amadey | 5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1

Analysis

max time kernel
95s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2022 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
Size

6.4MB
MD5

30fd8d41dcf3e7b9ce4aa1ed077efbfe
SHA1

53418ba5aa14bc3c25c33f8f1afd29396fd4f393
SHA256

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1
SHA512

dc1e33d0d8cf187905676713cf4fcbb5b01633bfa138322874c19246de4ab87b18a15753097ee4f217ac81762e3548865a64a6bbcd6d5d2463993b3031087d9a
SSDEEP

196608:OJsj/2yInkh0D+3yavAf5jNnsSov4FVqe:f/2yIkui3yyAISXFVD

Malware Config

Extracted

Family

privateloader

208.67.104.60

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

raccoon

Botnet

9639124f779df011a9355e2898aadfc8

http://45.67.35.17/

rc4.plain

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Extracted

Family

vidar

Version

55.7

Botnet

937

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

53508e7dc4e08bd33122d190a04a1200

http://45.15.156.105/

rc4.plain

Extracted

Family

redline

Botnet

711

194.110.203.100:32796

Attributes

auth_value
24e3340d853c89cad1e25194559ee778

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 3812 rundll32.exe
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	3812	rundll32.exe

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/772-367-0x0000000000700000-0x0000000000728000-memory.dmp	family_redline

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Oef2IK2N0dTJquHhYTjCv2qI.exezK5kNlFFAnndUnMv4mXxOsXG.exeWJqYTAlM104TArJsuoqbsKbZ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Oef2IK2N0dTJquHhYTjCv2qI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	zK5kNlFFAnndUnMv4mXxOsXG.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WJqYTAlM104TArJsuoqbsKbZ.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 24 IoCs

Processes:

Oef2IK2N0dTJquHhYTjCv2qI.exeoSrATmUV6JpsokU4uOJKUGDi.exeDGP8UszwAR0fl6eAhxlElVW9.exeeKQidjFSl8cIAZAEBhMIOOyL.exejaeL3LsCuDHm0egcAAyUXZHk.exeyxyi6IFtLA9t3qvbCscp0so5.exeE1l20UCyomRMGGQJKOLGUaPX.exesI_k_HqSaW8OQHpPOpRRlyFC.exeWloV3YOAoTbD8b4LrHg83nBE.exeEYviF7L7EFBtiWhWS6oCRYcA.exeis-5IT7M.tmpzK5kNlFFAnndUnMv4mXxOsXG.exeuhFgatxQ5rlCjPeQcID5DRwH.exeX30RSY_GXkmR_YlGBmVJwauE.exeBY2W0uUYbmocVf5FAIA6AymA.exeO1adNDOdRurRJqyyvDLkVf58.exeETjSVRGlPiaoBX1gSPJicw2F.exe7T1pFTgHdduM_0TW3ZPPh6pa.exegnsearcher81.exeBSRFIkq.exerovwer.exeuhFgatxQ5rlCjPeQcID5DRwH.exevgchyrds.exeWJqYTAlM104TArJsuoqbsKbZ.exe

pid	process
3680	Oef2IK2N0dTJquHhYTjCv2qI.exe
3516	oSrATmUV6JpsokU4uOJKUGDi.exe
5076	DGP8UszwAR0fl6eAhxlElVW9.exe
3424	eKQidjFSl8cIAZAEBhMIOOyL.exe
2700	jaeL3LsCuDHm0egcAAyUXZHk.exe
5096	yxyi6IFtLA9t3qvbCscp0so5.exe
3320	E1l20UCyomRMGGQJKOLGUaPX.exe
2772	sI_k_HqSaW8OQHpPOpRRlyFC.exe
4328	WloV3YOAoTbD8b4LrHg83nBE.exe
3528	EYviF7L7EFBtiWhWS6oCRYcA.exe
760	is-5IT7M.tmp
812	zK5kNlFFAnndUnMv4mXxOsXG.exe
3624	uhFgatxQ5rlCjPeQcID5DRwH.exe
3608	X30RSY_GXkmR_YlGBmVJwauE.exe
4288	BY2W0uUYbmocVf5FAIA6AymA.exe
4316	O1adNDOdRurRJqyyvDLkVf58.exe
4348	ETjSVRGlPiaoBX1gSPJicw2F.exe
480	7T1pFTgHdduM_0TW3ZPPh6pa.exe
3144	gnsearcher81.exe
2844	BSRFIkq.exe
3064	rovwer.exe
4908	uhFgatxQ5rlCjPeQcID5DRwH.exe
4620	vgchyrds.exe
1652	WJqYTAlM104TArJsuoqbsKbZ.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4256 netsh.exe
4160 netsh.exe

pid	process
4256	netsh.exe
4160	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Minor Policy\O1adNDOdRurRJqyyvDLkVf58.exe	upx
C:\Users\Admin\Pictures\Minor Policy\O1adNDOdRurRJqyyvDLkVf58.exe	upx
behavioral2/memory/4316-209-0x0000000000F20000-0x0000000001702000-memory.dmp	upx
behavioral2/memory/4316-246-0x0000000000F20000-0x0000000001702000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4344-134-0x0000000000EE0000-0x0000000001B23000-memory.dmp	vmprotect
behavioral2/memory/4344-132-0x0000000000EE0000-0x0000000001B23000-memory.dmp	vmprotect
behavioral2/memory/4344-136-0x0000000000EE0000-0x0000000001B23000-memory.dmp	vmprotect
C:\Users\Admin\Pictures\Minor Policy\WloV3YOAoTbD8b4LrHg83nBE.exe	vmprotect
C:\Users\Admin\Pictures\Minor Policy\WloV3YOAoTbD8b4LrHg83nBE.exe	vmprotect
behavioral2/memory/4328-169-0x0000000140000000-0x000000014061E000-memory.dmp	vmprotect
behavioral2/memory/4344-217-0x0000000000EE0000-0x0000000001B23000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WJqYTAlM104TArJsuoqbsKbZ.exeOef2IK2N0dTJquHhYTjCv2qI.exezK5kNlFFAnndUnMv4mXxOsXG.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WJqYTAlM104TArJsuoqbsKbZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WJqYTAlM104TArJsuoqbsKbZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Oef2IK2N0dTJquHhYTjCv2qI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Oef2IK2N0dTJquHhYTjCv2qI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zK5kNlFFAnndUnMv4mXxOsXG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	zK5kNlFFAnndUnMv4mXxOsXG.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exeDGP8UszwAR0fl6eAhxlElVW9.exeX30RSY_GXkmR_YlGBmVJwauE.exeEYviF7L7EFBtiWhWS6oCRYcA.exeuhFgatxQ5rlCjPeQcID5DRwH.exeyxyi6IFtLA9t3qvbCscp0so5.exerovwer.exeOef2IK2N0dTJquHhYTjCv2qI.exevgchyrds.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DGP8UszwAR0fl6eAhxlElVW9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	X30RSY_GXkmR_YlGBmVJwauE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	EYviF7L7EFBtiWhWS6oCRYcA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	uhFgatxQ5rlCjPeQcID5DRwH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	yxyi6IFtLA9t3qvbCscp0so5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Oef2IK2N0dTJquHhYTjCv2qI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	vgchyrds.exe

Loads dropped DLL 5 IoCs

Processes:

is-5IT7M.tmpConhost.exerundll32.exeX30RSY_GXkmR_YlGBmVJwauE.exe

pid process

760 is-5IT7M.tmp
3096 Conhost.exe
5108 rundll32.exe
3608 X30RSY_GXkmR_YlGBmVJwauE.exe
3608 X30RSY_GXkmR_YlGBmVJwauE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
760	is-5IT7M.tmp
3096	Conhost.exe
5108	rundll32.exe
3608	X30RSY_GXkmR_YlGBmVJwauE.exe
3608	X30RSY_GXkmR_YlGBmVJwauE.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7T1pFTgHdduM_0TW3ZPPh6pa.exeDGP8UszwAR0fl6eAhxlElVW9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LOLPA4DESK = "\"C:\\Program Files (x86)\\ClipManagerP0\\ClipManager_Svc.exe\""	7T1pFTgHdduM_0TW3ZPPh6pa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gwqbiqrw = "\"C:\\Users\\Admin\\vgchyrds.exe\""	DGP8UszwAR0fl6eAhxlElVW9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Oef2IK2N0dTJquHhYTjCv2qI.exezK5kNlFFAnndUnMv4mXxOsXG.exeWJqYTAlM104TArJsuoqbsKbZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Oef2IK2N0dTJquHhYTjCv2qI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zK5kNlFFAnndUnMv4mXxOsXG.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WJqYTAlM104TArJsuoqbsKbZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ipinfo.io
17 ipinfo.io
164 ipinfo.io
166 ipinfo.io
193 ipinfo.io
207 ipinfo.io

flow	ioc
16	ipinfo.io
17	ipinfo.io
164	ipinfo.io
166	ipinfo.io
193	ipinfo.io
207	ipinfo.io

Drops file in System32 directory 8 IoCs

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exeWJqYTAlM104TArJsuoqbsKbZ.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
File opened for modification	C:\Windows\System32\GroupPolicy	WJqYTAlM104TArJsuoqbsKbZ.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	WJqYTAlM104TArJsuoqbsKbZ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	WJqYTAlM104TArJsuoqbsKbZ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	WJqYTAlM104TArJsuoqbsKbZ.exe
File opened for modification	C:\Windows\System32\GroupPolicy	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Oef2IK2N0dTJquHhYTjCv2qI.exezK5kNlFFAnndUnMv4mXxOsXG.exeWJqYTAlM104TArJsuoqbsKbZ.exe

pid process

3680 Oef2IK2N0dTJquHhYTjCv2qI.exe
812 zK5kNlFFAnndUnMv4mXxOsXG.exe
1652 WJqYTAlM104TArJsuoqbsKbZ.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

eKQidjFSl8cIAZAEBhMIOOyL.exejaeL3LsCuDHm0egcAAyUXZHk.exe

description	pid	process	target process
PID 3424 set thread context of 772	3424	eKQidjFSl8cIAZAEBhMIOOyL.exe	vbc.exe
PID 2700 set thread context of 5072	2700	jaeL3LsCuDHm0egcAAyUXZHk.exe	vbc.exe

