nymaim | 76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743

Analysis

max time kernel
60s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2022 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
Size

1.2MB
MD5

f4879204a6832c436217574fe5e70b9e
SHA1

b0c22588f8e0bfa76e8d224938a0cb77ceac0e6e
SHA256

76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743
SHA512

b0ad31f0d91455ea1cb0f6e9e4daf9e083b37bff04beb93091c095dc2b4a17ef861c4e8e7bca0166febfb062b6fe9e12aa0f26d35446f0af13a92ed3ac4b5dc3
SSDEEP

24576:kwN7ZHv6UoXqOJGkGjUeN7DKAFqYEzPvnma5tr:kwFZyU7kGYeV2vbPmaXr

Score

10^/10

nymaim privateloader tofsee xmrig discovery evasion loader main miner persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

208.67.104.60

Attributes

payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6JjiOZriUG8chYUWxPr8mEAN.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6JjiOZriUG8chYUWxPr8mEAN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6JjiOZriUG8chYUWxPr8mEAN.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1296-289-0x0000000000E00000-0x0000000000EF1000-memory.dmp	xmrig
behavioral2/memory/1296-294-0x0000000000E00000-0x0000000000EF1000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

7kuHBpGNuJV2Ul2AjjeSYBXI.exe0vYzV0yo6wbvEgonKGyNJFY8.exewjRxjmRF61AazDb0PgJcZkMi.exeaepwMv7N0V7AZeoQfFNHIR9x.exe6JjiOZriUG8chYUWxPr8mEAN.exeNawtLUOTXChdfWC9ZVCmkkXI.exeis-AC17B.tmpexsearcher60.exe

pid	process
1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe
3576	0vYzV0yo6wbvEgonKGyNJFY8.exe
5072	wjRxjmRF61AazDb0PgJcZkMi.exe
2700	aepwMv7N0V7AZeoQfFNHIR9x.exe
1312	6JjiOZriUG8chYUWxPr8mEAN.exe
1272	NawtLUOTXChdfWC9ZVCmkkXI.exe
4212	is-AC17B.tmp
4640	exsearcher60.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3784 netsh.exe

pid	process
3784	netsh.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Minor Policy\NawtLUOTXChdfWC9ZVCmkkXI.exe	vmprotect
C:\Users\Admin\Pictures\Minor Policy\NawtLUOTXChdfWC9ZVCmkkXI.exe	vmprotect
behavioral2/memory/1272-161-0x0000000140000000-0x0000000140623000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6JjiOZriUG8chYUWxPr8mEAN.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6JjiOZriUG8chYUWxPr8mEAN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6JjiOZriUG8chYUWxPr8mEAN.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe0vYzV0yo6wbvEgonKGyNJFY8.exe7kuHBpGNuJV2Ul2AjjeSYBXI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0vYzV0yo6wbvEgonKGyNJFY8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7kuHBpGNuJV2Ul2AjjeSYBXI.exe

Loads dropped DLL 2 IoCs

Processes:

is-AC17B.tmpregsvr32.exe

pid process

4212 is-AC17B.tmp
836 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4212	is-AC17B.tmp
836	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6JjiOZriUG8chYUWxPr8mEAN.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6JjiOZriUG8chYUWxPr8mEAN.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipinfo.io
16 ipinfo.io
127 ipinfo.io
128 ipinfo.io
145 ipinfo.io

flow	ioc
15	ipinfo.io
16	ipinfo.io
127	ipinfo.io
128	ipinfo.io
145	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6JjiOZriUG8chYUWxPr8mEAN.exe

pid process

1312 6JjiOZriUG8chYUWxPr8mEAN.exe

pid	process
1312	6JjiOZriUG8chYUWxPr8mEAN.exe

Drops file in Program Files directory 14 IoCs

Processes:

is-AC17B.tmp6JjiOZriUG8chYUWxPr8mEAN.exe

description	ioc	process
File created	C:\Program Files (x86)\exSearcher\is-SHB62.tmp	is-AC17B.tmp
File created	C:\Program Files (x86)\exSearcher\is-4IVLV.tmp	is-AC17B.tmp
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	6JjiOZriUG8chYUWxPr8mEAN.exe
File created	C:\Program Files (x86)\exSearcher\is-F31QF.tmp	is-AC17B.tmp
File created	C:\Program Files (x86)\exSearcher\is-S230R.tmp	is-AC17B.tmp
File created	C:\Program Files (x86)\exSearcher\is-I7O4N.tmp	is-AC17B.tmp
File created	C:\Program Files (x86)\exSearcher\is-RU4L2.tmp	is-AC17B.tmp
File created	C:\Program Files (x86)\exSearcher\is-BIEQM.tmp	is-AC17B.tmp
File opened for modification	C:\Program Files (x86)\exSearcher\unins000.dat	is-AC17B.tmp
File created	C:\Program Files (x86)\exSearcher\unins000.dat	is-AC17B.tmp
File created	C:\Program Files (x86)\exSearcher\is-BVQRH.tmp	is-AC17B.tmp
File created	C:\Program Files (x86)\exSearcher\is-UAJ3A.tmp	is-AC17B.tmp
File opened for modification	C:\Program Files (x86)\exSearcher\exsearcher60.exe	is-AC17B.tmp
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	6JjiOZriUG8chYUWxPr8mEAN.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

5024 sc.exe
220 sc.exe
1004 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5024	sc.exe
220	sc.exe
1004	sc.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3596	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3192	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
5012	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
316	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4608	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
312	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4220	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
2888	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4604	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3952	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1548	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4720	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
5088	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3200	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4976	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4880	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3328	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3908	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4060	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1300	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1176	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
688	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4532	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4352	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3776	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3836	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
2072	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1748	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4908	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3520	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4236	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3488	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1288	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1312	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3684	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
2780	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
808	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3200	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4976	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3328	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1776	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4072	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
912	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1828	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3904	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1812	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1760	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
220	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
228	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
332	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1004	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
2896	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
2684	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4252	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1916	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
5108	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
2472	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3692	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3596	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
2232	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3600	1780	WerFault.exe	7kuHBpGNuJV2Ul2AjjeSYBXI.exe
916	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
4240	4900	WerFault.exe	tjcaxgnm.exe
2472	3408	WerFault.exe	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4772 schtasks.exe
4636 schtasks.exe

pid	process
4772	schtasks.exe
4636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe6JjiOZriUG8chYUWxPr8mEAN.exe

pid	process
3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
1312	6JjiOZriUG8chYUWxPr8mEAN.exe
1312	6JjiOZriUG8chYUWxPr8mEAN.exe
1312	6JjiOZriUG8chYUWxPr8mEAN.exe
1312	6JjiOZriUG8chYUWxPr8mEAN.exe
1312	6JjiOZriUG8chYUWxPr8mEAN.exe
1312	6JjiOZriUG8chYUWxPr8mEAN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aepwMv7N0V7AZeoQfFNHIR9x.exe

