f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1

Analysis

max time kernel
112s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Size

167KB
MD5

a0b87e9cdb91b839a7c9f593c4f2bc86
SHA1

3ad5bee62f643533969fbcfa204b5482ab9dd976
SHA256

f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1
SHA512

5474f9ec092e22a6abbd2a86160f6e2532c6897a896e8aaca24fbd53c16ce321b4bf7d8282a7ffefd2d1110db21abd13c4daf14fa84204b64c400c44af6263a4
SSDEEP

3072:Hvmp70lTBprTKDW5hYPjK3oWisThOcXM+qmp70lTBprTKDW5hYPjK3oWisThOcXM:DBXUPjO1ThsBXUPjO1Th

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 22 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000022e34-134.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-135.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e4a-141.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e4a-140.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-152.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-177.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e5b-178.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e5b-183.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e67-188.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e67-193.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e6f-206.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e6f-207.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-239.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-245.dat	aspack_v212_v242
behavioral2/files/0x000c000000022e5e-246.dat	aspack_v212_v242
behavioral2/files/0x000c000000022e5e-248.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-262.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-265.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-277.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-281.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-287.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e34-291.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

pid	Process
4980	6de708af.exe
3304	6de708af.exe
3756	6de708af.exe
5080	6de708af.exe
2412	6de708af.exe
4056	6de708af.exe

Sets DLL path for service in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	6de708af.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	6de708af.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	6de708af.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	6de708af.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	6de708af.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2200-132-0x0000000000640000-0x000000000067A000-memory.dmp	upx
behavioral2/files/0x0008000000022e34-134.dat	upx
behavioral2/files/0x0008000000022e34-135.dat	upx
behavioral2/memory/4980-136-0x00000000004F0000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/4980-137-0x00000000004F0000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/4980-138-0x00000000004F0000-0x0000000000515000-memory.dmp	upx
behavioral2/files/0x0006000000022e4a-141.dat	upx
behavioral2/files/0x0006000000022e4a-140.dat	upx
behavioral2/memory/2248-142-0x00000000753F0000-0x0000000075415000-memory.dmp	upx
behavioral2/memory/2248-143-0x00000000753F0000-0x0000000075415000-memory.dmp	upx
behavioral2/memory/2248-146-0x00000000753F0000-0x0000000075415000-memory.dmp	upx
behavioral2/memory/2200-147-0x0000000000640000-0x000000000067A000-memory.dmp	upx
behavioral2/memory/2200-145-0x0000000000640000-0x000000000067A000-memory.dmp	upx
behavioral2/files/0x0006000000022e4d-150.dat	upx
behavioral2/files/0x0006000000022e4d-149.dat	upx
behavioral2/files/0x0008000000022e34-152.dat	upx
behavioral2/memory/3304-153-0x00000000006E0000-0x0000000000705000-memory.dmp	upx
behavioral2/memory/3304-154-0x00000000006E0000-0x0000000000705000-memory.dmp	upx
behavioral2/memory/2992-155-0x00000000751E0000-0x000000007521A000-memory.dmp	upx
behavioral2/memory/3304-156-0x00000000006E0000-0x0000000000705000-memory.dmp	upx
behavioral2/files/0x0006000000022e4f-158.dat	upx
behavioral2/files/0x0006000000022e4f-159.dat	upx
behavioral2/memory/4708-161-0x00000000751A0000-0x00000000751DA000-memory.dmp	upx
behavioral2/memory/4708-160-0x00000000751A0000-0x00000000751DA000-memory.dmp	upx
behavioral2/memory/4708-162-0x00000000751A0000-0x00000000751DA000-memory.dmp	upx
behavioral2/files/0x0006000000022e53-163.dat	upx
behavioral2/files/0x0006000000022e53-166.dat	upx
behavioral2/memory/4600-167-0x0000000074B30000-0x0000000074B6A000-memory.dmp	upx
behavioral2/memory/4600-168-0x0000000074B30000-0x0000000074B6A000-memory.dmp	upx
behavioral2/memory/4600-170-0x0000000074B30000-0x0000000074B6A000-memory.dmp	upx
behavioral2/files/0x0006000000022e54-169.dat	upx
behavioral2/memory/1216-172-0x0000000074AF0000-0x0000000074B2A000-memory.dmp	upx
behavioral2/memory/1216-173-0x0000000074AF0000-0x0000000074B2A000-memory.dmp	upx
behavioral2/files/0x0006000000022e54-171.dat	upx
behavioral2/memory/1216-174-0x0000000074AF0000-0x0000000074B2A000-memory.dmp	upx
behavioral2/files/0x0008000000022e34-177.dat	upx
behavioral2/files/0x0009000000022e59-175.dat	upx
behavioral2/memory/216-180-0x0000000074A70000-0x0000000074AAA000-memory.dmp	upx
behavioral2/memory/216-181-0x0000000074A70000-0x0000000074AAA000-memory.dmp	upx
behavioral2/files/0x0009000000022e59-179.dat	upx
behavioral2/memory/216-182-0x0000000074A70000-0x0000000074AAA000-memory.dmp	upx
behavioral2/files/0x0006000000022e5b-178.dat	upx
behavioral2/memory/5108-184-0x0000000074940000-0x0000000074965000-memory.dmp	upx
behavioral2/files/0x0006000000022e5b-183.dat	upx
behavioral2/memory/5108-185-0x0000000074940000-0x0000000074965000-memory.dmp	upx
behavioral2/memory/5108-186-0x0000000074940000-0x0000000074965000-memory.dmp	upx
behavioral2/files/0x0007000000022e5d-187.dat	upx
behavioral2/files/0x0007000000022e5d-189.dat	upx
behavioral2/memory/4496-190-0x0000000074920000-0x000000007495A000-memory.dmp	upx
behavioral2/memory/4496-191-0x0000000074920000-0x000000007495A000-memory.dmp	upx
behavioral2/memory/4496-192-0x0000000074920000-0x000000007495A000-memory.dmp	upx
behavioral2/files/0x0006000000022e67-188.dat	upx
behavioral2/memory/3268-194-0x00000000749C0000-0x00000000749E5000-memory.dmp	upx
behavioral2/files/0x0006000000022e67-193.dat	upx
behavioral2/memory/3268-195-0x00000000749C0000-0x00000000749E5000-memory.dmp	upx
behavioral2/files/0x0007000000022e5d-196.dat	upx
behavioral2/files/0x0006000000022e6e-200.dat	upx
behavioral2/memory/2736-204-0x0000000073FE0000-0x000000007401A000-memory.dmp	upx
behavioral2/memory/3268-205-0x00000000749C0000-0x00000000749E5000-memory.dmp	upx
behavioral2/memory/2200-202-0x0000000000640000-0x000000000067A000-memory.dmp	upx
behavioral2/files/0x0006000000022e6e-199.dat	upx
behavioral2/memory/2736-201-0x0000000073FE0000-0x000000007401A000-memory.dmp	upx
behavioral2/files/0x0007000000022e6f-206.dat	upx
behavioral2/memory/3436-209-0x00000000756B0000-0x00000000756D5000-memory.dmp	upx

