c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0

Analysis

max time kernel
147s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
Size

161KB
MD5

66fc2fb19cd6b028612201b24ca9d232
SHA1

3ebe63324a641b259ee5cc2fe2f05589efcdbadb
SHA256

c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0
SHA512

75b07851d7242863d6a8c356d79afeed69e488c11e28569e4e7e34cdd465c17d9325c467d3c9e89a939c4c5c8fe4bbab6c7b6c5f9b2b2cdd34bab8bf3f760b61
SSDEEP

3072:IWDdpkGLGqEIYebgLBHFTmrnb5qaD7Zc9dbqBZFc9/+Yzunep:IWfLLGq9YebsRmrYaD7ZQ0XS94nep

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1900	hexec.exe
1784	msdsa.exe
904	msdsa.exe
1780	runme.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDSADRV\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\msdsadrv.sys"	msdsa.exe

Loads dropped DLL 13 IoCs

pid	Process
544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
1900	hexec.exe
1900	hexec.exe
1900	hexec.exe
1472	cmd.exe
1472	cmd.exe
1784	msdsa.exe
1784	msdsa.exe
1472	cmd.exe
1472	cmd.exe
1780	runme.exe
1780	runme.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File opened for modification	C:\Windows\SysWOW64\hexec.exe	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File opened for modification	C:\Windows\SysWOW64\go.bat	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File opened for modification	C:\Windows\SysWOW64\msdsa.exe	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File opened for modification	C:\Windows\SysWOW64\msdsadrv.sys	msdsa.exe
File created	C:\Windows\SysWOW64\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\hexec.exe	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\go.bat	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File opened for modification	C:\Windows\SysWOW64\msdsa.ini	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File opened for modification	C:\Windows\SysWOW64\runme.exe	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\msdsa.ini	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\msdsadrv.sys	msdsa.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\runme.exe	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe\winmain.exe	runme.exe
File created	C:\Windows\SysWOW64\msdsa.exe	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
1780	runme.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
904	msdsa.exe
1780	runme.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
904	msdsa.exe
904	msdsa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	msdsa.exe
Token: SeLoadDriverPrivilege	904	msdsa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1900	544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe	26
PID 544 wrote to memory of 1900	544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe	26
PID 544 wrote to memory of 1900	544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe	26
PID 544 wrote to memory of 1900	544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe	26
PID 544 wrote to memory of 1900	544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe	26
PID 544 wrote to memory of 1900	544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe	26
PID 544 wrote to memory of 1900	544	c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe	26
PID 1900 wrote to memory of 1472	1900	hexec.exe	27
PID 1900 wrote to memory of 1472	1900	hexec.exe	27
PID 1900 wrote to memory of 1472	1900	hexec.exe	27
PID 1900 wrote to memory of 1472	1900	hexec.exe	27
PID 1900 wrote to memory of 1472	1900	hexec.exe	27
PID 1900 wrote to memory of 1472	1900	hexec.exe	27
PID 1900 wrote to memory of 1472	1900	hexec.exe	27
PID 1472 wrote to memory of 1784	1472	cmd.exe	29
PID 1472 wrote to memory of 1784	1472	cmd.exe	29
PID 1472 wrote to memory of 1784	1472	cmd.exe	29
PID 1472 wrote to memory of 1784	1472	cmd.exe	29
PID 1472 wrote to memory of 1784	1472	cmd.exe	29
PID 1472 wrote to memory of 1784	1472	cmd.exe	29
PID 1472 wrote to memory of 1784	1472	cmd.exe	29
PID 1472 wrote to memory of 820	1472	cmd.exe	30
PID 1472 wrote to memory of 820	1472	cmd.exe	30
PID 1472 wrote to memory of 820	1472	cmd.exe	30
PID 1472 wrote to memory of 820	1472	cmd.exe	30
PID 1472 wrote to memory of 820	1472	cmd.exe	30
PID 1472 wrote to memory of 820	1472	cmd.exe	30
PID 1472 wrote to memory of 820	1472	cmd.exe	30
PID 820 wrote to memory of 2016	820	net.exe	31
PID 820 wrote to memory of 2016	820	net.exe	31
PID 820 wrote to memory of 2016	820	net.exe	31
PID 820 wrote to memory of 2016	820	net.exe	31
PID 820 wrote to memory of 2016	820	net.exe	31
PID 820 wrote to memory of 2016	820	net.exe	31
PID 820 wrote to memory of 2016	820	net.exe	31
PID 1472 wrote to memory of 1780	1472	cmd.exe	33
PID 1472 wrote to memory of 1780	1472	cmd.exe	33
PID 1472 wrote to memory of 1780	1472	cmd.exe	33
PID 1472 wrote to memory of 1780	1472	cmd.exe	33
PID 1472 wrote to memory of 1780	1472	cmd.exe	33
PID 1472 wrote to memory of 1780	1472	cmd.exe	33
PID 1472 wrote to memory of 1780	1472	cmd.exe	33
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27
PID 904 wrote to memory of 1472	904	msdsa.exe	27

