1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Size

88KB
MD5

15e49d6669518123528837daa809f830
SHA1

bb99059337de845366ffba902be439fafcc20d78
SHA256

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9
SHA512

934971b4be75026f209ad6045257addca3b41b785a49b0ccedcbcaf0aafaaee7a80787f5ea4dea27a79edb7c50fba99616994a49704c03f7ce836b0d37872780
SSDEEP

1536:atZHJGPKZi+unw3uzV1c02GccppoNr9hTcOujjwGTr0aIiksSaV1K7s:o3GCZi+u93+FPNr9hoOVGToadTug

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

Loads dropped DLL 36 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
1600	svchost.exe
1600	svchost.exe
1600	svchost.exe
4932	svchost.exe
4932	svchost.exe
4932	svchost.exe
4780	svchost.exe
4780	svchost.exe
4780	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
4128	svchost.exe
4116	svchost.exe
4128	svchost.exe
4128	svchost.exe
4116	svchost.exe
4116	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
4588	svchost.exe
4588	svchost.exe
4588	svchost.exe
3648	svchost.exe
3648	svchost.exe
3648	svchost.exe

Drops file in System32 directory 14 IoCs

Processes:

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

pid	process
5016	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
5016	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

C:\Users\Admin\AppData\Local\Temp\1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
"C:\Users\Admin\AppData\Local\Temp\1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:2432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:1600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:4932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:4780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:3372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:4128

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:4116

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:2624

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:1656

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:4064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:4588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:3648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\LogonHours.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\LogonHours.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\LogonHours.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\NWCWorkstation.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Nla.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\Nwsapagent.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\PCAudit.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\SRService.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\SRService.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\SRService.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\WmdmPmSp.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\helpsvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
C:\Windows\SysWOW64\uploadmgr.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\helpsvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\logonhours.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\pcaudit.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\srservice.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\uploadmgr.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\wmdmpmsp.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
memory/5016-142-0x0000000000FF0000-0x0000000001012000-memory.dmp

Filesize
136KB

Download
memory/5016-137-0x0000000002430000-0x0000000006430000-memory.dmp

Filesize
64.0MB

Download
memory/5016-143-0x0000000002430000-0x0000000006430000-memory.dmp

Filesize
64.0MB

Download
memory/5016-132-0x0000000000FF0000-0x0000000001012000-memory.dmp

Filesize
136KB

Download