07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88

Analysis

max time kernel
92s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Size

271KB
MD5

1e502080294f8d8135580ae31f1b3404
SHA1

4a25854bdf70e7bd408462bbf68e812956fc965f
SHA256

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88
SHA512

6dca62da72b2ff487e2eec07d1f639f719d4a95b217a6e4c7ac0ea001926800c12280b0c8deee61aad387d6a38d6c43f54708b9788851f4bebc96970841fa63c
SSDEEP

6144:83/4YIJ8m1MxUyRzoVOBlYQflIGU6VtW:8P4BJTM6++OBlYER3t

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe:*:enabled:@shell32.dll,-1"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

Sets DLL path for service in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4660-132-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4660-134-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4660-133-0x0000000000400000-0x0000000000455000-memory.dmp	upx
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll	upx
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
behavioral2/memory/5032-139-0x0000000000F60000-0x0000000000FB5000-memory.dmp	upx
\??\c:\windows\SysWOW64\irmon.dll	upx
C:\Windows\SysWOW64\Irmon.dll	upx
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
C:\Windows\SysWOW64\Irmon.dll	upx
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
C:\Windows\SysWOW64\Irmon.dll	upx
C:\Windows\SysWOW64\Nla.dll	upx
\??\c:\windows\SysWOW64\nla.dll	upx
C:\Windows\SysWOW64\Nla.dll	upx
C:\Windows\SysWOW64\Nla.dll	upx
\??\c:\windows\SysWOW64\ntmssvc.dll	upx
C:\Windows\SysWOW64\Ntmssvc.dll	upx
C:\Windows\SysWOW64\Ntmssvc.dll	upx
C:\Windows\SysWOW64\Ntmssvc.dll	upx
\??\c:\windows\SysWOW64\nwcworkstation.dll	upx
C:\Windows\SysWOW64\NWCWorkstation.dll	upx
C:\Windows\SysWOW64\NWCWorkstation.dll	upx
C:\Windows\SysWOW64\NWCWorkstation.dll	upx
\??\c:\windows\SysWOW64\nwsapagent.dll	upx
C:\Windows\SysWOW64\Nwsapagent.dll	upx
C:\Windows\SysWOW64\Nwsapagent.dll	upx
C:\Windows\SysWOW64\Nwsapagent.dll	upx
\??\c:\windows\SysWOW64\srservice.dll	upx
C:\Windows\SysWOW64\SRService.dll	upx
C:\Windows\SysWOW64\SRService.dll	upx
C:\Windows\SysWOW64\SRService.dll	upx
\??\c:\windows\SysWOW64\wmdmpmsp.dll	upx
C:\Windows\SysWOW64\WmdmPmSp.dll	upx
C:\Windows\SysWOW64\WmdmPmSp.dll	upx
C:\Windows\SysWOW64\WmdmPmSp.dll	upx
\??\c:\windows\SysWOW64\logonhours.dll	upx
C:\Windows\SysWOW64\LogonHours.dll	upx
C:\Windows\SysWOW64\LogonHours.dll	upx
C:\Windows\SysWOW64\LogonHours.dll	upx
\??\c:\windows\SysWOW64\pcaudit.dll	upx
C:\Windows\SysWOW64\PCAudit.dll	upx
C:\Windows\SysWOW64\PCAudit.dll	upx
C:\Windows\SysWOW64\PCAudit.dll	upx
\??\c:\windows\SysWOW64\helpsvc.dll	upx
C:\Windows\SysWOW64\helpsvc.dll	upx
C:\Windows\SysWOW64\helpsvc.dll	upx
C:\Windows\SysWOW64\helpsvc.dll	upx
C:\Windows\SysWOW64\helpsvc.dll	upx
C:\Windows\SysWOW64\helpsvc.dll	upx
C:\Windows\SysWOW64\helpsvc.dll	upx
\??\c:\windows\SysWOW64\uploadmgr.dll	upx
C:\Windows\SysWOW64\uploadmgr.dll	upx
C:\Windows\SysWOW64\uploadmgr.dll	upx
C:\Windows\SysWOW64\uploadmgr.dll	upx
C:\Windows\SysWOW64\uploadmgr.dll	upx
C:\Windows\SysWOW64\uploadmgr.dll	upx
C:\Windows\SysWOW64\uploadmgr.dll	upx
behavioral2/memory/4660-195-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Loads dropped DLL 45 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
5032	svchost.exe
5032	svchost.exe
2816	svchost.exe
5032	svchost.exe
5032	svchost.exe
2816	svchost.exe
5032	svchost.exe
5032	svchost.exe
2816	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
4556	svchost.exe
4556	svchost.exe
4556	svchost.exe
4664	svchost.exe
4664	svchost.exe
4664	svchost.exe
4580	svchost.exe
4580	svchost.exe
4580	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
3604	svchost.exe
3604	svchost.exe
3604	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