Loads dropped DLL 26 IoCs

pid	Process
2248	Svchost.exe
2992	Svchost.exe
4708	Svchost.exe
4600	Svchost.exe
1216	Svchost.exe
216	Svchost.exe
5108	Svchost.exe
4496	Svchost.exe
3268	Svchost.exe
4496	Svchost.exe
2736	Svchost.exe
3436	Svchost.exe
1216	Svchost.exe
4708	Svchost.exe
4600	Svchost.exe
4708	Svchost.exe
4600	Svchost.exe
2992	Svchost.exe
2992	Svchost.exe
216	Svchost.exe
964	Svchost.exe
216	Svchost.exe
2736	Svchost.exe
1216	Svchost.exe
4496	Svchost.exe
2736	Svchost.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ias.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\23D70B10.tmp	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\345C0B10.tmp	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\018C0B10.tmp	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\60C50B10.tmp	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\0DDB0B10.tmp	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\70070B10.tmp	6de708af.exe
File opened for modification	C:\Windows\SysWOW64\28A40B10.tmp	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	6de708af.exe

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1708	4708	WerFault.exe	84
3240	4600	WerFault.exe	88
5068	1216	WerFault.exe	89
3696	216	WerFault.exe	94
1248	4496	WerFault.exe	97
3880	1216	WerFault.exe	89
4048	2736	WerFault.exe	101
2044	2992	WerFault.exe	80
948	216	WerFault.exe	94
5032	4496	WerFault.exe	97
5096	1216	WerFault.exe	89
1840	2736	WerFault.exe	101
2184	2736	WerFault.exe	101

