e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291

Analysis

max time kernel
161s
max time network
175s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
Size

759KB
MD5

a2af52797b82cd8b7892dfbcf04b7f89
SHA1

a1693b5d2f62d91813a4859ad4c0b7cb2cdf0e7d
SHA256

e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291
SHA512

c7e69e584420f7b1e8cfd36034656a52fbf1a33194f7db0796d172a8675f21d5333a91a9788e88333e3ae72759a2d838bfbb98027842ca2da0ef8519664c0543
SSDEEP

12288:plqhYneRa5V1DfnT8GWW0rO5C+mOXyqCZKH9O7B3p9FrEz3u8swZTKlz6IfAQbg8:p4hYhDvTTlr4ayqh9O15Ezjsw5K8Mp5t

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1940	svchost.exe
1496	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1628-55-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1628-63-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Loads dropped DLL 13 IoCs

pid	Process
1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
1940	svchost.exe
1940	svchost.exe
1940	svchost.exe
1940	svchost.exe
1940	svchost.exe
1940	svchost.exe
1940	svchost.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RUNDLL = "c:\\windows\\system32\\rundll32\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svc = "rundll32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secure = "c:\\windows\\system32\\secure\\rundll32.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secure = "c:\\windows\\system32\\secure\\rundll32.exe"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\rundll32\winamp.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\nick.txt	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\securemirc.ini	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\winamp.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\secure\secure.dll	svchost.exe
File created	\??\c:\windows\SysWOW64\secure\dmu.dll	svchost.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\botnut.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\rundll32\dmu.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\secure\mirc.ini	svchost.exe
File opened for modification	\??\c:\windows\syswow64\secure\mirc.ini	rundll32.exe
File created	\??\c:\windows\SysWOW64\rundll32\botnut.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\rundll32\moo.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\syswow64\secure\remote.ini	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\moo.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\rundll32\nick.txt	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\net.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\svchost.exe	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\dmu.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\rundll32\net.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\rundll32\securemirc.ini	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\rundll32\svchost.exe	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\syswow64\rundll32\mirc.ini	svchost.exe
File opened for modification	\??\c:\windows\syswow64\rundll32\botnut.dll	svchost.exe
File created	\??\c:\windows\SysWOW64\notepad.exe	svchost.exe
File opened for modification	\??\c:\windows\syswow64\rundll32\remote.ini	svchost.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\rundll32\secure.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\syswow64\secure\secure.dll	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\secure.dll	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File created	\??\c:\windows\SysWOW64\secure\rundll32.exe	svchost.exe
File created	\??\c:\windows\SysWOW64\notepad.exe	rundll32.exe
File created	\??\c:\windows\SysWOW64\rundll32\mirc.ini	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
File opened for modification	\??\c:\windows\SysWOW64\rundll32\mirc.ini	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "secure"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\windows\\syswow64\\rundll32\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\windows\\syswow64\\rundll32\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\windows\\syswow64\\rundll32\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "botnut"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"c:\\windows\\syswow64\\secure\\rundll32.exe\""	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\windows\\syswow64\\secure\\rundll32.exe\""	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "botnut"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\windows\\syswow64\\secure\\rundll32.exe\""	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\windows\\syswow64\\secure\\rundll32.exe\""	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1940	svchost.exe
1940	svchost.exe
1496	rundll32.exe
1496	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1940	1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe	27
PID 1628 wrote to memory of 1940	1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe	27
PID 1628 wrote to memory of 1940	1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe	27
PID 1628 wrote to memory of 1940	1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe	27
PID 1628 wrote to memory of 1940	1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe	27
PID 1628 wrote to memory of 1940	1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe	27
PID 1628 wrote to memory of 1940	1628	e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe	27
PID 1940 wrote to memory of 1496	1940	svchost.exe	28
PID 1940 wrote to memory of 1496	1940	svchost.exe	28
PID 1940 wrote to memory of 1496	1940	svchost.exe	28
PID 1940 wrote to memory of 1496	1940	svchost.exe	28
PID 1940 wrote to memory of 1496	1940	svchost.exe	28
PID 1940 wrote to memory of 1496	1940	svchost.exe	28
PID 1940 wrote to memory of 1496	1940	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe
"C:\Users\Admin\AppData\Local\Temp\e95f4144973ef35c18ae04b396d044d6960bfe57873bde9bb5779f181a3d9291.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1628
- C:\windows\SysWOW64\rundll32\svchost.exe
  "C:\windows\system32\rundll32\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\windows\SysWOW64\secure\rundll32.exe
    "C:\windows\system32\secure\rundll32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32\svchost.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
C:\Windows\SysWOW64\secure\rundll32.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
C:\windows\SysWOW64\rundll32\svchost.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
C:\windows\SysWOW64\secure\rundll32.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\??\c:\windows\syswow64\rundll32\botnut.dll

