c5da0c48c4abb688415f8d11a374647d047f2d99e8b01145567ab68d30b86a69

Analysis

max time kernel
28s
max time network
126s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30/01/2023, 19:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Size

607KB
MD5

9893de16867126eeb989265cd99fd201
SHA1

71e0c3ee67daffada30a0bcd3abafaf59cfa8b5d
SHA256

13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377
SHA512

d7e175b821f3cef659c57b0f46abc35bb11f3dd47c8acdf1aa534c5faa88131e82aa2eebb0e5bfdb16a545356af975daac64a70085eee64196c5e5dfc92995ea
SSDEEP

12288:o6pGFv42oseLA5Gt/arlTT6zncVUJ7vnK6U:o6pEA25WQm/cTT6DNK6U

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1520	netsh.exe
1284	netsh.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe"	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
File opened for modification	C:\Windows\winlogon.exe	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
592	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1668	vssadmin.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\1foxoaa2.exe \"%l\" "	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki"	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1956	WMIC.exe
Token: SeSecurityPrivilege	1956	WMIC.exe
Token: SeTakeOwnershipPrivilege	1956	WMIC.exe
Token: SeLoadDriverPrivilege	1956	WMIC.exe
Token: SeSystemProfilePrivilege	1956	WMIC.exe
Token: SeSystemtimePrivilege	1956	WMIC.exe
Token: SeProfSingleProcessPrivilege	1956	WMIC.exe
Token: SeIncBasePriorityPrivilege	1956	WMIC.exe
Token: SeCreatePagefilePrivilege	1956	WMIC.exe
Token: SeBackupPrivilege	1956	WMIC.exe
Token: SeRestorePrivilege	1956	WMIC.exe
Token: SeShutdownPrivilege	1956	WMIC.exe
Token: SeDebugPrivilege	1956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1956	WMIC.exe
Token: SeRemoteShutdownPrivilege	1956	WMIC.exe
Token: SeUndockPrivilege	1956	WMIC.exe
Token: SeManageVolumePrivilege	1956	WMIC.exe
Token: 33	1956	WMIC.exe
Token: 34	1956	WMIC.exe
Token: 35	1956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1956	WMIC.exe
Token: SeSecurityPrivilege	1956	WMIC.exe
Token: SeTakeOwnershipPrivilege	1956	WMIC.exe
Token: SeLoadDriverPrivilege	1956	WMIC.exe
Token: SeSystemProfilePrivilege	1956	WMIC.exe
Token: SeSystemtimePrivilege	1956	WMIC.exe
Token: SeProfSingleProcessPrivilege	1956	WMIC.exe
Token: SeIncBasePriorityPrivilege	1956	WMIC.exe
Token: SeCreatePagefilePrivilege	1956	WMIC.exe
Token: SeBackupPrivilege	1956	WMIC.exe
Token: SeRestorePrivilege	1956	WMIC.exe
Token: SeShutdownPrivilege	1956	WMIC.exe
Token: SeDebugPrivilege	1956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1956	WMIC.exe
Token: SeRemoteShutdownPrivilege	1956	WMIC.exe
Token: SeUndockPrivilege	1956	WMIC.exe
Token: SeManageVolumePrivilege	1956	WMIC.exe
Token: 33	1956	WMIC.exe
Token: 34	1956	WMIC.exe
Token: 35	1956	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1144	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	28
PID 1112 wrote to memory of 1144	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	28
PID 1112 wrote to memory of 1144	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	28
PID 1112 wrote to memory of 1144	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	28
PID 1144 wrote to memory of 592	1144	cmd.exe	30
PID 1144 wrote to memory of 592	1144	cmd.exe	30
PID 1144 wrote to memory of 592	1144	cmd.exe	30
PID 1144 wrote to memory of 592	1144	cmd.exe	30
PID 1112 wrote to memory of 432	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	31
PID 1112 wrote to memory of 432	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	31
PID 1112 wrote to memory of 432	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	31
PID 1112 wrote to memory of 432	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	31
PID 432 wrote to memory of 1996	432	csc.exe	33
PID 432 wrote to memory of 1996	432	csc.exe	33
PID 432 wrote to memory of 1996	432	csc.exe	33
PID 432 wrote to memory of 1996	432	csc.exe	33
PID 1112 wrote to memory of 1796	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	34
PID 1112 wrote to memory of 1796	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	34
PID 1112 wrote to memory of 1796	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	34
PID 1112 wrote to memory of 1796	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	34
PID 1112 wrote to memory of 1656	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	36
PID 1112 wrote to memory of 1656	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	36
PID 1112 wrote to memory of 1656	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	36
PID 1112 wrote to memory of 1656	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	36
PID 1112 wrote to memory of 1848	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	37
PID 1112 wrote to memory of 1848	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	37
PID 1112 wrote to memory of 1848	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	37
PID 1112 wrote to memory of 1848	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	37
PID 1796 wrote to memory of 1668	1796	cmd.exe	39
PID 1796 wrote to memory of 1668	1796	cmd.exe	39
PID 1796 wrote to memory of 1668	1796	cmd.exe	39
PID 1796 wrote to memory of 1668	1796	cmd.exe	39
PID 1112 wrote to memory of 1576	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	43
PID 1112 wrote to memory of 1576	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	43
PID 1112 wrote to memory of 1576	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	43
PID 1112 wrote to memory of 1576	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	43
PID 1112 wrote to memory of 1856	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	41
PID 1112 wrote to memory of 1856	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	41
PID 1112 wrote to memory of 1856	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	41
PID 1112 wrote to memory of 1856	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	41
PID 1112 wrote to memory of 836	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	44
PID 1112 wrote to memory of 836	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	44
PID 1112 wrote to memory of 836	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	44
PID 1112 wrote to memory of 836	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	44
PID 1112 wrote to memory of 852	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	51
PID 1112 wrote to memory of 852	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	51
PID 1112 wrote to memory of 852	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	51
PID 1112 wrote to memory of 852	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	51
PID 1112 wrote to memory of 1708	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	48
PID 1112 wrote to memory of 1708	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	48
PID 1112 wrote to memory of 1708	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	48
PID 1112 wrote to memory of 1708	1112	13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe	48
PID 1848 wrote to memory of 1956	1848	cmd.exe	46
PID 1848 wrote to memory of 1956	1848	cmd.exe	46
PID 1848 wrote to memory of 1956	1848	cmd.exe	46
PID 1848 wrote to memory of 1956	1848	cmd.exe	46
PID 852 wrote to memory of 1520	852	cmd.exe	53
PID 852 wrote to memory of 1520	852	cmd.exe	53
PID 852 wrote to memory of 1520	852	cmd.exe	53
PID 852 wrote to memory of 1520	852	cmd.exe	53
PID 1708 wrote to memory of 1284	1708	cmd.exe	54
PID 1708 wrote to memory of 1284	1708	cmd.exe	54
PID 1708 wrote to memory of 1284	1708	cmd.exe	54
PID 1708 wrote to memory of 1284	1708	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
"C:\Users\Admin\AppData\Local\Temp\13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvdjz44a\dvdjz44a.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D9F.tmp" "c:\ProgramData\CSCAE2E4628383E4EC6933C686CF2A72B56.TMP"
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1foxoaa2.exe