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4980	6de708af.exe
4980	6de708af.exe
2200	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
2200	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
3304	6de708af.exe
3304	6de708af.exe
3756	6de708af.exe
3756	6de708af.exe
5080	6de708af.exe
5080	6de708af.exe
2412	6de708af.exe
2412	6de708af.exe
4056	6de708af.exe
4056	6de708af.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4980	2200	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe	78
PID 2200 wrote to memory of 4980	2200	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe	78
PID 2200 wrote to memory of 4980	2200	f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe	78
PID 2992 wrote to memory of 3304	2992	Svchost.exe	81
PID 2992 wrote to memory of 3304	2992	Svchost.exe	81
PID 2992 wrote to memory of 3304	2992	Svchost.exe	81
PID 4708 wrote to memory of 3756	4708	Svchost.exe	112
PID 4708 wrote to memory of 3756	4708	Svchost.exe	112
PID 4708 wrote to memory of 3756	4708	Svchost.exe	112
PID 216 wrote to memory of 5080	216	Svchost.exe	121
PID 216 wrote to memory of 5080	216	Svchost.exe	121
PID 216 wrote to memory of 5080	216	Svchost.exe	121
PID 2736 wrote to memory of 2412	2736	Svchost.exe	125
PID 2736 wrote to memory of 2412	2736	Svchost.exe	125
PID 2736 wrote to memory of 2412	2736	Svchost.exe	125
PID 2736 wrote to memory of 4056	2736	Svchost.exe	132
PID 2736 wrote to memory of 4056	2736	Svchost.exe	132
PID 2736 wrote to memory of 4056	2736	Svchost.exe	132

C:\Users\Admin\AppData\Local\Temp\f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe
"C:\Users\Admin\AppData\Local\Temp\f10a289151e760502a63d3b520cf6789eeac7ce3f6a82057ed4c26d669d809d1.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\6de708af.exe
  C:\6de708af.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4980

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:2248

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992
- C:\6de708af.exe
  C:\6de708af.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 564
  2⤵
  - Program crash
  PID:2044

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 580
  2⤵
  - Program crash
  PID:1708
- C:\6de708af.exe
  C:\6de708af.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
1⤵
PID:1976

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:4600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 580
  2⤵
  - Program crash
  PID:3240

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:1216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 580
  2⤵
  - Program crash
  PID:5068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 616
  2⤵
  - Program crash
  PID:3880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 596
  2⤵
  - Program crash
  PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4600 -ip 4600
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1216 -ip 1216
1⤵
PID:4612

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 584
  2⤵
  - Program crash
  PID:3696
- C:\6de708af.exe
  C:\6de708af.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 484
  2⤵
  - Program crash
  PID:948

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 216 -ip 216
1⤵
PID:544

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:4496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 632
  2⤵
  - Program crash
  PID:1248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 536
  2⤵
  - Program crash
  PID:5032

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4496 -ip 4496
1⤵
PID:3528

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 580
  2⤵
  - Program crash
  PID:4048
- C:\6de708af.exe
  C:\6de708af.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 460
  2⤵
  - Program crash
  PID:1840
- C:\6de708af.exe
  C:\6de708af.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 472
  2⤵
  - Program crash
  PID:2184

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4496 -ip 4496
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2736 -ip 2736
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2992 -ip 2992
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4600 -ip 4600
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4708 -ip 4708
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1216 -ip 1216
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2992 -ip 2992
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4600 -ip 4600
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2992 -ip 2992
1⤵
PID:1504

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 216 -ip 216
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4708 -ip 4708
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 216 -ip 216
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4496 -ip 4496
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1216 -ip 1216
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2736 -ip 2736
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2736 -ip 2736
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\6de708af.exe

Filesize
83KB

MD5
61642141e8c3b9b65b66a8cc6961b67b

SHA1
67eda43ccff0632fa57839d2a8c144113effdecf

SHA256
6e49898a66eee951a83998151eba7726463deaad868e67c41d333e7b64f22a66

SHA512
ffd096b18dee7706d5a421510c37385d715264bb4dfbb43268f4f49e3e12621de7a52271d1cd194c47adbbc8243c629505150615e981d95f29e5936ac883767a

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
cfaad481f2fb7c093f902e108fb731b7

SHA1
d1f0193edddd5fc882c268907411c0c98104ce9a

SHA256
1edc5e34f352fd7fd56312d83b913f35ed883010b4c7dbce7125c89bd1f6bc26

SHA512
2cc4d8e5abdf3ff1d206954b3aa6308061590cb9bb146d00805445f4e3fa4c460b76ca6541ee469b16d28f9c07cda89dcfeebe5c8e7d782064ae3d1148189481

