74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 09:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
Size

122KB
MD5

2be5a04b3421f048de7d16638b1b0a11
SHA1

4f74e1c4707e6aa524a0e80b4540586058e53028
SHA256

74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964
SHA512

37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d
SSDEEP

3072:iJCD54/JTNWLQx7pMvifuWI9LJdZtg86WkUOwLNoJ:9UAifuWI91r96cryJ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	dc.exe

Executes dropped EXE 3 IoCs

pid	Process
3408	Fun.exe
712	SVIQ.EXE
1476	dc.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	dc.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\Penx.dat	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File created	C:\Windows\SysWOW64\config\Win.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	dc.exe
File created	C:\Windows\SysWOW64\WinSit.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\Xpen.dat	Fun.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Help\Other.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\wininit.ini	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\wininit.ini	dc.exe
File opened for modification	C:\Windows\inf\Other.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	SVIQ.EXE
File created	C:\Windows\SVIQ.EXE	SVIQ.EXE
File opened for modification	C:\Windows\inf\Other.exe	SVIQ.EXE
File created	C:\Windows\system\Fun.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\SVIQ.EXE	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\wininit.ini	SVIQ.EXE
File opened for modification	C:\Windows\system\Fun.exe	SVIQ.EXE
File opened for modification	C:\Windows\dc.exe	dc.exe
File created	C:\Windows\dc.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\inf\Other.exe	dc.exe
File opened for modification	C:\Windows\Help\Other.exe	dc.exe
File opened for modification	C:\Windows\system\Fun.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\Help\Other.exe	SVIQ.EXE
File created	C:\Windows\system\Fun.exe	dc.exe
File created	C:\Windows\dc.exe	dc.exe
File opened for modification	C:\Windows\SVIQ.exe	SVIQ.EXE
File opened for modification	C:\Windows\system\Fun.exe	dc.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\inf\Other.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File created	C:\Windows\SVIQ.EXE	dc.exe
File opened for modification	C:\Windows\dc.exe	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
File opened for modification	C:\Windows\dc.exe	SVIQ.EXE
File opened for modification	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
3408	Fun.exe
3408	Fun.exe
712	SVIQ.EXE
712	SVIQ.EXE
1476	dc.exe
1476	dc.exe
3408	Fun.exe
3408	Fun.exe
712	SVIQ.EXE
712	SVIQ.EXE
1476	dc.exe
1476	dc.exe
1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
712	SVIQ.EXE
712	SVIQ.EXE
3408	Fun.exe
3408	Fun.exe
1476	dc.exe
1476	dc.exe
712	SVIQ.EXE
712	SVIQ.EXE
3408	Fun.exe
3408	Fun.exe
1476	dc.exe
1476	dc.exe
712	SVIQ.EXE
712	SVIQ.EXE
3408	Fun.exe
3408	Fun.exe
1476	dc.exe
1476	dc.exe
712	SVIQ.EXE
712	SVIQ.EXE
3408	Fun.exe
3408	Fun.exe
1476	dc.exe
1476	dc.exe
3408	Fun.exe
3408	Fun.exe
712	SVIQ.EXE
712	SVIQ.EXE
1476	dc.exe
1476	dc.exe
3408	Fun.exe
712	SVIQ.EXE
3408	Fun.exe
712	SVIQ.EXE
1476	dc.exe
1476	dc.exe
712	SVIQ.EXE
3408	Fun.exe
712	SVIQ.EXE
3408	Fun.exe
1476	dc.exe
1476	dc.exe
3408	Fun.exe
3408	Fun.exe
712	SVIQ.EXE
712	SVIQ.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
3408	Fun.exe
3408	Fun.exe
712	SVIQ.EXE
712	SVIQ.EXE
1476	dc.exe
1476	dc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3408	1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe	85
PID 1272 wrote to memory of 3408	1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe	85
PID 1272 wrote to memory of 3408	1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe	85
PID 3408 wrote to memory of 712	3408	Fun.exe	86
PID 3408 wrote to memory of 712	3408	Fun.exe	86
PID 3408 wrote to memory of 712	3408	Fun.exe	86
PID 1272 wrote to memory of 1476	1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe	87
PID 1272 wrote to memory of 1476	1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe	87
PID 1272 wrote to memory of 1476	1272	74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe	87

C:\Users\Admin\AppData\Local\Temp\74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe
"C:\Users\Admin\AppData\Local\Temp\74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system\Fun.exe
  C:\Windows\system\Fun.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\SVIQ.EXE
    C:\Windows\SVIQ.EXE
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:712
- C:\Windows\dc.exe
  C:\Windows\dc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\Other.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\Help\Other.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\Help\Other.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\SVIQ.EXE

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\SVIQ.EXE

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\SysWOW64\WinSit.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\SysWOW64\WinSit.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\SysWOW64\WinSit.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\SysWOW64\config\Win.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\SysWOW64\config\Win.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\SysWOW64\config\Win.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\System\Fun.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\dc.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\dc.exe

Filesize
63KB

MD5
5e155fd95ca631afcc14f7d7fb2a6e28

SHA1
7be6e0341b6a4ebc84f951ba7c3f94fae247688d

SHA256
f71382d6333b1e125ed93110df9806f001bc5b27369f47a7df5f2e38431b7e73

SHA512
5411caabc0495bbba929278fe91362f2fca66512d6f55c0a2e0ef8e0f4ceadeb565905434367b5c742fdf1dc2530c50fcb05b7a449ca8ddd33e6fe4c4c772e22

Download Submit
C:\Windows\dc.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\dc.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\inf\Other.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\inf\Other.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\inf\Other.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\system\Fun.exe

Filesize
122KB

MD5
2be5a04b3421f048de7d16638b1b0a11

SHA1
4f74e1c4707e6aa524a0e80b4540586058e53028

SHA256
74b33254aa9266c0fc73c5887d0cc929abbbe50bf6453d6aca910a9e8c2b9964

SHA512
37dc65d168922866287b4e1c14f8eb1eae86e68f0d6ece83ab4c6b38e6e10e6b9481a7d900512247016ce5dcd5e41fe8903f2735daa75907091ffe7be785560d

Download Submit
C:\Windows\wininit.ini

Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini

Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini

Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
memory/712-173-0x0000000000400000-0x0000000000420800-memory.dmp

Filesize
130KB

Download
memory/1272-132-0x0000000000400000-0x0000000000420800-memory.dmp

Filesize
130KB

Download
memory/1272-175-0x0000000000400000-0x0000000000420800-memory.dmp

Filesize
130KB

Download
memory/1476-174-0x0000000000400000-0x0000000000420800-memory.dmp

Filesize
130KB

Download
memory/3408-150-0x0000000000400000-0x0000000000420800-memory.dmp

Filesize
130KB

Download
memory/3408-176-0x0000000000400000-0x0000000000420800-memory.dmp

Filesize
130KB

Download