200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

Analysis

max time kernel
152s
max time network
97s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
Size

294KB
MD5

86071d73aeafb6e6cc657168a413c44f
SHA1

1e16123ee577aeabde95bf4de00e29ff94354ecf
SHA256

200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581
SHA512

8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2
SSDEEP

6144:N0JRJZIU/HCDNtkpCTWMZQHFqypLdlmMJyYzsZLcjyPQ5PHAd:N0B/iDNtkpCpZQDduLbaAd

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 15 IoCs

pid	Process
1388	api-ms-win-core-file-l1-2-0.exe
1208	adsldpc.exe
1736	aaclient.exe
1036	AdmTmpl.exe
2004	api-ms-win-core-file-l2-1-0.exe
1108	accessibilitycpl.exe
520	actxprxy.exe
1676	activeds.exe
1720	accessibilitycpl.exe
1708	aaclient.exe
1920	amstream.exe
1648	api-ms-win-core-namedpipe-l1-1-0.exe
1428	AltTab.exe
2004	aeevts.exe
1408	AltTab.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1764	netsh.exe

Deletes itself 1 IoCs

pid	Process
1208	adsldpc.exe

Loads dropped DLL 28 IoCs

pid	Process
1092	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
1092	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
1388	api-ms-win-core-file-l1-2-0.exe
1388	api-ms-win-core-file-l1-2-0.exe
1208	adsldpc.exe
1208	adsldpc.exe
1736	aaclient.exe
1736	aaclient.exe
1036	AdmTmpl.exe
1036	AdmTmpl.exe
2004	api-ms-win-core-file-l2-1-0.exe
2004	api-ms-win-core-file-l2-1-0.exe
1108	accessibilitycpl.exe
1108	accessibilitycpl.exe
520	actxprxy.exe
520	actxprxy.exe
1676	activeds.exe
1676	activeds.exe
1720	accessibilitycpl.exe
1720	accessibilitycpl.exe
1708	aaclient.exe
1708	aaclient.exe
1920	amstream.exe
1920	amstream.exe
1648	api-ms-win-core-namedpipe-l1-1-0.exe
1648	api-ms-win-core-namedpipe-l1-1-0.exe
1428	AltTab.exe
1428	AltTab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smwcore = "C:\\Windows\\system32\\AltTab.exe"	AltTab.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adsldpc.exe	api-ms-win-core-file-l1-2-0.exe
File created	C:\Windows\SysWOW64\AltTab.exe	api-ms-win-core-namedpipe-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\activeds.exe	actxprxy.exe
File opened for modification	C:\Windows\SysWOW64\aaclient.exe	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\AltTab.nls	AltTab.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
File opened for modification	C:\Windows\SysWOW64\adsldpc.exe	api-ms-win-core-file-l1-2-0.exe
File opened for modification	C:\Windows\SysWOW64\aaclient.exe	adsldpc.exe
File opened for modification	C:\Windows\SysWOW64\accessibilitycpl.exe	api-ms-win-core-file-l2-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
File opened for modification	C:\Windows\SysWOW64\AdmTmpl.exe	aaclient.exe
File opened for modification	C:\Windows\SysWOW64\AltTab.exe	api-ms-win-core-namedpipe-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\accessibilitycpl.exe	activeds.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe	AdmTmpl.exe
File opened for modification	C:\Windows\SysWOW64\actxprxy.exe	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\aeevts.exe	AltTab.exe
File created	C:\Windows\SysWOW64\aaclient.exe	adsldpc.exe
File created	C:\Windows\SysWOW64\activeds.exe	actxprxy.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	activeds.exe
File created	C:\Windows\SysWOW64\AdmTmpl.exe	aaclient.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe	AdmTmpl.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe	amstream.exe
File opened for modification	C:\Windows\SysWOW64\amstream.exe	aaclient.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe	amstream.exe
File opened for modification	C:\Windows\SysWOW64\aeevts.exe	AltTab.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	api-ms-win-core-file-l2-1-0.exe
File created	C:\Windows\SysWOW64\actxprxy.exe	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\aaclient.exe	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\amstream.exe	aaclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe
1428	AltTab.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
Token: SeDebugPrivilege	1388	api-ms-win-core-file-l1-2-0.exe
Token: SeDebugPrivilege	1208	adsldpc.exe
Token: SeDebugPrivilege	1736	aaclient.exe
Token: SeDebugPrivilege	1036	AdmTmpl.exe
Token: SeDebugPrivilege	2004	api-ms-win-core-file-l2-1-0.exe
Token: SeDebugPrivilege	1108	accessibilitycpl.exe