Drops file in Program Files directory 16 IoCs

Processes:

is-5IT7M.tmpOef2IK2N0dTJquHhYTjCv2qI.exe7T1pFTgHdduM_0TW3ZPPh6pa.exe

description	ioc	process
File created	C:\Program Files (x86)\gnSearcher\is-R7VT9.tmp	is-5IT7M.tmp
File created	C:\Program Files (x86)\gnSearcher\is-RDIS6.tmp	is-5IT7M.tmp
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Oef2IK2N0dTJquHhYTjCv2qI.exe
File created	C:\Program Files (x86)\gnSearcher\is-BCPIJ.tmp	is-5IT7M.tmp
File created	C:\Program Files (x86)\gnSearcher\is-HFNJN.tmp	is-5IT7M.tmp
File created	C:\Program Files (x86)\gnSearcher\is-3A3FA.tmp	is-5IT7M.tmp
File created	C:\Program Files (x86)\gnSearcher\is-9S4ED.tmp	is-5IT7M.tmp
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Oef2IK2N0dTJquHhYTjCv2qI.exe
File created	C:\Program Files (x86)\gnSearcher\is-CCPSD.tmp	is-5IT7M.tmp
File created	C:\Program Files (x86)\gnSearcher\is-HR17F.tmp	is-5IT7M.tmp
File opened for modification	C:\Program Files (x86)\gnSearcher\gnsearcher81.exe	is-5IT7M.tmp
File created	C:\Program Files (x86)\gnSearcher\unins000.dat	is-5IT7M.tmp
File created	C:\Program Files (x86)\gnSearcher\is-UA26I.tmp	is-5IT7M.tmp
File opened for modification	C:\Program Files (x86)\gnSearcher\unins000.dat	is-5IT7M.tmp
File created	C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe	7T1pFTgHdduM_0TW3ZPPh6pa.exe
File opened for modification	C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe	7T1pFTgHdduM_0TW3ZPPh6pa.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3856 sc.exe
1268 sc.exe
2468 sc.exe
4092 sc.exe
2812 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3856	sc.exe
1268	sc.exe
2468	sc.exe
4092	sc.exe
2812	sc.exe

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3520	5096	WerFault.exe	yxyi6IFtLA9t3qvbCscp0so5.exe
3524	5076	WerFault.exe	DGP8UszwAR0fl6eAhxlElVW9.exe
1752	5108	WerFault.exe	rundll32.exe
1932	4620	WerFault.exe	vgchyrds.exe
4664	3608	WerFault.exe	X30RSY_GXkmR_YlGBmVJwauE.exe
1820	3424	WerFault.exe	eKQidjFSl8cIAZAEBhMIOOyL.exe
4696	3516	WerFault.exe	oSrATmUV6JpsokU4uOJKUGDi.exe
4088	4288	WerFault.exe	BY2W0uUYbmocVf5FAIA6AymA.exe
4960	2752	WerFault.exe	rovwer.exe
3632	2768	WerFault.exe	pTeW1fiFMIWZ2fmPLbslhC2g.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ETjSVRGlPiaoBX1gSPJicw2F.exeX30RSY_GXkmR_YlGBmVJwauE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ETjSVRGlPiaoBX1gSPJicw2F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	X30RSY_GXkmR_YlGBmVJwauE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	X30RSY_GXkmR_YlGBmVJwauE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ETjSVRGlPiaoBX1gSPJicw2F.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4516 schtasks.exe
2688 schtasks.exe
2720 schtasks.exe
2688 schtasks.exe
456 schtasks.exe
2736 schtasks.exe
1008 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4924 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1840 taskkill.exe

pid	process
4516	schtasks.exe
2688	schtasks.exe
2720	schtasks.exe
2688	schtasks.exe
456	schtasks.exe
2736	schtasks.exe
1008	schtasks.exe

pid	process
4924	timeout.exe

pid	process
1840	taskkill.exe

Modifies registry class 2 IoCs

Processes:

uhFgatxQ5rlCjPeQcID5DRwH.exe5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	uhFgatxQ5rlCjPeQcID5DRwH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4264 PING.EXE
2240 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 187 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4264	PING.EXE
2240	PING.EXE

description	flow	ioc
HTTP User-Agent header	187	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exeE1l20UCyomRMGGQJKOLGUaPX.exeOef2IK2N0dTJquHhYTjCv2qI.exezK5kNlFFAnndUnMv4mXxOsXG.exegnsearcher81.exeoSrATmUV6JpsokU4uOJKUGDi.exeWJqYTAlM104TArJsuoqbsKbZ.exeX30RSY_GXkmR_YlGBmVJwauE.exeETjSVRGlPiaoBX1gSPJicw2F.execmd.exe

pid	process
4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
3320	E1l20UCyomRMGGQJKOLGUaPX.exe
3320	E1l20UCyomRMGGQJKOLGUaPX.exe
3680	Oef2IK2N0dTJquHhYTjCv2qI.exe
3680	Oef2IK2N0dTJquHhYTjCv2qI.exe
3680	Oef2IK2N0dTJquHhYTjCv2qI.exe
3680	Oef2IK2N0dTJquHhYTjCv2qI.exe
3680	Oef2IK2N0dTJquHhYTjCv2qI.exe
3680	Oef2IK2N0dTJquHhYTjCv2qI.exe
812	zK5kNlFFAnndUnMv4mXxOsXG.exe
812	zK5kNlFFAnndUnMv4mXxOsXG.exe
3144	gnsearcher81.exe
3144	gnsearcher81.exe
3144	gnsearcher81.exe
3144	gnsearcher81.exe
3144	gnsearcher81.exe
3144	gnsearcher81.exe
3516	oSrATmUV6JpsokU4uOJKUGDi.exe
3516	oSrATmUV6JpsokU4uOJKUGDi.exe
1652	WJqYTAlM104TArJsuoqbsKbZ.exe
1652	WJqYTAlM104TArJsuoqbsKbZ.exe
1652	WJqYTAlM104TArJsuoqbsKbZ.exe
1652	WJqYTAlM104TArJsuoqbsKbZ.exe
1652	WJqYTAlM104TArJsuoqbsKbZ.exe
1652	WJqYTAlM104TArJsuoqbsKbZ.exe
3608	X30RSY_GXkmR_YlGBmVJwauE.exe
3608	X30RSY_GXkmR_YlGBmVJwauE.exe
4348	ETjSVRGlPiaoBX1gSPJicw2F.exe
4348	ETjSVRGlPiaoBX1gSPJicw2F.exe
812	cmd.exe
812	cmd.exe
812	cmd.exe
3516	oSrATmUV6JpsokU4uOJKUGDi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

oSrATmUV6JpsokU4uOJKUGDi.execmd.exe

description pid process

Token: SeDebugPrivilege 3516 oSrATmUV6JpsokU4uOJKUGDi.exe
Token: SeDebugPrivilege 812 cmd.exe

description	pid	process
Token: SeDebugPrivilege	3516	oSrATmUV6JpsokU4uOJKUGDi.exe
Token: SeDebugPrivilege	812	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exesI_k_HqSaW8OQHpPOpRRlyFC.exe7T1pFTgHdduM_0TW3ZPPh6pa.exeis-5IT7M.tmpEYviF7L7EFBtiWhWS6oCRYcA.exeDGP8UszwAR0fl6eAhxlElVW9.exe