description pid process

Token: SeDebugPrivilege 2700 aepwMv7N0V7AZeoQfFNHIR9x.exe

description	pid	process
Token: SeDebugPrivilege	2700	aepwMv7N0V7AZeoQfFNHIR9x.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exewjRxjmRF61AazDb0PgJcZkMi.exeis-AC17B.tmp0vYzV0yo6wbvEgonKGyNJFY8.exe7kuHBpGNuJV2Ul2AjjeSYBXI.exe

description	pid	process	target process
PID 3408 wrote to memory of 2700	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	aepwMv7N0V7AZeoQfFNHIR9x.exe
PID 3408 wrote to memory of 2700	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	aepwMv7N0V7AZeoQfFNHIR9x.exe
PID 3408 wrote to memory of 2700	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	aepwMv7N0V7AZeoQfFNHIR9x.exe
PID 3408 wrote to memory of 3576	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	0vYzV0yo6wbvEgonKGyNJFY8.exe
PID 3408 wrote to memory of 3576	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	0vYzV0yo6wbvEgonKGyNJFY8.exe
PID 3408 wrote to memory of 3576	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	0vYzV0yo6wbvEgonKGyNJFY8.exe
PID 3408 wrote to memory of 1780	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	7kuHBpGNuJV2Ul2AjjeSYBXI.exe
PID 3408 wrote to memory of 1780	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	7kuHBpGNuJV2Ul2AjjeSYBXI.exe
PID 3408 wrote to memory of 1780	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	7kuHBpGNuJV2Ul2AjjeSYBXI.exe
PID 3408 wrote to memory of 1312	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	6JjiOZriUG8chYUWxPr8mEAN.exe
PID 3408 wrote to memory of 1312	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	6JjiOZriUG8chYUWxPr8mEAN.exe
PID 3408 wrote to memory of 1312	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	6JjiOZriUG8chYUWxPr8mEAN.exe
PID 3408 wrote to memory of 5072	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	wjRxjmRF61AazDb0PgJcZkMi.exe
PID 3408 wrote to memory of 5072	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	wjRxjmRF61AazDb0PgJcZkMi.exe
PID 3408 wrote to memory of 5072	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	wjRxjmRF61AazDb0PgJcZkMi.exe
PID 3408 wrote to memory of 1272	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	NawtLUOTXChdfWC9ZVCmkkXI.exe
PID 3408 wrote to memory of 1272	3408	76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe	NawtLUOTXChdfWC9ZVCmkkXI.exe
PID 5072 wrote to memory of 4212	5072	wjRxjmRF61AazDb0PgJcZkMi.exe	is-AC17B.tmp
PID 5072 wrote to memory of 4212	5072	wjRxjmRF61AazDb0PgJcZkMi.exe	is-AC17B.tmp
PID 5072 wrote to memory of 4212	5072	wjRxjmRF61AazDb0PgJcZkMi.exe	is-AC17B.tmp
PID 4212 wrote to memory of 4640	4212	is-AC17B.tmp	exsearcher60.exe
PID 4212 wrote to memory of 4640	4212	is-AC17B.tmp	exsearcher60.exe
PID 4212 wrote to memory of 4640	4212	is-AC17B.tmp	exsearcher60.exe
PID 3576 wrote to memory of 836	3576	0vYzV0yo6wbvEgonKGyNJFY8.exe	regsvr32.exe
PID 3576 wrote to memory of 836	3576	0vYzV0yo6wbvEgonKGyNJFY8.exe	regsvr32.exe
PID 3576 wrote to memory of 836	3576	0vYzV0yo6wbvEgonKGyNJFY8.exe	regsvr32.exe
PID 1780 wrote to memory of 4124	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	cmd.exe
PID 1780 wrote to memory of 4124	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	cmd.exe
PID 1780 wrote to memory of 4124	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	cmd.exe
PID 1780 wrote to memory of 4288	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	WerFault.exe
PID 1780 wrote to memory of 4288	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	WerFault.exe
PID 1780 wrote to memory of 4288	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	WerFault.exe
PID 1780 wrote to memory of 5024	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	sc.exe
PID 1780 wrote to memory of 5024	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	sc.exe
PID 1780 wrote to memory of 5024	1780	7kuHBpGNuJV2Ul2AjjeSYBXI.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe
"C:\Users\Admin\AppData\Local\Temp\76d24986d08eb37ffdd603f7eb6359896b4be44f91b60a79fd8a1ccb98342743.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 656
2⤵
- Program crash
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 656
2⤵
- Program crash
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 828
2⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 836
2⤵
- Program crash
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 992
2⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1180
2⤵
- Program crash
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1408
2⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1452
2⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1756
2⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1920
2⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1828
2⤵
- Program crash
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1756
2⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1896
2⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1916
2⤵
- Program crash
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1804
2⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1628
2⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1920
2⤵
- Program crash
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1964
2⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1844
2⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1940
2⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1760
2⤵
- Program crash
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1844
2⤵
- Program crash
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1904
2⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2016
2⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2084
2⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2104
2⤵
- Program crash
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2136
2⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2128
2⤵
- Program crash
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2120
2⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2164
2⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2084
2⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2164
2⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2168
2⤵
- Program crash
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2164
2⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1976
2⤵
- Program crash
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1952
2⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1876
2⤵
- Program crash
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2244
2⤵
- Program crash
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1980
2⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2116
2⤵
- Program crash
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2176
2⤵
- Program crash
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2144
2⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2308
2⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2256
2⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1464
2⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2156
2⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2124
2⤵
- Program crash
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2156
2⤵
- Program crash
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2080
2⤵
- Program crash
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2112
2⤵
- Program crash
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3328
2⤵
- Program crash
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3492
2⤵
- Program crash
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3492
2⤵
- Program crash
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3596
2⤵
- Program crash
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3692
2⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3704
2⤵
- Program crash
PID:5108

C:\Users\Admin\Pictures\Minor Policy\NawtLUOTXChdfWC9ZVCmkkXI.exe
"C:\Users\Admin\Pictures\Minor Policy\NawtLUOTXChdfWC9ZVCmkkXI.exe"
2⤵
- Executes dropped EXE
PID:1272

C:\Users\Admin\Pictures\Minor Policy\7kuHBpGNuJV2Ul2AjjeSYBXI.exe
"C:\Users\Admin\Pictures\Minor Policy\7kuHBpGNuJV2Ul2AjjeSYBXI.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iwirybie\
3⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tjcaxgnm.exe" C:\Windows\SysWOW64\iwirybie\
3⤵
PID:4288

