61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
Size

554KB
MD5

920dbc03f2b68c7858e190b329564080
SHA1

816c13db1ca80eb5673cab7a47955dea8e9b98b6
SHA256

61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee
SHA512

726ad60eeb6868487336340d90d1fb56571b1ed4cae58766db95034b82f0523dcb57f60743dba8bc3df6876a2f34d9bab94f79ba7ae81aeb6ea33c41c6ceebc4
SSDEEP

6144:imVCRD/xy7N6MQ2K2mm0Wse1/QlmznD0ui2n3R9e/l+AlK/HLKzuCMU7cDFlGI/w:iFD/xys2K2mmHs+00Ddi2n3XeN+bHIT

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\VaultCmd.exe"	reg.exe

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\585N35DY7U.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\585N35DY7U.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
960	VaultCmd.exe
1688	typeperf.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/844-58-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/844-60-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/844-61-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/844-64-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/844-67-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/844-68-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/844-101-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1020-120-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
960	VaultCmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1688 set thread context of 1020	1688	typeperf.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1708	reg.exe
812	reg.exe
1636	reg.exe
1248	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
960	VaultCmd.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
960	VaultCmd.exe
960	VaultCmd.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1688	typeperf.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1688	typeperf.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1688	typeperf.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1688	typeperf.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1688	typeperf.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1688	typeperf.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1688	typeperf.exe
960	VaultCmd.exe
960	VaultCmd.exe
960	VaultCmd.exe
1688	typeperf.exe
960	VaultCmd.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
Token: SeDebugPrivilege	960	VaultCmd.exe
Token: 1	844	AppLaunch.exe
Token: SeCreateTokenPrivilege	844	AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege	844	AppLaunch.exe
Token: SeLockMemoryPrivilege	844	AppLaunch.exe
Token: SeIncreaseQuotaPrivilege	844	AppLaunch.exe
Token: SeMachineAccountPrivilege	844	AppLaunch.exe
Token: SeTcbPrivilege	844	AppLaunch.exe
Token: SeSecurityPrivilege	844	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	844	AppLaunch.exe
Token: SeLoadDriverPrivilege	844	AppLaunch.exe
Token: SeSystemProfilePrivilege	844	AppLaunch.exe
Token: SeSystemtimePrivilege	844	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	844	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	844	AppLaunch.exe
Token: SeCreatePagefilePrivilege	844	AppLaunch.exe
Token: SeCreatePermanentPrivilege	844	AppLaunch.exe
Token: SeBackupPrivilege	844	AppLaunch.exe
Token: SeRestorePrivilege	844	AppLaunch.exe
Token: SeShutdownPrivilege	844	AppLaunch.exe
Token: SeDebugPrivilege	844	AppLaunch.exe
Token: SeAuditPrivilege	844	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	844	AppLaunch.exe
Token: SeChangeNotifyPrivilege	844	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	844	AppLaunch.exe
Token: SeUndockPrivilege	844	AppLaunch.exe
Token: SeSyncAgentPrivilege	844	AppLaunch.exe
Token: SeEnableDelegationPrivilege	844	AppLaunch.exe
Token: SeManageVolumePrivilege	844	AppLaunch.exe
Token: SeImpersonatePrivilege	844	AppLaunch.exe
Token: SeCreateGlobalPrivilege	844	AppLaunch.exe
Token: 31	844	AppLaunch.exe
Token: 32	844	AppLaunch.exe
Token: 33	844	AppLaunch.exe
Token: 34	844	AppLaunch.exe
Token: 35	844	AppLaunch.exe
Token: SeDebugPrivilege	1688	typeperf.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
844	AppLaunch.exe
844	AppLaunch.exe
844	AppLaunch.exe
844	AppLaunch.exe
844	AppLaunch.exe
1020	AppLaunch.exe
1020	AppLaunch.exe
844	AppLaunch.exe
844	AppLaunch.exe
844	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 844	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	26
PID 1348 wrote to memory of 960	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	27
PID 1348 wrote to memory of 960	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	27
PID 1348 wrote to memory of 960	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	27
PID 1348 wrote to memory of 960	1348	61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe	27
PID 844 wrote to memory of 936	844	AppLaunch.exe	28
PID 844 wrote to memory of 936	844	AppLaunch.exe	28
PID 844 wrote to memory of 936	844	AppLaunch.exe	28
PID 844 wrote to memory of 936	844	AppLaunch.exe	28
PID 844 wrote to memory of 936	844	AppLaunch.exe	28
PID 844 wrote to memory of 936	844	AppLaunch.exe	28
PID 844 wrote to memory of 936	844	AppLaunch.exe	28
PID 844 wrote to memory of 1532	844	AppLaunch.exe	30
PID 844 wrote to memory of 1532	844	AppLaunch.exe	30
PID 844 wrote to memory of 1532	844	AppLaunch.exe	30
PID 844 wrote to memory of 1532	844	AppLaunch.exe	30
PID 844 wrote to memory of 1532	844	AppLaunch.exe	30
PID 844 wrote to memory of 1532	844	AppLaunch.exe	30
PID 844 wrote to memory of 1532	844	AppLaunch.exe	30
PID 844 wrote to memory of 752	844	AppLaunch.exe	32
PID 844 wrote to memory of 752	844	AppLaunch.exe	32
PID 844 wrote to memory of 752	844	AppLaunch.exe	32
PID 844 wrote to memory of 752	844	AppLaunch.exe	32
PID 844 wrote to memory of 752	844	AppLaunch.exe	32
PID 844 wrote to memory of 752	844	AppLaunch.exe	32
PID 844 wrote to memory of 752	844	AppLaunch.exe	32
PID 844 wrote to memory of 948	844	AppLaunch.exe	33
PID 844 wrote to memory of 948	844	AppLaunch.exe	33
PID 844 wrote to memory of 948	844	AppLaunch.exe	33
PID 844 wrote to memory of 948	844	AppLaunch.exe	33
PID 844 wrote to memory of 948	844	AppLaunch.exe	33
PID 844 wrote to memory of 948	844	AppLaunch.exe	33
PID 844 wrote to memory of 948	844	AppLaunch.exe	33
PID 936 wrote to memory of 1248	936	cmd.exe	39
PID 936 wrote to memory of 1248	936	cmd.exe	39
PID 936 wrote to memory of 1248	936	cmd.exe	39
PID 936 wrote to memory of 1248	936	cmd.exe	39
PID 936 wrote to memory of 1248	936	cmd.exe	39
PID 936 wrote to memory of 1248	936	cmd.exe	39
PID 936 wrote to memory of 1248	936	cmd.exe	39
PID 948 wrote to memory of 1708	948	cmd.exe	36
PID 948 wrote to memory of 1708	948	cmd.exe	36
PID 948 wrote to memory of 1708	948	cmd.exe	36
PID 948 wrote to memory of 1708	948	cmd.exe	36
PID 948 wrote to memory of 1708	948	cmd.exe	36
PID 948 wrote to memory of 1708	948	cmd.exe	36
PID 948 wrote to memory of 1708	948	cmd.exe	36
PID 1532 wrote to memory of 812	1532	cmd.exe	37
PID 1532 wrote to memory of 812	1532	cmd.exe	37
PID 1532 wrote to memory of 812	1532	cmd.exe	37
PID 1532 wrote to memory of 812	1532	cmd.exe	37
PID 1532 wrote to memory of 812	1532	cmd.exe	37
PID 1532 wrote to memory of 812	1532	cmd.exe	37
PID 1532 wrote to memory of 812	1532	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe
"C:\Users\Admin\AppData\Local\Temp\61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\585N35DY7U.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\585N35DY7U.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\585N35DY7U.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\585N35DY7U.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1708
- C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe
  "C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\typeperf.exe
    "C:\Users\Admin\AppData\Local\Temp\typeperf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe" /f
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe" /f
      4⤵
      Modifies WinLogon for persistence
      PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\typeperf.exe

