abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991

Analysis

max time kernel
157s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan/3.exe
Size

376KB
MD5

ee39fe5532bdf8daa98b723c901896f9
SHA1

74b487e2817f4f18deaa13ba02e33f6dea688469
SHA256

97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050
SHA512

badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 48 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Fun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe3.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeFun.exeFun.exeFun.exeFun.exedc.exeFun.exeFun.exeFun.exeFun.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe

Executes dropped EXE 64 IoCs

Processes:

Fun.exeSVIQ.EXEdc.exedc.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeSVIQ.EXEFun.exe

pid	process
688	Fun.exe
1632	SVIQ.EXE
1624	dc.exe
1856	dc.exe
2788	Fun.exe
5104	SVIQ.EXE
3700	Fun.exe
4532	SVIQ.EXE
4856	Fun.exe
1276	SVIQ.EXE
920	Fun.exe
2432	SVIQ.EXE
3928	Fun.exe
4024	SVIQ.EXE
3708	Fun.exe
2028	SVIQ.EXE
4308	Fun.exe
2868	SVIQ.EXE
4964	Fun.exe
4888	SVIQ.EXE
1292	Fun.exe
5076	SVIQ.EXE
720	Fun.exe
876	SVIQ.EXE
4692	Fun.exe
4716	SVIQ.EXE
4772	Fun.exe
4644	SVIQ.EXE
4400	Fun.exe
3148	SVIQ.EXE
216	Fun.exe
1064	SVIQ.EXE
3776	Fun.exe
4532	SVIQ.EXE
4176	Fun.exe
4832	SVIQ.EXE
1252	Fun.exe
3204	SVIQ.EXE
1100	Fun.exe
4712	SVIQ.EXE
544	Fun.exe
1052	SVIQ.EXE
3012	Fun.exe
1808	SVIQ.EXE
3968	Fun.exe
3044	Fun.exe
2320	Fun.exe
2540	Fun.exe
1184	Fun.exe
3936	Fun.exe
400	Fun.exe
3532	Fun.exe
940	Fun.exe
3328	Fun.exe
1884	Fun.exe
1620	Fun.exe
2808	Fun.exe
1436	SVIQ.EXE
876	Fun.exe
3184	SVIQ.EXE
4736	Fun.exe
4716	Fun.exe
3448	SVIQ.EXE
4780	Fun.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Fun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exe3.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exedc.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	SVIQ.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe

Drops file in System32 directory 64 IoCs

Processes:

3.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeFun.exeFun.exeFun.exeFun.exeFun.exedc.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File created	C:\Windows\SysWOW64\WinSit.exe	3.exe
File created	C:\Windows\SysWOW64\config\Win.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe

Drops file in Windows directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	SVIQ.EXE
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	dc.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3.exeFun.exeSVIQ.EXEdc.exedc.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exe

pid	process
3000	3.exe
3000	3.exe
3000	3.exe
3000	3.exe
688	Fun.exe
688	Fun.exe
1632	SVIQ.EXE
1632	SVIQ.EXE
1632	SVIQ.EXE
1632	SVIQ.EXE
1624	dc.exe
1624	dc.exe
1624	dc.exe
1624	dc.exe
1856	dc.exe
1856	dc.exe
1632	SVIQ.EXE
1632	SVIQ.EXE
1624	dc.exe
1624	dc.exe
3000	3.exe
3000	3.exe
1632	SVIQ.EXE
1632	SVIQ.EXE
1624	dc.exe
1624	dc.exe
688	Fun.exe
688	Fun.exe
1632	SVIQ.EXE
1632	SVIQ.EXE
1624	dc.exe
1624	dc.exe
1632	SVIQ.EXE
1632	SVIQ.EXE
1624	dc.exe
1624	dc.exe
2788	Fun.exe
2788	Fun.exe
5104	SVIQ.EXE
5104	SVIQ.EXE
1632	SVIQ.EXE
1632	SVIQ.EXE
1624	dc.exe
1624	dc.exe
3700	Fun.exe
3700	Fun.exe
1632	SVIQ.EXE
1632	SVIQ.EXE
4532	SVIQ.EXE
4532	SVIQ.EXE
1632	SVIQ.EXE
1632	SVIQ.EXE
4856	Fun.exe
4856	Fun.exe
1624	dc.exe
1624	dc.exe
1276	SVIQ.EXE
1276	SVIQ.EXE
1624	dc.exe
1624	dc.exe
920	Fun.exe
920	Fun.exe
1632	SVIQ.EXE
1632	SVIQ.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

