740a57bf10c2b827c2c36dc84371fa08fd3974a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\UacCqD6LL6e0804zS3d5lQ86.exe
Filesize
196KB

MD5
6461f42f3a4ed78a8133ea07a752dc6b

SHA1
f1066b5e35d7bedb44765e18747a5bb09a8a33e0

SHA256
7d51d09df887d02efb0ad589d90fd45a5ca24b4554f4d80a7d58995e9022c44a

SHA512
c5b1fd6e83a470d8b2b9c7b6418a981fd3f3394818300d5ec07a9b09f48244069d39be7591787967d05e189ac740a57bf10c2b827c2c36dc84371fa08fd3974a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\YiKtFZJ_79WKHZwX6bhVv7CF.exe
Filesize
414KB

MD5
edf2eb69c5fff1cd47ae25c59695d040

SHA1
442d45adc9d967c1ac84d72697d3e6fdc183c3d1

SHA256
e5eb694f24982ff71260946f290e225f129201d7839b90831f3d1b7d31254df6

SHA512
9b85afaf2dea1ba3b2dcea5069cb8e9a4b6e433c054154aa0f225cb83b6f350e5d3cc23955fab4b28ec364a2397f5d71200219f540aaaf9229f9a38a8f045216

Download Submit
C:\Users\Admin\Pictures\Minor Policy\_AstX9gq3XmSblZuRyQxea9F.exe
Filesize
1.6MB

MD5
10d95359ce086767acbe12b5e7b23fbb

SHA1
bad9b781a403dee3a46e6434193880ddf3ea8307

SHA256
876bfabddc00e795c35658732ff1e180505d482bd91779c7bad4a66518fff985

SHA512
1dd1c65d8491c2d5e3f533f1c523f055458751ce34715a8d84cb7f7bf5adabebdc96f377601d649de2089d78219f6c547c09aac69f56b94168ab114864b54224

Download Submit
C:\Users\Admin\Pictures\Minor Policy\_AstX9gq3XmSblZuRyQxea9F.exe
Filesize
1.6MB

MD5
10d95359ce086767acbe12b5e7b23fbb

SHA1
bad9b781a403dee3a46e6434193880ddf3ea8307

SHA256
876bfabddc00e795c35658732ff1e180505d482bd91779c7bad4a66518fff985

SHA512
1dd1c65d8491c2d5e3f533f1c523f055458751ce34715a8d84cb7f7bf5adabebdc96f377601d649de2089d78219f6c547c09aac69f56b94168ab114864b54224

Download Submit
C:\Users\Admin\Pictures\Minor Policy\a3bnm83tK5KNT6N2CNH_1Bmz.exe
Filesize
2.3MB

MD5
0722c4f56082709fd15e183418225d8f

SHA1
417854bae29c89d705f81023b9a48b4c5cc4da1a

SHA256
aa5383824eeb7c5bbef67fd59ae5c833c86533eded463da9f005a45824adc04a

SHA512
9751600445d461f38d42731f1c2bc3b42b8145f8d63d7adfedeb05fbbd8819f74fd902d449198f62251ae02bec3e437ae1a76fbee23bea62fbe7a08e66b4f6f5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\a3bnm83tK5KNT6N2CNH_1Bmz.exe
Filesize
2.3MB

MD5
0722c4f56082709fd15e183418225d8f

SHA1
417854bae29c89d705f81023b9a48b4c5cc4da1a

SHA256
aa5383824eeb7c5bbef67fd59ae5c833c86533eded463da9f005a45824adc04a

SHA512
9751600445d461f38d42731f1c2bc3b42b8145f8d63d7adfedeb05fbbd8819f74fd902d449198f62251ae02bec3e437ae1a76fbee23bea62fbe7a08e66b4f6f5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\c1AuCiSzTTdtrbvsFqSEWgHM.exe
Filesize
2.3MB

MD5
0722c4f56082709fd15e183418225d8f

SHA1
417854bae29c89d705f81023b9a48b4c5cc4da1a

SHA256
aa5383824eeb7c5bbef67fd59ae5c833c86533eded463da9f005a45824adc04a

SHA512
9751600445d461f38d42731f1c2bc3b42b8145f8d63d7adfedeb05fbbd8819f74fd902d449198f62251ae02bec3e437ae1a76fbee23bea62fbe7a08e66b4f6f5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\c1AuCiSzTTdtrbvsFqSEWgHM.exe
Filesize
2.3MB

