cobaltstrike | aa38afd9f6522ca8342f30b1dc8dbcaa5e3d35f0a5fbf92597a9448f11929eb1

Analysis

max time kernel
604s
max time network
748s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CompiledNTVDM.zip
Size

2.7MB
MD5

4b82b608988728d1e777f9582eb60fef
SHA1

584e6a3057e63697d9db487d956a59e2946ad5e0
SHA256

aa38afd9f6522ca8342f30b1dc8dbcaa5e3d35f0a5fbf92597a9448f11929eb1
SHA512

bdfab637c0f6781e640041be48e3854258da18abef480dfd41e4b7f5634c62caa08953548db41a85aac4d0c35cca8c8a1cc4d355ef8be2024368e4d3452b1e57
SSDEEP

49152:AbySyWzYrqhUrF55qmruwVtEOd3ltpbVTyq5I79+5EUuMzb:AbygMJ5ImruyV3tpJTD50dUfzb

Score

10^/10

cobaltstrike backdoor discovery persistence trojan

Malware Config

Extracted

Family

cobaltstrike

http://A��:3850982656�*H1�W��_P�D$#

Attributes

user_agent
�*H1�W��_P�D$#

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 5 IoCs

Processes:

findstr.exe

pid process

3988 findstr.exe
4840
2592
228
1900
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3988	findstr.exe
4840
2592
228
1900

Drops file in System32 directory 64 IoCs

Processes:

RunDll32.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exefsutil.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SETEF89.tmp	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEFC7.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEF1A.tmp	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEF41.tmp	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEF76.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEF87.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\fastopen.exe	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEF9C.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\himem.sys	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\loadfix.com	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEFB1.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\exe2bin.exe	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\himem.sys	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\keyboard.sys	fsutil.exe
File created	C:\Windows\SysWOW64\SETEF87.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\kb16.com	fsutil.exe
File created	C:\Windows\SysWOW64\SETEF1A.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEF41.tmp	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEF62.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\graphics.com	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEFB1.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\bios4.rom	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEF86.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEF8A.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\autoexec.nt	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\bios4.rom	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\SETEF65.tmp	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEF9D.tmp	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEFA0.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEFB2.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\share.exe	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\mscdexnt.exe	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\v7vga.rom	fsutil.exe
File created	C:\Windows\SysWOW64\SETEF63.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEF9B.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEFC7.tmp	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEFDC.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\v7vga.rom	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\debug.exe	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEF88.tmp	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEF9E.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEFC8.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEFDB.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\debug.exe	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\remline.bas	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\command.com	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\money.bas	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEFDB.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\remline.bas	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\setver.exe	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\setver.exe	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\SETEF9E.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\kb16.com	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\bios1.rom	fsutil.exe
File created	C:\Windows\SysWOW64\SETEF2D.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\msherc.com	RunDll32.exe
File created	C:\Windows\SysWOW64\SETEFDA.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEFFE.tmp	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\edit.com	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\gorilla.bas	fsutil.exe
File opened for modification	C:\Windows\SysWOW64\autoexec.nt	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\cmos.ram	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\SETEF63.tmp	RunDll32.exe
File opened for modification	C:\Windows\system32\ldntvdm.dll	rundll32.exe

Drops file in Windows directory 27 IoCs

Processes:

rundll32.exeRunDll32.exe

description	ioc	process
File opened for modification	C:\Windows\INF\ntvdmx64.inf	rundll32.exe
File created	C:\Windows\INF\SETF087.tmp	rundll32.exe
File created	C:\Windows\Symbols\dbghelp\x64\SETF064.tmp	rundll32.exe
File created	C:\Windows\INF\SETF021.tmp	RunDll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x64\symsrv.dll	rundll32.exe
File created	C:\Windows\Symbols\SETF086.tmp	rundll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x86\dbghelp.dll	RunDll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x86\symsrv.yes	RunDll32.exe
File opened for modification	C:\Windows\INF\SETF021.tmp	RunDll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x64\SETF064.tmp	rundll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x64\dbghelp.dll	rundll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x64\symsrv.yes	rundll32.exe
File opened for modification	C:\Windows\Symbols\instntvdmx64.bat	rundll32.exe
File opened for modification	C:\Windows\INF\SETF087.tmp	rundll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x64\SETF075.tmp	rundll32.exe
File created	C:\Windows\Symbols\dbghelp\x86\SETF00F.tmp	RunDll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x86\symsrv.dll	RunDll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x86\SETF011.tmp	RunDll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x86\SETF00F.tmp	RunDll32.exe
File created	C:\Windows\Symbols\dbghelp\x86\SETF011.tmp	RunDll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x64\SETF065.tmp	rundll32.exe
File created	C:\Windows\Symbols\dbghelp\x64\SETF065.tmp	rundll32.exe
File created	C:\Windows\Symbols\dbghelp\x64\SETF075.tmp	rundll32.exe
File opened for modification	C:\Windows\Symbols\SETF086.tmp	rundll32.exe
File opened for modification	C:\Windows\Symbols\dbghelp\x86\SETF010.tmp	RunDll32.exe
File opened for modification	C:\Windows\INF\ntvdmx64-32.inf	RunDll32.exe
File created	C:\Windows\Symbols\dbghelp\x86\SETF010.tmp	RunDll32.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	reg.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2128 reg.exe
3208 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1920 NOTEPAD.EXE

pid	process
2128	reg.exe
3208	reg.exe

pid	process
1920	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exerundll32.exe