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create iwirybie binPath= "C:\Windows\SysWOW64\iwirybie\tjcaxgnm.exe /d\"C:\Users\Admin\Pictures\Minor Policy\7kuHBpGNuJV2Ul2AjjeSYBXI.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:5024

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description iwirybie "wifi internet conection"
3⤵
- Launches sc.exe
PID:220

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start iwirybie
3⤵
- Launches sc.exe
PID:1004

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1036
3⤵
- Program crash
PID:3600

C:\Users\Admin\Pictures\Minor Policy\6JjiOZriUG8chYUWxPr8mEAN.exe
"C:\Users\Admin\Pictures\Minor Policy\6JjiOZriUG8chYUWxPr8mEAN.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Users\Admin\Documents\vA22DQ60BXFiLsrOJ0iULCzk.exe
"C:\Users\Admin\Documents\vA22DQ60BXFiLsrOJ0iULCzk.exe"
3⤵
PID:5108

C:\Users\Admin\Pictures\Minor Policy\XWIynIT5ChCA0gHzXaA87vk5.exe
"C:\Users\Admin\Pictures\Minor Policy\XWIynIT5ChCA0gHzXaA87vk5.exe"
4⤵
PID:4620

C:\Users\Admin\Pictures\Minor Policy\Irb4rEinIGpJ7G2ZoUTWUx3w.exe
"C:\Users\Admin\Pictures\Minor Policy\Irb4rEinIGpJ7G2ZoUTWUx3w.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
4⤵
PID:1316

C:\Users\Admin\Pictures\Minor Policy\is6AlXMs2QaM6clg_7V3C9VM.exe
"C:\Users\Admin\Pictures\Minor Policy\is6AlXMs2QaM6clg_7V3C9VM.exe"
4⤵
PID:3604

C:\Users\Admin\Pictures\Minor Policy\CgcmJfME50zK4XSLKVaqUzsd.exe
"C:\Users\Admin\Pictures\Minor Policy\CgcmJfME50zK4XSLKVaqUzsd.exe"
4⤵
PID:2960

C:\Users\Admin\Pictures\Minor Policy\TOAZN4h5BSfdx35jS23BknTs.exe
"C:\Users\Admin\Pictures\Minor Policy\TOAZN4h5BSfdx35jS23BknTs.exe"
4⤵
PID:4816

C:\Users\Admin\Pictures\Minor Policy\LtQcLU8N_iwH1Da5RAFtGcZX.exe
"C:\Users\Admin\Pictures\Minor Policy\LtQcLU8N_iwH1Da5RAFtGcZX.exe"
4⤵
PID:968

C:\Users\Admin\Pictures\Minor Policy\exnmsgLrlxSKR20ZbvGotKJ8.exe
"C:\Users\Admin\Pictures\Minor Policy\exnmsgLrlxSKR20ZbvGotKJ8.exe"
4⤵
PID:1292

C:\Users\Admin\Pictures\Minor Policy\RJcH_jZ1MbLUSryP6kj0eUyi.exe
"C:\Users\Admin\Pictures\Minor Policy\RJcH_jZ1MbLUSryP6kj0eUyi.exe"
4⤵
PID:2452

C:\Users\Admin\Pictures\Minor Policy\1LnzNA4VWyQAJ2lq0w9QGDB7.exe
"C:\Users\Admin\Pictures\Minor Policy\1LnzNA4VWyQAJ2lq0w9QGDB7.exe"
4⤵
PID:1472

C:\Users\Admin\Pictures\Minor Policy\GtigwE6xQWKLMmPp9jt8DL94.exe
"C:\Users\Admin\Pictures\Minor Policy\GtigwE6xQWKLMmPp9jt8DL94.exe"
4⤵
PID:832

C:\Users\Admin\Pictures\Minor Policy\5wFQgLWkovkS4wittHEt0GKU.exe
"C:\Users\Admin\Pictures\Minor Policy\5wFQgLWkovkS4wittHEt0GKU.exe"
4⤵
PID:1696

C:\Users\Admin\Pictures\Minor Policy\D1uYAlev9GjADd8jgTh_Rpfq.exe
"C:\Users\Admin\Pictures\Minor Policy\D1uYAlev9GjADd8jgTh_Rpfq.exe"
4⤵
PID:912

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4772

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4636

C:\Users\Admin\Pictures\Minor Policy\0vYzV0yo6wbvEgonKGyNJFY8.exe
"C:\Users\Admin\Pictures\Minor Policy\0vYzV0yo6wbvEgonKGyNJFY8.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s .\ZYYPw.D2E /u
3⤵
- Loads dropped DLL
PID:836

C:\Users\Admin\Pictures\Minor Policy\wjRxjmRF61AazDb0PgJcZkMi.exe
"C:\Users\Admin\Pictures\Minor Policy\wjRxjmRF61AazDb0PgJcZkMi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\is-0U6KP.tmp\is-AC17B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0U6KP.tmp\is-AC17B.tmp" /SL4 $3301EA "C:\Users\Admin\Pictures\Minor Policy\wjRxjmRF61AazDb0PgJcZkMi.exe" 2165757 52736
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4212

C:\Program Files (x86)\exSearcher\exsearcher60.exe
"C:\Program Files (x86)\exSearcher\exsearcher60.exe"
4⤵
- Executes dropped EXE
PID:4640

C:\Users\Admin\AppData\Roaming\{99cae5c0-1ab4-11ed-899c-806e6f6e6963}\TdbJ66qpTtuNS.exe
5⤵
PID:4140

C:\Users\Admin\Pictures\Minor Policy\aepwMv7N0V7AZeoQfFNHIR9x.exe
"C:\Users\Admin\Pictures\Minor Policy\aepwMv7N0V7AZeoQfFNHIR9x.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1220
3⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3728
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1920
2⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2044
2⤵
- Program crash
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1932
2⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2132
2⤵
- Program crash
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1756
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2228
2⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1740
2⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1756
2⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2108
2⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2044
2⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2772
2⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2108
2⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2388
2⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2628
2⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3144
2⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3328
2⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3564
2⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3692
2⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3156
2⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3492
2⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3620
2⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3156
2⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3548
2⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2228
2⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2228
2⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2228
2⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2568
2⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3152
2⤵
PID:2632

C:\Users\Admin\Pictures\Minor Policy\dwk3f3y1UTs1BHIItzHrdWlu.exe
"C:\Users\Admin\Pictures\Minor Policy\dwk3f3y1UTs1BHIItzHrdWlu.exe"
2⤵
PID:4056

C:\Users\Admin\Pictures\Minor Policy\CIBXw5oQ3B4BYFjovv43XCrb.exe
"C:\Users\Admin\Pictures\Minor Policy\CIBXw5oQ3B4BYFjovv43XCrb.exe"
2⤵
PID:1528

