219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
Size

274KB
MD5

5f78b5cb52e44a34c8403dc025eb9c86
SHA1

06d1ed39ebf8ecab97b1e0d493508423dc6c1819
SHA256

219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573
SHA512

37fc19419918f6cedb14267a395babbff6ed649741b31c7bbdc50a4598302d2ebf2d7ab591393babeefb63e816f6b798b9d228d77a3ab01ddb086d8e77160578
SSDEEP

6144:abTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:aPcrfR6ZnOkx2LIa

Score

8^/10

upx vmprotect

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\sjgFyfs5f.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\5LZIbR1iJZy.qka	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\HUcW039lMqW.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\6m1DddAPQFH.fzt	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\9BEso4SRc8vPy.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\WUT2cErQRH0Erp.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\xMlTZ986Hw.xft	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\4s1t4SFwRCa.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\QyxEILhmPO.jom	Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1060-0-0x0000000000380000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/1060-11-0x0000000000380000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/1060-15-0x0000000000380000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/1060-20-0x0000000000380000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/1060-23-0x0000000000380000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/1060-24-0x0000000000380000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/1060-55-0x0000000000380000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/1060-62-0x0000000000380000-0x000000000040C000-memory.dmp	upx

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000023238-93.dat	vmprotect
behavioral2/files/0x000600000002323c-121.dat	vmprotect
behavioral2/files/0x000700000002323c-149.dat	vmprotect
behavioral2/files/0x0010000000023239-177.dat	vmprotect

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\qkxBfGqgsSID.ull	Explorer.EXE
File opened for modification	C:\Windows\system32\jN1mPH9UsPND8.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\U5SxsuMydbw.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\f7FiWorCgCZwm.vgr	Explorer.EXE
File opened for modification	C:\Windows\system32\esEgZLco7mz1O6.lop	Explorer.EXE
File created	C:\Windows\system32\ \Windows\System32\PjoYLC.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\MgicM7Izay.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\wBgI5eEkHj.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\MVHu8G99N7.cmy	Explorer.EXE

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edDSZTTkws.sys	Explorer.EXE
File opened for modification	C:\Program Files\Internet Explorer\5615d1fe.js	Explorer.EXE
File opened for modification	C:\Program Files\Internet Explorer\lib\646eca53.js	Explorer.EXE
File opened for modification	C:\Program Files\Internet Explorer\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files (x86)\HEHaZTdsDwloEV.pdp	Explorer.EXE
File opened for modification	C:\Program Files\R93wJNkOA3.ojo	Explorer.EXE
File opened for modification	C:\Program Files (x86)\3CPvHm7QNNC.rpe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\frPIW1AfUXAQD.sys	Explorer.EXE
File opened for modification	C:\Program Files\Internet Explorer\3963e154.js	Explorer.EXE
File opened for modification	C:\Program Files\Internet Explorer\47bcd9a9.html	Explorer.EXE
File opened for modification	C:\Program Files (x86)\ErpSJHEGj2wFH.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\9vOzl8xaHBc.izj	Explorer.EXE
File opened for modification	C:\Program Files (x86)\HSkMGaADIP.jbg	Explorer.EXE
File opened for modification	C:\Program Files\movI5ucPDL.bgn	Explorer.EXE
File opened for modification	C:\Program Files (x86)\7bz5DcODHuBO.sys	Explorer.EXE
File opened for modification	C:\Program Files\Rrx0lhHFGmfyE.sys	Explorer.EXE
File opened for modification	C:\Program Files\oAjKjgJVnNqPD4.hdi	Explorer.EXE
File opened for modification	C:\Program Files\tUOdYl43h4.sys	Explorer.EXE
File opened for modification	C:\Program Files\0HNFDenktkmr.sys	Explorer.EXE
File opened for modification	C:\Program Files\Lt1mAnOckvP7pj.zwl	Explorer.EXE
File opened for modification	C:\Program Files\VH5tz7XE32.sys	Explorer.EXE

