f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
Size

626KB
MD5

b8b4e23bef6680bb4f36af3a7d820b24
SHA1

e725da4a8a2d5b8f0fe7b214625f473c793a3b94
SHA256

f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89
SHA512

04cf97efa98fced5b8c48cf42681852d466858a6851e96fdb9fdaadfd769fd70521f66dbaabdbfd3fdd270ea933d487d69432219c00fc918555527d9170edbc6
SSDEEP

12288:IDyLu+6UozqxxVEBJD67GnwLQVoFRo58dZNUoPpdgm8nMwiTuOy:IDyS0xxV+JSGnwLBFLTPpN8nMwiSOy

Score

9^/10

collection spyware stealer

Malware Config

Signatures

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1188-139-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1188-144-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1188-149-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1188-154-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2628-151-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2628-157-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2628-161-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2628-162-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/1188-139-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1188-144-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1188-149-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2628-151-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/1188-154-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2628-157-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2628-161-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2628-162-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
4000	natsv.exe
3008	dnsmon.exe
4768	dnsmon.exe
5052	natsv.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	natsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dnsmon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 2076 set thread context of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 set thread context of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 3008 set thread context of 4768	3008	dnsmon.exe	101

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
4000	natsv.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
4000	natsv.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
4000	natsv.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
4000	natsv.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
4000	natsv.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
4000	natsv.exe
5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
2628	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
2628	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
3008	dnsmon.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe
3008	dnsmon.exe
5052	natsv.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
4768	dnsmon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
Token: SeDebugPrivilege	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
Token: SeDebugPrivilege	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
Token: SeDebugPrivilege	4000	natsv.exe
Token: SeDebugPrivilege	3008	dnsmon.exe
Token: SeDebugPrivilege	3008	dnsmon.exe
Token: SeDebugPrivilege	5052	natsv.exe
Token: SeDebugPrivilege	4768	dnsmon.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4548	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	85
PID 5000 wrote to memory of 4548	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	85
PID 5000 wrote to memory of 4548	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	85
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2076	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	88
PID 5000 wrote to memory of 2788	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	89
PID 5000 wrote to memory of 2788	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	89
PID 5000 wrote to memory of 2788	5000	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	89
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2076 wrote to memory of 1188	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	91
PID 2788 wrote to memory of 4000	2788	cmd.exe	92
PID 2788 wrote to memory of 4000	2788	cmd.exe	92
PID 2788 wrote to memory of 4000	2788	cmd.exe	92
PID 4000 wrote to memory of 1780	4000	natsv.exe	93
PID 4000 wrote to memory of 1780	4000	natsv.exe	93
PID 4000 wrote to memory of 1780	4000	natsv.exe	93
PID 1780 wrote to memory of 2520	1780	cmd.exe	95
PID 1780 wrote to memory of 2520	1780	cmd.exe	95
PID 1780 wrote to memory of 2520	1780	cmd.exe	95
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 2076 wrote to memory of 2628	2076	f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe	96
PID 4000 wrote to memory of 3008	4000	natsv.exe	97
PID 4000 wrote to memory of 3008	4000	natsv.exe	97
PID 4000 wrote to memory of 3008	4000	natsv.exe	97
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 4768	3008	dnsmon.exe	101
PID 3008 wrote to memory of 1408	3008	dnsmon.exe	102
PID 3008 wrote to memory of 1408	3008	dnsmon.exe	102
PID 3008 wrote to memory of 1408	3008	dnsmon.exe	102
PID 1408 wrote to memory of 5052	1408	cmd.exe	104
PID 1408 wrote to memory of 5052	1408	cmd.exe	104
PID 1408 wrote to memory of 5052	1408	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
"C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
  2⤵
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
  "C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
    "C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe" /stext C:\ProgramData\Mails.txt
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1188
- - C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe
    "C:\Users\Admin\AppData\Local\Temp\f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89.exe" /stext C:\ProgramData\Browsers.txt
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
        5⤵
        
        PID:2520
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Browsers.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\natsv.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe

Filesize
626KB

MD5
b8b4e23bef6680bb4f36af3a7d820b24

SHA1
e725da4a8a2d5b8f0fe7b214625f473c793a3b94

SHA256
f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89

SHA512
04cf97efa98fced5b8c48cf42681852d466858a6851e96fdb9fdaadfd769fd70521f66dbaabdbfd3fdd270ea933d487d69432219c00fc918555527d9170edbc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe

