7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
Size

368KB
MD5

891d6585190bc5d5a219562c998ae945
SHA1

571981a09506df4c110a90041648f606d201776c
SHA256

7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78
SHA512

a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7
SSDEEP

6144:hYDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYkl5q+cvrfA:K9BvctM85t35JPNJj2WzoRLQYRYzmYOd

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.comsvchost.com

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

svchost.comsvchost.com

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2"	svchost.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2"	svchost.com

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

svchost.comsvchost.com

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.com

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

svchost.comsvchost.com

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.com

Disables Task Manager via registry modification
evasion
Executes dropped EXE 4 IoCs

Processes:

svchost.comcftmon.exesvchost.comcftmon.exe

pid process

272 svchost.com
1348 cftmon.exe
964 svchost.com
1980 cftmon.exe

pid	process
272	svchost.com
1348	cftmon.exe
964	svchost.com
1980	cftmon.exe

Sets file execution options in registry 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.comsvchost.com

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe	svchost.com

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.com	upx
\Users\Admin\AppData\Local\Temp\svchost.com	upx
\Users\Admin\AppData\Local\Temp\svchost.com	upx
\Users\Admin\AppData\Local\Temp\svchost.com	upx
C:\Users\Admin\AppData\Local\Temp\svchost.com	upx
C:\Users\Admin\AppData\Local\Temp\svchost.com	upx
behavioral1/memory/272-63-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1280-60-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
C:\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Users\Admin\AppData\Local\Temp\svchost.com	upx
C:\Users\Admin\AppData\Local\Temp\svchost.com	upx
C:\Program Files (x86)\Common Files\System\cftmon.exe	upx
\??\c:\Thumbs.db	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
C:\Windows\SysWOW64\fdisk.com	upx
\Windows\SysWOW64\fdisk.com	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Windows\Help\cliconf.chm	upx
\Windows\Help\cliconf.chm	upx
C:\Windows\Help\cliconf.chm	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	upx
\Windows\SysWOW64\fdisk.com	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
C:\Users\Admin\Templates\cache\SFCsrvc.pif	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
behavioral1/memory/1348-98-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
C:\Program Files (x86)\Common Files\System\cftmon.exe	upx
behavioral1/memory/964-100-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1980-105-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Windows\Help\cliconf.chm	upx
\Windows\Help\cliconf.chm	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	upx
\Windows\SysWOW64\fdisk.com	upx
\Windows\SysWOW64\fdisk.com	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Program Files (x86)\Common Files\System\cftmon.exe	upx
\Windows\Help\cliconf.chm	upx
\Windows\Help\cliconf.chm	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	upx
\Windows\SysWOW64\fdisk.com	upx
\Windows\SysWOW64\fdisk.com	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	upx
\Windows\SysWOW64\fdisk.com	upx

Drops startup file 2 IoCs

Processes:

svchost.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	svchost.com
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	svchost.com

Loads dropped DLL 64 IoCs

Processes:

7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exesvchost.comsvchost.comcftmon.exe

pid	process
1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
1348	cftmon.exe
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com
964	svchost.com

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.comsvchost.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif"	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif"	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com"	svchost.com

Drops desktop.ini file(s) 4 IoCs

Processes:

svchost.com7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe

description	ioc	process
File opened for modification	\??\c:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini	svchost.com
File opened for modification	C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
File opened for modification	C:\Users\Admin\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini	svchost.com
File opened for modification	C:\Users\Admin\Templates\cache\desktop.ini	svchost.com