C:\Users\Admin\Pictures\Minor Policy\HOPWMZ3NbG5GRJHFESSetGYm.exe
"C:\Users\Admin\Pictures\Minor Policy\HOPWMZ3NbG5GRJHFESSetGYm.exe"
2⤵
PID:2828

C:\Users\Admin\Pictures\Minor Policy\LMK57unOQ85egzjpTQHBpCGp.exe
"C:\Users\Admin\Pictures\Minor Policy\LMK57unOQ85egzjpTQHBpCGp.exe"
2⤵
PID:2888

C:\Users\Admin\Pictures\Minor Policy\NPw55bNmtPG2Aq0UqIbComzc.exe
"C:\Users\Admin\Pictures\Minor Policy\NPw55bNmtPG2Aq0UqIbComzc.exe"
2⤵
PID:4052

C:\Users\Admin\Pictures\Minor Policy\eshYhmeM8jWhmdl8xDPRYFzY.exe
"C:\Users\Admin\Pictures\Minor Policy\eshYhmeM8jWhmdl8xDPRYFzY.exe"
2⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3408 -ip 3408
1⤵
PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3408 -ip 3408
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3408 -ip 3408
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3408 -ip 3408
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3408 -ip 3408
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3408 -ip 3408
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3408 -ip 3408
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3408 -ip 3408
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3408 -ip 3408
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3408 -ip 3408
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3408 -ip 3408
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3408 -ip 3408
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3408 -ip 3408
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3408 -ip 3408
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3408 -ip 3408
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3408 -ip 3408
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3408 -ip 3408
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3408 -ip 3408
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3408 -ip 3408
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3408 -ip 3408
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3408 -ip 3408
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3408 -ip 3408
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3408 -ip 3408
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3408 -ip 3408
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3408 -ip 3408
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3408 -ip 3408
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3408 -ip 3408
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3408 -ip 3408
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 3408 -ip 3408
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3408 -ip 3408
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 3408 -ip 3408
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3408 -ip 3408
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3408 -ip 3408
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 3408 -ip 3408
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 3408 -ip 3408
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 3408 -ip 3408
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3408 -ip 3408
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3408 -ip 3408
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 3408 -ip 3408
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3408 -ip 3408
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 3408 -ip 3408
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 3408 -ip 3408
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 3408 -ip 3408
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3408 -ip 3408
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 3408 -ip 3408
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3408 -ip 3408
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 3408 -ip 3408
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3408 -ip 3408
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3408 -ip 3408
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3408 -ip 3408
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3408 -ip 3408
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 3408 -ip 3408
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3408 -ip 3408
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3408 -ip 3408
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3408 -ip 3408
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3408 -ip 3408
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 3408 -ip 3408
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 3408 -ip 3408
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3408 -ip 3408
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3408 -ip 3408
1⤵
PID:1236

C:\Windows\SysWOW64\iwirybie\tjcaxgnm.exe
C:\Windows\SysWOW64\iwirybie\tjcaxgnm.exe /d"C:\Users\Admin\Pictures\Minor Policy\7kuHBpGNuJV2Ul2AjjeSYBXI.exe"
1⤵
PID:4900

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:4604

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
3⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 560
2⤵
- Program crash
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 1780 -ip 1780
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3408 -ip 3408
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 4900 -ip 4900
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3408 -ip 3408
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3408 -ip 3408
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3408 -ip 3408
1⤵
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3408 -ip 3408
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3408 -ip 3408
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3408 -ip 3408
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3408 -ip 3408
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2700 -ip 2700
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3408 -ip 3408
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3408 -ip 3408
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3408 -ip 3408
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3408 -ip 3408
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3408 -ip 3408
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3408 -ip 3408
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3408 -ip 3408
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3408 -ip 3408
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3408 -ip 3408
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 3408 -ip 3408
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3408 -ip 3408
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 3408 -ip 3408
1⤵
PID:308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 3408 -ip 3408
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3408 -ip 3408
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 3408 -ip 3408
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3408 -ip 3408
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 3408 -ip 3408
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 3408 -ip 3408
1⤵
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\exSearcher\exsearcher60.exe
Filesize
3.3MB

MD5
ec5d55b641eba49b8d019b74fd5a2f80

SHA1
bf545299f5b8fe43de530c74943e092a75b4d884

SHA256
93c065d0a2c322d27bc88bf6b6ad7ac75abef5c61db67aa71831cef1a307a840

SHA512
48c99eb09cafcfcfba5a145d93c26774f74d8ac0d3f1a47450f2fbb7cbb59988f0d34ef4336725310978065b97b2c1828e4987448d12fbe3ad04060e932308ae

Download Submit
C:\Program Files (x86)\exSearcher\exsearcher60.exe
Filesize
3.3MB

MD5
ec5d55b641eba49b8d019b74fd5a2f80

SHA1
bf545299f5b8fe43de530c74943e092a75b4d884

SHA256
93c065d0a2c322d27bc88bf6b6ad7ac75abef5c61db67aa71831cef1a307a840

SHA512
48c99eb09cafcfcfba5a145d93c26774f74d8ac0d3f1a47450f2fbb7cbb59988f0d34ef4336725310978065b97b2c1828e4987448d12fbe3ad04060e932308ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
c2a93ad184f82658bd7401cc27736248

SHA1
80d55afa0f6078818ac7733222d4b2cb436467a5

SHA256
d8ee2e69dae147abf01cda342e467942c6b25eb1c97ca580bffed2d889dbf6c7

SHA512
2ac093c5bb1fcfdbbe08e52c9f127fde09f51e8a9002629a816516602489a056d74c9c1727e39c046de8bedaf7ec2e74fe5ec48571e0bf9fc3fc9b7154710cfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
fbc35044d274436a008d222d140be826

SHA1
d4b58397aa28be1dabc49101f54dcef44a6eef25

SHA256
d236309a58d9b571ab4cad2b82e03a95cac8b2e15e81bf27f74964939270e14f

SHA512
d8287b30a0a5c7f97f2177e4a422a7c48e73976b2f66479fc21471f09134e861559fb2cd69fd541a32a263f002f207acdfd967e1577f01af8489fae2f3f26cb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\98E4B9E09258E3C5F565FA64983EE15B
Filesize
1KB

MD5
8b7bebc62017bcec13c6d763ef132b16

SHA1
24c39ceeb53a078f2a2c6c25f4b50f998bc66346

SHA256
dd2a2a2eb441103adaf533f986e02ab46cdd28bf75e7f653b93c4b2620a45b5f

SHA512
1bce1bdc2ac714e73d09021e9e5fbf376891923ee80b501818c05c4ea4c12c9f1f63c2fa9b05b6fd5cbf6584130f3b9738223a50d891df23e95e8a650ed5bb7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_6B030DB581A2D8F9B2266D9F23F1AFB5
Filesize
278B