description	pid	process	target process
PID 3056 wrote to memory of 3560	3056	cmd.exe	cacls.exe
PID 3056 wrote to memory of 3560	3056	cmd.exe	cacls.exe
PID 3056 wrote to memory of 2128	3056	cmd.exe	reg.exe
PID 3056 wrote to memory of 2128	3056	cmd.exe	reg.exe
PID 3056 wrote to memory of 4264	3056	cmd.exe	find.exe
PID 3056 wrote to memory of 4264	3056	cmd.exe	find.exe
PID 3056 wrote to memory of 1588	3056	cmd.exe	cmd.exe
PID 3056 wrote to memory of 1588	3056	cmd.exe	cmd.exe
PID 1588 wrote to memory of 3208	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 3208	1588	cmd.exe	reg.exe
PID 3056 wrote to memory of 2560	3056	cmd.exe	cmd.exe
PID 3056 wrote to memory of 2560	3056	cmd.exe	cmd.exe
PID 3056 wrote to memory of 2072	3056	cmd.exe	rundll32.exe
PID 3056 wrote to memory of 2072	3056	cmd.exe	rundll32.exe
PID 2072 wrote to memory of 1644	2072	rundll32.exe	RunDll32.exe
PID 2072 wrote to memory of 1644	2072	rundll32.exe	RunDll32.exe
PID 2072 wrote to memory of 3204	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3204	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 1584	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 1584	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 4600	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 4600	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 1468	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 1468	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 4372	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 4372	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2256	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2256	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 116	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 116	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 428	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 428	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2432	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2432	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 4560	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 4560	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3692	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3692	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 1552	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 1552	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2180	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2180	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3952	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3952	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 5068	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 5068	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 5024	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 5024	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 1832	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 1832	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3080	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3080	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3900	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 3900	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2196	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2196	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 4684	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 4684	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2728	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2728	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2192	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2192	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2300	2072	rundll32.exe	fsutil.exe
PID 2072 wrote to memory of 2300	2072	rundll32.exe	fsutil.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\CompiledNTVDM.zip
1⤵
PID:1388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4068

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\CompiledNTVDM\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\CompiledNTVDM\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:3560

C:\Windows\system32\reg.exe
reg query HKLM\Hardware\Description\System\CentralProcessor\0
2⤵
- Checks processor information in registry
- Modifies registry key
PID:2128

C:\Windows\system32\find.exe
Find /i "x86"
2⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State /v UEFISecureBootEnabled
2⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State /v UEFISecureBootEnabled
3⤵
- Modifies registry key
PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:2560

C:\Windows\system32\rundll32.exe
rundll32.exe advpack.dll,LaunchINFSection C:\Users\Admin\Documents\CompiledNTVDM\ntvdmx64.inf
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\RunDll32.exe
RunDll32 advpack.dll,LaunchINFSection C:\Users\Admin\Documents\CompiledNTVDM\ntvdmx64-32.Inf
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1644

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\ansi.sys C:\Windows\SysWOW64\ansi.sys
3⤵
PID:3204

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\append.exe C:\Windows\SysWOW64\append.exe
3⤵
PID:1584

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\autoexec.nt C:\Windows\SysWOW64\autoexec.nt
3⤵
- Drops file in System32 directory
PID:4600

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\backup.exe C:\Windows\SysWOW64\backup.exe
3⤵
PID:1468

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\bios1.rom C:\Windows\SysWOW64\bios1.rom
3⤵
- Drops file in System32 directory
PID:4372

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\bios4.rom C:\Windows\SysWOW64\bios4.rom
3⤵
- Drops file in System32 directory
PID:2256

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\cmos.ram C:\Windows\SysWOW64\cmos.ram
3⤵
PID:116

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\command.com C:\Windows\SysWOW64\command.com
3⤵
PID:428

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\config.nt C:\Windows\SysWOW64\config.nt
3⤵
PID:2432

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\country.sys C:\Windows\SysWOW64\country.sys
3⤵
PID:4560

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\debug.exe C:\Windows\SysWOW64\debug.exe
3⤵
- Drops file in System32 directory
PID:3692

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\edit.com C:\Windows\SysWOW64\edit.com
3⤵
- Drops file in System32 directory
PID:1552

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\edit.hlp C:\Windows\SysWOW64\edit.hlp
3⤵
PID:2180

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\edlin.exe C:\Windows\SysWOW64\edlin.exe
3⤵
PID:3952

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\exe2bin.exe C:\Windows\SysWOW64\exe2bin.exe
3⤵
- Drops file in System32 directory
PID:5068

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\fastopen.exe C:\Windows\SysWOW64\fastopen.exe
3⤵
PID:5024

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\gorilla.bas C:\Windows\SysWOW64\gorilla.bas
3⤵
- Drops file in System32 directory
PID:1832

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\graphics.com C:\Windows\SysWOW64\graphics.com
3⤵
PID:3080

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\graphics.pro C:\Windows\SysWOW64\graphics.pro
3⤵
PID:3900

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\himem.sys C:\Windows\SysWOW64\himem.sys
3⤵
- Drops file in System32 directory
PID:2196

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\kb16.com C:\Windows\SysWOW64\kb16.com
3⤵
- Drops file in System32 directory
PID:4684

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\keyboard.sys C:\Windows\SysWOW64\keyboard.sys
3⤵
- Drops file in System32 directory
PID:2728

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\krnl386.exe C:\Windows\SysWOW64\krnl386.exe
3⤵
PID:2192

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\loadfix.com C:\Windows\SysWOW64\loadfix.com
3⤵
PID:2300

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\mem.exe C:\Windows\SysWOW64\mem.exe
3⤵
PID:2716

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\money.bas C:\Windows\SysWOW64\money.bas
3⤵
PID:2952

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\mscdexnt.exe C:\Windows\SysWOW64\mscdexnt.exe
3⤵
- Drops file in System32 directory
PID:2900

