89180b430afa5712246b5dfce921e7bd02d396dc9195d094ba2e875ec2dbd8ea

Resubmissions

25/04/2023, 19:16

230425-xysg4acd95 7

25/04/2023, 19:10

230425-xvwekscd83 8

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/04/2023, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupExitLag_v4272.exe
Size

19.7MB
MD5

0e0e61bc0176794218f18d35330b0e40
SHA1

88cf1a12e45b0edb7fe810c3394299ef2de19b4e
SHA256

89180b430afa5712246b5dfce921e7bd02d396dc9195d094ba2e875ec2dbd8ea
SHA512

903519017cb52c7e7d614f757370872f3a1c076fcf827c8f3118799559204231472ab05b09b9a3e75476dc5d570b9cd5e947d0652792dafebc935cb966c65243
SSDEEP

393216:gUrhBxbvYVjC4OoNvZtTrfCuy9PxkjjlyKXRYa61GDIOZAsqbP7PWZi2u1f:g4aIoJZtffCdZxOlpOUZZZqzrWZA1f

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SETAA54.tmp	snetcfg.exe
File opened for modification	C:\Windows\system32\DRIVERS\ndextlag.sys	snetcfg.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETAA54.tmp	snetcfg.exe

Executes dropped EXE 3 IoCs

pid	Process
1716	SetupExitLag_v4272.tmp
1932	DriverCacheCleaner.exe
888	snetcfg.exe

Loads dropped DLL 6 IoCs

pid	Process
1532	SetupExitLag_v4272.exe
1716	SetupExitLag_v4272.tmp
1716	SetupExitLag_v4272.tmp
1716	SetupExitLag_v4272.tmp
1552	Process not Found
1212	Process not Found

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\ndextlag_lwf.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\SET3100.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\SET3101.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\ndextlag.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\SET3100.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\SET3101.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\SET3102.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_neutral_17444b81168ee7c2\ndextlag_lwf.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\ndextlag.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\SET3102.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_neutral_17444b81168ee7c2\ndextlag_lwf.PNF	DrvInst.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	snetcfg.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	snetcfg.exe
File created	C:\Windows\INF\oem2.PNF	snetcfg.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	888	snetcfg.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeBackupPrivilege	1044	vssvc.exe
Token: SeRestorePrivilege	1044	vssvc.exe
Token: SeAuditPrivilege	1044	vssvc.exe
Token: SeBackupPrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	1292	DrvInst.exe
Token: SeRestorePrivilege	1292	DrvInst.exe
Token: SeRestorePrivilege	1292	DrvInst.exe
Token: SeRestorePrivilege	1292	DrvInst.exe
Token: SeRestorePrivilege	1292	DrvInst.exe
Token: SeRestorePrivilege	1292	DrvInst.exe
Token: SeRestorePrivilege	1292	DrvInst.exe
Token: SeLoadDriverPrivilege	1292	DrvInst.exe
Token: SeLoadDriverPrivilege	1292	DrvInst.exe
Token: SeLoadDriverPrivilege	1292	DrvInst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1716	1532	SetupExitLag_v4272.exe	28
PID 1532 wrote to memory of 1716	1532	SetupExitLag_v4272.exe	28
PID 1532 wrote to memory of 1716	1532	SetupExitLag_v4272.exe	28
PID 1532 wrote to memory of 1716	1532	SetupExitLag_v4272.exe	28
PID 1532 wrote to memory of 1716	1532	SetupExitLag_v4272.exe	28
PID 1532 wrote to memory of 1716	1532	SetupExitLag_v4272.exe	28
PID 1532 wrote to memory of 1716	1532	SetupExitLag_v4272.exe	28
PID 1716 wrote to memory of 1932	1716	SetupExitLag_v4272.tmp	29
PID 1716 wrote to memory of 1932	1716	SetupExitLag_v4272.tmp	29
PID 1716 wrote to memory of 1932	1716	SetupExitLag_v4272.tmp	29
PID 1716 wrote to memory of 1932	1716	SetupExitLag_v4272.tmp	29
PID 1716 wrote to memory of 888	1716	SetupExitLag_v4272.tmp	31
PID 1716 wrote to memory of 888	1716	SetupExitLag_v4272.tmp	31
PID 1716 wrote to memory of 888	1716	SetupExitLag_v4272.tmp	31
PID 1716 wrote to memory of 888	1716	SetupExitLag_v4272.tmp	31
PID 2016 wrote to memory of 1932	2016	DrvInst.exe	34
PID 2016 wrote to memory of 1932	2016	DrvInst.exe	34
PID 2016 wrote to memory of 1932	2016	DrvInst.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4272.exe
"C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4272.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\is-0HEPQ.tmp\SetupExitLag_v4272.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0HEPQ.tmp\SetupExitLag_v4272.tmp" /SL5="$70124,19829384,887296,C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4272.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\DriverCacheCleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\DriverCacheCleaner.exe"
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe
    "C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe" -v -l ndextlag_lwf.inf -c s -i nt_ndextlag
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:888