Filesize
554KB

MD5
920dbc03f2b68c7858e190b329564080

SHA1
816c13db1ca80eb5673cab7a47955dea8e9b98b6

SHA256
61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee

SHA512
726ad60eeb6868487336340d90d1fb56571b1ed4cae58766db95034b82f0523dcb57f60743dba8bc3df6876a2f34d9bab94f79ba7ae81aeb6ea33c41c6ceebc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\typeperf.exe

Filesize
554KB

MD5
920dbc03f2b68c7858e190b329564080

SHA1
816c13db1ca80eb5673cab7a47955dea8e9b98b6

SHA256
61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee

SHA512
726ad60eeb6868487336340d90d1fb56571b1ed4cae58766db95034b82f0523dcb57f60743dba8bc3df6876a2f34d9bab94f79ba7ae81aeb6ea33c41c6ceebc4

Download Submit
\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
\Users\Admin\AppData\Local\Temp\typeperf.exe

Filesize
554KB

MD5
920dbc03f2b68c7858e190b329564080

SHA1
816c13db1ca80eb5673cab7a47955dea8e9b98b6

SHA256
61813e2eaf167ce0b7db5db00760d2247128b918d69c5cdd6d8c86ccb978e9ee

SHA512
726ad60eeb6868487336340d90d1fb56571b1ed4cae58766db95034b82f0523dcb57f60743dba8bc3df6876a2f34d9bab94f79ba7ae81aeb6ea33c41c6ceebc4

Download Submit
memory/844-58-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/844-67-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/844-68-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/844-64-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/844-61-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/844-60-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/844-57-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/844-101-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/960-93-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/960-103-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1020-120-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1348-56-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-104-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-55-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1688-102-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-121-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download