MD5
0722c4f56082709fd15e183418225d8f

SHA1
417854bae29c89d705f81023b9a48b4c5cc4da1a

SHA256
aa5383824eeb7c5bbef67fd59ae5c833c86533eded463da9f005a45824adc04a

SHA512
9751600445d461f38d42731f1c2bc3b42b8145f8d63d7adfedeb05fbbd8819f74fd902d449198f62251ae02bec3e437ae1a76fbee23bea62fbe7a08e66b4f6f5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dI9_I6Gfr5yXRbcIRrqgit_Z.exe
Filesize
137KB

MD5
3e7476424f53cb86bde748a440f853a6

SHA1
8b5a86f7005196149a662df06ee7767be6bd403f

SHA256
88f86bd0c315b807570a8330266fe9c8f04f04cef5c06de8f9f82eda57f10531

SHA512
09b9b8f7343f74023e3978d6adf9e5d0d4704e0e025c8f7810584b1a35eb668ca1b2ea00478576160e2c59ccd27cd96c6afa2c8970718c236d0aa37dd527a77c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dI9_I6Gfr5yXRbcIRrqgit_Z.exe
Filesize
137KB

MD5
3e7476424f53cb86bde748a440f853a6

SHA1
8b5a86f7005196149a662df06ee7767be6bd403f

SHA256
88f86bd0c315b807570a8330266fe9c8f04f04cef5c06de8f9f82eda57f10531

SHA512
09b9b8f7343f74023e3978d6adf9e5d0d4704e0e025c8f7810584b1a35eb668ca1b2ea00478576160e2c59ccd27cd96c6afa2c8970718c236d0aa37dd527a77c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\l4X4cC1IE46ILnYnmizDmpMc.exe
Filesize
109KB

MD5
8eaa251d5f36f6a6320f9ce7390f0101

SHA1
af0447aa8853f6a60ec6594fd5ec8c80b84b712e

SHA256
6c7f7aac489075f1a461dd5cf11c323abb8e816a72d5ce9dd208191b12fe09d3

SHA512
448d49d907332ea0d89b75249f77caaf018e34794a92331a0f3b382e932bf2660dbcba462acdfe19dff841901ddbc57d83804fd7fe09d25c154846427df27023

Download Submit
C:\Users\Admin\Pictures\Minor Policy\l4X4cC1IE46ILnYnmizDmpMc.exe
Filesize
109KB

MD5
8eaa251d5f36f6a6320f9ce7390f0101

SHA1
af0447aa8853f6a60ec6594fd5ec8c80b84b712e

SHA256
6c7f7aac489075f1a461dd5cf11c323abb8e816a72d5ce9dd208191b12fe09d3

SHA512
448d49d907332ea0d89b75249f77caaf018e34794a92331a0f3b382e932bf2660dbcba462acdfe19dff841901ddbc57d83804fd7fe09d25c154846427df27023

Download Submit
C:\Users\Admin\Pictures\Minor Policy\pqvn2ZFEVpI8BVxrgLk9ztes.exe
Filesize
197KB

MD5
cb2862c13f00df6cb083ce8984127eba

SHA1
c1c5cb8c8ca77cffd554ea34a4161e5376be77d2

SHA256
0d22d6a52105f39fdce4934857f5fe90710f760e501b12bf4f6fa9abf96b3e41

SHA512
77992fab0ccd6104f473cdec7411e43fc0d1d7d10cefc756b40f4b5936c71b45d34102d183c2a2e8a8973e92f2cfddf0a03f64e87d11d44b12cf61e9338af70e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\pqvn2ZFEVpI8BVxrgLk9ztes.exe
Filesize
197KB

MD5
cb2862c13f00df6cb083ce8984127eba

SHA1
c1c5cb8c8ca77cffd554ea34a4161e5376be77d2

SHA256
0d22d6a52105f39fdce4934857f5fe90710f760e501b12bf4f6fa9abf96b3e41

SHA512
77992fab0ccd6104f473cdec7411e43fc0d1d7d10cefc756b40f4b5936c71b45d34102d183c2a2e8a8973e92f2cfddf0a03f64e87d11d44b12cf61e9338af70e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\rS9ERVOuVkyntYQegzSoRrFD.exe
Filesize
380KB

MD5
c0b4de4f711b7c28369d7a4018f94759

SHA1
4cf0c26459c732e1b334b8a2b4748161d922e657

SHA256
736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d

SHA512
6e0f13d4492841eecf84bba5953aeec94563aa3c5bc11845e6d6a94915cb4493564f920e849a51551328c25aae71674646768a7ec666dd8263767a9ec3293ada

