df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2

Analysis

max time kernel
150s
max time network
101s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
Size

840KB
MD5

024ffc0a906b6ef8618e02c6349b1e61
SHA1

eebb32abf9151f35345869181eb8ffb88f21fabe
SHA256

df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2
SHA512

00982b9809900bb2cc05592c5d03608c43823bab0f377766b476e248c0ff2716041fab3ae7c4c1a9d6527e0e483078207c15e47ec7c7fa0579372c0ee93d27d9
SSDEEP

12288:gCpyvXFPTfnCvX66h/NYJ9nDW6FApNg3gZqdDUtOuBiMc/j6KRVrxn7Nl4+GtlrL:dk9P7nCvX6MNYLIbgYJ3chra+GbrL

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d3WQGzd9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zauda.exe

Executes dropped EXE 10 IoCs

pid	Process
2000	d3WQGzd9.exe
2020	zauda.exe
1952	awhost.exe
1328	bwhost.exe
984	bwhost.exe
1416	cwhost.exe
336	csrss.exe
1620	cwhost.exe
580	cwhost.exe
1876	dwhost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1416-148-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/1620-155-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/1416-158-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/580-163-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1384	cmd.exe

Loads dropped DLL 14 IoCs

pid	Process
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
2000	d3WQGzd9.exe
2000	d3WQGzd9.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1416	cwhost.exe
848	DllHost.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /y"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /w"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /W"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /v"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /x"	zauda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Program Files (x86)\\Internet Explorer\\lvvm.exe"	cwhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /Z"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /C"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /X"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /J"	zauda.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /g"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /F"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /z"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /N"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /s"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /T"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /R"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /q"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /M"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /o"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /j"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /b"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /e"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /l"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /k"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /h"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /d"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /S"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /Y"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /I"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /t"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /U"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /i"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /l"	d3WQGzd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /B"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /G"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /D"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /u"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /O"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /A"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /K"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /V"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /c"	zauda.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d3WQGzd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /f"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /E"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /a"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /r"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /L"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /P"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /Q"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /H"	zauda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauda = "C:\\Users\\Admin\\zauda.exe /m"	zauda.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1392 set thread context of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1952 set thread context of 1368	1952	awhost.exe	35
PID 1328 set thread context of 984	1328	bwhost.exe	37
PID 984 set thread context of 880	984	bwhost.exe	38

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\lvvm.exe	cwhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1932	tasklist.exe
688	tasklist.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{a8b10a90-7cc9-cb3a-842b-f0e02d692f2a}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a8b10a90-7cc9-cb3a-842b-f0e02d692f2a}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a8b10a90-7cc9-cb3a-842b-f0e02d692f2a}\cid = "8252587850640571031"	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	d3WQGzd9.exe
2000	d3WQGzd9.exe
1368	svchost.exe
2020	zauda.exe
2020	zauda.exe
1368	svchost.exe
880	explorer.exe
880	explorer.exe
2020	zauda.exe
2020	zauda.exe
2020	zauda.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
2020	zauda.exe
2020	zauda.exe
2020	zauda.exe
2020	zauda.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
2020	zauda.exe
2020	zauda.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
880	explorer.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
2020	zauda.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
2020	zauda.exe
2020	zauda.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
2020	zauda.exe
2020	zauda.exe
2020	zauda.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	tasklist.exe
Token: SeDebugPrivilege	880	explorer.exe
Token: SeDebugPrivilege	688	tasklist.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
2000	d3WQGzd9.exe
2020	zauda.exe
1952	awhost.exe
1328	bwhost.exe
1876	dwhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1392 wrote to memory of 1032	1392	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	27
PID 1032 wrote to memory of 2000	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	28
PID 1032 wrote to memory of 2000	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	28
PID 1032 wrote to memory of 2000	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	28
PID 1032 wrote to memory of 2000	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	28
PID 2000 wrote to memory of 2020	2000	d3WQGzd9.exe	29
PID 2000 wrote to memory of 2020	2000	d3WQGzd9.exe	29
PID 2000 wrote to memory of 2020	2000	d3WQGzd9.exe	29
PID 2000 wrote to memory of 2020	2000	d3WQGzd9.exe	29
PID 2000 wrote to memory of 1316	2000	d3WQGzd9.exe	30
PID 2000 wrote to memory of 1316	2000	d3WQGzd9.exe	30
PID 2000 wrote to memory of 1316	2000	d3WQGzd9.exe	30
PID 2000 wrote to memory of 1316	2000	d3WQGzd9.exe	30
PID 1316 wrote to memory of 1932	1316	cmd.exe	32
PID 1316 wrote to memory of 1932	1316	cmd.exe	32
PID 1316 wrote to memory of 1932	1316	cmd.exe	32
PID 1316 wrote to memory of 1932	1316	cmd.exe	32
PID 1032 wrote to memory of 1952	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	34
PID 1032 wrote to memory of 1952	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	34
PID 1032 wrote to memory of 1952	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	34
PID 1032 wrote to memory of 1952	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	34
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1952 wrote to memory of 1368	1952	awhost.exe	35
PID 1032 wrote to memory of 1328	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	36
PID 1032 wrote to memory of 1328	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	36
PID 1032 wrote to memory of 1328	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	36
PID 1032 wrote to memory of 1328	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	36
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 1328 wrote to memory of 984	1328	bwhost.exe	37
PID 984 wrote to memory of 880	984	bwhost.exe	38
PID 984 wrote to memory of 880	984	bwhost.exe	38
PID 984 wrote to memory of 880	984	bwhost.exe	38
PID 984 wrote to memory of 880	984	bwhost.exe	38
PID 984 wrote to memory of 880	984	bwhost.exe	38
PID 1032 wrote to memory of 1416	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	39
PID 1032 wrote to memory of 1416	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	39
PID 1032 wrote to memory of 1416	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	39
PID 1032 wrote to memory of 1416	1032	df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe	39
PID 880 wrote to memory of 336	880	explorer.exe	24