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.comsvchost.com

description	ioc	process
File opened (read-only)	\??\e:	svchost.com
File opened (read-only)	\??\h:	svchost.com
File opened (read-only)	\??\o:	svchost.com
File opened (read-only)	\??\u:	svchost.com
File opened (read-only)	\??\n:	svchost.com
File opened (read-only)	\??\u:	svchost.com
File opened (read-only)	\??\f:	svchost.com
File opened (read-only)	\??\p:	svchost.com
File opened (read-only)	\??\v:	svchost.com
File opened (read-only)	\??\w:	svchost.com
File opened (read-only)	\??\k:	svchost.com
File opened (read-only)	\??\k:	svchost.com
File opened (read-only)	\??\m:	svchost.com
File opened (read-only)	\??\t:	svchost.com
File opened (read-only)	\??\y:	svchost.com
File opened (read-only)	\??\h:	svchost.com
File opened (read-only)	\??\q:	svchost.com
File opened (read-only)	\??\a:	svchost.com
File opened (read-only)	\??\g:	svchost.com
File opened (read-only)	\??\p:	svchost.com
File opened (read-only)	\??\b:	svchost.com
File opened (read-only)	\??\i:	svchost.com
File opened (read-only)	\??\l:	svchost.com
File opened (read-only)	\??\s:	svchost.com
File opened (read-only)	\??\x:	svchost.com
File opened (read-only)	\??\b:	svchost.com
File opened (read-only)	\??\i:	svchost.com
File opened (read-only)	\??\j:	svchost.com
File opened (read-only)	\??\m:	svchost.com
File opened (read-only)	\??\z:	svchost.com
File opened (read-only)	\??\e:	svchost.com
File opened (read-only)	\??\j:	svchost.com
File opened (read-only)	\??\z:	svchost.com
File opened (read-only)	\??\n:	svchost.com
File opened (read-only)	\??\v:	svchost.com
File opened (read-only)	\??\w:	svchost.com
File opened (read-only)	\??\o:	svchost.com
File opened (read-only)	\??\y:	svchost.com
File opened (read-only)	\??\a:	svchost.com
File opened (read-only)	\??\f:	svchost.com
File opened (read-only)	\??\l:	svchost.com
File opened (read-only)	\??\q:	svchost.com
File opened (read-only)	\??\r:	svchost.com
File opened (read-only)	\??\s:	svchost.com
File opened (read-only)	\??\t:	svchost.com
File opened (read-only)	\??\x:	svchost.com
File opened (read-only)	\??\g:	svchost.com
File opened (read-only)	\??\r:	svchost.com

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1280-60-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1348-98-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/964-100-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1980-105-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/272-182-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1280-183-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/964-184-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1980-189-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/964-190-0x00000000025E0000-0x00000000026A8000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

svchost.com

description ioc process

File opened for modification \??\c:\autorun.inf svchost.com
File opened for modification C:\\autorun.inf svchost.com
Drops file in System32 directory 2 IoCs

Processes:

svchost.com

description ioc process

File created C:\Windows\SysWOW64\fdisk.com svchost.com
File opened for modification C:\Windows\SysWOW64\fdisk.com svchost.com
Drops file in Program Files directory 1 IoCs

Processes:

svchost.com

description ioc process

File created C:\Program Files (x86)\Common Files\System\cftmon.exe svchost.com
Drops file in Windows directory 1 IoCs

Processes:

svchost.com

description ioc process

File created C:\Windows\Help\cliconf.chm svchost.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\autorun.inf	svchost.com
File opened for modification	C:\\autorun.inf	svchost.com

description	ioc	process
File created	C:\Windows\SysWOW64\fdisk.com	svchost.com
File opened for modification	C:\Windows\SysWOW64\fdisk.com	svchost.com