description	pid	process	target process
PID 4344 wrote to memory of 2772	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	sI_k_HqSaW8OQHpPOpRRlyFC.exe
PID 4344 wrote to memory of 2772	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	sI_k_HqSaW8OQHpPOpRRlyFC.exe
PID 4344 wrote to memory of 2772	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	sI_k_HqSaW8OQHpPOpRRlyFC.exe
PID 4344 wrote to memory of 2700	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	jaeL3LsCuDHm0egcAAyUXZHk.exe
PID 4344 wrote to memory of 2700	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	jaeL3LsCuDHm0egcAAyUXZHk.exe
PID 4344 wrote to memory of 2700	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	jaeL3LsCuDHm0egcAAyUXZHk.exe
PID 4344 wrote to memory of 3528	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	EYviF7L7EFBtiWhWS6oCRYcA.exe
PID 4344 wrote to memory of 3528	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	EYviF7L7EFBtiWhWS6oCRYcA.exe
PID 4344 wrote to memory of 3528	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	EYviF7L7EFBtiWhWS6oCRYcA.exe
PID 4344 wrote to memory of 3424	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	eKQidjFSl8cIAZAEBhMIOOyL.exe
PID 4344 wrote to memory of 3424	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	eKQidjFSl8cIAZAEBhMIOOyL.exe
PID 4344 wrote to memory of 3424	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	eKQidjFSl8cIAZAEBhMIOOyL.exe
PID 4344 wrote to memory of 3680	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	Oef2IK2N0dTJquHhYTjCv2qI.exe
PID 4344 wrote to memory of 3680	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	Oef2IK2N0dTJquHhYTjCv2qI.exe
PID 4344 wrote to memory of 3680	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	Oef2IK2N0dTJquHhYTjCv2qI.exe
PID 4344 wrote to memory of 3516	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	oSrATmUV6JpsokU4uOJKUGDi.exe
PID 4344 wrote to memory of 3516	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	oSrATmUV6JpsokU4uOJKUGDi.exe
PID 4344 wrote to memory of 3516	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	oSrATmUV6JpsokU4uOJKUGDi.exe
PID 4344 wrote to memory of 5076	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	DGP8UszwAR0fl6eAhxlElVW9.exe
PID 4344 wrote to memory of 5076	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	DGP8UszwAR0fl6eAhxlElVW9.exe
PID 4344 wrote to memory of 5076	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	DGP8UszwAR0fl6eAhxlElVW9.exe
PID 4344 wrote to memory of 4328	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	WloV3YOAoTbD8b4LrHg83nBE.exe
PID 4344 wrote to memory of 4328	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	WloV3YOAoTbD8b4LrHg83nBE.exe
PID 4344 wrote to memory of 3320	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	E1l20UCyomRMGGQJKOLGUaPX.exe
PID 4344 wrote to memory of 3320	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	E1l20UCyomRMGGQJKOLGUaPX.exe
PID 4344 wrote to memory of 3320	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	E1l20UCyomRMGGQJKOLGUaPX.exe
PID 4344 wrote to memory of 5096	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	yxyi6IFtLA9t3qvbCscp0so5.exe
PID 4344 wrote to memory of 5096	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	yxyi6IFtLA9t3qvbCscp0so5.exe
PID 4344 wrote to memory of 5096	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	yxyi6IFtLA9t3qvbCscp0so5.exe
PID 2772 wrote to memory of 760	2772	sI_k_HqSaW8OQHpPOpRRlyFC.exe	is-5IT7M.tmp
PID 2772 wrote to memory of 760	2772	sI_k_HqSaW8OQHpPOpRRlyFC.exe	is-5IT7M.tmp
PID 2772 wrote to memory of 760	2772	sI_k_HqSaW8OQHpPOpRRlyFC.exe	is-5IT7M.tmp
PID 4344 wrote to memory of 3624	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	uhFgatxQ5rlCjPeQcID5DRwH.exe
PID 4344 wrote to memory of 3624	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	uhFgatxQ5rlCjPeQcID5DRwH.exe
PID 4344 wrote to memory of 3624	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	uhFgatxQ5rlCjPeQcID5DRwH.exe
PID 4344 wrote to memory of 812	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	zK5kNlFFAnndUnMv4mXxOsXG.exe
PID 4344 wrote to memory of 812	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	zK5kNlFFAnndUnMv4mXxOsXG.exe
PID 4344 wrote to memory of 812	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	zK5kNlFFAnndUnMv4mXxOsXG.exe
PID 4344 wrote to memory of 3608	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	X30RSY_GXkmR_YlGBmVJwauE.exe
PID 4344 wrote to memory of 3608	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	X30RSY_GXkmR_YlGBmVJwauE.exe
PID 4344 wrote to memory of 3608	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	X30RSY_GXkmR_YlGBmVJwauE.exe
PID 4344 wrote to memory of 4288	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	BY2W0uUYbmocVf5FAIA6AymA.exe
PID 4344 wrote to memory of 4288	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	BY2W0uUYbmocVf5FAIA6AymA.exe
PID 4344 wrote to memory of 4288	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	BY2W0uUYbmocVf5FAIA6AymA.exe
PID 4344 wrote to memory of 4316	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	O1adNDOdRurRJqyyvDLkVf58.exe
PID 4344 wrote to memory of 4316	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	O1adNDOdRurRJqyyvDLkVf58.exe
PID 4344 wrote to memory of 4348	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	ETjSVRGlPiaoBX1gSPJicw2F.exe
PID 4344 wrote to memory of 4348	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	ETjSVRGlPiaoBX1gSPJicw2F.exe
PID 4344 wrote to memory of 480	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	7T1pFTgHdduM_0TW3ZPPh6pa.exe
PID 4344 wrote to memory of 480	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	7T1pFTgHdduM_0TW3ZPPh6pa.exe
PID 4344 wrote to memory of 480	4344	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	7T1pFTgHdduM_0TW3ZPPh6pa.exe
PID 480 wrote to memory of 456	480	7T1pFTgHdduM_0TW3ZPPh6pa.exe	schtasks.exe
PID 480 wrote to memory of 456	480	7T1pFTgHdduM_0TW3ZPPh6pa.exe	schtasks.exe
PID 480 wrote to memory of 456	480	7T1pFTgHdduM_0TW3ZPPh6pa.exe	schtasks.exe
PID 760 wrote to memory of 3144	760	is-5IT7M.tmp	gnsearcher81.exe
PID 760 wrote to memory of 3144	760	is-5IT7M.tmp	gnsearcher81.exe
PID 760 wrote to memory of 3144	760	is-5IT7M.tmp	gnsearcher81.exe
PID 3528 wrote to memory of 3096	3528	EYviF7L7EFBtiWhWS6oCRYcA.exe	Conhost.exe
PID 3528 wrote to memory of 3096	3528	EYviF7L7EFBtiWhWS6oCRYcA.exe	Conhost.exe
PID 3528 wrote to memory of 3096	3528	EYviF7L7EFBtiWhWS6oCRYcA.exe	Conhost.exe
PID 480 wrote to memory of 2736	480	7T1pFTgHdduM_0TW3ZPPh6pa.exe	schtasks.exe
PID 480 wrote to memory of 2736	480	7T1pFTgHdduM_0TW3ZPPh6pa.exe	schtasks.exe
PID 480 wrote to memory of 2736	480	7T1pFTgHdduM_0TW3ZPPh6pa.exe	schtasks.exe
PID 5076 wrote to memory of 4848	5076	DGP8UszwAR0fl6eAhxlElVW9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
"C:\Users\Admin\AppData\Local\Temp\5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\Pictures\Minor Policy\EYviF7L7EFBtiWhWS6oCRYcA.exe
"C:\Users\Admin\Pictures\Minor Policy\EYviF7L7EFBtiWhWS6oCRYcA.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /y .\JV5mZK.B
3⤵
PID:3096

C:\Users\Admin\Pictures\Minor Policy\sI_k_HqSaW8OQHpPOpRRlyFC.exe
"C:\Users\Admin\Pictures\Minor Policy\sI_k_HqSaW8OQHpPOpRRlyFC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\is-RTPA2.tmp\is-5IT7M.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RTPA2.tmp\is-5IT7M.tmp" /SL4 $901C2 "C:\Users\Admin\Pictures\Minor Policy\sI_k_HqSaW8OQHpPOpRRlyFC.exe" 1974201 54784
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:760

C:\Program Files (x86)\gnSearcher\gnsearcher81.exe
"C:\Program Files (x86)\gnSearcher\gnsearcher81.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Users\Admin\AppData\Roaming\{99cae5c0-1ab4-11ed-899c-806e6f6e6963}\BSRFIkq.exe
5⤵
- Executes dropped EXE
PID:2844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gnsearcher81.exe" /f & erase "C:\Program Files (x86)\gnSearcher\gnsearcher81.exe" & exit
5⤵
PID:3668

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gnsearcher81.exe" /f
6⤵
- Kills process with taskkill
PID:1840

C:\Users\Admin\Pictures\Minor Policy\E1l20UCyomRMGGQJKOLGUaPX.exe
"C:\Users\Admin\Pictures\Minor Policy\E1l20UCyomRMGGQJKOLGUaPX.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3320

C:\Users\Admin\Pictures\Minor Policy\jaeL3LsCuDHm0egcAAyUXZHk.exe
"C:\Users\Admin\Pictures\Minor Policy\jaeL3LsCuDHm0egcAAyUXZHk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:5072

C:\Users\Admin\Pictures\Minor Policy\Oef2IK2N0dTJquHhYTjCv2qI.exe
"C:\Users\Admin\Pictures\Minor Policy\Oef2IK2N0dTJquHhYTjCv2qI.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Users\Admin\Documents\WJqYTAlM104TArJsuoqbsKbZ.exe
"C:\Users\Admin\Documents\WJqYTAlM104TArJsuoqbsKbZ.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Users\Admin\Pictures\Minor Policy\fjUCPSuUzvHlWwpdKDM_fcM_.exe
"C:\Users\Admin\Pictures\Minor Policy\fjUCPSuUzvHlWwpdKDM_fcM_.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
4⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\is-7KLAT.tmp\fjUCPSuUzvHlWwpdKDM_fcM_.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7KLAT.tmp\fjUCPSuUzvHlWwpdKDM_fcM_.tmp" /SL5="$5016C,15591043,792064,C:\Users\Admin\Pictures\Minor Policy\fjUCPSuUzvHlWwpdKDM_fcM_.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
5⤵
PID:3676

C:\Users\Admin\Pictures\Minor Policy\0YJfZFuEFVAniEny0h0ZdhMR.exe
"C:\Users\Admin\Pictures\Minor Policy\0YJfZFuEFVAniEny0h0ZdhMR.exe"
4⤵
PID:4292

C:\Users\Admin\Pictures\Minor Policy\_SckiEzeXF2ax4sD182wgn8t.exe
"C:\Users\Admin\Pictures\Minor Policy\_SckiEzeXF2ax4sD182wgn8t.exe"
4⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\is-9JTGB.tmp\is-9URBB.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9JTGB.tmp\is-9URBB.tmp" /SL4 $70118 "C:\Users\Admin\Pictures\Minor Policy\_SckiEzeXF2ax4sD182wgn8t.exe" 1974201 54784
5⤵
PID:3272

C:\Users\Admin\Pictures\Minor Policy\BAPjCn7tfAxw5IzGxxryATPh.exe
"C:\Users\Admin\Pictures\Minor Policy\BAPjCn7tfAxw5IzGxxryATPh.exe"
4⤵
PID:2320

C:\Windows\SysWOW64\nslookup.exe
nslookup /?
5⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Submitting.vsdm & ping -n 5 localhost
5⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:3668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
7⤵
PID:3716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
7⤵
PID:4232

C:\Users\Admin\Pictures\Minor Policy\pTeW1fiFMIWZ2fmPLbslhC2g.exe
"C:\Users\Admin\Pictures\Minor Policy\pTeW1fiFMIWZ2fmPLbslhC2g.exe"
4⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 344
5⤵
- Program crash
PID:3632