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\msherc.com C:\Windows\SysWOW64\msherc.com
3⤵
PID:2848

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\nibbles.bas C:\Windows\SysWOW64\nibbles.bas
3⤵
PID:4828

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\ntdos.sys C:\Windows\SysWOW64\ntdos.sys
3⤵
PID:3660

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\ntio.sys C:\Windows\SysWOW64\ntio.sys
3⤵
PID:3468

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\ntvdm.exe C:\Windows\SysWOW64\ntvdm.exe
3⤵
PID:1476

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\qbasic.exe C:\Windows\SysWOW64\qbasic.exe
3⤵
PID:4056

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\qbasic.hlp C:\Windows\SysWOW64\qbasic.hlp
3⤵
PID:5052

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\redir.exe C:\Windows\SysWOW64\redir.exe
3⤵
PID:3060

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\remline.bas C:\Windows\SysWOW64\remline.bas
3⤵
- Drops file in System32 directory
PID:1128

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\setver.exe C:\Windows\SysWOW64\setver.exe
3⤵
- Drops file in System32 directory
PID:2800

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\share.exe C:\Windows\SysWOW64\share.exe
3⤵
PID:1588

C:\Windows\system32\fsutil.exe
fsutil hardlink create C:\Windows\system32\v7vga.rom C:\Windows\SysWOW64\v7vga.rom
3⤵
- Drops file in System32 directory
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Symbols\instntvdmx64.bat install
3⤵
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
4⤵
PID:1980

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
5⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
4⤵
PID:1584

C:\Windows\system32\findstr.exe
findstr /I /C:ldntvdm.dll
4⤵
PID:4844

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d " ldntvdm.dll"
4⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
4⤵
PID:1792

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
5⤵
PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
4⤵
PID:4248

C:\Windows\system32\findstr.exe
findstr /I /C:ldntvdm.dll
4⤵
- Loads dropped DLL
PID:3988

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /f /d " ldntvdm.dll"
4⤵
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\DOCUME~1\COMPIL~1\ldntvdm\system32\ldntvdm.dll
Filesize
17KB

MD5
2c20f10ce649bbd6de48a71d3a78282d

SHA1
a04d63ea88cb7108ec61c046a86892612b642fb9

SHA256
d7c0bf0aa896016ec9a4335b624cf2244df10a8320a5166a015a1eb063d0f717

SHA512
fb7582501f27b1b411ddfe95ce391dfcca7715750679845ed34480270a9fad703b18c21d2f8a4c167196d98f10394c6b0de70ff28abfcfa93dabd5fa9a197b93

Download Submit
C:\Users\Admin\DOCUME~1\COMPIL~1\ldntvdm\syswow64\ldntvdm.dll
Filesize
20KB

MD5
5bf47fdf3a25591c46589ccd9edde27b

SHA1
46095f917acf4bcf47e7659d640128f5a409fdce

SHA256
e5dd2378c42249643c2b30278aace8ce672dd1b9ee0ac8ba31cf423e54940c85

SHA512
f6355305812bc70b17bf252b8c0d9257816d73bcc75978bb6669a763c14426127927148e014b456945ad61a925af5288dde0d8b564f05287866a83b689783c27

Download Submit
C:\Windows\Symbols\instntvdmx64.bat
Filesize
4KB

MD5
61a7bb35173033c595776b59a218568c

SHA1
d634ac9bd8a2b41a57d60fcccbc7201a9a63877b

SHA256
85b588f98b4ecfb68e60aa80612327ad3172006ff4b602e60d76e7311bf749af

SHA512
7c8aeb859b68979028586a786cc59654dd3ffd6165ce9a95c48f6bc897bf8a5d50fd56981e10eae6ea93cb79702eee98db1ea068a042f32d963701e3d203fd71

Download Submit
C:\Windows\SysWOW64\ansi.sys
Filesize
8KB

MD5
8aad333c876590293f72b315e162bcc7

SHA1
e37168fbd229c4b903d42a778af28f78f4d741d8

SHA256
c929c0893bba4c6454632d3408ee4f7661b51cf5c2ce20035dcd4283cd623c85

SHA512
9c5ea80020caada1b6d0a6f0307ffedb506dd0287ea41110a3bf67825bdef23752c063883add1eff0a692c85ee940e371c34fd622f50d389d43614894ed10bc4

Download Submit
C:\Windows\SysWOW64\append.exe
Filesize
10KB

MD5
38dd3b731c8bb272ba91709d3eaebb9f

SHA1
fd7ee7bd77f95a740c82fe8610d7bf78a796da76

SHA256
73d6928246f369aac5de742e149196bf4dc3b5801a6effeed6d014e52841d0ac

SHA512
0bf9947df9c0292fe385bd91a9434090b2e76a19a1d1353a831350962432c196cc41c829cd4f207050a6ba791a76a4f439243321b6c5fb87549dbc5e1b1bdb3f

Download Submit
C:\Windows\SysWOW64\autoexec.nt
Filesize
438B

MD5
c464578006b6208d36e2613318cd83df

SHA1
76655db223c59d0be2102f3a8bf4b0acaf676f54

SHA256
c2a23a5fb96682c33d99c13a57e6f3c1e10dfd3d263d972775a8c42bfb6a9a9b

SHA512
6fa1e8983ad9c999468512bceb9254136be74798b42cc7f24017a8a6f4471881c69f9c352bb3cfd57c267bea67fe5885a68d077a22d4a031d495b9c32a11c8cf