3.exeFun.exeSVIQ.EXEdc.exedc.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exe

pid	process
3000	3.exe
3000	3.exe
688	Fun.exe
688	Fun.exe
1632	SVIQ.EXE
1632	SVIQ.EXE
1624	dc.exe
1624	dc.exe
1856	dc.exe
1856	dc.exe
2788	Fun.exe
2788	Fun.exe
5104	SVIQ.EXE
5104	SVIQ.EXE
3700	Fun.exe
3700	Fun.exe
4532	SVIQ.EXE
4532	SVIQ.EXE
4856	Fun.exe
4856	Fun.exe
1276	SVIQ.EXE
1276	SVIQ.EXE
920	Fun.exe
920	Fun.exe
2432	SVIQ.EXE
2432	SVIQ.EXE
3928	Fun.exe
3928	Fun.exe
4024	SVIQ.EXE
4024	SVIQ.EXE
3708	Fun.exe
3708	Fun.exe
2028	SVIQ.EXE
2028	SVIQ.EXE
4308	Fun.exe
4308	Fun.exe
2868	SVIQ.EXE
2868	SVIQ.EXE
4964	Fun.exe
4964	Fun.exe
4888	SVIQ.EXE
4888	SVIQ.EXE
1292	Fun.exe
1292	Fun.exe
5076	SVIQ.EXE
5076	SVIQ.EXE
720	Fun.exe
720	Fun.exe
876	SVIQ.EXE
876	SVIQ.EXE
4692	Fun.exe
4692	Fun.exe
4716	SVIQ.EXE
4716	SVIQ.EXE
4772	Fun.exe
4772	Fun.exe
4644	SVIQ.EXE
4644	SVIQ.EXE
4400	Fun.exe
4400	Fun.exe
3148	SVIQ.EXE
3148	SVIQ.EXE
216	Fun.exe
216	Fun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3.exeFun.exeSVIQ.EXEdc.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe

description	pid	process	target process
PID 3000 wrote to memory of 688	3000	3.exe	Fun.exe
PID 3000 wrote to memory of 688	3000	3.exe	Fun.exe
PID 3000 wrote to memory of 688	3000	3.exe	Fun.exe
PID 688 wrote to memory of 1632	688	Fun.exe	SVIQ.EXE
PID 688 wrote to memory of 1632	688	Fun.exe	SVIQ.EXE
PID 688 wrote to memory of 1632	688	Fun.exe	SVIQ.EXE
PID 1632 wrote to memory of 1624	1632	SVIQ.EXE	dc.exe
PID 1632 wrote to memory of 1624	1632	SVIQ.EXE	dc.exe
PID 1632 wrote to memory of 1624	1632	SVIQ.EXE	dc.exe
PID 3000 wrote to memory of 1856	3000	3.exe	dc.exe
PID 3000 wrote to memory of 1856	3000	3.exe	dc.exe
PID 3000 wrote to memory of 1856	3000	3.exe	dc.exe
PID 1624 wrote to memory of 2788	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 2788	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 2788	1624	dc.exe	Fun.exe
PID 2788 wrote to memory of 5104	2788	Fun.exe	SVIQ.EXE
PID 2788 wrote to memory of 5104	2788	Fun.exe	SVIQ.EXE
PID 2788 wrote to memory of 5104	2788	Fun.exe	SVIQ.EXE
PID 1624 wrote to memory of 3700	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 3700	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 3700	1624	dc.exe	Fun.exe
PID 3700 wrote to memory of 4532	3700	Fun.exe	SVIQ.EXE
PID 3700 wrote to memory of 4532	3700	Fun.exe	SVIQ.EXE
PID 3700 wrote to memory of 4532	3700	Fun.exe	SVIQ.EXE
PID 1632 wrote to memory of 4856	1632	SVIQ.EXE	Fun.exe
PID 1632 wrote to memory of 4856	1632	SVIQ.EXE	Fun.exe
PID 1632 wrote to memory of 4856	1632	SVIQ.EXE	Fun.exe
PID 4856 wrote to memory of 1276	4856	Fun.exe	SVIQ.EXE
PID 4856 wrote to memory of 1276	4856	Fun.exe	SVIQ.EXE
PID 4856 wrote to memory of 1276	4856	Fun.exe	SVIQ.EXE
PID 1624 wrote to memory of 920	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 920	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 920	1624	dc.exe	Fun.exe
PID 920 wrote to memory of 2432	920	Fun.exe	SVIQ.EXE
PID 920 wrote to memory of 2432	920	Fun.exe	SVIQ.EXE
PID 920 wrote to memory of 2432	920	Fun.exe	SVIQ.EXE
PID 1632 wrote to memory of 3928	1632	SVIQ.EXE	Fun.exe
PID 1632 wrote to memory of 3928	1632	SVIQ.EXE	Fun.exe
PID 1632 wrote to memory of 3928	1632	SVIQ.EXE	Fun.exe
PID 3928 wrote to memory of 4024	3928	Fun.exe	SVIQ.EXE
PID 3928 wrote to memory of 4024	3928	Fun.exe	SVIQ.EXE
PID 3928 wrote to memory of 4024	3928	Fun.exe	SVIQ.EXE
PID 1624 wrote to memory of 3708	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 3708	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 3708	1624	dc.exe	Fun.exe
PID 3708 wrote to memory of 2028	3708	Fun.exe	SVIQ.EXE
PID 3708 wrote to memory of 2028	3708	Fun.exe	SVIQ.EXE
PID 3708 wrote to memory of 2028	3708	Fun.exe	SVIQ.EXE
PID 1632 wrote to memory of 4308	1632	SVIQ.EXE	Fun.exe
PID 1632 wrote to memory of 4308	1632	SVIQ.EXE	Fun.exe
PID 1632 wrote to memory of 4308	1632	SVIQ.EXE	Fun.exe
PID 4308 wrote to memory of 2868	4308	Fun.exe	SVIQ.EXE
PID 4308 wrote to memory of 2868	4308	Fun.exe	SVIQ.EXE
PID 4308 wrote to memory of 2868	4308	Fun.exe	SVIQ.EXE
PID 1632 wrote to memory of 4964	1632	SVIQ.EXE	Fun.exe
PID 1632 wrote to memory of 4964	1632	SVIQ.EXE	Fun.exe
PID 1632 wrote to memory of 4964	1632	SVIQ.EXE	Fun.exe
PID 4964 wrote to memory of 4888	4964	Fun.exe	SVIQ.EXE
PID 4964 wrote to memory of 4888	4964	Fun.exe	SVIQ.EXE
PID 4964 wrote to memory of 4888	4964	Fun.exe	SVIQ.EXE
PID 1624 wrote to memory of 1292	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 1292	1624	dc.exe	Fun.exe
PID 1624 wrote to memory of 1292	1624	dc.exe	Fun.exe
PID 1292 wrote to memory of 5076	1292	Fun.exe	SVIQ.EXE