MD5
b933a89f1767e73fc7210ef152fe0e6a

SHA1
a398fb30c2dd6942def8185b41c1a8af4aa03c84

SHA256
e85346802b8c8c822eacc482b884a73940f8b2b858e45fb79aaea859cb6fe336

SHA512
771688fb4f6e3bffe2ae8299c62c8652a95ad6fd7f1aba3ab4656850270a6c189ad40ded1d53961f6e6c066c0cabccbc68ff2d38926ff0d9f23e375b31424b45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
1KB

MD5
48af556f0d640dd55d642d40dd60399b

SHA1
37bf5135b71cff5041af44e4ec5f73eee1163da5

SHA256
f2ae772f15f23d46c14d0ad73abd5c1e06e91b85c1108a9b962f5aebcfcf37fe

SHA512
f6a366fe2c00e2f6f9c4135de69b1dd10af2db5035d6eb178d88b1393463528990f3b54d91516445e5f6a27208401afb9460c1fcd21375347813030b5220df3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B55A05DF158DA292513D680FF42729C8
Filesize
1KB

MD5
71c71975328ad03ced11bb37fae64e7b

SHA1
a531d3802191ab4d0f0071c53d072c0286031d39

SHA256
3dfe08cdb40e2b9335da0500d08cb40149996389fc76b658ff98c35d1c4d67e0

SHA512
7bb239d7a5cbc28c9a6e810223947bd98f9372c3007dfde595931bdb8f27a4e28d209cfef4ed55089137f8762840da917741e57928b6e4ef34662215900c8ba7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
c18c1ab84b27ba6cf9cd2e5ca8a96d62

SHA1
df6dc9e0b61be770d13df05ac149ed07c5f9210c

SHA256
c3535d9b617c8060aa4a80b708e2d017c1b344258b5f18d1b6889060c894ff2a

SHA512
cb84a250d7c37c1def8d34976326f4d90b4e5fc0dbefddec5958af85e67a07e77ca0bebe8bd8c3ab784b138eb2ee05004ebba20156e5e02186bd1dd1d92850e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
c10ada87157cbd5c44469676fe278658

SHA1
27f2c4a8280e8f1aed33ead38b484ba885d78738

SHA256
8659780e505692c58b1e7db90cfd314db567fcd2e6295066b436dff644c2efc6

SHA512
6e1ece58f98a8986c06e69c87ea0af73bd5e940e50e03ca19c1a68170095a79bd818d9f0c476d77067ba43d5219911d16bdd99f29e75673852448b6d96c3a3f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
b6bd719f594db2ca2f1780e39703074e

SHA1
be989b52e30e589155167287774be183be811fc2

SHA256
50c40eafe755d351e098bad65102f62084fe86713e6316c4edb0589c53ad3b42

SHA512
8ad6feedf89048f081a0457bcecd432b9ecede5a174a192614e373f7c09f6df8a259c39e27201cdd242533f73c6f82b303cb770bcecb7dcbd4cd36b784c02900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\98E4B9E09258E3C5F565FA64983EE15B
Filesize
540B

MD5
9355be6593f9b07fce2d5be659119a8a

SHA1
68a72cee0005bffdf3550ddfa5e0955492f5f52c

SHA256
280f6ad39879ea1f1c43a4199ff860e80bebb3ef4ecc818c2611bfdc89b9b617

SHA512
4f8cc5346ca3dcd1ba0679352bd33a064952559431ed670a4a2e340667c993648f95e6ca24e05b07bf17e8e6bc462f217186b4d8c612f19c62f79bc38da6f641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_6B030DB581A2D8F9B2266D9F23F1AFB5
Filesize
426B

MD5
ca401ee955f58757683b8d937ee87863

SHA1
6e0c7fb0bdd427b6f3de48757b83d926ae86fc50

SHA256
194ca0566267d393dd856d8a5dff142af5191d13d0f48dc231f7c78cb1f19d60

SHA512
70eaf1ee98ada5ff722e45035482b0b98adbe0e9b652c3b325f206df9d8989d7ebb25d4381932cdae5280bbde662bbc34d657926a2a7aef5cdbde3f49358b75c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
492B

MD5
0244460562e952352cb8c411f5aa3a48

SHA1
2158c51e02033b5ed28f1d332fd385dbac24a7b8

SHA256
be414bd2a6b14f60e5949c3da77d9fb951e895ec022fd9e3443f71bb54518d3c

SHA512
bb6d07cff34e4e31b4f9f2e5edb23085d39bedd4dd389102dd9921741f6c0d6b29eb4ccd05cefa611b5595543ac52cbfdd03ee224bbc27cfd2fa91b891682f09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B55A05DF158DA292513D680FF42729C8
Filesize
532B

MD5
74e1ba9b51f6b2118ff527beea104553

SHA1
6fb0dd507da418043d14b166079482b785ab5067

SHA256
0d781c770bef89721093e8ef1a3e16a4b59832f4ac0b8b3812f9e1a35b458a4c

SHA512
fc4619474346037812b0bd587e054941be9bee8f12976748b665eaf595ccdab3031a2a58a26a0f4184b2418b8f273dd4c160fd2cd8544a17ee008fcefd912c74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
88cd0249a2a3ffffc7bc2896bd7ccad9

SHA1
43aa074251aacf43fa516a62e7b8f40a653c0533

SHA256
4a0a13cd37318e86ef6eb7768d233851b72e8c75f5f9e47c33a350bcf44f5833

SHA512
f5fcc66cb758769dab95a06b0f39b0ec7352ccf214126957575ad176579dee94e3e50e8fc30027d6ec1560d0ce6a07745498227c7a339b4203a0d1118a3e37cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYYPw.D2E
Filesize
2.9MB

MD5
1a8fed4df65c30cd32963cbbe4869cf8

SHA1
e94e8548de2a6e74f4b41b1508f312e121aa68ee

SHA256
240a584a8b34bd243e9e2bff455efd93fa5e0e2c886f2a4d96d8eb5e0c7b6588

SHA512
89eb476665c97a80930bcf3576220ad77de47e83616fc8416f355cac37ea8e2d223ce4c237964ba40c332dc85342f436d8aaa2ac2fd3fd7bf4e78c2fc1be1640

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYYPw.D2E
Filesize
2.9MB

MD5
1a8fed4df65c30cd32963cbbe4869cf8

SHA1
e94e8548de2a6e74f4b41b1508f312e121aa68ee

SHA256
240a584a8b34bd243e9e2bff455efd93fa5e0e2c886f2a4d96d8eb5e0c7b6588

SHA512
89eb476665c97a80930bcf3576220ad77de47e83616fc8416f355cac37ea8e2d223ce4c237964ba40c332dc85342f436d8aaa2ac2fd3fd7bf4e78c2fc1be1640