C:\Users\Admin\AppData\Local\Temp\c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
"C:\Users\Admin\AppData\Local\Temp\c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\hexec.exe
  "C:\Windows\system32\hexec.exe" C:\Windows\system32\go.bat
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\go.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\msdsa.exe
      msdsa.exe -:installonly
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1784
  - - C:\Windows\SysWOW64\net.exe
      net start MSDSA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start MSDSA
        5⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\runme.exe
      runme.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1780

C:\Windows\SysWOW64\msdsa.exe
C:\Windows\SysWOW64\msdsa.exe
1⤵
- Executes dropped EXE
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\go.bat

Filesize
234B

MD5
2d775f85e78e8d54f1fe88a6890e4ce5

SHA1
d01c31b5e613887bf4f3d1f6065d161bfbbe297d

SHA256
e658989c7ec02d319d5c0151281d048c19d2bd89d43b6e067797161cf3c74bd0

SHA512
71214c0439015c13a5af492aed52d260bbe644032170f80c0ef2884804c859e510078f7c3cbfc8d5a60444ef70858d7a66f161aa0c8f5e0cdf9920e3dbbbcfa2

Download Submit
C:\Windows\SysWOW64\hexec.exe

Filesize
17KB

MD5
8156fa5e0fe92c906c005148802b3e34

SHA1
0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

SHA256
c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

SHA512
48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

Download Submit
C:\Windows\SysWOW64\hexec.exe

Filesize
17KB

MD5
8156fa5e0fe92c906c005148802b3e34

SHA1
0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

SHA256
c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

SHA512
48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

Download Submit
C:\Windows\SysWOW64\msdsa.exe

Filesize
35KB

MD5
f4fe580cc6de481af8947ed94c6fe2cf

SHA1
49d3710dd959a5b26e473c25da483bed28ac1e2a

SHA256
c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

SHA512
cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

Download Submit
C:\Windows\SysWOW64\msdsa.exe

Filesize
35KB

MD5
f4fe580cc6de481af8947ed94c6fe2cf

SHA1
49d3710dd959a5b26e473c25da483bed28ac1e2a

SHA256
c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

SHA512
cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

Download Submit
C:\Windows\SysWOW64\msdsa.exe

Filesize
35KB

MD5
f4fe580cc6de481af8947ed94c6fe2cf

SHA1
49d3710dd959a5b26e473c25da483bed28ac1e2a

SHA256
c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

SHA512
cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

Download Submit
C:\Windows\SysWOW64\msdsa.ini

Filesize
3KB

MD5
70d8d7027563b67fcb56d44488656416

SHA1
895d9a9e7df42c9fbdab1f5298f14b2ffb928787

SHA256
50e1e3e5f045f673b06f67964abf23a14325dd9416d5fedf181c0b9be826520d

SHA512
916e99f5e666a54581dd8413c52b50b25beb88a9316ed7cf8e91b9737e6a4df429772f28f2f29376f16818a3cecffaed4260ac8504c0be85917c003e391a22b7

Download Submit
C:\Windows\SysWOW64\runme.exe

Filesize
17KB

MD5
26021d4d87c8160da422fabda07953a8

SHA1
f40cdcc51651637eaf9b050eb49e1f75e7b9560e

SHA256
51bc1b23c737dd152047714b15a4da2b10aab2c8ef1380859054d0d86bee8194

SHA512
d971daf34b1e404be0c5bdcceb34f05cb2819103e8ae4a277628f70d73973ee5175d01222020d1f91e2e8bd2053f57d2f084b73f4be7e95e9126516444137dde

Download Submit
C:\Windows\SysWOW64\runme.exe

Filesize
17KB

MD5
26021d4d87c8160da422fabda07953a8

SHA1
f40cdcc51651637eaf9b050eb49e1f75e7b9560e

SHA256
51bc1b23c737dd152047714b15a4da2b10aab2c8ef1380859054d0d86bee8194

SHA512
d971daf34b1e404be0c5bdcceb34f05cb2819103e8ae4a277628f70d73973ee5175d01222020d1f91e2e8bd2053f57d2f084b73f4be7e95e9126516444137dde