C:\Users\Admin\Pictures\Minor Policy\4TItzJMM06ohfUu5GiSYEytY.exe
"C:\Users\Admin\Pictures\Minor Policy\4TItzJMM06ohfUu5GiSYEytY.exe"
4⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\7zS69C1.tmp\Install.exe
.\Install.exe
5⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\7zS7162.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:4032

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:3952

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:4808

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:4812

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:4556

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNOoCOwaQ" /SC once /ST 04:42:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:2720

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bZCfWmYpafNHhnGzrD" /SC once /ST 14:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\vgttqJecaYSgKWKae\tHiYAlstDQxxzmy\FAGwVzy.exe\" mf /site_id 525403 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:2688

C:\Users\Admin\Pictures\Minor Policy\18Yd85nefkS2FlSMwuO0rcTo.exe
"C:\Users\Admin\Pictures\Minor Policy\18Yd85nefkS2FlSMwuO0rcTo.exe"
4⤵
PID:2728

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /y .\JV5mZK.B
5⤵
PID:4296

C:\Users\Admin\Pictures\Minor Policy\qlGuFngD7fb_y9XZJqXh389f.exe
"C:\Users\Admin\Pictures\Minor Policy\qlGuFngD7fb_y9XZJqXh389f.exe"
4⤵
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
5⤵
PID:3176

C:\Users\Admin\Pictures\Minor Policy\9chQQUsX4rQn5XMLEypxygHo.exe
"C:\Users\Admin\Pictures\Minor Policy\9chQQUsX4rQn5XMLEypxygHo.exe"
4⤵
PID:2560

C:\Users\Admin\Pictures\Minor Policy\Tef0dtdj5D2WCqgx8litBU3D.exe
"C:\Users\Admin\Pictures\Minor Policy\Tef0dtdj5D2WCqgx8litBU3D.exe"
4⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
5⤵
PID:3904

C:\Users\Admin\Pictures\Minor Policy\vFCkOAGxsgcpvLK5ynvuT2Xu.exe
"C:\Users\Admin\Pictures\Minor Policy\vFCkOAGxsgcpvLK5ynvuT2Xu.exe"
4⤵
PID:3024

C:\Users\Admin\Pictures\Minor Policy\k2Uzuln35oNEEBKllhDMx92_.exe
"C:\Users\Admin\Pictures\Minor Policy\k2Uzuln35oNEEBKllhDMx92_.exe"
4⤵
PID:864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2688

C:\Users\Admin\Pictures\Minor Policy\eKQidjFSl8cIAZAEBhMIOOyL.exe
"C:\Users\Admin\Pictures\Minor Policy\eKQidjFSl8cIAZAEBhMIOOyL.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 148
3⤵
- Program crash
PID:1820

C:\Users\Admin\Pictures\Minor Policy\yxyi6IFtLA9t3qvbCscp0so5.exe
"C:\Users\Admin\Pictures\Minor Policy\yxyi6IFtLA9t3qvbCscp0so5.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:5096

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
4⤵
- Creates scheduled task(s)
PID:1008

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
4⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1140
3⤵
- Program crash
PID:3520

C:\Users\Admin\Pictures\Minor Policy\DGP8UszwAR0fl6eAhxlElVW9.exe
"C:\Users\Admin\Pictures\Minor Policy\DGP8UszwAR0fl6eAhxlElVW9.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sicnucdi\
3⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lbuspyfe.exe" C:\Windows\SysWOW64\sicnucdi\
3⤵
PID:3468

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create sicnucdi binPath= "C:\Windows\SysWOW64\sicnucdi\lbuspyfe.exe /d\"C:\Users\Admin\Pictures\Minor Policy\DGP8UszwAR0fl6eAhxlElVW9.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:2812

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description sicnucdi "wifi internet conection"
3⤵
- Launches sc.exe
PID:3856

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start sicnucdi
3⤵
- Launches sc.exe
PID:1268

C:\Users\Admin\vgchyrds.exe
"C:\Users\Admin\vgchyrds.exe" /d"C:\Users\Admin\Pictures\Minor Policy\DGP8UszwAR0fl6eAhxlElVW9.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fcwxucsz.exe" C:\Windows\SysWOW64\sicnucdi\
4⤵
PID:4712

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config sicnucdi binPath= "C:\Windows\SysWOW64\sicnucdi\fcwxucsz.exe /d\"C:\Users\Admin\vgchyrds.exe\""
4⤵
- Launches sc.exe
PID:2468

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
- Modifies Windows Firewall
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5141.bat" "
4⤵
PID:4304

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4264

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1040
4⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start sicnucdi
4⤵
- Launches sc.exe
PID:4092

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1036
3⤵
- Program crash
PID:3524

C:\Users\Admin\Pictures\Minor Policy\oSrATmUV6JpsokU4uOJKUGDi.exe
"C:\Users\Admin\Pictures\Minor Policy\oSrATmUV6JpsokU4uOJKUGDi.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1220
3⤵
- Program crash
PID:4696

C:\Users\Admin\Pictures\Minor Policy\WloV3YOAoTbD8b4LrHg83nBE.exe
"C:\Users\Admin\Pictures\Minor Policy\WloV3YOAoTbD8b4LrHg83nBE.exe"
2⤵
- Executes dropped EXE
PID:4328

C:\Users\Admin\Pictures\Minor Policy\O1adNDOdRurRJqyyvDLkVf58.exe
"C:\Users\Admin\Pictures\Minor Policy\O1adNDOdRurRJqyyvDLkVf58.exe"
2⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Pictures\Minor Policy\O1adNDOdRurRJqyyvDLkVf58.exe
3⤵
PID:4696

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:5004

C:\Users\Admin\Pictures\Minor Policy\zK5kNlFFAnndUnMv4mXxOsXG.exe
"C:\Users\Admin\Pictures\Minor Policy\zK5kNlFFAnndUnMv4mXxOsXG.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:812

C:\Users\Admin\Pictures\Minor Policy\BY2W0uUYbmocVf5FAIA6AymA.exe
"C:\Users\Admin\Pictures\Minor Policy\BY2W0uUYbmocVf5FAIA6AymA.exe"
2⤵
- Executes dropped EXE
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 264
3⤵
- Program crash
PID:4088

C:\Users\Admin\Pictures\Minor Policy\uhFgatxQ5rlCjPeQcID5DRwH.exe
"C:\Users\Admin\Pictures\Minor Policy\uhFgatxQ5rlCjPeQcID5DRwH.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:3624

C:\Users\Admin\Pictures\Minor Policy\uhFgatxQ5rlCjPeQcID5DRwH.exe
"C:\Users\Admin\Pictures\Minor Policy\uhFgatxQ5rlCjPeQcID5DRwH.exe" -q
3⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\Pictures\Minor Policy\X30RSY_GXkmR_YlGBmVJwauE.exe
"C:\Users\Admin\Pictures\Minor Policy\X30RSY_GXkmR_YlGBmVJwauE.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Minor Policy\X30RSY_GXkmR_YlGBmVJwauE.exe" & exit
3⤵
PID:2540

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 2024
3⤵
- Program crash
PID:4664

C:\Users\Admin\Pictures\Minor Policy\7T1pFTgHdduM_0TW3ZPPh6pa.exe
"C:\Users\Admin\Pictures\Minor Policy\7T1pFTgHdduM_0TW3ZPPh6pa.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2736

C:\Users\Admin\Pictures\Minor Policy\ETjSVRGlPiaoBX1gSPJicw2F.exe
"C:\Users\Admin\Pictures\Minor Policy\ETjSVRGlPiaoBX1gSPJicw2F.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5076 -ip 5076
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5096 -ip 5096
1⤵
PID:4636

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:560

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 600
3⤵
- Program crash
PID:1752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5108 -ip 5108
1⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Loads dropped DLL
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4620 -ip 4620
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3608 -ip 3608
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3424 -ip 3424
1⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 416
2⤵
- Program crash
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3516 -ip 3516
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4288 -ip 4288
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2752 -ip 2752
1⤵
PID:4664

C:\Program Files (x86)\gnSearcher\gnsearcher81.exe
"C:\Program Files (x86)\gnSearcher\gnsearcher81.exe"
1⤵
PID:684

C:\Users\Admin\AppData\Roaming\{99cae5c0-1ab4-11ed-899c-806e6f6e6963}\AwBx3.exe
2⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2768 -ip 2768
1⤵
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\gnSearcher\gnsearcher81.exe
Filesize
2.8MB

MD5
798f337edb0706fc6ad4b92f15976e4f

SHA1
3af1799fc075aa793391ba3ed5efc015c8ee43cd

SHA256
6b2ff7f8c6d3f1cf22f90a4e561d93ca44eb9a831be1324ef574d0abc48fc761

SHA512
a4fd5aab2c9c60cad330e1659f973895805780469227429349f8161dd60c972836db7e6164952318d8c2f0f4b24ac7fb04121a935799cc80b44cc61a272885cc

Download Submit
C:\Program Files (x86)\gnSearcher\gnsearcher81.exe
Filesize
2.8MB

MD5
798f337edb0706fc6ad4b92f15976e4f

SHA1
3af1799fc075aa793391ba3ed5efc015c8ee43cd

SHA256
6b2ff7f8c6d3f1cf22f90a4e561d93ca44eb9a831be1324ef574d0abc48fc761

SHA512
a4fd5aab2c9c60cad330e1659f973895805780469227429349f8161dd60c972836db7e6164952318d8c2f0f4b24ac7fb04121a935799cc80b44cc61a272885cc

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\98E4B9E09258E3C5F565FA64983EE15B
Filesize
1KB