Download Submit
C:\Users\Admin\Pictures\Minor Policy\rS9ERVOuVkyntYQegzSoRrFD.exe
Filesize
380KB

MD5
c0b4de4f711b7c28369d7a4018f94759

SHA1
4cf0c26459c732e1b334b8a2b4748161d922e657

SHA256
736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d

SHA512
6e0f13d4492841eecf84bba5953aeec94563aa3c5bc11845e6d6a94915cb4493564f920e849a51551328c25aae71674646768a7ec666dd8263767a9ec3293ada

Download Submit
C:\Users\Admin\Pictures\Minor Policy\x5xwtI3zb_1GBIskWa1DM34d.exe
Filesize
941KB

MD5
2092922a347423590e96cfd6e3229f7a

SHA1
141d4659bbad7b2fb8cf04bf8c1c3d2bcd4b720e

SHA256
85e5b6c3109f53edf81c55aef3f08cf321e350c7353a5d9774f927f77052bf2a

SHA512
54e235b2f181f221fc3927080f38b70a2de1844955640edc8dc4af88b258ee7acdd0e81ae06c2255ef4927ba81da2d1674aa6ec784f05659acb2fda19c08aeab

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
memory/388-298-0x0000000003340000-0x000000000342A000-memory.dmp

Filesize
936KB

Download
memory/388-297-0x0000000003160000-0x000000000324A000-memory.dmp

Filesize
936KB

Download
memory/388-295-0x0000000000000000-mapping.dmp

Download
memory/524-303-0x0000000000000000-mapping.dmp

Download
memory/668-294-0x0000000000000000-mapping.dmp

Download
memory/780-218-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/780-208-0x0000000000000000-mapping.dmp

Download
memory/780-216-0x00000000053A0000-0x00000000059C8000-memory.dmp

Filesize
6.2MB

Download
memory/780-217-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/780-241-0x0000000006760000-0x000000000677A000-memory.dmp

Filesize
104KB

Download
memory/780-240-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/780-214-0x0000000002900000-0x0000000002936000-memory.dmp

Filesize
216KB

Download
memory/780-219-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/1032-309-0x0000000000470000-0x0000000000479000-memory.dmp

Filesize
36KB

Download
memory/1032-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1032-246-0x0000000000000000-mapping.dmp

Download
memory/1032-307-0x0000000000498000-0x00000000004A9000-memory.dmp

Filesize
68KB

Download
memory/1068-315-0x0000000000000000-mapping.dmp

Download
memory/1088-247-0x0000000000000000-mapping.dmp

Download
memory/1088-296-0x00000000009B0000-0x0000000001C4F000-memory.dmp

Filesize
18.6MB

Download
memory/1156-139-0x0000000000000000-mapping.dmp

Download
memory/1236-270-0x0000000000000000-mapping.dmp

Download
memory/1276-169-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1276-207-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download
memory/1276-206-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1276-162-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1276-177-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1276-176-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download
memory/1276-157-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1276-168-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1276-137-0x0000000000000000-mapping.dmp

Download
memory/1276-170-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1276-151-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1396-314-0x00000000063A0000-0x00000000069B8000-memory.dmp

Filesize
6.1MB

Download
memory/1396-277-0x0000000000E80000-0x0000000000EA8000-memory.dmp

Filesize
160KB

Download
memory/1396-316-0x0000000005FC0000-0x00000000060CA000-memory.dmp

Filesize
1.0MB

Download
memory/1396-257-0x0000000000000000-mapping.dmp

Download
memory/1396-317-0x0000000005FA0000-0x0000000005FB2000-memory.dmp

Filesize
72KB

Download
memory/1396-319-0x0000000006120000-0x000000000615C000-memory.dmp

Filesize
240KB

Download
memory/1548-249-0x0000000000000000-mapping.dmp

Download
memory/1744-322-0x0000000000000000-mapping.dmp

Download
memory/2084-193-0x0000000000000000-mapping.dmp

Download
memory/2092-293-0x0000000000000000-mapping.dmp

Download
memory/2172-180-0x0000000000000000-mapping.dmp

Download
memory/2548-175-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/2548-200-0x0000000006310000-0x0000000006332000-memory.dmp