Download Submit
\Windows\SysWOW64\hexec.exe

Filesize
17KB

MD5
8156fa5e0fe92c906c005148802b3e34

SHA1
0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

SHA256
c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

SHA512
48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

Download Submit
\Windows\SysWOW64\hexec.exe

Filesize
17KB

MD5
8156fa5e0fe92c906c005148802b3e34

SHA1
0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

SHA256
c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

SHA512
48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

Download Submit
\Windows\SysWOW64\hexec.exe

Filesize
17KB

MD5
8156fa5e0fe92c906c005148802b3e34

SHA1
0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

SHA256
c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

SHA512
48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

Download Submit
\Windows\SysWOW64\hexec.exe

Filesize
17KB

MD5
8156fa5e0fe92c906c005148802b3e34

SHA1
0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

SHA256
c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

SHA512
48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

Download Submit
\Windows\SysWOW64\hexec.exe

Filesize
17KB

MD5
8156fa5e0fe92c906c005148802b3e34

SHA1
0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

SHA256
c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

SHA512
48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

Download Submit
\Windows\SysWOW64\msdsa.exe

Filesize
35KB

MD5
f4fe580cc6de481af8947ed94c6fe2cf

SHA1
49d3710dd959a5b26e473c25da483bed28ac1e2a

SHA256
c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

SHA512
cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

Download Submit
\Windows\SysWOW64\msdsa.exe

Filesize
35KB

MD5
f4fe580cc6de481af8947ed94c6fe2cf

SHA1
49d3710dd959a5b26e473c25da483bed28ac1e2a

SHA256
c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

SHA512
cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

Download Submit
\Windows\SysWOW64\msdsa.exe

Filesize
35KB

MD5
f4fe580cc6de481af8947ed94c6fe2cf

SHA1
49d3710dd959a5b26e473c25da483bed28ac1e2a

SHA256
c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

SHA512
cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

Download Submit
\Windows\SysWOW64\msdsa.exe

Filesize
35KB

MD5
f4fe580cc6de481af8947ed94c6fe2cf

SHA1
49d3710dd959a5b26e473c25da483bed28ac1e2a

SHA256
c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

SHA512
cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

Download Submit
\Windows\SysWOW64\runme.exe

Filesize
17KB

MD5
26021d4d87c8160da422fabda07953a8

SHA1
f40cdcc51651637eaf9b050eb49e1f75e7b9560e

SHA256
51bc1b23c737dd152047714b15a4da2b10aab2c8ef1380859054d0d86bee8194

SHA512
d971daf34b1e404be0c5bdcceb34f05cb2819103e8ae4a277628f70d73973ee5175d01222020d1f91e2e8bd2053f57d2f084b73f4be7e95e9126516444137dde

Download Submit
\Windows\SysWOW64\runme.exe

Filesize
17KB

MD5
26021d4d87c8160da422fabda07953a8

SHA1
f40cdcc51651637eaf9b050eb49e1f75e7b9560e

SHA256
51bc1b23c737dd152047714b15a4da2b10aab2c8ef1380859054d0d86bee8194

SHA512
d971daf34b1e404be0c5bdcceb34f05cb2819103e8ae4a277628f70d73973ee5175d01222020d1f91e2e8bd2053f57d2f084b73f4be7e95e9126516444137dde

Download Submit
\Windows\SysWOW64\runme.exe

Filesize
17KB

MD5
26021d4d87c8160da422fabda07953a8

SHA1
f40cdcc51651637eaf9b050eb49e1f75e7b9560e

SHA256
51bc1b23c737dd152047714b15a4da2b10aab2c8ef1380859054d0d86bee8194

SHA512
d971daf34b1e404be0c5bdcceb34f05cb2819103e8ae4a277628f70d73973ee5175d01222020d1f91e2e8bd2053f57d2f084b73f4be7e95e9126516444137dde

Download Submit
\Windows\SysWOW64\runme.exe

Filesize
17KB

MD5
26021d4d87c8160da422fabda07953a8

SHA1
f40cdcc51651637eaf9b050eb49e1f75e7b9560e

SHA256
51bc1b23c737dd152047714b15a4da2b10aab2c8ef1380859054d0d86bee8194

SHA512
d971daf34b1e404be0c5bdcceb34f05cb2819103e8ae4a277628f70d73973ee5175d01222020d1f91e2e8bd2053f57d2f084b73f4be7e95e9126516444137dde

Download Submit
memory/544-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/904-185-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/904-191-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/904-86-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/904-85-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/904-87-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/904-136-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1472-131-0x0000000075560000-0x0000000075600000-memory.dmp

Filesize
640KB

Download
memory/1472-133-0x0000000075560000-0x0000000075600000-memory.dmp

Filesize
640KB

Download
memory/1472-192-0x0000000000150000-0x0000000000175000-memory.dmp

Filesize
148KB

Download
memory/1472-81-0x0000000000460000-0x00000000004FB000-memory.dmp

Filesize
620KB

Download
memory/1472-186-0x0000000000150000-0x0000000000175000-memory.dmp

Filesize
148KB

Download
memory/1472-130-0x0000000075560000-0x0000000075600000-memory.dmp

Filesize
640KB

Download
memory/1472-132-0x0000000075560000-0x0000000075600000-memory.dmp

Filesize
640KB

Download
memory/1780-188-0x0000000000820000-0x0000000000845000-memory.dmp

Filesize
148KB

Download
memory/1780-187-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1780-189-0x0000000000820000-0x0000000000845000-memory.dmp

Filesize
148KB

Download
memory/1780-190-0x000000007EFA0000-0x000000007EFA5000-memory.dmp

Filesize
20KB

Download
memory/1784-72-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1784-77-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download