C:\Users\Admin\AppData\Local\Temp\trojan\3.exe
"C:\Users\Admin\AppData\Local\Temp\trojan\3.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\dc.exe
C:\Windows\dc.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
PID:1064

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1252

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
PID:3204

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:544

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
PID:1052

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Executes dropped EXE
PID:3968

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Executes dropped EXE
PID:2320

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Executes dropped EXE
PID:1184

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Executes dropped EXE
PID:3532

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Executes dropped EXE
PID:3328

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Executes dropped EXE
PID:1884

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:876

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
- Executes dropped EXE
PID:3184

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Executes dropped EXE
PID:4716

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4780

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:4772

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4528

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:3604

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:5084

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:424

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:4856

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:4972

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
PID:1100

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:4124

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Windows directory
PID:1408

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:3012

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
PID:3548

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
PID:4160

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:4872

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:3752

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
PID:3532

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:3252

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:3172

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:1592

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Windows directory
PID:3216

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:5008

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Windows directory
PID:4548

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
6⤵
PID:1688

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
5⤵
PID:4436

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:720

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:876

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3148

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3776

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:4532

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4176

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:4832

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1100

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:4712

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:3012

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:1808

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:3044

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:2540

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:3936

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:400

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:940

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
PID:1620

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:2808

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:1436

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4736

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:3448

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:3720

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:1516

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2428

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4032

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4768

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4604

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:4232

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4472

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
PID:3992

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4128

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4720

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:5092

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4812

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1620

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4192

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4640

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4088

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1924

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4756

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:5096

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
PID:4400

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
PID:624

C:\Windows\dc.exe
C:\Windows\dc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\Help\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SVIQ.EXE
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\System\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\System\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\System\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\System\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\System\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\System\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\System\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\dc.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\inf\Other.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\system\Fun.exe
Filesize
376KB

MD5
ee39fe5532bdf8daa98b723c901896f9

SHA1
74b487e2817f4f18deaa13ba02e33f6dea688469

SHA256
97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

SHA512
badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
memory/216-374-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/216-366-0x0000000000000000-mapping.dmp

Download
memory/216-377-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/400-475-0x0000000000000000-mapping.dmp

Download
memory/544-422-0x0000000000000000-mapping.dmp

Download
memory/688-134-0x0000000000000000-mapping.dmp

Download
memory/688-150-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/688-181-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/720-330-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/720-331-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/720-321-0x0000000000000000-mapping.dmp

Download
memory/876-325-0x0000000000000000-mapping.dmp

Download
memory/876-329-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/876-518-0x0000000000000000-mapping.dmp

Download
memory/920-235-0x0000000000000000-mapping.dmp

Download
memory/920-251-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/940-486-0x0000000000000000-mapping.dmp