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0U6KP.tmp\is-AC17B.tmp
Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0U6KP.tmp\is-AC17B.tmp
Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-18850.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjcaxgnm.exe
Filesize
13.6MB

MD5
40629bee5794e047225b81bb5c7a252a

SHA1
dc1444e3a39c5f3d217720f9e839bf64a582db1a

SHA256
6e4b9884debea8727af741edec6de9cfecf66211cded6bb297ae4f4c5b6ca307

SHA512
abe745ca3d9ff43040a44504d479cfbe2731b3d6cb461f927666f481e749d6b9f0252bdb3e93b7b991f7df7587e1cd82f9e1295bff490ad3ee478f014fe041eb

Download Submit
C:\Users\Admin\AppData\Roaming\{99cae5c0-1ab4-11ed-899c-806e6f6e6963}\TdbJ66qpTtuNS.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{99cae5c0-1ab4-11ed-899c-806e6f6e6963}\TdbJ66qpTtuNS.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\Documents\vA22DQ60BXFiLsrOJ0iULCzk.exe
Filesize
5.5MB

MD5
91f6f48383c2d43120c14b74bf894575

SHA1
c49da1e376ae346d420e1486b7b865ee0d6e1485

SHA256
6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933

SHA512
a93ef32d57ff0991f1a2711371db24063bcf1c5cf4ebf2c24a0ac856b08df046fb760801dce3dca3a4c4f3eaaf18d4c1f0fe2befc5d5df9d5fefadd57f1bc69f

Download Submit
C:\Users\Admin\Documents\vA22DQ60BXFiLsrOJ0iULCzk.exe
Filesize
5.5MB

MD5
91f6f48383c2d43120c14b74bf894575

SHA1
c49da1e376ae346d420e1486b7b865ee0d6e1485

SHA256
6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933

SHA512
a93ef32d57ff0991f1a2711371db24063bcf1c5cf4ebf2c24a0ac856b08df046fb760801dce3dca3a4c4f3eaaf18d4c1f0fe2befc5d5df9d5fefadd57f1bc69f

Download Submit
C:\Users\Admin\Pictures\Minor Policy\0vYzV0yo6wbvEgonKGyNJFY8.exe
Filesize
1.9MB

MD5
0f0cd27402a328e00686325c6c8b9ff4

SHA1
554f76f9f304404ba040b697f63d0dc334827188

SHA256
fa3a9b2c0f3fac134e8f3f32e06b27f9a06aa3cf310e4cc0e65d97a921508092

SHA512
e2a53e7dd62e031e90732c80cd47440c5bde73ec21f0387a0635de4784e9c611496ce6cf144433a8d5de33574e8facbe38df5560558f624f5c43534e311a19aa

Download Submit
C:\Users\Admin\Pictures\Minor Policy\0vYzV0yo6wbvEgonKGyNJFY8.exe
Filesize
1.9MB

MD5
0f0cd27402a328e00686325c6c8b9ff4

SHA1
554f76f9f304404ba040b697f63d0dc334827188

SHA256
fa3a9b2c0f3fac134e8f3f32e06b27f9a06aa3cf310e4cc0e65d97a921508092

SHA512
e2a53e7dd62e031e90732c80cd47440c5bde73ec21f0387a0635de4784e9c611496ce6cf144433a8d5de33574e8facbe38df5560558f624f5c43534e311a19aa

Download Submit
C:\Users\Admin\Pictures\Minor Policy\6JjiOZriUG8chYUWxPr8mEAN.exe
Filesize
4.8MB

MD5
854d5dfe2d5193aa4150765c123df8ad

SHA1
1b21d80c4beb90b03d795cf11145619aeb3a4f37

SHA256
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

SHA512
48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\6JjiOZriUG8chYUWxPr8mEAN.exe
Filesize
4.8MB

MD5
854d5dfe2d5193aa4150765c123df8ad

SHA1
1b21d80c4beb90b03d795cf11145619aeb3a4f37

SHA256
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

SHA512
48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\7kuHBpGNuJV2Ul2AjjeSYBXI.exe
Filesize
223KB

MD5
e34de9176ba44850ad213abc57c74fff

SHA1
d131382cf5e48b86c58bbdecdcd1c8a3194ec64f

SHA256
01c5f981a0b9995dce8c4f950cd93d8135fedd253d48efc709fdce8ce3e07ae7

SHA512
569b192ccc194b867545fe1df772f3958490724f693fd6e6cb17c5545085bd2d3f0b4850c3ad33e37dc2f9e01559f96b86faa475b89fb1dad03f67bee1664705

Download Submit
C:\Users\Admin\Pictures\Minor Policy\7kuHBpGNuJV2Ul2AjjeSYBXI.exe
Filesize
223KB

MD5
e34de9176ba44850ad213abc57c74fff

SHA1
d131382cf5e48b86c58bbdecdcd1c8a3194ec64f

SHA256
01c5f981a0b9995dce8c4f950cd93d8135fedd253d48efc709fdce8ce3e07ae7

SHA512
569b192ccc194b867545fe1df772f3958490724f693fd6e6cb17c5545085bd2d3f0b4850c3ad33e37dc2f9e01559f96b86faa475b89fb1dad03f67bee1664705

Download Submit
C:\Users\Admin\Pictures\Minor Policy\CIBXw5oQ3B4BYFjovv43XCrb.exe
Filesize
104KB

MD5
85270630c529e1480e3b1df60a00e020

SHA1
93867a17a40b5886a11018368df44e8cebe0ff86

SHA256
b369c9f34e7351fc2616f2f951ea429da6e635df522710e915c14a6b78429503

SHA512
a47b86b4e059ac7be8c5d42d0a15a27a479c78c1e65181fe84bb46dd689c9307bcc7d88028fac388713802efe3502a8af3f3d321a2c776b4970537c65c647be3

Download Submit
C:\Users\Admin\Pictures\Minor Policy\CIBXw5oQ3B4BYFjovv43XCrb.exe
Filesize
104KB

MD5
85270630c529e1480e3b1df60a00e020

SHA1
93867a17a40b5886a11018368df44e8cebe0ff86

SHA256
b369c9f34e7351fc2616f2f951ea429da6e635df522710e915c14a6b78429503

SHA512
a47b86b4e059ac7be8c5d42d0a15a27a479c78c1e65181fe84bb46dd689c9307bcc7d88028fac388713802efe3502a8af3f3d321a2c776b4970537c65c647be3

Download Submit
C:\Users\Admin\Pictures\Minor Policy\HOPWMZ3NbG5GRJHFESSetGYm.exe
Filesize
395KB

MD5
44ac4a0638691a92c23cbed2eb78c722

SHA1
46e3782414c8430a5dbabbba813a08919141df46

SHA256
ab44e4d03066fb8578285c921ce41713689418bb1ddffddd95161375be4d34e5

SHA512
77f6241835ea8312ec0a6aee0016393893c8efdab276cd5b8392747ddd5249c4d12935b2977a23dc13d17edb0e2d985cb4e78b00f03b1e2b02f019902f7f10be