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:336

C:\Users\Admin\AppData\Local\Temp\df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
"C:\Users\Admin\AppData\Local\Temp\df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
  "C:\Users\Admin\AppData\Local\Temp\df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\d3WQGzd9.exe
    C:\Users\Admin\d3WQGzd9.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\zauda.exe
      "C:\Users\Admin\zauda.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del d3WQGzd9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
- - C:\Users\Admin\awhost.exe
    C:\Users\Admin\awhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1368
- - C:\Users\Admin\bwhost.exe
    C:\Users\Admin\bwhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\bwhost.exe
      "C:\Users\Admin\bwhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Windows\explorer.exe
        
        0000003C*
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
- - C:\Users\Admin\cwhost.exe
    C:\Users\Admin\cwhost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    PID:1416
  - - C:\Users\Admin\cwhost.exe
      C:\Users\Admin\cwhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      PID:1620
  - - C:\Users\Admin\cwhost.exe
      C:\Users\Admin\cwhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      PID:580
- - C:\Users\Admin\dwhost.exe
    C:\Users\Admin\dwhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
    3⤵
    - Deletes itself
    PID:1384
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:848

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
C:\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
C:\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
C:\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
C:\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
C:\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
C:\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
C:\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
C:\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
C:\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
C:\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
C:\Users\Admin\dwhost.exe

Filesize
24KB

MD5
aaa893d374547f20f7fdd7c3b6c56b36

SHA1
f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

SHA256
17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

SHA512
491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

Download Submit
C:\Users\Admin\zauda.exe

Filesize
364KB

MD5
b94829f71bf0c5842ea78aa0b976c129

SHA1
3c1b0d7b45ecbd2069a722ab9c1549c299c86c89

SHA256
cffed0c3fe5e9f34e1d9364bef53f9216cb13baae2d865e4f09a8651d864b8b2

SHA512
f2b72b15386d735590a3593a6adb4bd88d7acb634b6e4b3f75823e4fac11aa4c56bae222355eeb395f8c9f9c5d375fe57f76ac82fc9666a2f68f9d1a9c469384

Download Submit
C:\Users\Admin\zauda.exe

Filesize
364KB

MD5
b94829f71bf0c5842ea78aa0b976c129

SHA1
3c1b0d7b45ecbd2069a722ab9c1549c299c86c89

SHA256
cffed0c3fe5e9f34e1d9364bef53f9216cb13baae2d865e4f09a8651d864b8b2

SHA512
f2b72b15386d735590a3593a6adb4bd88d7acb634b6e4b3f75823e4fac11aa4c56bae222355eeb395f8c9f9c5d375fe57f76ac82fc9666a2f68f9d1a9c469384