MD5
d0663d1d45faaba82b901f77177e8d3e

SHA1
d241b5eef595984c57d7eb131703ece529782c9d

SHA256
374a678431af9842b29a365b5db3177b8a9778b5d01d7db5650179392b210285

SHA512
f68fc97e7d4c447bdd83328d24cb96604a124a0b4d9526bda6b883d7c5a596825827d998350904464e17f41052d80cdb5fe9f42a1cbfe55cec00ad4d433d4de8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
1KB

MD5
aeada416f14c35e572581b59c74b50f2

SHA1
ed38d97e14bbf40c898c187b8644557e5330608b

SHA256
934412c38a7d6550ab130f192b91b1ff71d81f05d38751c0309143da455fe8ea

SHA512
aeb4410b46d4b00be37ac6e760b9c28d51242c1024cd5892c01f5cca39775d546b31c798fb3a5e7cca22e544fbd0e88a041e4347c4499bee003e96408901c3ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
78910cfa3473dc6b22ea55a7d2224f67

SHA1
c3993c288c88d689adac4381e3a4e4afc8eae1cb

SHA256
22793bbd4b65ed6208f3e67fb53e6b008936c8969c5a7a0b598a07894d4ddd82

SHA512
b9599a327db6fa57e92512c555cbed8ade096baffa208958bf58f3796fbd709aa0099c4077b035a660a97d5b358989d14c4e4db420d31e52631bc198e590f740

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\98E4B9E09258E3C5F565FA64983EE15B
Filesize
540B

MD5
346f4a2b29bfc1abc859653bcd16fffe

SHA1
c4634d7888be08b99e616f56014af3557946bf0e

SHA256
73111f86dd97a43b7d90ebd94b0e94af907a96ab8c38874b70e1d10bf95b6dcb

SHA512
0551e6bf3e4ab647cf1b27eac5aa26046ca5bb0fd61f63ccfe2b200215890685a41a77787e50b3c6a3c10cc30aa712de6627795c1daf76f9a51a4d05ff3799a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
492B

MD5
b347798d48f7b6f62130a65c34ce1f1b

SHA1
649bbf0b0dc8347e5285f331c24657befecf8257

SHA256
ae7f0bcdf5359a179f54b9ace055f95c368b1d010a9ce01cd3330d311ea7aeb2

SHA512
52b49730b11c11941e79a9978674df371fef47d5a260305922573da842970a14946e92bc2960f3da37215973b05ac1103c2a563f446bf4cf5cdce8f8e0cfcaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
270KB

MD5
91c0ecd7a45a9b6d6faf58423d1ff4ee

SHA1
89a3c4c111944bbbe83c2b9f50008879328e230a

SHA256
f12dfd638591c5444499e2325c59698554c7557880d722f8935cf2cdea46d111

SHA512
225452075fdf6a6302c18b9dd9eae818f2b14027d146dad9a4c58bb6c9dfae787c7caf3abaf5c29fe3a24010a81954088c3d9b2bf63a579d6df1841caf0b4dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
270KB

MD5
91c0ecd7a45a9b6d6faf58423d1ff4ee

SHA1
89a3c4c111944bbbe83c2b9f50008879328e230a

SHA256
f12dfd638591c5444499e2325c59698554c7557880d722f8935cf2cdea46d111

SHA512
225452075fdf6a6302c18b9dd9eae818f2b14027d146dad9a4c58bb6c9dfae787c7caf3abaf5c29fe3a24010a81954088c3d9b2bf63a579d6df1841caf0b4dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
270KB

MD5
91c0ecd7a45a9b6d6faf58423d1ff4ee

SHA1
89a3c4c111944bbbe83c2b9f50008879328e230a

SHA256
f12dfd638591c5444499e2325c59698554c7557880d722f8935cf2cdea46d111

SHA512
225452075fdf6a6302c18b9dd9eae818f2b14027d146dad9a4c58bb6c9dfae787c7caf3abaf5c29fe3a24010a81954088c3d9b2bf63a579d6df1841caf0b4dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5141.bat
Filesize
150B

MD5
4c1854499bc10c7ba29912425e814352

SHA1
99930f4de3c1826c13941f8688f92f7ebf501775

SHA256
d68b6fc291f06086c3a96148bf6688a433b7d4b7295699c668abfbc7602dca67

SHA512
3d947dd0cd0291851d030b9e3ec5618dd5e58f94b128164a5493f0d4db734ec11b623a1db4ea41d2c4a632e05b71a92eef92f2ca6efc564e30f2e7537d029ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JV5mZK.B
Filesize
2.2MB

MD5
fbba26a518bb2a34e7e2ab7b54a37d73

SHA1
d94876ff692d628eaacf2ab50be65a41cbe6d798

SHA256
addf1a40f32be9fd58f43310676227b1b81e7e6a334ee235abc06156fcfa4a27

SHA512
5b46ccfecc271f3f73f06c75327aaf5b3f58563fc8be27844f921a5cc65fbdbcc1a055101c408b6d9b54342f959a06dc449b0c70bbaafef9e0bda264f9f3e19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
45ceed48afd68359f317952e8845ea02

SHA1
0149982c8c5a90616c3392974b1a543eb2b4e894

SHA256
ba07f9487a10ed278772d9571d6e867f53338029a3c4580eed2e08d8f5a8f9bd

SHA512
c41645620e26ece7bf044c7a7a8d43383e87a07baae20596d7e01a609d403396fc1993647724185b066e48d9b7f7bddca8913c838dfa56916de7dbd27b9bd4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
845a5f94673e266f80fae41538a94db1

SHA1
a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

SHA256
3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

SHA512
f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
845a5f94673e266f80fae41538a94db1

SHA1
a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

SHA256
3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

SHA512
f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-17DGS.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RTPA2.tmp\is-5IT7M.tmp
Filesize
659KB

MD5
34a3efb47055787f7a4537fb08fb93ec

SHA1
7396195a1bc60f31bb90b5c8abf4b4ce95ec06f9

SHA256
fe0505386751f6c7a49d4b3594cc99c8936a9906e49c595934e586f0b9a9e409

SHA512
055b18c604aa583f0150f39e564438e15cd07dff308212a2c508978e2347224e2c7979f5066fb4f4e9073d5a76ee845d659214cd5f8669ce808e74d0078520ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RTPA2.tmp\is-5IT7M.tmp
Filesize
659KB

MD5
34a3efb47055787f7a4537fb08fb93ec

SHA1
7396195a1bc60f31bb90b5c8abf4b4ce95ec06f9

SHA256
fe0505386751f6c7a49d4b3594cc99c8936a9906e49c595934e586f0b9a9e409

SHA512
055b18c604aa583f0150f39e564438e15cd07dff308212a2c508978e2347224e2c7979f5066fb4f4e9073d5a76ee845d659214cd5f8669ce808e74d0078520ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\jv5mzK.B
Filesize
2.2MB

MD5
fbba26a518bb2a34e7e2ab7b54a37d73

SHA1
d94876ff692d628eaacf2ab50be65a41cbe6d798

SHA256
addf1a40f32be9fd58f43310676227b1b81e7e6a334ee235abc06156fcfa4a27

SHA512
5b46ccfecc271f3f73f06c75327aaf5b3f58563fc8be27844f921a5cc65fbdbcc1a055101c408b6d9b54342f959a06dc449b0c70bbaafef9e0bda264f9f3e19b

Download Submit
C:\Users\Admin\AppData\Roaming\{99cae5c0-1ab4-11ed-899c-806e6f6e6963}\BSRFIkq.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{99cae5c0-1ab4-11ed-899c-806e6f6e6963}\BSRFIkq.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\Documents\WJqYTAlM104TArJsuoqbsKbZ.exe
Filesize
5.5MB

MD5
91f6f48383c2d43120c14b74bf894575

SHA1
c49da1e376ae346d420e1486b7b865ee0d6e1485

SHA256
6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933

SHA512
a93ef32d57ff0991f1a2711371db24063bcf1c5cf4ebf2c24a0ac856b08df046fb760801dce3dca3a4c4f3eaaf18d4c1f0fe2befc5d5df9d5fefadd57f1bc69f

Download Submit
C:\Users\Admin\Documents\WJqYTAlM104TArJsuoqbsKbZ.exe
Filesize
5.5MB

MD5
91f6f48383c2d43120c14b74bf894575

SHA1
c49da1e376ae346d420e1486b7b865ee0d6e1485

SHA256
6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933

SHA512
a93ef32d57ff0991f1a2711371db24063bcf1c5cf4ebf2c24a0ac856b08df046fb760801dce3dca3a4c4f3eaaf18d4c1f0fe2befc5d5df9d5fefadd57f1bc69f

Download Submit
C:\Users\Admin\Pictures\Minor Policy\7T1pFTgHdduM_0TW3ZPPh6pa.exe
Filesize
153KB

MD5
a9ac092f289b11e881a4676bf03b8ec9

SHA1
1c7930297c8e87ae7f2496e6aa98d762824ab102

SHA256
bcaabd004b3ff5135feaeb965ee3391030865f6f24ac1bf2d94154f918b97a55

SHA512
c2f72c70c4a27fa5db377a9140deabb9b11ed2e83431eebc93aebbfe188a105ce1f209f4a781f9255c6191436acf24885d1c18d4872dd006759601690a0f8572

Download Submit
C:\Users\Admin\Pictures\Minor Policy\7T1pFTgHdduM_0TW3ZPPh6pa.exe
Filesize
153KB

MD5
a9ac092f289b11e881a4676bf03b8ec9

SHA1
1c7930297c8e87ae7f2496e6aa98d762824ab102

SHA256
bcaabd004b3ff5135feaeb965ee3391030865f6f24ac1bf2d94154f918b97a55

SHA512
c2f72c70c4a27fa5db377a9140deabb9b11ed2e83431eebc93aebbfe188a105ce1f209f4a781f9255c6191436acf24885d1c18d4872dd006759601690a0f8572

Download Submit
C:\Users\Admin\Pictures\Minor Policy\BY2W0uUYbmocVf5FAIA6AymA.exe
Filesize
643KB