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
f496ce08b08ab2cd8e6f25dce8855b5a

SHA1
66c69b16d73fc8bcb14e44e5692069740992d066

SHA256
6659954eb7ed3b7db57bb3a51c4985336265fc7dbe218f0d29a89f92279289b2

SHA512
0465d3a24a315f92c092864af1a8bf849c2b5c0d8de60410964e8ef422b2488c9c1194ff3e45febcea961215677f8421a48c981ee82e2bd4b188566a3c68da70

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
f496ce08b08ab2cd8e6f25dce8855b5a

SHA1
66c69b16d73fc8bcb14e44e5692069740992d066

SHA256
6659954eb7ed3b7db57bb3a51c4985336265fc7dbe218f0d29a89f92279289b2

SHA512
0465d3a24a315f92c092864af1a8bf849c2b5c0d8de60410964e8ef422b2488c9c1194ff3e45febcea961215677f8421a48c981ee82e2bd4b188566a3c68da70

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
cce374926e709db0259550cd67b1263c

SHA1
ff57b22f4d19fe3f5982e24dfea1bd3454f6592c

SHA256
beac5ac66d2466c33dca3fc734f87eb6fe5b52847819052294a62c769fb11701

SHA512
24c30300e0154362d644380a2eaa57aae60e26d1b75efefbd576647345f2701ec28f3020bfdf6a51bebaca9c8f75fcf6b431b4f1cb08d394d48af77e6928d249

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
edd067b27d95597397563ec50cb8883f

SHA1
c847b2e92fafda11009112193c8f1f2c9480f297

SHA256
176bf4a336fa54818f3def6b5267a5f11d09fd92b7c01cef63261d864b65c478

SHA512
18742bf5f224f393f476ac0101fb1c2629cb2673e28a4424a6088ed98e553afcb0da16ce5e253b35f18da491dd87fd70ae4399cebe0a1440d4ad0d65db47cf69

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\LogonHours.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\SRService.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
\??\c:\windows\SysWOW64\helpsvc.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
\??\c:\windows\SysWOW64\logonhours.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
\??\c:\windows\SysWOW64\pcaudit.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
\??\c:\windows\SysWOW64\srservice.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
\??\c:\windows\SysWOW64\uploadmgr.dll

Filesize
83KB

MD5
0760cb25568e03d76e85d36dbe4e6389

SHA1
e3e3c614127c6344892d680ec7745ee5c07d3583

SHA256
acdcabec1de8c9dbef35a5a23e7ce258c419517a8fdb855d3fc1a703550b8e6d

SHA512
b00aaae0d7c74460c96781c2e4837ca229c10dc049c9889df22123f3ae88af9b2e6af86179d9d838c5a17775536c8dcba77f291d110bc684e94d50d7f5c2ca21

Download Submit
\??\c:\windows\SysWOW64\wmdmpmsp.dll

Filesize
167KB

MD5
5eb2b2fad2e5c06fdc32a2afa57c4b75

SHA1
d9f8532ae219f3a545de0578bac9a73541d3b4e7

SHA256
58c8fedb3af00f63ef80ad3981629c41754e53fc63a41b8322980358be9563b7

SHA512
e7a5fa6da56a474016fcc1c0fc0c161055c740939528390ddaa75afc6457c98abd7e57f68607db778186f5e38a829571c99a2e443a3a9b3bdb32c74651d56ac4