Download Submit
C:\Windows\SysWOW64\backup.exe
Filesize
22KB

MD5
ddcde525258e411bbe6e9cd994fa72a8

SHA1
10560343dca143db213ec52b560397a8b55ed475

SHA256
b692773717380e80558c5cf20bb5c6f9830dfd2ee908058daa51095955a6f239

SHA512
5a5b4517298380dcca5f15f37b44b1a649c6b3e0b4837ef6e6a3fcff0ca4dda75a7d14c5f0172046a2d295bdae522f5c76e7a050c038597e7609337ed8ef6094

Download Submit
C:\Windows\SysWOW64\bios1.rom
Filesize
27KB

MD5
84bdb1e378591d930482b896a1648c53

SHA1
c6741ab5b8e28851290b27e47ed77e12bc84cd96

SHA256
1ce33544249fef59865b91308faf60f354563cf854f80eb196d47c968899a574

SHA512
00c178c5fcf89eb7e7cc985122f37857b4684425587daec402007a79bab3cd656939e06d9157c1085136a6ab9d526a021fd0623bf1d6b5bb28a98090954cd703

Download Submit
C:\Windows\SysWOW64\bios4.rom
Filesize
7KB

MD5
b44c4c9ca9d4bcc8430f3276576f562b

SHA1
2cdc23f9cb099221d6fe58fd86dd71da948db9e2

SHA256
b09fdff1a500971d54233378ce9c36f1b6a58bf577e4a544da03a0d78d7e0d6f

SHA512
47b923568f8cb7310f9973cf007d371ebe30db993134392f780660c2e3c280841eb285e44e7a8da21149f8e744ab0ff3de5ed627e25a972a2eaf49783cc0f0fc

Download Submit
C:\Windows\SysWOW64\cmos.ram
Filesize
64B

MD5
5d24fb0922e71de67e20e9f22946a54d

SHA1
e94de2504d357c1bd41ddd94ef1b619b22cb534c

SHA256
97fca7adb543bdac4e571185a3f37c17a30a6ad937e0817048d965a850edddd9

SHA512
d5772885d8b43b2da889ed22a0c0dade1dcebbac7e91df5b93d087d1d3c3efe5f0d18bb47d5261c3e157332db6fb8cbc15bf4fe1a501bbf3bef7de66c03741e1

Download Submit
C:\Windows\SysWOW64\command.com
Filesize
49KB

MD5
2e259d9af02d2891a9971eec9dabffa0

SHA1
1a7454b7e76f1559cdeccc87f135d49aa16183d9

SHA256
908a77ac617c2d741f0aa1b73f73973dcf29adc91f092e5bcb02173c8c732c43

SHA512
6cc5524399950b0af23c50c6b34c73174dfdb4db5a112f95275e035cc7d39c4fda7c82fbddfb4f7295ac11572427d1cad3c8aa7c412d73d1fcd0d3461f49abdb

Download Submit
C:\Windows\SysWOW64\config.nt
Filesize
2KB

MD5
802cba52a616db4d5a2215d618110b3d

SHA1
8b4f354257468cd201eb666e818a99796c58a40b

SHA256
6ae1e74e78de00c0fa03124e6f947d977c71f253855ad2af979554074aea189a

SHA512
4d754df863b1abd1c8709b057b3f35a88c0ecd7a042add625a4b14e76cb28d0981e1afb2fccfc6a35abbcbb1bc68c977976292b744e1b2eddd66ea8bb3278455

Download Submit
C:\Windows\SysWOW64\country.sys
Filesize
26KB

MD5
2bac6dd45043bb2b38e60d6ec5c8787c

SHA1
1854487158d7cc32b5782af20b91fa821dda19cf

SHA256
9ddf2b738307b5950699513e6b8221e2044bb686487a8c216af7c6fd3f853b54

SHA512
896e881bef191a6b70b71ae15a91a5959c3c6f2b300ac5747866b1f979996cbb1b4ea9b07efcd884c4dba6b9bfecbceeca39df0a372502bb4ff540e8e9a77510

Download Submit
C:\Windows\SysWOW64\debug.exe
Filesize
20KB

MD5
c17afa0aad78c621f818dd6729572c48

SHA1
5915a889c84e6e6e3878297ed6467ee0b8fd982f

SHA256
9c230aa1caff2ff9d845514017b3e4bbe7b308ad26ad88740967651f7955cd60

SHA512
eee89abcf2bca60f3917af9170c7b70690f604ae1523315d0e180f8719bf12956cd785ea7f59b3a783271b9bf47df57e806e0d0960008c05daae782c530da3ff

Download Submit
C:\Windows\SysWOW64\edit.com
Filesize
413B

MD5
064bd7d30c100e423a6f806afa7f3f5e

SHA1
54acfff92f4793a6e820723e09613e86bf54097c

SHA256
e0a0b24fee4037cb050670661c30ad7ecc0ea9483938152fca3d807c443e8a46

SHA512
505c272275b32e3c09cd3fbcea17e525bc9c5a5aed90aa9d9abcff7be193bad6d00b183028c84107f3e6f779c6ab379cb197214799b414ff9238f245ee517bf1

Download Submit
C:\Windows\SysWOW64\edit.hlp
Filesize
17KB

MD5
021635fb623ea9627d39be6401adac05

SHA1
ed9f31c6f4b136c532a31c870455520ac9c15d8f

SHA256
deb09a378b88f46a5ba3c755afe03b9b2b0e18c929d9cdb24003b6bf0caee631

SHA512
0238b9707b9f1730030a77cfab0c00059fc5a397dcc79fccf6abc14a167d05af6ebfef7ca1d77a29f934b9f003a1382465b96f7e6b399fba73a8efbf2e3aa72f