Filesize
136KB

Download
memory/2548-172-0x0000000000000000-mapping.dmp

Download
memory/2572-321-0x0000000000000000-mapping.dmp

Download
memory/2664-269-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-242-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-205-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download
memory/2664-203-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-202-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-215-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-204-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-244-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download
memory/2664-196-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-199-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-299-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download
memory/2664-300-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-195-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-201-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/2664-190-0x0000000000000000-mapping.dmp

Download
memory/2676-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-138-0x0000000000000000-mapping.dmp

Download
memory/2676-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-184-0x0000000000470000-0x0000000000479000-memory.dmp

Filesize
36KB

Download
memory/2676-183-0x00000000004A8000-0x00000000004B9000-memory.dmp

Filesize
68KB

Download
memory/2708-272-0x0000000000000000-mapping.dmp

Download
memory/2748-186-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2748-308-0x0000000000400000-0x00000000015C6000-memory.dmp

Filesize
17.8MB

Download
memory/2748-213-0x0000000000400000-0x00000000015C6000-memory.dmp

Filesize
17.8MB

Download
memory/2748-171-0x0000000000400000-0x00000000015C6000-memory.dmp

Filesize
17.8MB

Download
memory/2748-167-0x0000000000400000-0x00000000015C6000-memory.dmp

Filesize
17.8MB

Download
memory/2748-160-0x0000000000000000-mapping.dmp

Download
memory/2928-274-0x0000000000000000-mapping.dmp

Download
memory/3000-220-0x0000000003260000-0x0000000003323000-memory.dmp

Filesize
780KB

Download
memory/3000-178-0x0000000002F90000-0x000000000307A000-memory.dmp

Filesize
936KB

Download
memory/3000-243-0x0000000003170000-0x000000000325A000-memory.dmp

Filesize
936KB

Download
memory/3000-225-0x0000000003330000-0x00000000033DF000-memory.dmp

Filesize
700KB

Download
memory/3000-179-0x0000000003170000-0x000000000325A000-memory.dmp

Filesize
936KB

Download
memory/3000-161-0x0000000000000000-mapping.dmp

Download
memory/3008-266-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3008-289-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3008-248-0x0000000000000000-mapping.dmp

Download
memory/3008-335-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3068-253-0x0000000000000000-mapping.dmp

Download
memory/3196-318-0x0000000000000000-mapping.dmp

Download
memory/3196-320-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3208-291-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3208-251-0x0000000000000000-mapping.dmp

Download
memory/3208-268-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3436-132-0x0000000000A75000-0x0000000000B83000-memory.dmp

Filesize
1.1MB

Download
memory/3436-133-0x0000000002430000-0x0000000002681000-memory.dmp

Filesize
2.3MB

Download
memory/3436-134-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/3436-135-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/3508-325-0x0000000000000000-mapping.dmp

Download
memory/3508-327-0x0000000000DF0000-0x0000000000E80000-memory.dmp

Filesize
576KB

Download
memory/3544-140-0x0000000000000000-mapping.dmp

Download
memory/4084-343-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4224-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4224-313-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4224-152-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4224-136-0x0000000000000000-mapping.dmp

Download
memory/4224-209-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4292-284-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4292-333-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4292-245-0x0000000000000000-mapping.dmp

Download
memory/4292-265-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4296-250-0x0000000000000000-mapping.dmp

Download
memory/4348-198-0x0000000000000000-mapping.dmp

Download
memory/4532-154-0x0000000000000000-mapping.dmp

Download
memory/4628-329-0x0000000000000000-mapping.dmp

Download
memory/4628-338-0x0000000010000000-0x0000000010E10000-memory.dmp

Filesize
14.1MB

Download
memory/4640-302-0x0000000000000000-mapping.dmp

Download
memory/4640-312-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/4688-323-0x0000000000000000-mapping.dmp

Download
memory/4808-292-0x0000000000000000-mapping.dmp

Download
memory/4812-324-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4812-305-0x00000000004D8000-0x00000000004E9000-memory.dmp

Filesize
68KB

Download
memory/4812-258-0x0000000000000000-mapping.dmp

Download
memory/4812-306-0x0000000000470000-0x0000000000479000-memory.dmp

Filesize
36KB

Download
memory/4812-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4848-301-0x0000000000000000-mapping.dmp

Download
memory/4908-328-0x0000000000000000-mapping.dmp

Download
memory/4908-331-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download
memory/5044-330-0x0000000000000000-mapping.dmp

Download
memory/5092-311-0x0000000000000000-mapping.dmp

Download
memory/5092-332-0x0000000000749000-0x00000000007DB000-memory.dmp

Filesize
584KB

Download