Download
memory/1052-427-0x0000000000000000-mapping.dmp

Download
memory/1064-370-0x0000000000000000-mapping.dmp

Download
memory/1064-376-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1064-375-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1100-420-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1100-411-0x0000000000000000-mapping.dmp

Download
memory/1184-465-0x0000000000000000-mapping.dmp

Download
memory/1252-410-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1252-404-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1252-400-0x0000000000000000-mapping.dmp

Download
memory/1276-233-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1276-227-0x0000000000000000-mapping.dmp

Download
memory/1292-320-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1292-316-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1292-309-0x0000000000000000-mapping.dmp

Download
memory/1436-512-0x0000000000000000-mapping.dmp

Download
memory/1620-497-0x0000000000000000-mapping.dmp

Download
memory/1624-161-0x0000000000000000-mapping.dmp

Download
memory/1624-172-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1632-152-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1632-147-0x0000000000000000-mapping.dmp

Download
memory/1808-437-0x0000000000000000-mapping.dmp

Download
memory/1856-178-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1856-179-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1856-173-0x0000000000000000-mapping.dmp

Download
memory/1884-496-0x0000000000000000-mapping.dmp

Download
memory/2028-284-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2028-282-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2028-278-0x0000000000000000-mapping.dmp

Download
memory/2320-455-0x0000000000000000-mapping.dmp

Download
memory/2432-245-0x0000000000000000-mapping.dmp

Download
memory/2432-250-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2540-457-0x0000000000000000-mapping.dmp

Download
memory/2788-199-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2788-182-0x0000000000000000-mapping.dmp

Download
memory/2788-198-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2808-508-0x0000000000000000-mapping.dmp

Download
memory/2868-295-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2868-290-0x0000000000000000-mapping.dmp

Download
memory/2868-296-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3000-180-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3000-130-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3012-433-0x0000000000000000-mapping.dmp

Download
memory/3044-445-0x0000000000000000-mapping.dmp

Download
memory/3148-362-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3148-358-0x0000000000000000-mapping.dmp

Download
memory/3148-364-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3184-522-0x0000000000000000-mapping.dmp

Download
memory/3204-405-0x0000000000000000-mapping.dmp

Download
memory/3204-409-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3328-489-0x0000000000000000-mapping.dmp

Download
memory/3448-540-0x0000000000000000-mapping.dmp

Download
memory/3532-476-0x0000000000000000-mapping.dmp

Download
memory/3700-200-0x0000000000000000-mapping.dmp

Download
memory/3700-216-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3708-270-0x0000000000000000-mapping.dmp

Download
memory/3708-285-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3708-281-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3776-388-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3776-378-0x0000000000000000-mapping.dmp

Download
memory/3776-386-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3928-252-0x0000000000000000-mapping.dmp

Download
memory/3928-263-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3928-269-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3936-466-0x0000000000000000-mapping.dmp

Download
memory/3968-443-0x0000000000000000-mapping.dmp

Download
memory/4024-262-0x0000000000000000-mapping.dmp

Download
memory/4024-268-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4176-398-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4176-399-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4176-389-0x0000000000000000-mapping.dmp

Download
memory/4308-286-0x0000000000000000-mapping.dmp

Download
memory/4308-297-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4308-293-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4400-354-0x0000000000000000-mapping.dmp

Download
memory/4400-361-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4400-365-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4532-210-0x0000000000000000-mapping.dmp

Download
memory/4532-215-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4532-382-0x0000000000000000-mapping.dmp

Download
memory/4532-387-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4644-351-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4644-347-0x0000000000000000-mapping.dmp

Download
memory/4692-336-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4692-332-0x0000000000000000-mapping.dmp

Download
memory/4692-342-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4712-419-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4712-415-0x0000000000000000-mapping.dmp

Download
memory/4716-337-0x0000000000000000-mapping.dmp

Download
memory/4716-530-0x0000000000000000-mapping.dmp

Download
memory/4716-341-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4736-529-0x0000000000000000-mapping.dmp

Download
memory/4772-343-0x0000000000000000-mapping.dmp

Download
memory/4772-353-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4772-352-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4780-547-0x0000000000000000-mapping.dmp

Download
memory/4832-397-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4832-393-0x0000000000000000-mapping.dmp

Download
memory/4856-230-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4856-217-0x0000000000000000-mapping.dmp

Download
memory/4856-234-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4888-302-0x0000000000000000-mapping.dmp

Download
memory/4888-307-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4964-306-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4964-298-0x0000000000000000-mapping.dmp

Download
memory/4964-308-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5076-313-0x0000000000000000-mapping.dmp

Download
memory/5076-317-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5076-319-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5104-197-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5104-192-0x0000000000000000-mapping.dmp

Download