MD5
c6dba85ca1051f634642c1578a3f0464

SHA1
4ca400b19f0f98fcb68525ee79a89964cf619cb1

SHA256
30aba4868cf76576848c64cc09853d89273c77bbdc15a4c1573f1d5126253ef2

SHA512
1607587811e32094c4845e14af2c73e779410f9d57914f7974a191d5a92956eca44ac3c30e4895a56530e54f1c1f30622008a29223eea17bd7decd2b9a2097f5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\BY2W0uUYbmocVf5FAIA6AymA.exe
Filesize
643KB

MD5
c6dba85ca1051f634642c1578a3f0464

SHA1
4ca400b19f0f98fcb68525ee79a89964cf619cb1

SHA256
30aba4868cf76576848c64cc09853d89273c77bbdc15a4c1573f1d5126253ef2

SHA512
1607587811e32094c4845e14af2c73e779410f9d57914f7974a191d5a92956eca44ac3c30e4895a56530e54f1c1f30622008a29223eea17bd7decd2b9a2097f5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\DGP8UszwAR0fl6eAhxlElVW9.exe
Filesize
232KB

MD5
d440eda2642b825a96ead2584a99df98

SHA1
8b46704cf6c5d0583c81591db5e51b3a7e694c97

SHA256
d849888234af0173d498b70bc2d402af850664776079fb3f28c45a8a126e5099

SHA512
28d09ed39066f48a15a5daac5e2951f11399f7e289adf4560b3b48ca6141a3016708db4e66b91ac6d7abe0919a5fc77db5dd6092fa874c5602693d71f4b2bf25

Download Submit
C:\Users\Admin\Pictures\Minor Policy\DGP8UszwAR0fl6eAhxlElVW9.exe
Filesize
232KB

MD5
d440eda2642b825a96ead2584a99df98

SHA1
8b46704cf6c5d0583c81591db5e51b3a7e694c97

SHA256
d849888234af0173d498b70bc2d402af850664776079fb3f28c45a8a126e5099

SHA512
28d09ed39066f48a15a5daac5e2951f11399f7e289adf4560b3b48ca6141a3016708db4e66b91ac6d7abe0919a5fc77db5dd6092fa874c5602693d71f4b2bf25

Download Submit
C:\Users\Admin\Pictures\Minor Policy\E1l20UCyomRMGGQJKOLGUaPX.exe
Filesize
6.1MB

MD5
554c35e7f8372facb81013ed8a1abac7

SHA1
2f913331b0da061cced1ec22923dfcb7701661fa

SHA256
bcb26a341e64f4faf00f57e17955a576b6b41768b29a8d556a4f6d1f52320245

SHA512
dccda647c9b1634e031aba9f8b825d16356307eacc9b96f5d25f746b7a1fa6c82f527876b97d99750328633b01300b27ec24a9ffdaf2978abd4318d7889f8a4d

Download Submit
C:\Users\Admin\Pictures\Minor Policy\E1l20UCyomRMGGQJKOLGUaPX.exe
Filesize
6.1MB

MD5
554c35e7f8372facb81013ed8a1abac7

SHA1
2f913331b0da061cced1ec22923dfcb7701661fa

SHA256
bcb26a341e64f4faf00f57e17955a576b6b41768b29a8d556a4f6d1f52320245

SHA512
dccda647c9b1634e031aba9f8b825d16356307eacc9b96f5d25f746b7a1fa6c82f527876b97d99750328633b01300b27ec24a9ffdaf2978abd4318d7889f8a4d

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ETjSVRGlPiaoBX1gSPJicw2F.exe
Filesize
156KB

MD5
a2b4cec56bf837a8ac85947992c5deac

SHA1
6754932edf2e9464c5635609ef91495043c18673

SHA256
ff980bca1aba96fbfc83670e38593540b3a75e37acce030f6db9f5e3ad4fa19d

SHA512
f711bd46ea7c892bb9ec3986f1c667eaefd02262808d781e2a070de326da0286d881a3eee7ee6af78bb1b04f6a1f2bba51f1d17172e8097c2e8f2005d4d84f3d

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ETjSVRGlPiaoBX1gSPJicw2F.exe
Filesize
156KB

MD5
a2b4cec56bf837a8ac85947992c5deac

SHA1
6754932edf2e9464c5635609ef91495043c18673

SHA256
ff980bca1aba96fbfc83670e38593540b3a75e37acce030f6db9f5e3ad4fa19d

SHA512
f711bd46ea7c892bb9ec3986f1c667eaefd02262808d781e2a070de326da0286d881a3eee7ee6af78bb1b04f6a1f2bba51f1d17172e8097c2e8f2005d4d84f3d

Download Submit
C:\Users\Admin\Pictures\Minor Policy\EYviF7L7EFBtiWhWS6oCRYcA.exe
Filesize
1.8MB

MD5
b8ba6be68ed100283134a099706867c5

SHA1
6f6c7ed3812eff1488c72679add579a5976ccab0

SHA256
2a2e3bfe05d3b240d13f9fd302b6b00818da4e8bb65fa7fd480606916b807f8e

SHA512
d1e24a7e79fdfbc34fd4e2b29e396ffc3771753c8747493998aee632d982a820cc5e8ff774398981bfb0912c8004cf7eae11a774b65be1dbe0e6b5297668a9e1

Download Submit
C:\Users\Admin\Pictures\Minor Policy\EYviF7L7EFBtiWhWS6oCRYcA.exe
Filesize
1.8MB

MD5
b8ba6be68ed100283134a099706867c5

SHA1
6f6c7ed3812eff1488c72679add579a5976ccab0

SHA256
2a2e3bfe05d3b240d13f9fd302b6b00818da4e8bb65fa7fd480606916b807f8e

SHA512
d1e24a7e79fdfbc34fd4e2b29e396ffc3771753c8747493998aee632d982a820cc5e8ff774398981bfb0912c8004cf7eae11a774b65be1dbe0e6b5297668a9e1

Download Submit
C:\Users\Admin\Pictures\Minor Policy\O1adNDOdRurRJqyyvDLkVf58.exe
Filesize
2.4MB

MD5
820aac4af4041832fd845165bd2aa9cf

SHA1
5bd7e4b0355e0c9c1f676a0a9db25589ad815c27

SHA256
f90220b98550878f3056c732d437bae3026e4d7c7aa9bb733dbaa9c748cb80e7

SHA512
cd6e7bd98feeb8fa9b0e366f2a35779a9d5203c4ef08f3c722a49b0868850e1f7fe3d32f4bd1f5b6398f539c9085e8dbade6bb6563294a770391cef6939060d9

Download Submit
C:\Users\Admin\Pictures\Minor Policy\O1adNDOdRurRJqyyvDLkVf58.exe
Filesize
2.4MB

MD5
820aac4af4041832fd845165bd2aa9cf

SHA1
5bd7e4b0355e0c9c1f676a0a9db25589ad815c27

SHA256
f90220b98550878f3056c732d437bae3026e4d7c7aa9bb733dbaa9c748cb80e7

SHA512
cd6e7bd98feeb8fa9b0e366f2a35779a9d5203c4ef08f3c722a49b0868850e1f7fe3d32f4bd1f5b6398f539c9085e8dbade6bb6563294a770391cef6939060d9

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Oef2IK2N0dTJquHhYTjCv2qI.exe
Filesize
4.8MB

MD5
854d5dfe2d5193aa4150765c123df8ad

SHA1
1b21d80c4beb90b03d795cf11145619aeb3a4f37

SHA256
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

SHA512
48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Oef2IK2N0dTJquHhYTjCv2qI.exe
Filesize
4.8MB

MD5
854d5dfe2d5193aa4150765c123df8ad

SHA1
1b21d80c4beb90b03d795cf11145619aeb3a4f37

SHA256
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

SHA512
48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\WloV3YOAoTbD8b4LrHg83nBE.exe
Filesize
3.5MB

MD5
c9dd331060bfb98acc554bdec8675e64

SHA1
7eff8060c1230bb1207c3452649d27ebc144eb63

SHA256
a43ba866355013dd2afd3c89ad4cd9427b7c209cae3c09c157843688cdf81e18

SHA512
82d72a0e3b40d5c5853844a82d50abc24626b3dea6609877bb5a349cc9d0e1ae54599b6cb623fc37596f30f6bc5f50b14a47e43afd38c351cb25d1f04d20efd8

Download Submit
C:\Users\Admin\Pictures\Minor Policy\WloV3YOAoTbD8b4LrHg83nBE.exe
Filesize
3.5MB

MD5
c9dd331060bfb98acc554bdec8675e64

SHA1
7eff8060c1230bb1207c3452649d27ebc144eb63

SHA256
a43ba866355013dd2afd3c89ad4cd9427b7c209cae3c09c157843688cdf81e18

SHA512
82d72a0e3b40d5c5853844a82d50abc24626b3dea6609877bb5a349cc9d0e1ae54599b6cb623fc37596f30f6bc5f50b14a47e43afd38c351cb25d1f04d20efd8

Download Submit
C:\Users\Admin\Pictures\Minor Policy\X30RSY_GXkmR_YlGBmVJwauE.exe
Filesize
305KB

MD5
762e7752d16b568fe82adae61417a4c2

SHA1
707ce53a1c2b98958671791cfcd6475883e503e6

SHA256
6c79622c6008ea7e85bd60740d0e8bd5829d0567e4c8217eafec4849ad9bf654

SHA512
5959e43d0b84c63e5ea586992904fd4411f8296d0fd7aeb4b7572ff704737971b5790aaa67ceea0dbd57569772e14527ea97902b194c29f7ca02d773c09b6028

Download Submit
C:\Users\Admin\Pictures\Minor Policy\X30RSY_GXkmR_YlGBmVJwauE.exe
Filesize
305KB