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\cftmon.exe	svchost.com

description	ioc	process
File created	C:\Windows\Help\cliconf.chm	svchost.com

Modifies registry class 11 IoCs

Processes:

svchost.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xmspaint.exe	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xmspaint.exe\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\System\\cftmon.exe %1"	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xnotepad.exe\shell	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xnotepad.exe\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\System\\cftmon.exe %1"	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xmspaint.exe\shell\open\command	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xmspaint.exe\shell	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xmspaint.exe\shell\open	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xnotepad.exe\shell\open\command	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xnotepad.exe	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\xnotepad.exe\shell\open	svchost.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exesvchost.comsvchost.comcftmon.exe

pid	process
1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
272	svchost.com
964	svchost.com
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
964	svchost.com
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe
1980	cftmon.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exesvchost.comcftmon.exe

description	pid	process	target process
PID 1280 wrote to memory of 272	1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe	svchost.com
PID 1280 wrote to memory of 272	1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe	svchost.com
PID 1280 wrote to memory of 272	1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe	svchost.com
PID 1280 wrote to memory of 272	1280	7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe	svchost.com
PID 272 wrote to memory of 1348	272	svchost.com	cftmon.exe
PID 272 wrote to memory of 1348	272	svchost.com	cftmon.exe
PID 272 wrote to memory of 1348	272	svchost.com	cftmon.exe
PID 272 wrote to memory of 1348	272	svchost.com	cftmon.exe
PID 272 wrote to memory of 964	272	svchost.com	svchost.com
PID 272 wrote to memory of 964	272	svchost.com	svchost.com
PID 272 wrote to memory of 964	272	svchost.com	svchost.com
PID 272 wrote to memory of 964	272	svchost.com	svchost.com
PID 1348 wrote to memory of 1980	1348	cftmon.exe	cftmon.exe
PID 1348 wrote to memory of 1980	1348	cftmon.exe	cftmon.exe
PID 1348 wrote to memory of 1980	1348	cftmon.exe	cftmon.exe
PID 1348 wrote to memory of 1980	1348	cftmon.exe	cftmon.exe

C:\Users\Admin\AppData\Local\Temp\7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
"C:\Users\Admin\AppData\Local\Temp\7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\svchost.com
"C:\Users\Admin\AppData\Local\Temp\svchost.com"
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:272

C:\Program Files (x86)\Common Files\System\cftmon.exe
"C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -in
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\Program Files (x86)\Common Files\System\cftmon.exe
"C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -r
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Users\Admin\AppData\Local\Temp\svchost.com
C:\Users\Admin\AppData\Local\Temp\svchost.com keep_fucking
3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Users\Admin\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Windows\Help\cliconf.chm

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
C:\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\??\c:\Thumbs.db

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Program Files (x86)\Common Files\System\cftmon.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\SFCsrvc.pif

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\Help\cliconf.chm

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\Help\cliconf.chm

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\Help\cliconf.chm

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\Help\cliconf.chm

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\Help\cliconf.chm

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\Help\cliconf.chm

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
\Windows\SysWOW64\fdisk.com

Filesize
368KB

MD5
891d6585190bc5d5a219562c998ae945

SHA1
571981a09506df4c110a90041648f606d201776c

SHA256
7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

SHA512
a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

Download Submit
memory/272-99-0x00000000030E0000-0x00000000031A8000-memory.dmp

Filesize
800KB

Download
memory/272-182-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/272-63-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/272-59-0x0000000000000000-mapping.dmp

Download
memory/964-154-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-175-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-128-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-129-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-130-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-190-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-132-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-133-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-119-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-118-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-188-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-104-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-103-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-72-0x0000000000000000-mapping.dmp

Download
memory/964-101-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-100-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/964-126-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-187-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-186-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-125-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-146-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-147-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-148-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-150-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-149-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-185-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-152-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-153-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-120-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-155-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-156-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-124-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-131-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-102-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-151-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-123-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-184-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/964-122-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-164-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-165-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-166-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-167-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-168-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-169-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-170-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-171-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-172-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-173-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-174-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-127-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-176-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-177-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-178-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-179-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-180-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-181-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/964-121-0x00000000025E0000-0x00000000026A8000-memory.dmp

Filesize
800KB

Download
memory/1280-183-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1280-60-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1348-69-0x0000000000000000-mapping.dmp

Download
memory/1348-98-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1980-95-0x0000000000000000-mapping.dmp

Download
memory/1980-105-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1980-189-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download