89180b430afa5712246b5dfce921e7bd02d396dc9195d094ba2e875ec2dbd8ea

Resubmissions

25/04/2023, 19:16

230425-xysg4acd95 7

25/04/2023, 19:10

230425-xvwekscd83 8

Analysis

max time kernel
15s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
25/04/2023, 19:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SetupExitLag_v4272.exe
Size

19.7MB
MD5

0e0e61bc0176794218f18d35330b0e40
SHA1

88cf1a12e45b0edb7fe810c3394299ef2de19b4e
SHA256

89180b430afa5712246b5dfce921e7bd02d396dc9195d094ba2e875ec2dbd8ea
SHA512

903519017cb52c7e7d614f757370872f3a1c076fcf827c8f3118799559204231472ab05b09b9a3e75476dc5d570b9cd5e947d0652792dafebc935cb966c65243
SSDEEP

393216:gUrhBxbvYVjC4OoNvZtTrfCuy9PxkjjlyKXRYa61GDIOZAsqbP7PWZi2u1f:g4aIoJZtffCdZxOlpOUZZZqzrWZA1f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1544	SetupExitLag_v4272.tmp
4564	DriverCacheCleaner.exe
3212	snetcfg.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\ndextlag.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\ndextlag.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_17444b81168ee7c2\ndextlag_lwf.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\SETCDB5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\SETCDC5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\SETCDE6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\SETCDE6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_17444b81168ee7c2\ndextlag.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\SETCDB5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_17444b81168ee7c2\ndextlag.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\SETCDC5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_17444b81168ee7c2\ndextlag_lwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\ndextlag_lwf.inf	DrvInst.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	snetcfg.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	3876	svchost.exe
Token: SeSecurityPrivilege	3876	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1544	1020	SetupExitLag_v4272.exe	82
PID 1020 wrote to memory of 1544	1020	SetupExitLag_v4272.exe	82
PID 1020 wrote to memory of 1544	1020	SetupExitLag_v4272.exe	82
PID 1544 wrote to memory of 4564	1544	SetupExitLag_v4272.tmp	86
PID 1544 wrote to memory of 4564	1544	SetupExitLag_v4272.tmp	86
PID 1544 wrote to memory of 4564	1544	SetupExitLag_v4272.tmp	86
PID 1544 wrote to memory of 3212	1544	SetupExitLag_v4272.tmp	89
PID 1544 wrote to memory of 3212	1544	SetupExitLag_v4272.tmp	89
PID 3876 wrote to memory of 864	3876	svchost.exe	92
PID 3876 wrote to memory of 864	3876	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4272.exe
"C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4272.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\is-EN76S.tmp\SetupExitLag_v4272.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EN76S.tmp\SetupExitLag_v4272.tmp" /SL5="$80044,19829384,887296,C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4272.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\DriverCacheCleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\DriverCacheCleaner.exe"
    3⤵
    - Executes dropped EXE
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe
    "C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe" -v -l ndextlag_lwf.inf -c s -i nt_ndextlag
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0f4bef62-f6b0-ea4e-983f-ec83d7c1a014}\ndextlag_lwf.inf" "9" "4dcf12917" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WinpkFilter\lwf\win10\amd64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-EN76S.tmp\SetupExitLag_v4272.tmp

Filesize
3.1MB

MD5
5173d5dc7cbf0152255381845c78d927

SHA1
4d1a5ddec740e6763b9a64aa9112164e93719953

SHA256
8d892a27e6d5559ee2dc12f801f3abee78c25891b1e91a0469548fb2866b6fe1

SHA512
cd8439a6892d1c15ee10cc4d4ede8c89d43ae2314750661e4ed926910272cefbb5d151fc987ca9c8e61017a1babb4aba685a6e3e13a5b387f06d622ed3d90872

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\DriverCacheCleaner.exe

Filesize
199KB

MD5
ce7f11b82c1b3c95a9d821ece82b776b

SHA1
5594ec728d90584e6ba7f9a279e0946da1fc8475

SHA256
fc1f60df0e0e74e3d7e258cc80eada0745423076465662daf1787fc02f682ee8

SHA512
617490454fa971ddd50ecca8245c1f1177d0e77ce2599a7a0d8888961313d39c99685a2df1be0005de6f6d5d0dd26d4247adc20f1b002a02376b371e814ee1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\DriverCacheCleaner.exe