MD5
762e7752d16b568fe82adae61417a4c2

SHA1
707ce53a1c2b98958671791cfcd6475883e503e6

SHA256
6c79622c6008ea7e85bd60740d0e8bd5829d0567e4c8217eafec4849ad9bf654

SHA512
5959e43d0b84c63e5ea586992904fd4411f8296d0fd7aeb4b7572ff704737971b5790aaa67ceea0dbd57569772e14527ea97902b194c29f7ca02d773c09b6028

Download Submit
C:\Users\Admin\Pictures\Minor Policy\eKQidjFSl8cIAZAEBhMIOOyL.exe
Filesize
234KB

MD5
cce8615f9e697a298760ab4843b960fd

SHA1
e814ec411a2fb2cfed2a491ecc04f874035e98fa

SHA256
466a20366f2f16813a26bdc6cce70a33d8c14bef069efbe24e0c028c9eb92c10

SHA512
4d7d99d910b0fddcf40f4099260163172eb05fe66fdcfec5935989a3746da2f560e57a92be375f73325caca167d5c8e6a73b52acec1f6812cadd5f044269c11e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\eKQidjFSl8cIAZAEBhMIOOyL.exe
Filesize
234KB

MD5
cce8615f9e697a298760ab4843b960fd

SHA1
e814ec411a2fb2cfed2a491ecc04f874035e98fa

SHA256
466a20366f2f16813a26bdc6cce70a33d8c14bef069efbe24e0c028c9eb92c10

SHA512
4d7d99d910b0fddcf40f4099260163172eb05fe66fdcfec5935989a3746da2f560e57a92be375f73325caca167d5c8e6a73b52acec1f6812cadd5f044269c11e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\jaeL3LsCuDHm0egcAAyUXZHk.exe
Filesize
141KB

MD5
13fd3c9cd13274dc2c442e340ba6d42b

SHA1
57f9dd829648ac3c123d3922231b343a27e03166

SHA256
41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23

SHA512
fc8f2b13f618390d5176afc441f3ba2f1265f7706273507634fdc7c5b125f4f5d5fa2d3d6b41ac04c7c53fe36dda631214982b16836657e3605c8fbbbe69a682

Download Submit
C:\Users\Admin\Pictures\Minor Policy\jaeL3LsCuDHm0egcAAyUXZHk.exe
Filesize
141KB

MD5
13fd3c9cd13274dc2c442e340ba6d42b

SHA1
57f9dd829648ac3c123d3922231b343a27e03166

SHA256
41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23

SHA512
fc8f2b13f618390d5176afc441f3ba2f1265f7706273507634fdc7c5b125f4f5d5fa2d3d6b41ac04c7c53fe36dda631214982b16836657e3605c8fbbbe69a682

Download Submit
C:\Users\Admin\Pictures\Minor Policy\oSrATmUV6JpsokU4uOJKUGDi.exe
Filesize
365KB

MD5
ce79479b60b270264c48818b633d1559

SHA1
7dcf699fa25c99960e36c9487066b4a3a5855a3a

SHA256
5258d88ffd8275a1c16739aa05eeb34dac82c3493f02033cb37f1d2fc985ad1e

SHA512
d3430038c42cb8cf96b48c8548ec9717ef2b8f5e3c5875d7f530cc4d40ce510d0bcabfa751232bad5c62224e09850bd95da26c2e57d65cc2af28694af653e412

Download Submit
C:\Users\Admin\Pictures\Minor Policy\oSrATmUV6JpsokU4uOJKUGDi.exe
Filesize
365KB

MD5
ce79479b60b270264c48818b633d1559

SHA1
7dcf699fa25c99960e36c9487066b4a3a5855a3a

SHA256
5258d88ffd8275a1c16739aa05eeb34dac82c3493f02033cb37f1d2fc985ad1e

SHA512
d3430038c42cb8cf96b48c8548ec9717ef2b8f5e3c5875d7f530cc4d40ce510d0bcabfa751232bad5c62224e09850bd95da26c2e57d65cc2af28694af653e412

Download Submit
C:\Users\Admin\Pictures\Minor Policy\sI_k_HqSaW8OQHpPOpRRlyFC.exe
Filesize
2.1MB

MD5
a5a0ed639a5a6d8d31825db7f0c23fbc

SHA1
cfd83af729c7893622f62ed3580ed656a8518a3c

SHA256
18646ff39c91ed1a3495e580ae46ec36cef89bd362b645755ca645d238da9b2c

SHA512
029c510ae9ffd80576c34b59a0ae0364b80387c907b82eadd90eed7ef71371ef9e17c5b145851f742c3a7d0339dfa6382b0729c1c097e5da20bc8493abd67f9a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\sI_k_HqSaW8OQHpPOpRRlyFC.exe
Filesize
2.1MB

MD5
a5a0ed639a5a6d8d31825db7f0c23fbc

SHA1
cfd83af729c7893622f62ed3580ed656a8518a3c

SHA256
18646ff39c91ed1a3495e580ae46ec36cef89bd362b645755ca645d238da9b2c

SHA512
029c510ae9ffd80576c34b59a0ae0364b80387c907b82eadd90eed7ef71371ef9e17c5b145851f742c3a7d0339dfa6382b0729c1c097e5da20bc8493abd67f9a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\uhFgatxQ5rlCjPeQcID5DRwH.exe
Filesize
923KB

MD5
3f5711ce43dc38958b4a984f93460c14

SHA1
e75a607d126ac21df97c6a992fcfe1c65020d6fa

SHA256
f1ba72662b9d0e9412818b6ecafccb936adf8bcf4150dfc8b2dabb9e7020961e

SHA512
d732c217e994549b89cc33bb2f225c96185a77d82c556911ab8f31516862783d79dd508a0238d78caa0751e6eae0288ab7e5d8874e86d9b86a0d9bf99c6e1c6a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\uhFgatxQ5rlCjPeQcID5DRwH.exe
Filesize
923KB

MD5
3f5711ce43dc38958b4a984f93460c14

SHA1
e75a607d126ac21df97c6a992fcfe1c65020d6fa

SHA256
f1ba72662b9d0e9412818b6ecafccb936adf8bcf4150dfc8b2dabb9e7020961e

SHA512
d732c217e994549b89cc33bb2f225c96185a77d82c556911ab8f31516862783d79dd508a0238d78caa0751e6eae0288ab7e5d8874e86d9b86a0d9bf99c6e1c6a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\uhFgatxQ5rlCjPeQcID5DRwH.exe
Filesize
923KB

MD5
3f5711ce43dc38958b4a984f93460c14

SHA1
e75a607d126ac21df97c6a992fcfe1c65020d6fa

SHA256
f1ba72662b9d0e9412818b6ecafccb936adf8bcf4150dfc8b2dabb9e7020961e

SHA512
d732c217e994549b89cc33bb2f225c96185a77d82c556911ab8f31516862783d79dd508a0238d78caa0751e6eae0288ab7e5d8874e86d9b86a0d9bf99c6e1c6a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\yxyi6IFtLA9t3qvbCscp0so5.exe
Filesize
270KB

MD5
91c0ecd7a45a9b6d6faf58423d1ff4ee

SHA1
89a3c4c111944bbbe83c2b9f50008879328e230a

SHA256
f12dfd638591c5444499e2325c59698554c7557880d722f8935cf2cdea46d111

SHA512
225452075fdf6a6302c18b9dd9eae818f2b14027d146dad9a4c58bb6c9dfae787c7caf3abaf5c29fe3a24010a81954088c3d9b2bf63a579d6df1841caf0b4dcc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\yxyi6IFtLA9t3qvbCscp0so5.exe
Filesize
270KB

MD5
91c0ecd7a45a9b6d6faf58423d1ff4ee

SHA1
89a3c4c111944bbbe83c2b9f50008879328e230a

SHA256
f12dfd638591c5444499e2325c59698554c7557880d722f8935cf2cdea46d111

SHA512
225452075fdf6a6302c18b9dd9eae818f2b14027d146dad9a4c58bb6c9dfae787c7caf3abaf5c29fe3a24010a81954088c3d9b2bf63a579d6df1841caf0b4dcc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\zK5kNlFFAnndUnMv4mXxOsXG.exe
Filesize
4.4MB

MD5
a7ed84dbb8218d96343b3155e55adbf2

SHA1
2c38c2edc9b412857e21d84fee1f27ad8420cc94

SHA256
ba092fc3e1264da1eae62099c10e5eb37467c39b85e8812c2151a872e7e8f386

SHA512
0eb5ba2e613aaecd901948a150508594ee24cb017e846dac3d6f41294e46ca6343d729b8f8e7478254d53e6d90f018d63da5021b242866c803a4c450ac8f5466

Download Submit
C:\Users\Admin\vgchyrds.exe
Filesize
14.3MB

MD5
81f430fc4739da216bbf537c80a34801

SHA1
773ac2696c2eef4083c5283707f85827383bff05

SHA256
cf4c7993d3e7e4d6ed24e38b176bc635a3ebce9d227bdfb0d887bea012aabb42

SHA512
ef52fcd6e69cf01ad257ea23fcee911c47cb18ce08ecc794c744275e04f4021be6ef21254d90ba18d6b02b315a974f3760e9ef7c7c117688f8d43cb20157a38f

Download Submit
C:\Users\Admin\vgchyrds.exe
Filesize
14.3MB

MD5
81f430fc4739da216bbf537c80a34801

SHA1
773ac2696c2eef4083c5283707f85827383bff05

SHA256
cf4c7993d3e7e4d6ed24e38b176bc635a3ebce9d227bdfb0d887bea012aabb42

SHA512
ef52fcd6e69cf01ad257ea23fcee911c47cb18ce08ecc794c744275e04f4021be6ef21254d90ba18d6b02b315a974f3760e9ef7c7c117688f8d43cb20157a38f

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
memory/432-413-0x0000000000000000-mapping.dmp

