2132faa1b6fff1d8a8a51a64b463d95f2ec0b244d66aad8abb44776f40bd0fc6

Analysis

max time kernel
93s
max time network
91s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
15/07/2023, 16:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Patch.exe
Size

839KB
MD5

f8b1eabcbc118609bb2260031829f87f
SHA1

62970ae57302ae52f1291a9c728a6a81ffa2ec73
SHA256

2132faa1b6fff1d8a8a51a64b463d95f2ec0b244d66aad8abb44776f40bd0fc6
SHA512

18296e7748c964b823fbacc5ffe3f1debc7d946855040810d73e649e653cb13f8590a83375b9bce0e4966148e5abf096b1a5472a10fac31d97f62beda71ccc29
SSDEEP

24576:nprTzqF5dnTVW3hr7ALun+zO9Biek/uaOkjrlHOmnve:Ra5IF7P+zO9B9k/uarpHjm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2640	Patch.exe
2640	Patch.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\atlthunk.dll	Patch.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\killproces.bat	Patch.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\killproces.bat	Patch.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.dll	Patch.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrodistdll.dll	Patch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4760	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "5"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5e00310000000000ef56e68210004143524f42417e310000460009000400efbeef56e682ef56e6822e00000028af01000000070000000000000000000000000000004af7f4004100630072006f00620061007400200044004300000018000000	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "7"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5600310000000000ef56e68210004163726f62617400400009000400efbeef56e682ef56e6822e0000002aaf01000000060000000000000000000000000000004ed0f4004100630072006f00620061007400000016000000	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000030000000200000001000000ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 5600310000000000e356bc53100057696e646f777300400009000400efbe724a0b5de356bc532e0000006b050000000001000000000000000000000000000000247fe600570069006e0064006f0077007300000016000000	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e8096f2fd3decdbb44f81d16a3438bcf4de260001002600efbe1100000046bb3c4e95add9015588a8349cadd9015588a8349cadd90114000000	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Patch.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	Patch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2812	AUDIODG.EXE
Token: SeDebugPrivilege	4760	taskkill.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2640	Patch.exe
2640	Patch.exe
2640	Patch.exe
2640	Patch.exe
2640	Patch.exe
2640	Patch.exe
2640	Patch.exe
2640	Patch.exe
2640	Patch.exe
2640	Patch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 4460	2640	Patch.exe	70
PID 2640 wrote to memory of 4460	2640	Patch.exe	70
PID 2640 wrote to memory of 4460	2640	Patch.exe	70
PID 4460 wrote to memory of 4760	4460	cmd.exe	72
PID 4460 wrote to memory of 4760	4460	cmd.exe	72
PID 4460 wrote to memory of 4760	4460	cmd.exe	72

C:\Users\Admin\AppData\Local\Temp\Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Patch.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files\Adobe\Acrobat DC\Acrobat\killproces.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /f /t /im acrotray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4188

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Adobe\Acrobat DC\Acrobat\killproces.bat

Filesize
48B

MD5
0395e0bacec066cfa168a85c267a9f06

SHA1
f5857540ccfd514c4eb58355e7e84ae603d01ee2

SHA256
06795f74afb1ed8c4ac870ba773847b21cd01adadfe01a6e8813aea86a9bc0a7

SHA512
472670ba32d4a8d4d8a38d90e66817937e55960249636b2204ec5b11c5005ff8df191354017556cf675026235f52fe263693442d4053dd426b0205fc7731f062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
d65faf22dcf989292c7eb0d02e48be83

SHA1
9ef298b3b5df57b4da71e8e932e393cf713c184e

SHA256
4e412093c7f59cd7e08dd90feb906f0dbedcc8b8e9f6a67727416c19b042664b

SHA512
1970a04b5405e954dbd13593a8fa3d794497469e934b92bdad746767e6de8b795168f7582491c344b0b9c0d2038fd1e392977fc6900e99fa956698bad67ab550

Download Submit
\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
825KB

MD5
1e4c47cb43d537d50a60592b42345da9

SHA1
0433554c251dc75b8ba4251663aa1a3bce641306

SHA256
6f8650fa49a74fbbabb51f1cced99d11732c177ecb1049ec59ebc79b16daf1ed

SHA512
d6e316cf0a45f479d84ba74917407220ba9421f9edd656835487fb6ccb79f7bbf78a44e885d1f9c440cb5ac4387f3f9b943b505148efc34fd73db22f83b03288

Download Submit
memory/2640-119-0x0000000074420000-0x0000000074507000-memory.dmp

Filesize
924KB

Download
memory/2640-141-0x0000000074420000-0x0000000074507000-memory.dmp

Filesize
924KB

Download