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4053e1ae-6ba0-4411-18b8-397e420bad6a}\ndextlag_lwf.inf" "9" "6c8f67763" "00000000000003C4" "WinSta0\Default" "0000000000000320" "208" "C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{089e6c4f-d670-557f-d18e-64782311fe19} Global\{4d2a1956-ff59-3928-888d-5e2868f68b48} C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\ndextlag_lwf.inf C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\ndextlag.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C8" "00000000000003AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab33FF.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA8FE.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0HEPQ.tmp\SetupExitLag_v4272.tmp

Filesize
3.1MB

MD5
5173d5dc7cbf0152255381845c78d927

SHA1
4d1a5ddec740e6763b9a64aa9112164e93719953

SHA256
8d892a27e6d5559ee2dc12f801f3abee78c25891b1e91a0469548fb2866b6fe1

SHA512
cd8439a6892d1c15ee10cc4d4ede8c89d43ae2314750661e4ed926910272cefbb5d151fc987ca9c8e61017a1babb4aba685a6e3e13a5b387f06d622ed3d90872

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\DriverCacheCleaner.exe

Filesize
199KB

MD5
ce7f11b82c1b3c95a9d821ece82b776b

SHA1
5594ec728d90584e6ba7f9a279e0946da1fc8475

SHA256
fc1f60df0e0e74e3d7e258cc80eada0745423076465662daf1787fc02f682ee8

SHA512
617490454fa971ddd50ecca8245c1f1177d0e77ce2599a7a0d8888961313d39c99685a2df1be0005de6f6d5d0dd26d4247adc20f1b002a02376b371e814ee1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WINPKF~1\lwf\win7\amd64\ndextlag.sys

Filesize
48KB

MD5
f0b1cf0cc7871760ce300201b77d9694

SHA1
7a2be67a9b0be2704432fabbf54c48ca7cb6ade0

SHA256
acbcd7f4ee9dd59bade03cfa5fa22401c780fd762a84df8db64791de53868ba7

SHA512
e7b8bc6c9060558901880efc4245e030de4d117311c313c2f8456ec8b328ac590efae4e0c838250603f9d3f6624be84340bc3a3d3f7f8ad39f223b0bcec72bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\ndextlag.cat

Filesize
14KB

MD5
0b727ab2f6edd5216ba331f755815f17

SHA1
facbdbe98bf760131a8131ffd4f16fa10dae9380

SHA256
b9ad4669382e2c81926c6664bf8b6318c927e054460fc27362f514491c80ad1c

SHA512
32e0248ff2f82641ef43dabc0dce50f57e3279e8f74f4225f4151777c773b9e27de747b71a3a108f1745d2305e34e6d0c985f62ff8a3397ea1f5d9a459665362

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\i386\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4053E~1\ndextlag.sys

Filesize
48KB

MD5
f0b1cf0cc7871760ce300201b77d9694

SHA1
7a2be67a9b0be2704432fabbf54c48ca7cb6ade0

SHA256
acbcd7f4ee9dd59bade03cfa5fa22401c780fd762a84df8db64791de53868ba7

SHA512
e7b8bc6c9060558901880efc4245e030de4d117311c313c2f8456ec8b328ac590efae4e0c838250603f9d3f6624be84340bc3a3d3f7f8ad39f223b0bcec72bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4053e1ae-6ba0-4411-18b8-397e420bad6a}\ndextlag.cat

Filesize
14KB

MD5
0b727ab2f6edd5216ba331f755815f17

SHA1
facbdbe98bf760131a8131ffd4f16fa10dae9380

SHA256
b9ad4669382e2c81926c6664bf8b6318c927e054460fc27362f514491c80ad1c

SHA512
32e0248ff2f82641ef43dabc0dce50f57e3279e8f74f4225f4151777c773b9e27de747b71a3a108f1745d2305e34e6d0c985f62ff8a3397ea1f5d9a459665362