Download Submit
C:\Users\Admin\Pictures\Minor Policy\LMK57unOQ85egzjpTQHBpCGp.exe
Filesize
696KB

MD5
52ead7042a83ad42e9cde6c40c044abe

SHA1
d0c6e5e6f6423260718a09c16be1febe0e6cea18

SHA256
4e232be6b4104c0b64afc226b7514c4da1f0081b930c4edf138e8a974203d861

SHA512
667ae14da5a38f7f288832c96af437ddc64e0a11fb8ad78dc02e78821b5631dba98ec0fddf292e06222dad76f873ee71c81ac5494c7ec032c03e947d43ac58ab

Download Submit
C:\Users\Admin\Pictures\Minor Policy\LMK57unOQ85egzjpTQHBpCGp.exe
Filesize
696KB

MD5
52ead7042a83ad42e9cde6c40c044abe

SHA1
d0c6e5e6f6423260718a09c16be1febe0e6cea18

SHA256
4e232be6b4104c0b64afc226b7514c4da1f0081b930c4edf138e8a974203d861

SHA512
667ae14da5a38f7f288832c96af437ddc64e0a11fb8ad78dc02e78821b5631dba98ec0fddf292e06222dad76f873ee71c81ac5494c7ec032c03e947d43ac58ab

Download Submit
C:\Users\Admin\Pictures\Minor Policy\NawtLUOTXChdfWC9ZVCmkkXI.exe
Filesize
3.5MB

MD5
8659a680d6b2705cf899df0bd6288ae6

SHA1
78f2a18f624263e03e593f82faac89eb57ede380

SHA256
17d633b745260b6d357ae82fd314eb13bb897fbc35750c7340d8d02e97df0f74

SHA512
db642d210fef11ca73b78de8cddc82c4a7830febd4c19e4db7bb8b59bf76a5b90323dddadb2392cd456dbac42077e5a21b67fb3be4d2c1bcd01c226c8c455856

Download Submit
C:\Users\Admin\Pictures\Minor Policy\NawtLUOTXChdfWC9ZVCmkkXI.exe
Filesize
3.5MB

MD5
8659a680d6b2705cf899df0bd6288ae6

SHA1
78f2a18f624263e03e593f82faac89eb57ede380

SHA256
17d633b745260b6d357ae82fd314eb13bb897fbc35750c7340d8d02e97df0f74

SHA512
db642d210fef11ca73b78de8cddc82c4a7830febd4c19e4db7bb8b59bf76a5b90323dddadb2392cd456dbac42077e5a21b67fb3be4d2c1bcd01c226c8c455856

Download Submit
C:\Users\Admin\Pictures\Minor Policy\aepwMv7N0V7AZeoQfFNHIR9x.exe
Filesize
374KB

MD5
1a4d928640128e7db4144544238c4ad6

SHA1
2d2929ba3b3e0f4d4e8fba47d19017c2cae92e22

SHA256
2548534bf822498e6e98939ea5ef4477b6e00667af75625145b0bdc2311a3e65

SHA512
2c855df038b9edb6198e646b79fbc6b41e73c0cf2bc871b60c75295d423177390d47e47f323803a2a6653e35a4abdad23b7ed336452a2a870eb2321cd7ab16bf

Download Submit
C:\Users\Admin\Pictures\Minor Policy\aepwMv7N0V7AZeoQfFNHIR9x.exe
Filesize
374KB

MD5
1a4d928640128e7db4144544238c4ad6

SHA1
2d2929ba3b3e0f4d4e8fba47d19017c2cae92e22

SHA256
2548534bf822498e6e98939ea5ef4477b6e00667af75625145b0bdc2311a3e65

SHA512
2c855df038b9edb6198e646b79fbc6b41e73c0cf2bc871b60c75295d423177390d47e47f323803a2a6653e35a4abdad23b7ed336452a2a870eb2321cd7ab16bf

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dwk3f3y1UTs1BHIItzHrdWlu.exe
Filesize
724KB

MD5
06469b7e7904c634cdab3d3fe18a9ad3

SHA1
bbeb65a0bd4bbf7a87e0303aee2d9a3dd7c69ef7

SHA256
fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734

SHA512
3bcd23caa950b8fb06b9543de154a43263e125487bb3e033ad19f8ab66392cb5c6426b6b7f06080342ec0448a5578c1567d60366d976c3f0624627f3a087671e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dwk3f3y1UTs1BHIItzHrdWlu.exe
Filesize
724KB

MD5
06469b7e7904c634cdab3d3fe18a9ad3

SHA1
bbeb65a0bd4bbf7a87e0303aee2d9a3dd7c69ef7

SHA256
fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734

SHA512
3bcd23caa950b8fb06b9543de154a43263e125487bb3e033ad19f8ab66392cb5c6426b6b7f06080342ec0448a5578c1567d60366d976c3f0624627f3a087671e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\wjRxjmRF61AazDb0PgJcZkMi.exe
Filesize
2.3MB

MD5
8f23dbf6851fde1c01760d44c368132b

SHA1
29f9a4e4942552bd7a8fe60858a8fe436ac021d2

SHA256
f522262de8d5fab3f7f8dcd8abfb414d7c2452494d92392d04513ea022cea4f0

SHA512
33a562d3316e7d9196855945d0f42d6f0816f0146099f86b5d8daeecd0c97000a0035f620223d75279e48407fdfd6e1a23f2dc10bc878d07e1ba429f441dbeda

Download Submit
C:\Users\Admin\Pictures\Minor Policy\wjRxjmRF61AazDb0PgJcZkMi.exe
Filesize
2.3MB

MD5
8f23dbf6851fde1c01760d44c368132b

SHA1
29f9a4e4942552bd7a8fe60858a8fe436ac021d2

SHA256
f522262de8d5fab3f7f8dcd8abfb414d7c2452494d92392d04513ea022cea4f0

SHA512
33a562d3316e7d9196855945d0f42d6f0816f0146099f86b5d8daeecd0c97000a0035f620223d75279e48407fdfd6e1a23f2dc10bc878d07e1ba429f441dbeda

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
C:\Windows\SysWOW64\iwirybie\tjcaxgnm.exe
Filesize
13.6MB

MD5
40629bee5794e047225b81bb5c7a252a

SHA1
dc1444e3a39c5f3d217720f9e839bf64a582db1a

SHA256
6e4b9884debea8727af741edec6de9cfecf66211cded6bb297ae4f4c5b6ca307

SHA512
abe745ca3d9ff43040a44504d479cfbe2731b3d6cb461f927666f481e749d6b9f0252bdb3e93b7b991f7df7587e1cd82f9e1295bff490ad3ee478f014fe041eb