Token: SeDebugPrivilege	520	actxprxy.exe
Token: SeDebugPrivilege	1676	activeds.exe
Token: SeDebugPrivilege	1720	accessibilitycpl.exe
Token: SeDebugPrivilege	1708	aaclient.exe
Token: SeDebugPrivilege	1920	amstream.exe
Token: SeDebugPrivilege	1648	api-ms-win-core-namedpipe-l1-1-0.exe
Token: SeDebugPrivilege	1428	AltTab.exe
Token: SeDebugPrivilege	2004	aeevts.exe
Token: SeDebugPrivilege	1408	AltTab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1388	1092	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe	27
PID 1092 wrote to memory of 1388	1092	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe	27
PID 1092 wrote to memory of 1388	1092	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe	27
PID 1092 wrote to memory of 1388	1092	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe	27
PID 1388 wrote to memory of 1208	1388	api-ms-win-core-file-l1-2-0.exe	28
PID 1388 wrote to memory of 1208	1388	api-ms-win-core-file-l1-2-0.exe	28
PID 1388 wrote to memory of 1208	1388	api-ms-win-core-file-l1-2-0.exe	28
PID 1388 wrote to memory of 1208	1388	api-ms-win-core-file-l1-2-0.exe	28
PID 1208 wrote to memory of 1736	1208	adsldpc.exe	29
PID 1208 wrote to memory of 1736	1208	adsldpc.exe	29
PID 1208 wrote to memory of 1736	1208	adsldpc.exe	29
PID 1208 wrote to memory of 1736	1208	adsldpc.exe	29
PID 1736 wrote to memory of 1036	1736	aaclient.exe	30
PID 1736 wrote to memory of 1036	1736	aaclient.exe	30
PID 1736 wrote to memory of 1036	1736	aaclient.exe	30
PID 1736 wrote to memory of 1036	1736	aaclient.exe	30
PID 1036 wrote to memory of 2004	1036	AdmTmpl.exe	31
PID 1036 wrote to memory of 2004	1036	AdmTmpl.exe	31
PID 1036 wrote to memory of 2004	1036	AdmTmpl.exe	31
PID 1036 wrote to memory of 2004	1036	AdmTmpl.exe	31
PID 2004 wrote to memory of 1108	2004	api-ms-win-core-file-l2-1-0.exe	32
PID 2004 wrote to memory of 1108	2004	api-ms-win-core-file-l2-1-0.exe	32
PID 2004 wrote to memory of 1108	2004	api-ms-win-core-file-l2-1-0.exe	32
PID 2004 wrote to memory of 1108	2004	api-ms-win-core-file-l2-1-0.exe	32
PID 1108 wrote to memory of 520	1108	accessibilitycpl.exe	33
PID 1108 wrote to memory of 520	1108	accessibilitycpl.exe	33
PID 1108 wrote to memory of 520	1108	accessibilitycpl.exe	33
PID 1108 wrote to memory of 520	1108	accessibilitycpl.exe	33
PID 520 wrote to memory of 1676	520	actxprxy.exe	34
PID 520 wrote to memory of 1676	520	actxprxy.exe	34
PID 520 wrote to memory of 1676	520	actxprxy.exe	34
PID 520 wrote to memory of 1676	520	actxprxy.exe	34
PID 1676 wrote to memory of 1720	1676	activeds.exe	35
PID 1676 wrote to memory of 1720	1676	activeds.exe	35
PID 1676 wrote to memory of 1720	1676	activeds.exe	35
PID 1676 wrote to memory of 1720	1676	activeds.exe	35
PID 1720 wrote to memory of 1708	1720	accessibilitycpl.exe	36
PID 1720 wrote to memory of 1708	1720	accessibilitycpl.exe	36
PID 1720 wrote to memory of 1708	1720	accessibilitycpl.exe	36
PID 1720 wrote to memory of 1708	1720	accessibilitycpl.exe	36
PID 1708 wrote to memory of 1920	1708	aaclient.exe	37
PID 1708 wrote to memory of 1920	1708	aaclient.exe	37
PID 1708 wrote to memory of 1920	1708	aaclient.exe	37
PID 1708 wrote to memory of 1920	1708	aaclient.exe	37
PID 1920 wrote to memory of 1648	1920	amstream.exe	38
PID 1920 wrote to memory of 1648	1920	amstream.exe	38
PID 1920 wrote to memory of 1648	1920	amstream.exe	38
PID 1920 wrote to memory of 1648	1920	amstream.exe	38
PID 1648 wrote to memory of 1428	1648	api-ms-win-core-namedpipe-l1-1-0.exe	39
PID 1648 wrote to memory of 1428	1648	api-ms-win-core-namedpipe-l1-1-0.exe	39
PID 1648 wrote to memory of 1428	1648	api-ms-win-core-namedpipe-l1-1-0.exe	39
PID 1648 wrote to memory of 1428	1648	api-ms-win-core-namedpipe-l1-1-0.exe	39
PID 1428 wrote to memory of 2004	1428	AltTab.exe	40
PID 1428 wrote to memory of 2004	1428	AltTab.exe	40
PID 1428 wrote to memory of 2004	1428	AltTab.exe	40
PID 1428 wrote to memory of 2004	1428	AltTab.exe	40
PID 1428 wrote to memory of 1764	1428	AltTab.exe	41
PID 1428 wrote to memory of 1764	1428	AltTab.exe	41
PID 1428 wrote to memory of 1764	1428	AltTab.exe	41
PID 1428 wrote to memory of 1764	1428	AltTab.exe	41
PID 1428 wrote to memory of 1408	1428	AltTab.exe	43
PID 1428 wrote to memory of 1408	1428	AltTab.exe	43
PID 1428 wrote to memory of 1408	1428	AltTab.exe	43
PID 1428 wrote to memory of 1408	1428	AltTab.exe	43