Download Submit
memory/216-249-0x00000000753C0000-0x00000000753FA000-memory.dmp

Filesize
232KB

Download
memory/216-181-0x0000000074A70000-0x0000000074AAA000-memory.dmp

Filesize
232KB

Download
memory/216-180-0x0000000074A70000-0x0000000074AAA000-memory.dmp

Filesize
232KB

Download
memory/216-251-0x00000000753C0000-0x00000000753FA000-memory.dmp

Filesize
232KB

Download
memory/216-257-0x00000000753C0000-0x00000000753FA000-memory.dmp

Filesize
232KB

Download
memory/216-182-0x0000000074A70000-0x0000000074AAA000-memory.dmp

Filesize
232KB

Download
memory/964-250-0x0000000075640000-0x0000000075665000-memory.dmp

Filesize
148KB

Download
memory/964-252-0x0000000075640000-0x0000000075665000-memory.dmp

Filesize
148KB

Download
memory/964-256-0x0000000075640000-0x0000000075665000-memory.dmp

Filesize
148KB

Download
memory/1216-212-0x0000000075670000-0x00000000756AA000-memory.dmp

Filesize
232KB

Download
memory/1216-218-0x0000000075670000-0x00000000756AA000-memory.dmp

Filesize
232KB

Download
memory/1216-174-0x0000000074AF0000-0x0000000074B2A000-memory.dmp

Filesize
232KB

Download
memory/1216-172-0x0000000074AF0000-0x0000000074B2A000-memory.dmp

Filesize
232KB

Download
memory/1216-229-0x0000000075670000-0x00000000756AA000-memory.dmp

Filesize
232KB

Download
memory/1216-173-0x0000000074AF0000-0x0000000074B2A000-memory.dmp

Filesize
232KB

Download
memory/2200-132-0x0000000000640000-0x000000000067A000-memory.dmp

Filesize
232KB

Download
memory/2200-164-0x0000000002DE0000-0x0000000006DE0000-memory.dmp

Filesize
64.0MB

Download
memory/2200-147-0x0000000000640000-0x000000000067A000-memory.dmp

Filesize
232KB

Download
memory/2200-202-0x0000000000640000-0x000000000067A000-memory.dmp

Filesize
232KB

Download
memory/2200-145-0x0000000000640000-0x000000000067A000-memory.dmp

Filesize
232KB

Download
memory/2200-148-0x0000000002DE0000-0x0000000006DE0000-memory.dmp

Filesize
64.0MB

Download
memory/2248-142-0x00000000753F0000-0x0000000075415000-memory.dmp

Filesize
148KB

Download
memory/2248-146-0x00000000753F0000-0x0000000075415000-memory.dmp

Filesize
148KB

Download
memory/2248-143-0x00000000753F0000-0x0000000075415000-memory.dmp

Filesize
148KB

Download
memory/2412-279-0x0000000000A80000-0x0000000000AA5000-memory.dmp

Filesize
148KB

Download
memory/2412-282-0x0000000000A80000-0x0000000000AA5000-memory.dmp

Filesize
148KB

Download
memory/2412-278-0x0000000000A80000-0x0000000000AA5000-memory.dmp

Filesize
148KB

Download
memory/2412-296-0x0000000001840000-0x0000000005840000-memory.dmp

Filesize
64.0MB

Download
memory/2736-201-0x0000000073FE0000-0x000000007401A000-memory.dmp

Filesize
232KB

Download
memory/2736-284-0x0000000075400000-0x000000007543A000-memory.dmp

Filesize
232KB

Download
memory/2736-204-0x0000000073FE0000-0x000000007401A000-memory.dmp

Filesize
232KB

Download
memory/2736-283-0x0000000075400000-0x000000007543A000-memory.dmp

Filesize
232KB

Download
memory/2736-295-0x00000000756A0000-0x00000000756DA000-memory.dmp

Filesize
232KB

Download
memory/2736-226-0x0000000073FE0000-0x000000007401A000-memory.dmp

Filesize
232KB

Download
memory/2992-234-0x00000000751E0000-0x000000007521A000-memory.dmp

Filesize
232KB

Download
memory/2992-219-0x00000000751E0000-0x000000007521A000-memory.dmp

Filesize
232KB

Download
memory/2992-224-0x00000000751E0000-0x000000007521A000-memory.dmp

Filesize
232KB

Download
memory/2992-155-0x00000000751E0000-0x000000007521A000-memory.dmp

Filesize
232KB

Download
memory/2992-237-0x00000000751E0000-0x000000007521A000-memory.dmp

Filesize
232KB

Download
memory/2992-259-0x00000000751E0000-0x000000007521A000-memory.dmp

Filesize
232KB

Download
memory/2992-233-0x00000000751E0000-0x000000007521A000-memory.dmp

Filesize
232KB

Download
memory/3268-205-0x00000000749C0000-0x00000000749E5000-memory.dmp

Filesize
148KB

Download
memory/3268-194-0x00000000749C0000-0x00000000749E5000-memory.dmp