description	ioc	process
File opened (read-only)	\??\X:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\F:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\H:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\K:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\L:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\N:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\O:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\R:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\E:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\I:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\M:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\Q:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\T:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\V:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\W:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\G:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\J:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\P:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\S:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\U:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\Y:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened (read-only)	\??\Z:	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

Drops file in System32 directory 14 IoCs

Processes:

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

Program crash 36 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4916	5032	WerFault.exe	svchost.exe
4068	2816	WerFault.exe	svchost.exe
3508	2816	WerFault.exe	svchost.exe
3608	5032	WerFault.exe	svchost.exe
1800	2816	WerFault.exe	svchost.exe
4056	5032	WerFault.exe	svchost.exe
4312	5116	WerFault.exe	svchost.exe
64	5116	WerFault.exe	svchost.exe
4976	5116	WerFault.exe	svchost.exe
1280	2712	WerFault.exe	svchost.exe
2452	2712	WerFault.exe	svchost.exe
2424	2712	WerFault.exe	svchost.exe
1352	4556	WerFault.exe	svchost.exe
60	4556	WerFault.exe	svchost.exe
4568	4556	WerFault.exe	svchost.exe
4476	4664	WerFault.exe	svchost.exe
3352	4664	WerFault.exe	svchost.exe
2680	4664	WerFault.exe	svchost.exe
4656	4580	WerFault.exe	svchost.exe
1820	4580	WerFault.exe	svchost.exe
2184	4580	WerFault.exe	svchost.exe
4952	1000	WerFault.exe	svchost.exe
1076	1000	WerFault.exe	svchost.exe
3960	1000	WerFault.exe	svchost.exe
3508	3604	WerFault.exe	svchost.exe
112	3604	WerFault.exe	svchost.exe
3796	3604	WerFault.exe	svchost.exe
1876	2828	WerFault.exe	svchost.exe
2728	2828	WerFault.exe	svchost.exe
4512	2828	WerFault.exe	svchost.exe
884	5064	WerFault.exe	svchost.exe
3496	5064	WerFault.exe	svchost.exe
4704	5064	WerFault.exe	svchost.exe
2956	3124	WerFault.exe	svchost.exe
1028	3124	WerFault.exe	svchost.exe
3512	3124	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

pid	process
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

pid	process
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

description pid process

Token: SeDebugPrivilege 4660 07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

description	pid	process
Token: SeDebugPrivilege	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe

description	pid	process	target process
PID 4660 wrote to memory of 572	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	winlogon.exe
PID 4660 wrote to memory of 572	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	winlogon.exe
PID 4660 wrote to memory of 572	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	winlogon.exe
PID 4660 wrote to memory of 572	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	winlogon.exe
PID 4660 wrote to memory of 572	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	winlogon.exe
PID 4660 wrote to memory of 572	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	winlogon.exe
PID 4660 wrote to memory of 656	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	lsass.exe
PID 4660 wrote to memory of 656	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	lsass.exe
PID 4660 wrote to memory of 656	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	lsass.exe
PID 4660 wrote to memory of 656	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	lsass.exe
PID 4660 wrote to memory of 656	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	lsass.exe
PID 4660 wrote to memory of 656	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	lsass.exe
PID 4660 wrote to memory of 760	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 760	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 760	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 760	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 760	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 760	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 768	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 768	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 768	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 768	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 768	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 768	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 776	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 776	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 776	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 776	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 776	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 776	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	fontdrvhost.exe
PID 4660 wrote to memory of 876	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 876	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 876	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 876	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 876	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 876	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 932	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 932	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 932	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 932	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 932	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 932	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 992	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	dwm.exe
PID 4660 wrote to memory of 992	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	dwm.exe
PID 4660 wrote to memory of 992	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	dwm.exe
PID 4660 wrote to memory of 992	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	dwm.exe
PID 4660 wrote to memory of 992	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	dwm.exe
PID 4660 wrote to memory of 992	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	dwm.exe
PID 4660 wrote to memory of 428	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 428	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 428	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 428	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 428	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 428	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 400	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 400	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 400	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 400	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 400	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 400	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 892	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 892	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 892	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe
PID 4660 wrote to memory of 892	4660	07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:572