Download Submit
C:\Windows\SysWOW64\edlin.exe
Filesize
12KB

MD5
b7a0aa49cbb604b2c3a42a49c36d8a4f

SHA1
2966e6bd2e4a42450766115734128e0a255807bc

SHA256
9d835a8a46406fcb01f4509550cc86ea2755c3084c95c744cbec79d8d94c0477

SHA512
39827204bb4d4f46cc5a21afab88f064ea6d38104392aca0eb30ae00c81e099cd53cea58d7145afc2ab180a83cc50b234e0670bdcc38105490219d21212b662e

Download Submit
C:\Windows\SysWOW64\exe2bin.exe
Filesize
8KB

MD5
683626544e81387771ed55e1a0f2047b

SHA1
5b95678df5a5f68a37007e526153463704e6a809

SHA256
edf4009a2ab45a30ae3291b0f8c9585de9a15b6a1262288ae6694d4693cb737e

SHA512
bc6b314f33575c576e5ccd893152b74c181c76ebb1b2669565becc888a02c0715aa93be3512b241834069135de6976bcd6cf8519cd3d01eaed3bf99efc4132dd

Download Submit
C:\Windows\SysWOW64\fastopen.exe
Filesize
882B

MD5
68062c0ece86ab7801b5b47fdc855a06

SHA1
f574d8ca521fd9f038d94140d0606f7d622c1d82

SHA256
69dabbdb754b358ac4fe4b22de04c0e4c93076816f14bb0730caa9fd223996fc

SHA512
3fb78c538a425eecaf51d6175fb81a82d2d745267999aa3a1c2f4ce11bd32d45a22ba89c2825b0b3343def8f316cbb023cf10e4676f76bf656a58c7c2ec58711

Download Submit
C:\Windows\SysWOW64\gorilla.bas
Filesize
28KB

MD5
3651562e0a058e661e38a1e9e82afadb

SHA1
97fd0e987df1372abdb5f7105e8a91357e51bea4

SHA256
9926fc1f50c4b489ec4c1b0da5bd2c497ebf4282b3259c28a835a743e24699f7

SHA512
abcc884a333f89fd2b798736bef2339c6a9c7302a40a2bae08e3cacc3a45c3ea8f1c13a9e0b66d74754bbbe0386ae6f60c32fe230442e74e0dc0634ac8f4a1b3

Download Submit
C:\Windows\SysWOW64\graphics.com
Filesize
19KB

MD5
6e4e7884e6489ac4f5e6dab176a73e52

SHA1
35248484a4007156a24c62618205cc1657eea2b2

SHA256
989b38806ec1e1bdd30da3dc6b41cc85bdc81dda74f870fcc7df399876eb2756

SHA512
688d24aaf2d06a4e64e25ed26540ea07cf0516d7e9b85a44d231b4874c330d3809bbffb218fc046feac5ad71d5ffdb6650f37cdb69b79d3de37d5ed91adfc1f7

Download Submit
C:\Windows\SysWOW64\graphics.pro
Filesize
20KB

MD5
bc33aa625d6b807f718627386df78426

SHA1
23b563e377737c97f11401c49ce33c5e01d644bd

SHA256
b734f750a473f83d33aa773fe3d6c7bcdd209d97339f37b03b8c5f3f8eed890b

SHA512
656dbea85b4035373b7e9aaf9871f092a219f4301dc957cb76662f91a36a71007a824ff70db87a71994bfadc4c74ac249b9b36c8fd2971725326b3b136a6c2ac

Download Submit
C:\Windows\SysWOW64\himem.sys
Filesize
4KB

MD5
e6bc0f98fecef245a0010d350c1a0b9b

SHA1
182c9b4d26d11eda25deaa2ec6051ac2d324cb08

SHA256
08aa2c47d835460ed3067fa7d6f8a3b37edeca524ad102b0588fdd1bf389ce08

SHA512
b84197b66de8de88cd21ab257de7d8491ffb1ad00f5929333ff099a2e5493a7f6780b41d24b5749ec689a4c7da4ce1697f207e35e43dc7eda435f0dc1ed02326

Download Submit
C:\Windows\SysWOW64\kb16.com
Filesize
14KB

MD5
e57695537ba7534f3e2ddeca76917cd7

SHA1
65220df1d01cf0f322206e5596336b506312a150

SHA256
9c432ea71e0e11bfb2edf9166c862826115ec4cdf8439f986a5ed71d9a3af3b9

SHA512
31d04f9ea22aff628a1a2c3257dc38cc1a87b7a34ff429487919cf0b1582f78c73a4db49525300a7b54b8efdda9e67499af1dbb500287b3b7ccdce94403c48b5

Download Submit
C:\Windows\SysWOW64\keyboard.sys
Filesize
39KB

MD5
a2cf1c78e6f5f9bae9775316d49a8264

SHA1
7b6e90a8d9cd7fbe4241e0250ff4c6dd0656db95

SHA256
96fcac606683cf262dbc030713a9263731ee83f19a10207e5dd632e5ee06c2ad

SHA512
e67b08786dffba1bcd69431a627f063f26ce9b6a4382b4c0068c07d4705b6fbe6316f92367072f44b688c0e1280f7e417511920bf7b9f4e9a4858cb25cc8d07a

Download Submit
C:\Windows\SysWOW64\krnl386.exe
Filesize
83KB

MD5
df341464b80a2d82c468b948eb161eb2

SHA1
68da4869224404929437dcffc7e2f705fc9224a7

SHA256
d404576899cc11d23f368f2b30554e6108657cd37809837b341fd37e6b1a7af4

SHA512
ca315559280bac4bbe9a9cf3445ab3d779839a2d95df5c2f8bc6c3c108daef85cfc98a8898a7cd0973170ff8740e8267393a7b4621fdc873c95980f51b267ccc