Filesize
148KB

Download
memory/3268-195-0x00000000749C0000-0x00000000749E5000-memory.dmp

Filesize
148KB

Download
memory/3304-156-0x00000000006E0000-0x0000000000705000-memory.dmp

Filesize
148KB

Download
memory/3304-154-0x00000000006E0000-0x0000000000705000-memory.dmp

Filesize
148KB

Download
memory/3304-220-0x00000000006E0000-0x0000000000705000-memory.dmp

Filesize
148KB

Download
memory/3304-153-0x00000000006E0000-0x0000000000705000-memory.dmp

Filesize
148KB

Download
memory/3304-157-0x00000000014D0000-0x00000000054D0000-memory.dmp

Filesize
64.0MB

Download
memory/3304-165-0x00000000014D0000-0x00000000054D0000-memory.dmp

Filesize
64.0MB

Download
memory/3436-210-0x00000000756B0000-0x00000000756D5000-memory.dmp

Filesize
148KB

Download
memory/3436-209-0x00000000756B0000-0x00000000756D5000-memory.dmp

Filesize
148KB

Download
memory/3436-208-0x00000000756B0000-0x00000000756D5000-memory.dmp

Filesize
148KB

Download
memory/3436-225-0x00000000756B0000-0x00000000756D5000-memory.dmp

Filesize
148KB

Download
memory/3756-240-0x0000000000E20000-0x0000000000E45000-memory.dmp

Filesize
148KB

Download
memory/3756-255-0x0000000000E20000-0x0000000000E45000-memory.dmp

Filesize
148KB

Download
memory/3756-241-0x0000000000E20000-0x0000000000E45000-memory.dmp

Filesize
148KB

Download
memory/4056-293-0x0000000000640000-0x0000000000665000-memory.dmp

Filesize
148KB

Download
memory/4056-288-0x0000000000640000-0x0000000000665000-memory.dmp

Filesize
148KB

Download
memory/4056-289-0x0000000000640000-0x0000000000665000-memory.dmp

Filesize
148KB

Download
memory/4496-191-0x0000000074920000-0x000000007495A000-memory.dmp

Filesize
232KB

Download
memory/4496-190-0x0000000074920000-0x000000007495A000-memory.dmp

Filesize
232KB

Download
memory/4496-192-0x0000000074920000-0x000000007495A000-memory.dmp

Filesize
232KB

Download
memory/4600-167-0x0000000074B30000-0x0000000074B6A000-memory.dmp

Filesize
232KB

Download
memory/4600-223-0x00000000753C0000-0x00000000753FA000-memory.dmp

Filesize
232KB

Download
memory/4600-168-0x0000000074B30000-0x0000000074B6A000-memory.dmp

Filesize
232KB

Download
memory/4600-216-0x00000000753C0000-0x00000000753FA000-memory.dmp

Filesize
232KB

Download
memory/4600-170-0x0000000074B30000-0x0000000074B6A000-memory.dmp

Filesize
232KB

Download
memory/4600-231-0x00000000753C0000-0x00000000753FA000-memory.dmp

Filesize
232KB

Download
memory/4708-230-0x0000000075400000-0x000000007543A000-memory.dmp

Filesize
232KB

Download
memory/4708-162-0x00000000751A0000-0x00000000751DA000-memory.dmp

Filesize
232KB

Download
memory/4708-160-0x00000000751A0000-0x00000000751DA000-memory.dmp

Filesize
232KB

Download
memory/4708-161-0x00000000751A0000-0x00000000751DA000-memory.dmp

Filesize
232KB

Download
memory/4708-221-0x0000000075400000-0x000000007543A000-memory.dmp

Filesize
232KB

Download
memory/4708-217-0x0000000075400000-0x000000007543A000-memory.dmp

Filesize
232KB

Download
memory/4980-139-0x0000000002F80000-0x0000000006F80000-memory.dmp

Filesize
64.0MB

Download
memory/4980-138-0x00000000004F0000-0x0000000000515000-memory.dmp

Filesize
148KB

Download
memory/4980-137-0x00000000004F0000-0x0000000000515000-memory.dmp

Filesize
148KB

Download
memory/4980-136-0x00000000004F0000-0x0000000000515000-memory.dmp

Filesize
148KB

Download
memory/5080-267-0x0000000000780000-0x00000000007A5000-memory.dmp

Filesize
148KB

Download
memory/5080-264-0x0000000000780000-0x00000000007A5000-memory.dmp

Filesize
148KB

Download
memory/5080-263-0x0000000000780000-0x00000000007A5000-memory.dmp

Filesize
148KB

Download
memory/5108-186-0x0000000074940000-0x0000000074965000-memory.dmp

Filesize
148KB

Download
memory/5108-184-0x0000000074940000-0x0000000074965000-memory.dmp

Filesize
148KB

Download
memory/5108-185-0x0000000074940000-0x0000000074965000-memory.dmp

Filesize
148KB

Download