Filesize
626KB

MD5
b8b4e23bef6680bb4f36af3a7d820b24

SHA1
e725da4a8a2d5b8f0fe7b214625f473c793a3b94

SHA256
f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89

SHA512
04cf97efa98fced5b8c48cf42681852d466858a6851e96fdb9fdaadfd769fd70521f66dbaabdbfd3fdd270ea933d487d69432219c00fc918555527d9170edbc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe

Filesize
626KB

MD5
b8b4e23bef6680bb4f36af3a7d820b24

SHA1
e725da4a8a2d5b8f0fe7b214625f473c793a3b94

SHA256
f118befe8f6796fa3972cbf51b688b24799df50c53cdbb70334c3541d7d8ed89

SHA512
04cf97efa98fced5b8c48cf42681852d466858a6851e96fdb9fdaadfd769fd70521f66dbaabdbfd3fdd270ea933d487d69432219c00fc918555527d9170edbc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe

Filesize
19KB

MD5
709b06bb9909f9b36994e7420b187893

SHA1
07855e0d08a9f600282d935d6f91527cd52457fe

SHA256
f45777b61c3d2a2534fdc59bc4c500bd33e74083de5f4df2ce964a53f2cc68b0

SHA512
fcb8ff967ecafb533d298a4ed2138cd6a3287eb93c3d7e5e00581cdae651f2b4004f89347a21f4e6699433282c5370a8698a5a80265d8d834a0669a907d518b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe

Filesize
19KB

MD5
709b06bb9909f9b36994e7420b187893

SHA1
07855e0d08a9f600282d935d6f91527cd52457fe

SHA256
f45777b61c3d2a2534fdc59bc4c500bd33e74083de5f4df2ce964a53f2cc68b0

SHA512
fcb8ff967ecafb533d298a4ed2138cd6a3287eb93c3d7e5e00581cdae651f2b4004f89347a21f4e6699433282c5370a8698a5a80265d8d834a0669a907d518b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe

Filesize
19KB

MD5
709b06bb9909f9b36994e7420b187893

SHA1
07855e0d08a9f600282d935d6f91527cd52457fe

SHA256
f45777b61c3d2a2534fdc59bc4c500bd33e74083de5f4df2ce964a53f2cc68b0

SHA512
fcb8ff967ecafb533d298a4ed2138cd6a3287eb93c3d7e5e00581cdae651f2b4004f89347a21f4e6699433282c5370a8698a5a80265d8d834a0669a907d518b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe

Filesize
19KB

MD5
709b06bb9909f9b36994e7420b187893

SHA1
07855e0d08a9f600282d935d6f91527cd52457fe

SHA256
f45777b61c3d2a2534fdc59bc4c500bd33e74083de5f4df2ce964a53f2cc68b0

SHA512
fcb8ff967ecafb533d298a4ed2138cd6a3287eb93c3d7e5e00581cdae651f2b4004f89347a21f4e6699433282c5370a8698a5a80265d8d834a0669a907d518b8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
514B

MD5
759dd1a3528f89ddca72040d8bf9264a

SHA1
311e4a971469847d99c6627bc59a4914ddbd60a4

SHA256
55db12098043e6237c7ef625d01b43fa8782200f8b59ac21f98b7113fa39ba81

SHA512
753219dece7e4a1eb284dcbf78902776b1f7e51fa09efd3bc1d07f287d97c466089fe86b1f189557575118a47bb70fbe989b7b02cd4573814e52b722f68d0529

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
514B

MD5
759dd1a3528f89ddca72040d8bf9264a

SHA1
311e4a971469847d99c6627bc59a4914ddbd60a4

SHA256
55db12098043e6237c7ef625d01b43fa8782200f8b59ac21f98b7113fa39ba81

SHA512
753219dece7e4a1eb284dcbf78902776b1f7e51fa09efd3bc1d07f287d97c466089fe86b1f189557575118a47bb70fbe989b7b02cd4573814e52b722f68d0529

Download Submit
memory/1188-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-154-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-146-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2076-176-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2628-161-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2628-157-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2628-162-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2628-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3008-158-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3008-177-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4000-159-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4000-147-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-170-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4768-178-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5000-132-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5000-133-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5000-160-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-175-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-179-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download