Download Submit
C:\Windows\SysWOW64\loadfix.com
Filesize
1KB

MD5
536460507b20ae0f03d7bee8111028cf

SHA1
a970f3ba84900974523fa3e920a35fca7a812d64

SHA256
8e62654a49bd88c784c53f25e9fba13c641624d6a02214385115f66ccf1ecfdb

SHA512
44dbfbbd934499e1d23f7ac993bfdc0a9b25cb46ee2fb58523bfdbe0ce80d4475f4b4a9ca8c52dea811c9edae255eb494595b0affbfa8028f53f3fa4efc1eb36

Download Submit
C:\Windows\SysWOW64\mem.exe
Filesize
39KB

MD5
b4841a9693c572f6e764af4e168efe5c

SHA1
e6196d88ae461dc4d8128feabbd290e1a2a81ebd

SHA256
c4582b1e0738f3aaf89e17de0f940caa7e4b3d77a21fccd6ff91b7e075bdf6eb

SHA512
6029f9778b9dc2676fbd84c9a5faee14c4029bbf3ef0725b7aa057c44ff50d6d62acf88be2e56114a1844b9f9629d09bcbda5a1c1d1da7826eb468bbbebdf44b

Download Submit
C:\Windows\SysWOW64\money.bas
Filesize
45KB

MD5
1388197c59612cbb3df3adde3edf56ee

SHA1
9ccfe9c5fd18016d50c4ee3a425d42858274f4f1

SHA256
9f5153fddae4351fe845f2eeedd74e293d30f8898505a0d9b4d4488888f9d065

SHA512
ae6a4bde42746b167410d5b2535a88b331afba25338bae0cc3fceda005d8b51b95a8b211b9b61fc59b6a7be0976d5cf874650ffee611a22734f9770089c66316

Download Submit
C:\Windows\SysWOW64\mscdexnt.exe
Filesize
917B

MD5
6a5b002d6235c3e468a29fb87ab35e3f

SHA1
0785344bba0aeb223b1b16f928bfd0ce263baf30

SHA256
b3151a2dfe4a67a6c2e6113071d1f1c713bb78a04adea986fe01540eb96762d0

SHA512
6c6c255a921200fcf8f957ab0a391111576306eb8dc8c3c27e696d40e37dbddecd26f4d712f0e43096b55de9ba4c38cdf96801746ba97a637b86a85ae3f42e81

Download Submit
C:\Windows\SysWOW64\msherc.com
Filesize
6KB

MD5
3dc72e3d753d1761778468f2e17d5471

SHA1
7a6dc1647118425ebdcd6859d16e47c9a2986464

SHA256
eb96ee0e8be6d4a4332c3e1947d95f9c448a0a8a96b5cd74a38d33a1e0b9405e

SHA512
2c72a63c2b528c56eb5e526244baebb54d049cbf92672b55c780d8853f9216c6411f90898d9cca2dfd3edfa58c54ea3e158dbaa846a259d4da6ca3fb3b01b4f0

Download Submit
C:\Windows\SysWOW64\nibbles.bas
Filesize
23KB

MD5
8d133a769390956edb65182ef144e5a1

SHA1
bb9646390d18b70f112a12dded7a9d715a537351

SHA256
24017f3b84e5e072090ab55b76700feaec197c5b12ebb26432bce3b2e88e8528

SHA512
90e8076a6d0ed388f05372cb4faf3a1e58357ca33a21ed7aeec1b0b1375ce1a99f961befdf4e9e776c32a6eba99c21673d47fbeeb77438c0f6e7572cc188d128

Download Submit
C:\Windows\SysWOW64\ntdos.sys
Filesize
27KB

MD5
01d95f844255c4217b4da43dd5ffd5a0

SHA1
b01b460fce8422c220730609d09e203f986353c2

SHA256
957662320654ad5251c3a8b228a5dadec28aa65dddbcba38c3658a6e7f93bc84

SHA512
7977933e864b3d448c6773485f6c220111dcd9a3e74711b9c2d4715edf886677533808b8fcd014dffcdaf68bf7c7c40defbe2d8bd1dd1e1e790c4b7c2a7eb302

Download Submit
C:\Windows\SysWOW64\ntio.sys
Filesize
33KB

MD5
cebf9f829ed19c8b98b3ca365ae44908

SHA1
1912ef18142efd36ef6e3656de239fb41c4cb176

SHA256
cfc8be16576bb6acd16bb8fc9b2d9a080f544bbfdd2d2d2df07ed908b3ab4937

SHA512
d5905ecef4a49054d48e9fbb444b8a1c946b4d1d49bda5796f22907459730c6327052e775833ed78e0b57ab7ead09ae2f879487cdb4b1aed863f5721132e58dc

Download Submit
C:\Windows\SysWOW64\ntvdm.exe
Filesize
3.0MB

MD5
28060ca1c7c2630dfb41c751da135628

SHA1
ea976ad1163c23905c6bef4b39a3ac5bc4ee1ea1

SHA256
57f747f54840645f19135366dc38d9f29596beb536ec5b23cc77e1c798846a85

SHA512
5aada567b8d89c3f285e4b7f9ab5e36ebbff6b35cac49fb1cc2d98454d6360a3621f91a0d7d86ee5db5e7d2fd0abc0c1b7f661738ecff48dffc9076237767194