Filesize
41KB

MD5
f7ce7c614ebdcd0cef4b6869942f1fd5

SHA1
81568b8f494dc581f7e3c4f23d4b30418ae8ea4a

SHA256
1ce8f34cad902e4134704ee17c6d400c8a06139d96c57c97ad3e91215344b987

SHA512
27fe536b7f9b53353242d30a4f1491c6b08ebe466fce5943841bf973b9cf0bdcb72f120ad3b4a039996cb830a22662834164cda47bf30e7660b112a32039e475

Download Submit
\??\c:\windows\syswow64\rundll32\dmu.dll

Filesize
30KB

MD5
62456b6cbdb93b6f1458469d90c57e2c

SHA1
aee316ef1f6e14e839dd3ce4ef6e4dcd0dacc4c9

SHA256
445d74478a92117eb400ea0c41e8a90f91e44401b1b28536cd5bb8087572ed3f

SHA512
29331e7da090c9824d67db0a7c62099f3ca97e927d7ffda51237d785dadaf6c21875e98c6e404bb1f9a91382857fcd3ca57c504dc5fb5e5f6f9019cf3fcc732f

Download Submit
\??\c:\windows\syswow64\rundll32\mirc.ini

Filesize
3KB

MD5
8969d3153c6f59c1d1703f9eaa8eaadd

SHA1
d015a6bc916272457c1b1044ce30e25bf4614f34

SHA256
4a9de396dc87f87d2be6451201fd1540f27a40bbd7d83aca1184c9945b683b9b

SHA512
cd22cf739d532827e127ff0c973ea8cfd214dc82024ff8bded4f013eaf9a36a1eeb066d3fa1a41ed74fa05a700e389dd5a8fec770730a237efb927875a17d0a6

Download Submit
\??\c:\windows\syswow64\rundll32\nick.txt

Filesize
19KB

MD5
b15445952e02f2163a15b9f290293520

SHA1
6eb3e852e26887b96bf14e2d96824a22298af739

SHA256
e719c2a7d940ee3e0c7f54d0fe2c4920d400168659801e5c6c2b4fc33753debd

SHA512
a14f452d938b9d5f7cde5b61e2cbb075069132647e8decee4117bb15c4ce79dfb565bcdf817d8a70c36aaf0d1c055a0fdf4bb8528861474c92a4298e93fc9084

Download Submit
\??\c:\windows\syswow64\rundll32\secure.dll

Filesize
8KB

MD5
7e6e843d207d81218025ea1e2bcdc565

SHA1
b52d3b73534e66e88dc09696a603ccf6b47b6883

SHA256
95547f96fc8d3317bba3e31afa4280d49b7b6b3b1402578841dca6e97f0dbd32

SHA512
6eea9447aea1152ad995f59af9a491cd7fadc7687a888cec90354e0f0dccee26e6051ddb6a258774966c6ffd2e8e61769ff80b425078c32e3355f9227e39ed8e