Filesize
28KB

MD5
32cd8514153a46ee366d5e9186b139e9

SHA1
1cb05fe99c7ac62961927f749135cd4752c6d549

SHA256
bd4e4cfef330ad0fa00a4c74d5f291f9d8f34c513d4ea1bd18b11387b4f94e3a

SHA512
11fe04323c4550793da87e6b64691a65710e00cf620dc9989fe504f3b659d8ab127e616ceae68260c5f3aeafcfa32b375cf4e332772bb5a6c015885f214d612d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D9F.tmp

Filesize
25KB

MD5
90438c3e84a36b5e1f756ff969f5b725

SHA1
c25e552170fc28c2c932ccab652c426b46fad463

SHA256
35925fb6c0e2c4af71d003f2a33e8d963990ffbf16618f089c99e48382532c40

SHA512
a8702bd10d71d5678d8ab19280dda3cc98710fe543c9cdfdd6807e220a664205d4fbde7bd9d76edecc74a573b52d34616a2583efec880512a282d3e745459b20

Download Submit
\??\c:\ProgramData\CSCAE2E4628383E4EC6933C686CF2A72B56.TMP

Filesize
24KB

MD5
c11803174c89129c0273c673ef8451ea

SHA1
052eaca85fec5a3229f1c4ed540839af85050e40

SHA256
b54fe0781b01459def0738363bc7cb098fdf3e6fb879f6d281725ff934f45607

SHA512
6aee353c6e68b5e02080e5f88f55dd0a19313ba6a52cb89073c49e8e3fe138854de1acd68d92e4c1581d54c52ac1c09a684bbb5a252e2f91bd9917d99e0e9983

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\akdihpg4.ico

Filesize
23KB

MD5
8c9a5448905c6ad6f5a15ad8f102fa56

SHA1
185575a9708fe9ff122423e459eeed7098ad11d4

SHA256
fc65491d373c30593f9ef53d83959625dc384bc42d551aa77a666d4e9b538104

SHA512
2032d1f19ac0734339626531cd77ce0509dbba93260c87505d20998ab66aa3dceee4c94e10d8620cdcc62eacf9e63bbe5357afa2a09abdaa51ca0fde8b9aed50

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvdjz44a\dvdjz44a.0.cs

Filesize
1KB

MD5
f84e073ca77fb8e1c20a3c937b28f3d6

SHA1
1e3cc210487fce28c913b2a2610934f52fb5ce34

SHA256
1f36c03b13656f0d85c639069b35b9bf4bdb7538311dd38a881e9cfda2d903bc

SHA512
be72aaeb1757b37daac3f9940d82478f734e38e47c86117c76aa848127e489236f5ef23e6f7d5b2b72896ec420fb1dcb384405d8a29f03336ad882cd9b5ca1a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvdjz44a\dvdjz44a.cmdline

Filesize
236B

MD5
e7d1756fa096e65d4503584674fe3c58

SHA1
bc57a0cacbc7ace9ac6c448f1a5e7280f7920985

SHA256
00ba8ce1e31bcbe95e3f615afc7f456c20b076c67f53f45ab58d7757f03dcb93

SHA512
eff1256104ac04a8cf943823afaf1f22481f0f898227a00574c9b34d4a5c3a83658fcb24059663efe8dfccccd0571b8e0caeb8a25f9332c4c4ede588e842787d

Download Submit
memory/1112-66-0x0000000004170000-0x000000000418A000-memory.dmp

Filesize
104KB

Download
memory/1112-54-0x0000000000820000-0x00000000008BA000-memory.dmp

Filesize
616KB

Download
memory/1112-55-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download