Download Submit
C:\Windows\SysWOW64\qbasic.exe
Filesize
251KB

MD5
1f4352f6189dc26c33e7ef81c862d0c9

SHA1
8e2f0dbb3280e9be872c784b5dfe54ddc29803b3

SHA256
e8341b546cc12cfd4d59a7eb24e116f2cfbcae71779d9a7f712902f65e5deb6e

SHA512
6a379d58c642b8a9360eda3d3a533d25ac3b8180e7423d6cfbab42cdfe8cb8149f13192d7f9ea86db6121315f667bb6c819e713572af9cbf9fdb2c8351024166

Download Submit
C:\Windows\SysWOW64\qbasic.hlp
Filesize
127KB

MD5
681c7c17ec72718b44e7b75fc97677ba

SHA1
09c7b3db55698e750b05875a033fd16533dade03

SHA256
6740dba6966378c317a6273299157db1388d6b5820ecb7a05ab68cf2af96a8db

SHA512
4ce76848eee457d94a7e6258d2bacc2eb8720175dc38b5420375b8df8c7c8fc5146fe15e14fb4406934ee37ec9aafeecc97573771b8fd190bfdb761244cc0846

Download Submit
C:\Windows\SysWOW64\redir.exe
Filesize
17KB

MD5
e5cc704fcbbab7ae25a97c083ac68a12

SHA1
c1017d7aeb4967e9b927f9c705512e948c575d8f

SHA256
4efe625d7391cbec07c984282e4431d9f53f3452fe1bda4b8e9a97bf1a578d53

SHA512
9640b6f418abfc8f645351d9cfade5cd58cf440384af85d3d6055140ac0e6b31c1c14f97e945374f176e3358aa3a4a70e98be7ca1ee1fcaf56e64e381958e06f

Download Submit
C:\Windows\SysWOW64\remline.bas
Filesize
12KB

MD5
8b5f2d01f0117e25dc158276e3382ea4

SHA1
4bfe286a70ce830d3ad36c1320722e89f5d702b3

SHA256
b1b9b3b3c70026ed01a47c88319c9bd1bb392e55575a9dec7e87230a36799ac5

SHA512
91520d7b7974702a78f186e5c6ae4108307ae31216cf9b66edf3f4fb126e9dfe5634c041e48396565b3ae16e096137a0e8a52bff2d4a30882fc36034176d2e4e

Download Submit
C:\Windows\SysWOW64\setver.exe
Filesize
11KB

MD5
485a2f3c5a40d53645ce65ad04c68687

SHA1
8ab0828bdf867a5d97e0e8efbc025a3ee0600fcd

SHA256
8ab7e855fb4bd066ac0230dfb7d194180bb73fdd99c040c340a903353dcd822b

SHA512
99af62a2ca1ee20687868266d7102c0a965792df33911d1adf683891d83b5661ad434faef70edc650ebef92a04c164167f98d709bb53dfee1091ddac1a448f01

Download Submit
C:\Windows\SysWOW64\share.exe
Filesize
882B

MD5
68062c0ece86ab7801b5b47fdc855a06

SHA1
f574d8ca521fd9f038d94140d0606f7d622c1d82

SHA256
69dabbdb754b358ac4fe4b22de04c0e4c93076816f14bb0730caa9fd223996fc

SHA512
3fb78c538a425eecaf51d6175fb81a82d2d745267999aa3a1c2f4ce11bd32d45a22ba89c2825b0b3343def8f316cbb023cf10e4676f76bf656a58c7c2ec58711

Download Submit
C:\Windows\SysWOW64\v7vga.rom
Filesize
18KB

MD5
86491ad7bc0964089cd4e703e65d45db

SHA1
4997a752bb2e57bd5317e5bde3a24962954bcb9c

SHA256
970f105cd9e42ee56f07aae695bac89786d3455ab9d4c1ea9a1d1643b1e8f6f0

SHA512
a9abc9f36e3654fa36fe6fe86c48e5c6050344d625cacd7282059945e332b037999278fa9b8f67e04e4ed36a7032501f80e0d1feb81374d460dbb09cbd17f1d2

Download Submit
C:\Windows\System32\ldntvdm.dll
Filesize
17KB

MD5
2c20f10ce649bbd6de48a71d3a78282d

SHA1
a04d63ea88cb7108ec61c046a86892612b642fb9

SHA256
d7c0bf0aa896016ec9a4335b624cf2244df10a8320a5166a015a1eb063d0f717

SHA512
fb7582501f27b1b411ddfe95ce391dfcca7715750679845ed34480270a9fad703b18c21d2f8a4c167196d98f10394c6b0de70ff28abfcfa93dabd5fa9a197b93

Download Submit
C:\Windows\System32\ldntvdm.dll
Filesize
17KB

MD5
2c20f10ce649bbd6de48a71d3a78282d

SHA1
a04d63ea88cb7108ec61c046a86892612b642fb9

SHA256
d7c0bf0aa896016ec9a4335b624cf2244df10a8320a5166a015a1eb063d0f717

SHA512
fb7582501f27b1b411ddfe95ce391dfcca7715750679845ed34480270a9fad703b18c21d2f8a4c167196d98f10394c6b0de70ff28abfcfa93dabd5fa9a197b93

Download Submit
C:\Windows\System32\ldntvdm.dll
Filesize
17KB

MD5
2c20f10ce649bbd6de48a71d3a78282d

SHA1
a04d63ea88cb7108ec61c046a86892612b642fb9

SHA256
d7c0bf0aa896016ec9a4335b624cf2244df10a8320a5166a015a1eb063d0f717

SHA512
fb7582501f27b1b411ddfe95ce391dfcca7715750679845ed34480270a9fad703b18c21d2f8a4c167196d98f10394c6b0de70ff28abfcfa93dabd5fa9a197b93