Download Submit
\??\c:\windows\syswow64\rundll32\securemirc.ini

Filesize
3KB

MD5
04dcd1fcafe513a1fdd652f44e946688

SHA1
6a09468febf5967eedbfac4ce7a7b7adee728dda

SHA256
7c5eae6d28b411364b18dfa33632bc15b750dc6ffb40d5f4433fc8fc20551436

SHA512
dd317d825a3f837c174a3c27f0220612a7840831412785726aa84cddf7637329c2be28c9bfec86ad7a791931201cc9a3ef6984eb0f1414d73f00385afcabfc1a

Download Submit
\??\c:\windows\syswow64\secure\dmu.dll

Filesize
30KB

MD5
62456b6cbdb93b6f1458469d90c57e2c

SHA1
aee316ef1f6e14e839dd3ce4ef6e4dcd0dacc4c9

SHA256
445d74478a92117eb400ea0c41e8a90f91e44401b1b28536cd5bb8087572ed3f

SHA512
29331e7da090c9824d67db0a7c62099f3ca97e927d7ffda51237d785dadaf6c21875e98c6e404bb1f9a91382857fcd3ca57c504dc5fb5e5f6f9019cf3fcc732f

Download Submit
\??\c:\windows\syswow64\secure\mirc.ini

Filesize
3KB

MD5
04dcd1fcafe513a1fdd652f44e946688

SHA1
6a09468febf5967eedbfac4ce7a7b7adee728dda

SHA256
7c5eae6d28b411364b18dfa33632bc15b750dc6ffb40d5f4433fc8fc20551436

SHA512
dd317d825a3f837c174a3c27f0220612a7840831412785726aa84cddf7637329c2be28c9bfec86ad7a791931201cc9a3ef6984eb0f1414d73f00385afcabfc1a

Download Submit
\??\c:\windows\syswow64\secure\secure.dll

Filesize
8KB

MD5
7e6e843d207d81218025ea1e2bcdc565

SHA1
b52d3b73534e66e88dc09696a603ccf6b47b6883

SHA256
95547f96fc8d3317bba3e31afa4280d49b7b6b3b1402578841dca6e97f0dbd32

SHA512
6eea9447aea1152ad995f59af9a491cd7fadc7687a888cec90354e0f0dccee26e6051ddb6a258774966c6ffd2e8e61769ff80b425078c32e3355f9227e39ed8e

Download Submit
\Windows\SysWOW64\rundll32\dmu.dll

Filesize
30KB

MD5
62456b6cbdb93b6f1458469d90c57e2c

SHA1
aee316ef1f6e14e839dd3ce4ef6e4dcd0dacc4c9

SHA256
445d74478a92117eb400ea0c41e8a90f91e44401b1b28536cd5bb8087572ed3f

SHA512
29331e7da090c9824d67db0a7c62099f3ca97e927d7ffda51237d785dadaf6c21875e98c6e404bb1f9a91382857fcd3ca57c504dc5fb5e5f6f9019cf3fcc732f

Download Submit
\Windows\SysWOW64\rundll32\svchost.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\rundll32\svchost.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\rundll32\svchost.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\rundll32\svchost.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\rundll32\svchost.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\rundll32\svchost.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\secure\dmu.dll

Filesize
30KB

MD5
62456b6cbdb93b6f1458469d90c57e2c

SHA1
aee316ef1f6e14e839dd3ce4ef6e4dcd0dacc4c9

SHA256
445d74478a92117eb400ea0c41e8a90f91e44401b1b28536cd5bb8087572ed3f

SHA512
29331e7da090c9824d67db0a7c62099f3ca97e927d7ffda51237d785dadaf6c21875e98c6e404bb1f9a91382857fcd3ca57c504dc5fb5e5f6f9019cf3fcc732f

Download Submit
\Windows\SysWOW64\secure\rundll32.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\secure\rundll32.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\secure\rundll32.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\secure\rundll32.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
\Windows\SysWOW64\secure\rundll32.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
memory/1496-80-0x0000000000000000-mapping.dmp

Download
memory/1628-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1628-56-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1628-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1628-64-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1628-63-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1628-58-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1628-57-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1940-61-0x0000000000000000-mapping.dmp

Download