C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
"C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
  "C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\adsldpc.exe
    "C:\Windows\system32\adsldpc.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe"
    3⤵
    - Executes dropped EXE
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\SysWOW64\aaclient.exe
      "C:\Windows\system32\aaclient.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\SysWOW64\AdmTmpl.exe
        
        "C:\Windows\system32\AdmTmpl.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe
        
        "C:\Windows\system32\api-ms-win-core-file-l2-1-0.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        "C:\Windows\system32\accessibilitycpl.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\actxprxy.exe
        
        "C:\Windows\system32\actxprxy.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\activeds.exe
        
        "C:\Windows\system32\activeds.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"520:C:\Windows\SysWOW64\actxprxy.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        "C:\Windows\system32\accessibilitycpl.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"520:C:\Windows\SysWOW64\actxprxy.exe" -m"1676:C:\Windows\SysWOW64\activeds.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\aaclient.exe
        
        "C:\Windows\system32\aaclient.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"520:C:\Windows\SysWOW64\actxprxy.exe" -m"1676:C:\Windows\SysWOW64\activeds.exe" -m"1720:C:\Windows\SysWOW64\accessibilitycpl.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\amstream.exe
        
        "C:\Windows\system32\amstream.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"520:C:\Windows\SysWOW64\actxprxy.exe" -m"1676:C:\Windows\SysWOW64\activeds.exe" -m"1720:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1708:C:\Windows\SysWOW64\aaclient.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe
        
        "C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"520:C:\Windows\SysWOW64\actxprxy.exe" -m"1676:C:\Windows\SysWOW64\activeds.exe" -m"1720:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1708:C:\Windows\SysWOW64\aaclient.exe" -m"1920:C:\Windows\SysWOW64\amstream.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\AltTab.exe
        
        "C:\Windows\system32\AltTab.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"520:C:\Windows\SysWOW64\actxprxy.exe" -m"1676:C:\Windows\SysWOW64\activeds.exe" -m"1720:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1708:C:\Windows\SysWOW64\aaclient.exe" -m"1920:C:\Windows\SysWOW64\amstream.exe" -m"1648:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\aeevts.exe
        
        "C:\Windows\system32\aeevts.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"520:C:\Windows\SysWOW64\actxprxy.exe" -m"1676:C:\Windows\SysWOW64\activeds.exe" -m"1720:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1708:C:\Windows\SysWOW64\aaclient.exe" -m"1920:C:\Windows\SysWOW64\amstream.exe" -m"1648:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe" -m"1428:C:\Windows\SysWOW64\AltTab.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" firewall add allowedprogram "C:\Windows\SysWOW64\AltTab.exe" enable
        15⤵
        Modifies Windows Firewall
        
        PID:1764
        
        C:\Windows\SysWOW64\AltTab.exe
        
        "C:\Windows\SysWOW64\AltTab.exe" -m"1092:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1388:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe" -m"1208:C:\Windows\SysWOW64\adsldpc.exe" -m"1736:C:\Windows\SysWOW64\aaclient.exe" -m"1036:C:\Windows\SysWOW64\AdmTmpl.exe" -m"2004:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe" -m"1108:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"520:C:\Windows\SysWOW64\actxprxy.exe" -m"1676:C:\Windows\SysWOW64\activeds.exe" -m"1720:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1708:C:\Windows\SysWOW64\aaclient.exe" -m"1920:C:\Windows\SysWOW64\amstream.exe" -m"1648:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe" -w1428
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AdmTmpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AdmTmpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AltTab.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AltTab.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AltTab.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aaclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aaclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aaclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aaclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\activeds.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\activeds.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\actxprxy.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\actxprxy.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\adsldpc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\adsldpc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aeevts.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\amstream.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\amstream.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\AdmTmpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\AdmTmpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\AltTab.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\AltTab.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\aaclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\aaclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\aaclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\aaclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\activeds.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\activeds.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\actxprxy.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\actxprxy.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\adsldpc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\adsldpc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\aeevts.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\aeevts.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\amstream.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\amstream.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
memory/520-119-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1036-88-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1092-55-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1092-62-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1092-180-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1092-54-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1108-111-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1108-103-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1208-78-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1388-67-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1408-178-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1428-171-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1428-179-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1648-161-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1676-120-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1676-122-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1676-124-0x0000000002F40000-0x000000000302F000-memory.dmp

Filesize
956KB

Download
memory/1708-139-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1720-138-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1736-80-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1920-160-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2004-168-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2004-169-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2004-172-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2004-102-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download