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
53KB

MD5
68689b2e7472e2cfb3f39da8a59505d9

SHA1
5be15784ab1193dc13ac24ec1efcabded5fe2df4

SHA256
f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

SHA512
269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

Download Submit
\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
\Users\Admin\dwhost.exe

Filesize
24KB

MD5
aaa893d374547f20f7fdd7c3b6c56b36

SHA1
f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

SHA256
17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

SHA512
491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

Download Submit
\Users\Admin\dwhost.exe

Filesize
24KB

MD5
aaa893d374547f20f7fdd7c3b6c56b36

SHA1
f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

SHA256
17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

SHA512
491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

Download Submit
\Users\Admin\zauda.exe

Filesize
364KB

MD5
b94829f71bf0c5842ea78aa0b976c129

SHA1
3c1b0d7b45ecbd2069a722ab9c1549c299c86c89

SHA256
cffed0c3fe5e9f34e1d9364bef53f9216cb13baae2d865e4f09a8651d864b8b2

SHA512
f2b72b15386d735590a3593a6adb4bd88d7acb634b6e4b3f75823e4fac11aa4c56bae222355eeb395f8c9f9c5d375fe57f76ac82fc9666a2f68f9d1a9c469384

Download Submit
\Users\Admin\zauda.exe

Filesize
364KB

MD5
b94829f71bf0c5842ea78aa0b976c129

SHA1
3c1b0d7b45ecbd2069a722ab9c1549c299c86c89

SHA256
cffed0c3fe5e9f34e1d9364bef53f9216cb13baae2d865e4f09a8651d864b8b2

SHA512
f2b72b15386d735590a3593a6adb4bd88d7acb634b6e4b3f75823e4fac11aa4c56bae222355eeb395f8c9f9c5d375fe57f76ac82fc9666a2f68f9d1a9c469384

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
68689b2e7472e2cfb3f39da8a59505d9

SHA1
5be15784ab1193dc13ac24ec1efcabded5fe2df4

SHA256
f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

SHA512
269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
ff7d5ec20bf73c02317e7a740fffe018

SHA1
365ac8cfe5b939854cc1c341caf051bcc45f9372

SHA256
1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a

SHA512
30854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
3e7a118b119428247edfc5d5ef3761bc

SHA1
140e4cb00107678160411f016c4c17611580a209

SHA256
97c19f4103a16798202e50a501375d0bf3d7ec1bb654dda230337e85b01b1ec5

SHA512
b0e27a4d7aa62f937f275b9f413f75857846ae670bf3aed6e55c1db865485fda89e33dcdffa02ae2ab25f48d5f63f869232f9e6d69f9cdc8a5c93f39de09a925

Download Submit
memory/336-145-0x0000000001F00000-0x0000000001F12000-memory.dmp

Filesize
72KB

Download
memory/336-157-0x0000000001F00000-0x0000000001F12000-memory.dmp

Filesize
72KB

Download
memory/580-164-0x0000000000540000-0x0000000000558000-memory.dmp

Filesize
96KB

Download
memory/580-163-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/880-132-0x0000000000060000-0x0000000000075000-memory.dmp

Filesize
84KB

Download
memory/880-137-0x0000000001B20000-0x0000000001B39000-memory.dmp

Filesize
100KB

Download
memory/880-131-0x0000000001B20000-0x0000000001B39000-memory.dmp

Filesize
100KB

Download
memory/880-126-0x0000000001B20000-0x0000000001B39000-memory.dmp

Filesize
100KB

Download
memory/984-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1032-172-0x0000000002780000-0x000000000323A000-memory.dmp

Filesize
10.7MB

Download
memory/1032-174-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1032-67-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1032-138-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1032-62-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1032-57-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1032-59-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1032-68-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1032-56-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1368-100-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-98-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-101-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-95-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-94-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-102-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-105-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-97-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-106-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1416-148-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1416-159-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/1416-158-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1416-149-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/1620-156-0x0000000000530000-0x0000000000548000-memory.dmp

Filesize
96KB

Download
memory/1620-155-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download