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:768

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1120

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2204

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe
"C:\Users\Admin\AppData\Local\Temp\07875db1675aba6075917cc58ac432ebf8799ed26ada2d984ab1ace3c1a3ef88.exe"
2⤵
- Modifies firewall policy service
- Sets DLL path for service in the registry
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3728

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2504

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2696

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:984

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 596
2⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 748
2⤵
- Program crash
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 756
2⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5032 -ip 5032
1⤵
PID:4964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 596
2⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 444
2⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 436
2⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2816 -ip 2816
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2816 -ip 2816
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5032 -ip 5032
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5032 -ip 5032
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2816 -ip 2816
1⤵
PID:2884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 596
2⤵
- Program crash
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 632
2⤵
- Program crash
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 708
2⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5116 -ip 5116
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5116 -ip 5116
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5116 -ip 5116
1⤵
PID:4876

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 596
2⤵
- Program crash
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 632
2⤵
- Program crash
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 712
2⤵
- Program crash
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2712 -ip 2712
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2712 -ip 2712
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2712 -ip 2712
1⤵
PID:3936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 596
2⤵
- Program crash
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 660
2⤵
- Program crash
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 760
2⤵
- Program crash
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4556 -ip 4556
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4556 -ip 4556
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4556 -ip 4556
1⤵
PID:740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 596
2⤵
- Program crash
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 596
2⤵
- Program crash
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 520
2⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4664 -ip 4664
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4664 -ip 4664
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4664 -ip 4664
1⤵
PID:2840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 596
2⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 720
2⤵
- Program crash
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 472
2⤵
- Program crash
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4580 -ip 4580
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4580 -ip 4580
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4580 -ip 4580
1⤵
PID:5020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 596
2⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 632
2⤵
- Program crash
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 472
2⤵
- Program crash
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1000 -ip 1000
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1000 -ip 1000
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1000 -ip 1000
1⤵
PID:5060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 604
2⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 436
2⤵
- Program crash
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 464
2⤵
- Program crash
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3604 -ip 3604
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 3604 -ip 3604
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 3604 -ip 3604
1⤵
PID:1564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 604
2⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 608
2⤵
- Program crash
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 620
2⤵
- Program crash
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 2828 -ip 2828
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 2828 -ip 2828
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 2828 -ip 2828
1⤵
PID:5056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 596
2⤵
- Program crash
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 440
2⤵
- Program crash
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 736
2⤵
- Program crash
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 5064 -ip 5064
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 5064 -ip 5064
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 5064 -ip 5064
1⤵
PID:3456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 596
2⤵
- Program crash
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 720
2⤵
- Program crash
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 436
2⤵
- Program crash
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3124 -ip 3124
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 3124 -ip 3124
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3124 -ip 3124
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\LogonHours.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\LogonHours.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\LogonHours.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\SRService.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\SRService.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\SRService.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\helpsvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\logonhours.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\pcaudit.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\srservice.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\uploadmgr.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
\??\c:\windows\SysWOW64\wmdmpmsp.dll

Filesize
271KB

MD5
69c79e8c7bf10597ab7aeed803c76561

SHA1
9a78337619f3f10ca9cb4ab3e0305f11775911a8

SHA256
8c2f5fde0a78650710a09f40aa545f0c8508bce82cbb6cdc0c26481506896681

SHA512
db89c8c1030a35e6295becb6b10ca9f829278ee246faa529a6f892ed6ac477a82f7cb23a9a671530484edf557025f1c19d3f81ed55a096483e149861b88f57b7

Download Submit
memory/4660-152-0x0000000002410000-0x0000000006410000-memory.dmp

Filesize
64.0MB

Download
memory/4660-138-0x0000000002410000-0x0000000006410000-memory.dmp

Filesize
64.0MB

Download
memory/4660-133-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4660-134-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4660-132-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4660-195-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5032-139-0x0000000000F60000-0x0000000000FB5000-memory.dmp

Filesize
340KB

Download