3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
Size

51KB
MD5

90ca9ef857133b48966dd0bf39fdca1c
SHA1

47f948dfdd4b12605a7b658d461419b4d1807446
SHA256

3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1
SHA512

1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60
SSDEEP

768:he6RKrrq1haq/b4548dWS24Pq6a4euUYSIKffx7T1wBWpZdQZur2:hZKrEh9zwlW6a4euUYSIIx7NHd5r2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1996	HdAudio.exe
1276	winhv.exe
1564	winhv.exe
320	HdAudio.exe

Loads dropped DLL 3 IoCs

pid	Process
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1968	dw20.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1276 set thread context of 1564	1276	winhv.exe	36
PID 1660 set thread context of 1768	1660	cscservice.exe	41

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1176	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
1996	HdAudio.exe
1996	HdAudio.exe
1996	HdAudio.exe
1996	HdAudio.exe
1276	winhv.exe
1276	winhv.exe
1564	winhv.exe
1996	HdAudio.exe
1276	winhv.exe
1996	HdAudio.exe
1276	winhv.exe
1996	HdAudio.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
Token: SeDebugPrivilege	1176	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
Token: SeDebugPrivilege	1996	HdAudio.exe
Token: SeDebugPrivilege	1276	winhv.exe
Token: SeDebugPrivilege	1564	winhv.exe
Token: SeDebugPrivilege	1660	cscservice.exe
Token: SeDebugPrivilege	1768	cscservice.exe
Token: SeDebugPrivilege	320	HdAudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 864	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	27
PID 1524 wrote to memory of 864	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	27
PID 1524 wrote to memory of 864	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	27
PID 1524 wrote to memory of 864	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	27
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1176	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	29
PID 1524 wrote to memory of 1996	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	30
PID 1524 wrote to memory of 1996	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	30
PID 1524 wrote to memory of 1996	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	30
PID 1524 wrote to memory of 1996	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	30
PID 1176 wrote to memory of 552	1176	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	31
PID 1176 wrote to memory of 552	1176	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	31
PID 1176 wrote to memory of 552	1176	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	31
PID 1176 wrote to memory of 552	1176	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	31
PID 1996 wrote to memory of 1276	1996	HdAudio.exe	32
PID 1996 wrote to memory of 1276	1996	HdAudio.exe	32
PID 1996 wrote to memory of 1276	1996	HdAudio.exe	32
PID 1996 wrote to memory of 1276	1996	HdAudio.exe	32
PID 1524 wrote to memory of 1660	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	33
PID 1524 wrote to memory of 1660	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	33
PID 1524 wrote to memory of 1660	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	33
PID 1524 wrote to memory of 1660	1524	3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe	33
PID 1276 wrote to memory of 1304	1276	winhv.exe	34
PID 1276 wrote to memory of 1304	1276	winhv.exe	34
PID 1276 wrote to memory of 1304	1276	winhv.exe	34
PID 1276 wrote to memory of 1304	1276	winhv.exe	34
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1276 wrote to memory of 1564	1276	winhv.exe	36
PID 1564 wrote to memory of 1968	1564	winhv.exe	37
PID 1564 wrote to memory of 1968	1564	winhv.exe	37
PID 1564 wrote to memory of 1968	1564	winhv.exe	37
PID 1564 wrote to memory of 1968	1564	winhv.exe	37
PID 1276 wrote to memory of 320	1276	winhv.exe	38
PID 1276 wrote to memory of 320	1276	winhv.exe	38
PID 1276 wrote to memory of 320	1276	winhv.exe	38
PID 1276 wrote to memory of 320	1276	winhv.exe	38
PID 1660 wrote to memory of 1196	1660	cscservice.exe	39
PID 1660 wrote to memory of 1196	1660	cscservice.exe	39
PID 1660 wrote to memory of 1196	1660	cscservice.exe	39
PID 1660 wrote to memory of 1196	1660	cscservice.exe	39
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1660 wrote to memory of 1768	1660	cscservice.exe	41
PID 1768 wrote to memory of 1732	1768	cscservice.exe	42

C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
"C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
  2⤵
  PID:864
- C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
  "C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 896
    3⤵
    PID:552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
      4⤵
      PID:1304
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 508
        5⤵
        Loads dropped DLL
        
        PID:1968
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:320
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
    3⤵
    PID:1196
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 516
      4⤵
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
514B

MD5
e0b7f3c47fc960d14f876c8cf80e81ac

SHA1
3e1889ad48d141b40b6d0b490e29181a3d03af4d

SHA256
2681d41575a45c1241cd99fa55243126cc6c7a1bc34adabea1747ebcf19f0067

SHA512
52153f64b05715c5a298c11d7243bf8886345863b86bb33d0d408a48d046c017ebaa2b16d67c4c52e311cdeffe95e12f44f4e0516dc2a789718adf0635b3b960

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
514B

MD5
e0b7f3c47fc960d14f876c8cf80e81ac

SHA1
3e1889ad48d141b40b6d0b490e29181a3d03af4d

SHA256
2681d41575a45c1241cd99fa55243126cc6c7a1bc34adabea1747ebcf19f0067

SHA512
52153f64b05715c5a298c11d7243bf8886345863b86bb33d0d408a48d046c017ebaa2b16d67c4c52e311cdeffe95e12f44f4e0516dc2a789718adf0635b3b960

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
12KB

MD5
296a14988b04c9aee9fa406f9d7e638e

SHA1
7d00c62bc6d39aad3f8993bf4abfabb4efacd97f

SHA256
59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1

SHA512
3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
51KB

MD5
90ca9ef857133b48966dd0bf39fdca1c

SHA1
47f948dfdd4b12605a7b658d461419b4d1807446

SHA256
3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1

SHA512
1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60

Download Submit
memory/320-135-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/320-116-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1176-75-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1176-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1176-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1176-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1176-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1176-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1176-85-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1276-84-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1276-89-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1524-109-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1524-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1524-55-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1524-56-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-134-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-110-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-132-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-90-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-133-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-136-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-76-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-111-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-86-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download