Filesize
199KB

MD5
ce7f11b82c1b3c95a9d821ece82b776b

SHA1
5594ec728d90584e6ba7f9a279e0946da1fc8475

SHA256
fc1f60df0e0e74e3d7e258cc80eada0745423076465662daf1787fc02f682ee8

SHA512
617490454fa971ddd50ecca8245c1f1177d0e77ce2599a7a0d8888961313d39c99685a2df1be0005de6f6d5d0dd26d4247adc20f1b002a02376b371e814ee1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WINPKF~1\lwf\win10\amd64\ndextlag.cat

Filesize
11KB

MD5
41ce1b9d8fb8432898d8b086753139a9

SHA1
88fa6a06942242d3f05ff316e444efa4734bcb47

SHA256
476005d1e2be816c06cf62fa18715dd50d9a09bc7984d0ae33cf917288174917

SHA512
73bb5d2893cea2f421cf32245a822728f7bd42924bb0f78099c0893fd67d6be868932848d77c1edb0e1f9992a6ea3703788e9ceeccbbe9152b6137d7d3e1ffc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WINPKF~1\lwf\win10\amd64\ndextlag.sys

Filesize
58KB

MD5
4bbbac5d7cb5e2e65ac400f01bf267fd

SHA1
318a2b1dfb4871c72ec27fffafe8488b7f0453a5

SHA256
70013fcd32f4745347cbd45c1cc911c0d6939048727f1c8dbcc1da36edf20fa9

SHA512
86aa1a9ff8f0df4feec57f4d2d1572a4e0fbea0de5cafc88c728a5737c77d80ad98926ab9d3c5cd5817dbf9f49e63179895fd1d6199a72996783b65505f1b6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WinpkFilter\lwf\win10\amd64\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WinpkFilter\lwf\win7\i386\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI16T.tmp\WinpkFilter\tools\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0F4BE~1\ndextlag.cat

Filesize
11KB

MD5
41ce1b9d8fb8432898d8b086753139a9

SHA1
88fa6a06942242d3f05ff316e444efa4734bcb47

SHA256
476005d1e2be816c06cf62fa18715dd50d9a09bc7984d0ae33cf917288174917

SHA512
73bb5d2893cea2f421cf32245a822728f7bd42924bb0f78099c0893fd67d6be868932848d77c1edb0e1f9992a6ea3703788e9ceeccbbe9152b6137d7d3e1ffc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0F4BE~1\ndextlag.sys

Filesize
58KB

MD5
4bbbac5d7cb5e2e65ac400f01bf267fd

SHA1
318a2b1dfb4871c72ec27fffafe8488b7f0453a5

SHA256
70013fcd32f4745347cbd45c1cc911c0d6939048727f1c8dbcc1da36edf20fa9

SHA512
86aa1a9ff8f0df4feec57f4d2d1572a4e0fbea0de5cafc88c728a5737c77d80ad98926ab9d3c5cd5817dbf9f49e63179895fd1d6199a72996783b65505f1b6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0f4bef62-f6b0-ea4e-983f-ec83d7c1a014}\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\INF\oem3.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_17444b81168ee7c2\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\SETCDC5.tmp

Filesize
11KB

MD5
41ce1b9d8fb8432898d8b086753139a9

SHA1
88fa6a06942242d3f05ff316e444efa4734bcb47

SHA256
476005d1e2be816c06cf62fa18715dd50d9a09bc7984d0ae33cf917288174917

SHA512
73bb5d2893cea2f421cf32245a822728f7bd42924bb0f78099c0893fd67d6be868932848d77c1edb0e1f9992a6ea3703788e9ceeccbbe9152b6137d7d3e1ffc6

Download Submit
C:\Windows\System32\DriverStore\Temp\{dee2e779-db1b-ae45-983a-489874d59d27}\SETCDE6.tmp

Filesize
58KB

MD5
4bbbac5d7cb5e2e65ac400f01bf267fd

SHA1
318a2b1dfb4871c72ec27fffafe8488b7f0453a5

SHA256
70013fcd32f4745347cbd45c1cc911c0d6939048727f1c8dbcc1da36edf20fa9

SHA512
86aa1a9ff8f0df4feec57f4d2d1572a4e0fbea0de5cafc88c728a5737c77d80ad98926ab9d3c5cd5817dbf9f49e63179895fd1d6199a72996783b65505f1b6b0

Download Submit
memory/1020-166-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1020-133-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1544-170-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1544-139-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download