Download
memory/456-194-0x0000000000000000-mapping.dmp

Download
memory/480-182-0x0000000000000000-mapping.dmp

Download
memory/760-168-0x0000000000000000-mapping.dmp

Download
memory/772-365-0x0000000000000000-mapping.dmp

Download
memory/772-367-0x0000000000700000-0x0000000000728000-memory.dmp

Filesize
160KB

Download
memory/812-240-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/812-279-0x00000000064C0000-0x0000000006682000-memory.dmp

Filesize
1.8MB

Download
memory/812-210-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/812-252-0x0000000005BC0000-0x00000000061D8000-memory.dmp

Filesize
6.1MB

Download
memory/812-261-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/812-260-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/812-213-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/812-255-0x0000000006260000-0x000000000636A000-memory.dmp

Filesize
1.0MB

Download
memory/812-232-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/812-235-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/812-243-0x0000000005B40000-0x0000000005BB6000-memory.dmp

Filesize
472KB

Download
memory/812-245-0x0000000003210000-0x0000000003260000-memory.dmp

Filesize
320KB

Download
memory/812-195-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/812-350-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/812-334-0x0000000007130000-0x000000000765C000-memory.dmp

Filesize
5.2MB

Download
memory/812-171-0x0000000000000000-mapping.dmp

Download
memory/812-228-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/1008-282-0x0000000000000000-mapping.dmp

Download
memory/1268-265-0x0000000000000000-mapping.dmp

Download
memory/1652-333-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/1652-306-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/1652-345-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/1652-356-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/1652-340-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/1652-329-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/1652-293-0x0000000000000000-mapping.dmp

Download
memory/1652-313-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/1652-339-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/1840-403-0x0000000000000000-mapping.dmp

Download
memory/2240-383-0x0000000000000000-mapping.dmp

Download
memory/2304-409-0x0000000000000000-mapping.dmp

Download
memory/2320-412-0x0000000000000000-mapping.dmp

Download
memory/2468-314-0x0000000000000000-mapping.dmp

Download
memory/2540-355-0x0000000000000000-mapping.dmp

Download
memory/2560-408-0x0000000000000000-mapping.dmp

Download
memory/2688-322-0x0000000000000000-mapping.dmp

Download
memory/2700-138-0x0000000000000000-mapping.dmp

Download
memory/2728-410-0x0000000000000000-mapping.dmp

Download
memory/2736-229-0x0000000000000000-mapping.dmp

Download
memory/2768-411-0x0000000000000000-mapping.dmp

Download
memory/2772-164-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2772-137-0x0000000000000000-mapping.dmp

Download
memory/2772-183-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2812-258-0x0000000000000000-mapping.dmp

Download
memory/2844-236-0x0000000000000000-mapping.dmp

Download
memory/3016-426-0x0000000000000000-mapping.dmp

Download
memory/3064-241-0x0000000000000000-mapping.dmp

Download
memory/3064-270-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/3064-267-0x0000000000B86000-0x0000000000BA5000-memory.dmp

Filesize
124KB

Download
memory/3096-216-0x0000000000000000-mapping.dmp

Download
memory/3096-262-0x00000000030A0000-0x0000000003223000-memory.dmp

Filesize
1.5MB

Download
memory/3096-283-0x0000000003470000-0x000000000353A000-memory.dmp

Filesize
808KB

Download
memory/3096-292-0x0000000003350000-0x000000000346D000-memory.dmp

Filesize
1.1MB

Download
memory/3096-264-0x0000000003350000-0x000000000346D000-memory.dmp

Filesize
1.1MB

Download
memory/3096-285-0x0000000003540000-0x00000000035F6000-memory.dmp

Filesize
728KB

Download
memory/3144-269-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/3144-211-0x0000000000400000-0x00000000014D6000-memory.dmp

Filesize
16.8MB

Download
memory/3144-205-0x0000000000000000-mapping.dmp

Download
memory/3144-316-0x0000000000400000-0x00000000014D6000-memory.dmp

Filesize
16.8MB

Download
memory/3144-256-0x0000000000400000-0x00000000014D6000-memory.dmp

Filesize
16.8MB

Download
memory/3144-218-0x0000000000400000-0x00000000014D6000-memory.dmp

Filesize
16.8MB

Download
memory/3272-425-0x0000000000000000-mapping.dmp

Download
memory/3320-214-0x0000000000400000-0x0000000000D87000-memory.dmp

Filesize
9.5MB

Download
memory/3320-145-0x0000000000000000-mapping.dmp

Download
memory/3320-338-0x0000000000400000-0x0000000000D87000-memory.dmp

Filesize
9.5MB

Download
memory/3320-197-0x0000000000400000-0x0000000000D87000-memory.dmp

Filesize
9.5MB

Download
memory/3424-140-0x0000000000000000-mapping.dmp

Download
memory/3468-239-0x0000000000000000-mapping.dmp

Download
memory/3516-266-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/3516-227-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3516-254-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/3516-284-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/3516-225-0x00000000008A0000-0x00000000008F9000-memory.dmp

Filesize
356KB

Download
memory/3516-142-0x0000000000000000-mapping.dmp

Download
memory/3516-226-0x0000000004F80000-0x0000000005524000-memory.dmp

Filesize
5.6MB

Download
memory/3516-341-0x0000000000A66000-0x0000000000A9D000-memory.dmp

Filesize
220KB

Download
memory/3516-224-0x0000000000A66000-0x0000000000A9D000-memory.dmp

Filesize
220KB

Download
memory/3528-139-0x0000000000000000-mapping.dmp

Download
memory/3608-349-0x00000000007E8000-0x0000000000815000-memory.dmp

Filesize
180KB

Download
memory/3608-172-0x0000000000000000-mapping.dmp

Download
memory/3608-343-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/3608-259-0x00000000007E8000-0x0000000000815000-memory.dmp

Filesize
180KB

Download
memory/3608-298-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3608-231-0x0000000000780000-0x00000000007CA000-memory.dmp

Filesize
296KB

Download
memory/3608-234-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/3624-170-0x0000000000000000-mapping.dmp

Download
memory/3668-402-0x0000000000000000-mapping.dmp

Download
memory/3680-141-0x0000000000000000-mapping.dmp

Download
memory/3680-165-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-212-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-249-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/3680-348-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/3680-237-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-311-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-215-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-347-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-206-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-290-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-198-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/3680-346-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/3856-263-0x0000000000000000-mapping.dmp

Download
memory/4092-331-0x0000000000000000-mapping.dmp

Download
memory/4160-342-0x0000000000000000-mapping.dmp

Download
memory/4256-268-0x0000000000000000-mapping.dmp

Download
memory/4264-359-0x0000000000000000-mapping.dmp

Download
memory/4288-173-0x0000000000000000-mapping.dmp

Download
memory/4292-406-0x0000000000000000-mapping.dmp

Download
memory/4304-344-0x0000000000000000-mapping.dmp

Download
memory/4316-246-0x0000000000F20000-0x0000000001702000-memory.dmp

Filesize
7.9MB

Download
memory/4316-176-0x0000000000000000-mapping.dmp

Download
memory/4316-209-0x0000000000F20000-0x0000000001702000-memory.dmp

Filesize
7.9MB

Download
memory/4328-169-0x0000000140000000-0x000000014061E000-memory.dmp

Filesize
6.1MB

Download
memory/4328-144-0x0000000000000000-mapping.dmp

Download
memory/4344-132-0x0000000000EE0000-0x0000000001B23000-memory.dmp

Filesize
12.3MB

Download
memory/4344-136-0x0000000000EE0000-0x0000000001B23000-memory.dmp

Filesize
12.3MB

Download
memory/4344-217-0x0000000000EE0000-0x0000000001B23000-memory.dmp

Filesize
12.3MB

Download
memory/4344-134-0x0000000000EE0000-0x0000000001B23000-memory.dmp

Filesize
12.3MB

Download
memory/4348-177-0x0000000000000000-mapping.dmp

Download
memory/4348-321-0x00000225C4D50000-0x00000225C561C000-memory.dmp

Filesize
8.8MB

Download
memory/4348-354-0x00000225C4D50000-0x00000225C561C000-memory.dmp

Filesize
8.8MB

Download
memory/4484-414-0x0000000000000000-mapping.dmp

Download
memory/4496-407-0x0000000000000000-mapping.dmp

Download
memory/4516-295-0x0000000000000000-mapping.dmp

Download
memory/4620-278-0x0000000000000000-mapping.dmp

Download
memory/4620-303-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/4620-294-0x0000000000986000-0x000000000099C000-memory.dmp

Filesize
88KB

Download
memory/4696-238-0x0000000000000000-mapping.dmp

Download
memory/4712-300-0x0000000000000000-mapping.dmp

Download
memory/4756-390-0x0000000000000000-mapping.dmp

Download
memory/4848-233-0x0000000000000000-mapping.dmp

Download
memory/4908-248-0x0000000000000000-mapping.dmp

Download
memory/4924-361-0x0000000000000000-mapping.dmp

Download
memory/5004-289-0x0000000000000000-mapping.dmp

Download
memory/5072-363-0x0000000000000000-mapping.dmp

Download
memory/5072-364-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5076-143-0x0000000000000000-mapping.dmp

Download
memory/5076-223-0x0000000000A80000-0x0000000000A93000-memory.dmp

Filesize
76KB

Download
memory/5076-288-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/5076-222-0x0000000000BB6000-0x0000000000BCC000-memory.dmp

Filesize
88KB

Download
memory/5076-230-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/5096-146-0x0000000000000000-mapping.dmp

Download
memory/5096-291-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/5096-219-0x0000000000980000-0x00000000009BE000-memory.dmp

Filesize
248KB

Download
memory/5096-244-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/5096-257-0x0000000000BF6000-0x0000000000C15000-memory.dmp

Filesize
124KB

Download
memory/5108-320-0x0000000000000000-mapping.dmp

Download