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
memory/220-203-0x0000000000000000-mapping.dmp

Download
memory/836-232-0x0000000003600000-0x0000000003747000-memory.dmp

Filesize
1.3MB

Download
memory/836-214-0x0000000003750000-0x0000000003815000-memory.dmp

Filesize
788KB

Download
memory/836-196-0x0000000003600000-0x0000000003747000-memory.dmp

Filesize
1.3MB

Download
memory/836-172-0x0000000000000000-mapping.dmp

Download
memory/836-219-0x0000000002DD0000-0x0000000002E80000-memory.dmp

Filesize
704KB

Download
memory/836-195-0x0000000003220000-0x00000000034AB000-memory.dmp

Filesize
2.5MB

Download
memory/1004-209-0x0000000000000000-mapping.dmp

Download
memory/1272-161-0x0000000140000000-0x0000000140623000-memory.dmp

Filesize
6.1MB

Download
memory/1272-141-0x0000000000000000-mapping.dmp

Download
memory/1296-289-0x0000000000E00000-0x0000000000EF1000-memory.dmp

Filesize
964KB

Download
memory/1296-294-0x0000000000E00000-0x0000000000EF1000-memory.dmp

Filesize
964KB

Download
memory/1296-288-0x0000000000000000-mapping.dmp

Download
memory/1312-177-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1312-176-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1312-194-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1312-173-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1312-164-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1312-178-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1312-246-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/1312-155-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1312-245-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/1312-139-0x0000000000000000-mapping.dmp

Download
memory/1312-179-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/1316-312-0x0000000000000000-mapping.dmp

Download
memory/1528-299-0x0000000000000000-mapping.dmp

Download
memory/1780-181-0x00000000007F0000-0x0000000000803000-memory.dmp

Filesize
76KB

Download
memory/1780-215-0x00000000008E8000-0x00000000008F9000-memory.dmp

Filesize
68KB

Download
memory/1780-138-0x0000000000000000-mapping.dmp

Download
memory/1780-217-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/1780-180-0x00000000008E8000-0x00000000008F9000-memory.dmp

Filesize
68KB

Download
memory/1780-182-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2700-188-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/2700-190-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/2700-218-0x00000000068C0000-0x0000000006DEC000-memory.dmp

Filesize
5.2MB

Download
memory/2700-216-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/2700-213-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/2700-258-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2700-189-0x0000000005880000-0x000000000598A000-memory.dmp

Filesize
1.0MB

Download
memory/2700-193-0x0000000000908000-0x000000000093F000-memory.dmp

Filesize
220KB

Download
memory/2700-187-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/2700-210-0x0000000006560000-0x00000000065D6000-memory.dmp

Filesize
472KB

Download
memory/2700-253-0x0000000000908000-0x000000000093F000-memory.dmp

Filesize
220KB

Download
memory/2700-136-0x0000000000000000-mapping.dmp

Download
memory/2700-199-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/2700-184-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2700-185-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/2700-198-0x0000000005CA0000-0x0000000005D32000-memory.dmp

Filesize
584KB

Download
memory/2700-183-0x0000000000850000-0x00000000008A8000-memory.dmp

Filesize
352KB

Download
memory/2828-303-0x0000000000000000-mapping.dmp

Download
memory/2888-309-0x0000000000C30000-0x0000000000CE4000-memory.dmp

Filesize
720KB

Download
memory/2888-302-0x0000000000000000-mapping.dmp

Download
memory/2960-310-0x0000000000000000-mapping.dmp

Download
memory/3408-135-0x0000000000400000-0x0000000002D1D000-memory.dmp

Filesize
41.1MB

Download
memory/3408-132-0x0000000002F01000-0x000000000300F000-memory.dmp

Filesize
1.1MB

Download
memory/3408-134-0x0000000000400000-0x0000000002D1D000-memory.dmp

Filesize
41.1MB

Download
memory/3408-133-0x0000000004B10000-0x0000000004D61000-memory.dmp

Filesize
2.3MB

Download
memory/3576-137-0x0000000000000000-mapping.dmp

Download
memory/3604-313-0x0000000000000000-mapping.dmp

Download
memory/3784-211-0x0000000000000000-mapping.dmp

Download
memory/4056-298-0x0000000000000000-mapping.dmp

Download
memory/4124-186-0x0000000000000000-mapping.dmp

Download
memory/4140-200-0x0000000000000000-mapping.dmp

Download
memory/4212-158-0x0000000000000000-mapping.dmp

Download
memory/4288-191-0x0000000000000000-mapping.dmp

Download
memory/4604-273-0x0000000002170000-0x0000000002176000-memory.dmp

Filesize
24KB

Download
memory/4604-282-0x0000000007900000-0x0000000007D0B000-memory.dmp

Filesize
4.0MB

Download
memory/4604-224-0x0000000000D00000-0x0000000000D15000-memory.dmp

Filesize
84KB

Download
memory/4604-285-0x00000000021E0000-0x00000000021E7000-memory.dmp

Filesize
28KB

Download
memory/4604-276-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/4604-223-0x0000000000000000-mapping.dmp

Download
memory/4604-240-0x0000000000D00000-0x0000000000D15000-memory.dmp

Filesize
84KB

Download
memory/4604-279-0x00000000021D0000-0x00000000021D5000-memory.dmp

Filesize
20KB

Download
memory/4604-295-0x0000000000D00000-0x0000000000D15000-memory.dmp

Filesize
84KB

Download
memory/4604-270-0x0000000002A00000-0x0000000002C0F000-memory.dmp

Filesize
2.1MB

Download
memory/4620-311-0x0000000000000000-mapping.dmp

Download
memory/4636-234-0x0000000000000000-mapping.dmp

Download
memory/4640-171-0x0000000000400000-0x000000000154C000-memory.dmp

Filesize
17.3MB

Download
memory/4640-205-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4640-251-0x0000000000400000-0x000000000154C000-memory.dmp

Filesize
17.3MB

Download
memory/4640-167-0x0000000000000000-mapping.dmp

Download
memory/4640-192-0x0000000000400000-0x000000000154C000-memory.dmp

Filesize
17.3MB

Download
memory/4772-225-0x0000000000000000-mapping.dmp

Download
memory/4900-230-0x0000000000783000-0x0000000000794000-memory.dmp

Filesize
68KB

Download
memory/4900-231-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/5024-197-0x0000000000000000-mapping.dmp

Download
memory/5072-247-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5072-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5072-156-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5072-140-0x0000000000000000-mapping.dmp

Download
memory/5108-252-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-244-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-238-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-242-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-237-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-222-0x0000000000000000-mapping.dmp

Download
memory/5108-235-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-239-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-233-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-241-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/5108-297-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-296-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/5108-269-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/5108-243-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download