Download Submit
C:\Windows\System32\ldntvdm.dll
Filesize
17KB

MD5
2c20f10ce649bbd6de48a71d3a78282d

SHA1
a04d63ea88cb7108ec61c046a86892612b642fb9

SHA256
d7c0bf0aa896016ec9a4335b624cf2244df10a8320a5166a015a1eb063d0f717

SHA512
fb7582501f27b1b411ddfe95ce391dfcca7715750679845ed34480270a9fad703b18c21d2f8a4c167196d98f10394c6b0de70ff28abfcfa93dabd5fa9a197b93

Download Submit
C:\Windows\System32\ldntvdm.dll
Filesize
17KB

MD5
2c20f10ce649bbd6de48a71d3a78282d

SHA1
a04d63ea88cb7108ec61c046a86892612b642fb9

SHA256
d7c0bf0aa896016ec9a4335b624cf2244df10a8320a5166a015a1eb063d0f717

SHA512
fb7582501f27b1b411ddfe95ce391dfcca7715750679845ed34480270a9fad703b18c21d2f8a4c167196d98f10394c6b0de70ff28abfcfa93dabd5fa9a197b93

Download Submit
C:\Windows\system32\ldntvdm.dll
Filesize
17KB

MD5
2c20f10ce649bbd6de48a71d3a78282d

SHA1
a04d63ea88cb7108ec61c046a86892612b642fb9

SHA256
d7c0bf0aa896016ec9a4335b624cf2244df10a8320a5166a015a1eb063d0f717

SHA512
fb7582501f27b1b411ddfe95ce391dfcca7715750679845ed34480270a9fad703b18c21d2f8a4c167196d98f10394c6b0de70ff28abfcfa93dabd5fa9a197b93

Download Submit
memory/116-154-0x0000000000000000-mapping.dmp

Download
memory/224-226-0x0000000000000000-mapping.dmp

Download
memory/428-156-0x0000000000000000-mapping.dmp

Download
memory/1128-212-0x0000000000000000-mapping.dmp

Download
memory/1468-148-0x0000000000000000-mapping.dmp

Download
memory/1476-204-0x0000000000000000-mapping.dmp

Download
memory/1552-164-0x0000000000000000-mapping.dmp

Download
memory/1584-144-0x0000000000000000-mapping.dmp

Download
memory/1584-224-0x0000000000000000-mapping.dmp

Download
memory/1588-216-0x0000000000000000-mapping.dmp

Download
memory/1588-135-0x0000000000000000-mapping.dmp

Download
memory/1644-139-0x0000000000000000-mapping.dmp

Download
memory/1792-227-0x0000000000000000-mapping.dmp

Download
memory/1832-174-0x0000000000000000-mapping.dmp

Download
memory/1980-222-0x0000000000000000-mapping.dmp

Download
memory/2072-138-0x0000000000000000-mapping.dmp

Download
memory/2128-133-0x0000000000000000-mapping.dmp

Download
memory/2180-166-0x0000000000000000-mapping.dmp

Download
memory/2192-186-0x0000000000000000-mapping.dmp

Download
memory/2196-180-0x0000000000000000-mapping.dmp

Download
memory/2256-152-0x0000000000000000-mapping.dmp

Download
memory/2300-188-0x0000000000000000-mapping.dmp

Download
memory/2432-158-0x0000000000000000-mapping.dmp

Download
memory/2560-137-0x0000000000000000-mapping.dmp

Download
memory/2716-190-0x0000000000000000-mapping.dmp

Download
memory/2728-184-0x0000000000000000-mapping.dmp

Download
memory/2800-214-0x0000000000000000-mapping.dmp

Download
memory/2848-196-0x0000000000000000-mapping.dmp

Download
memory/2900-194-0x0000000000000000-mapping.dmp

Download
memory/2952-192-0x0000000000000000-mapping.dmp

Download
memory/3024-218-0x0000000000000000-mapping.dmp

Download
memory/3060-210-0x0000000000000000-mapping.dmp

Download
memory/3080-176-0x0000000000000000-mapping.dmp

Download
memory/3204-142-0x0000000000000000-mapping.dmp

Download
memory/3208-136-0x0000000000000000-mapping.dmp

Download
memory/3276-220-0x0000000000000000-mapping.dmp

Download
memory/3468-202-0x0000000000000000-mapping.dmp

Download
memory/3560-132-0x0000000000000000-mapping.dmp

Download
memory/3568-223-0x0000000000000000-mapping.dmp

Download
memory/3660-200-0x0000000000000000-mapping.dmp

Download
memory/3692-162-0x0000000000000000-mapping.dmp

Download
memory/3808-228-0x0000000000000000-mapping.dmp

Download
memory/3900-178-0x0000000000000000-mapping.dmp

Download
memory/3952-168-0x0000000000000000-mapping.dmp

Download
memory/3988-230-0x0000000000000000-mapping.dmp

Download
memory/4056-206-0x0000000000000000-mapping.dmp

Download
memory/4224-233-0x0000000000000000-mapping.dmp

Download
memory/4248-229-0x0000000000000000-mapping.dmp

Download
memory/4264-134-0x0000000000000000-mapping.dmp

Download
memory/4372-150-0x0000000000000000-mapping.dmp

Download
memory/4560-160-0x0000000000000000-mapping.dmp

Download
memory/4600-146-0x0000000000000000-mapping.dmp

Download
memory/4684-182-0x0000000000000000-mapping.dmp

Download
memory/4828-198-0x0000000000000000-mapping.dmp

Download
memory/4844-225-0x0000000000000000-mapping.dmp

Download
memory/5024-172-0x0000000000000000-mapping.dmp

Download
memory/5052-208-0x0000000000000000-mapping.dmp

Download
memory/5068-170-0x0000000000000000-mapping.dmp

Download