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4053e1ae-6ba0-4411-18b8-397e420bad6a}\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\INF\oem2.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_neutral_17444b81168ee7c2\ndextlag_lwf.PNF

Filesize
8KB

MD5
e6e68d094495aded0cc946199149ed11

SHA1
9f0f32a14b1bffe3456818db4fe4d102f4a87f2c

SHA256
bfc989d4ccc62e022ce544e591c4ea1d7d8a5cef5dd64b2f485fa72f1fb0f5a7

SHA512
82a8c56da47d3373c8710b4afdcba4c4de933dc98f0d3533af06675377032d275e9698685c6b7e124b713f71d0fac354749d84f83819ef86d85ebd46d41afab9

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
c06d3bcd7772b65bfe6391190bebc8b6

SHA1
3673641a68200688382db83cda2edbeae569c27c

SHA256
d34f92bf19301c60f573a5c0f861f6045521afdff348e383835f9087324bfd69

SHA512
5d00dfb1279e4fcfb7cdaf5d9bbe056f080349a515127f9667d969924d45ea2634c6f9f98d878ed0b2349a9f36ddff9dffb3119e96784407ee212dff496d5f4e

Download Submit
C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\SET3101.tmp

Filesize
14KB

MD5
0b727ab2f6edd5216ba331f755815f17

SHA1
facbdbe98bf760131a8131ffd4f16fa10dae9380

SHA256
b9ad4669382e2c81926c6664bf8b6318c927e054460fc27362f514491c80ad1c

SHA512
32e0248ff2f82641ef43dabc0dce50f57e3279e8f74f4225f4151777c773b9e27de747b71a3a108f1745d2305e34e6d0c985f62ff8a3397ea1f5d9a459665362

Download Submit
C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\SET3102.tmp

Filesize
48KB

MD5
f0b1cf0cc7871760ce300201b77d9694

SHA1
7a2be67a9b0be2704432fabbf54c48ca7cb6ade0

SHA256
acbcd7f4ee9dd59bade03cfa5fa22401c780fd762a84df8db64791de53868ba7

SHA512
e7b8bc6c9060558901880efc4245e030de4d117311c313c2f8456ec8b328ac590efae4e0c838250603f9d3f6624be84340bc3a3d3f7f8ad39f223b0bcec72bdf

Download Submit
C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\ndextlag.cat

Filesize
14KB

MD5
0b727ab2f6edd5216ba331f755815f17

SHA1
facbdbe98bf760131a8131ffd4f16fa10dae9380

SHA256
b9ad4669382e2c81926c6664bf8b6318c927e054460fc27362f514491c80ad1c

SHA512
32e0248ff2f82641ef43dabc0dce50f57e3279e8f74f4225f4151777c773b9e27de747b71a3a108f1745d2305e34e6d0c985f62ff8a3397ea1f5d9a459665362

Download Submit
C:\Windows\System32\DriverStore\Temp\{5e38f11a-82f3-16a4-e7a8-876bcd265c1c}\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\Temp\Cab317F.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar31A1.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Users\Admin\AppData\Local\Temp\is-0HEPQ.tmp\SetupExitLag_v4272.tmp

Filesize
3.1MB

MD5
5173d5dc7cbf0152255381845c78d927

SHA1
4d1a5ddec740e6763b9a64aa9112164e93719953

SHA256
8d892a27e6d5559ee2dc12f801f3abee78c25891b1e91a0469548fb2866b6fe1

SHA512
cd8439a6892d1c15ee10cc4d4ede8c89d43ae2314750661e4ed926910272cefbb5d151fc987ca9c8e61017a1babb4aba685a6e3e13a5b387f06d622ed3d90872

Download Submit
\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\DriverCacheCleaner.exe

Filesize
199KB

MD5
ce7f11b82c1b3c95a9d821ece82b776b

SHA1
5594ec728d90584e6ba7f9a279e0946da1fc8475

SHA256
fc1f60df0e0e74e3d7e258cc80eada0745423076465662daf1787fc02f682ee8

SHA512
617490454fa971ddd50ecca8245c1f1177d0e77ce2599a7a0d8888961313d39c99685a2df1be0005de6f6d5d0dd26d4247adc20f1b002a02376b371e814ee1a5

Download Submit
\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
\Users\Admin\AppData\Local\Temp\is-48CIU.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
memory/1532-93-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1532-54-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1716-223-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1716-62-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1716-94-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1716-277-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1932-214-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download