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\err_1060.log	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
File opened for modification	C:\Windows\GL1Z0dC3zWP.vyk	Explorer.EXE
File opened for modification	C:\Windows\jVHpBnfbnJXM.ahe	Explorer.EXE
File opened for modification	C:\Windows\0j4WmQrIZgm.sys	Explorer.EXE
File opened for modification	C:\Windows\KfsSmZMkO0.byf	Explorer.EXE
File opened for modification	C:\Windows\0SdhpCQKBlr0g.sys	Explorer.EXE
File opened for modification	C:\Windows\WFPjKYMYGrQbWS.sys	Explorer.EXE
File opened for modification	C:\Windows\kDs8ufzuuoMcm.elo	Explorer.EXE
File created	C:\Windows\ZtjCKGWBR.sys	Explorer.EXE
File opened for modification	C:\Windows\ELtlRfFVrVMi.sys	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Explorer.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1500	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
Token: SeTcbPrivilege	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
Token: SeDebugPrivilege	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
Token: SeDebugPrivilege	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
Token: SeDebugPrivilege	3148	Explorer.EXE
Token: SeDebugPrivilege	3148	Explorer.EXE
Token: SeDebugPrivilege	3148	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeDebugPrivilege	3148	Explorer.EXE
Token: SeBackupPrivilege	3148	Explorer.EXE
Token: SeDebugPrivilege	3148	Explorer.EXE
Token: SeDebugPrivilege	428	dwm.exe
Token: SeBackupPrivilege	428	dwm.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	428	dwm.exe
Token: SeCreatePagefilePrivilege	428	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3148	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	44
PID 1060 wrote to memory of 3148	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	44
PID 1060 wrote to memory of 3148	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	44
PID 1060 wrote to memory of 3148	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	44
PID 1060 wrote to memory of 3148	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	44
PID 1060 wrote to memory of 644	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	5
PID 1060 wrote to memory of 644	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	5
PID 1060 wrote to memory of 644	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	5
PID 1060 wrote to memory of 644	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	5
PID 1060 wrote to memory of 644	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	5
PID 1060 wrote to memory of 4900	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	99
PID 1060 wrote to memory of 4900	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	99
PID 1060 wrote to memory of 4900	1060	219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe	99
PID 4900 wrote to memory of 1500	4900	cmd.exe	101
PID 4900 wrote to memory of 1500	4900	cmd.exe	101
PID 4900 wrote to memory of 1500	4900	cmd.exe	101
PID 3148 wrote to memory of 428	3148	Explorer.EXE	10
PID 3148 wrote to memory of 428	3148	Explorer.EXE	10
PID 3148 wrote to memory of 428	3148	Explorer.EXE	10
PID 3148 wrote to memory of 428	3148	Explorer.EXE	10
PID 3148 wrote to memory of 428	3148	Explorer.EXE	10
PID 3148 wrote to memory of 428	3148	Explorer.EXE	10

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:644
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe
  "C:\Users\Admin\AppData\Local\Temp\219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\219b8ecb49ab73378fc40ed08171a05765db0194ffc300e198dcbe698773f573.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
2KB

MD5
2818084a9e9c1a6ea4afcabc2addedaa

SHA1
13c59025d416f769fffeb9e239b2e16c8b5f7868

SHA256
6f4fa276959221d8e18c0531d8d6e374bc3630f0d2a9cb3bc53d9332b31fe4f0

SHA512
2c0222371add59a2f3dc64fc5fc8e4a72076c279c2f8697fe84afc948b2d9f8033b5e47a67f2167fc65b6749c2c558b672fad16b683f5d4769678a434821577b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
91a2dd953cb6f8edfa3c5a3b7c680f68

SHA1
45fabdf01269f6ff34cee0a3304d97e8dbb74486

SHA256
9806b25d68e91516099c89be4870be1aadc6be2de5611dc24e426026ebf5ffbd

SHA512
f1555dc73fe7e5a137385fbb158c587651345f2cb8c28ff11590fe65accdb8cf753b775e804f3f33d30e4c3cd94331356715f63b7856ad567ac98bec639f0bda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
599B

MD5
a87c1c0bd5b4f68755a9cc6b52c6c2be

SHA1
23d9859148cd758aa9eac8e5e5b3fa7b16968b28

SHA256
44b9e82998f53b67924b619840930d3c0e22877283dd612da9b55a36ea034666

SHA512
93c5fb66c5a95440be30a29ec04a09e3a174af66e584bd8fbcb2aabe74d643fba82f5ec6915b5d1fa3ba4d3eae7c60f8d5dc46438e420b4a46924c203e601cac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
484B

MD5
51caa4a21324fde45fd8efda093e8582

SHA1
b74eaf01caa8c2a71384c192161ac730de672352

SHA256
c4fdc69ff617fea0d396a913288c46db42e926e39a788ff55113f3b208198789

SHA512
d119ea45dae3c0d8fabe6ec24034e02d0f63b400c9d1577b8f8e20dbc5a2e82cf43b56523ddd032476aa20c46627a732cdd9b355fb20d41399a24344bbe1f7b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
8b961725f00df1e5bff7251100656833

SHA1
6930180a7e48e3980499bc3393a4317ad19d4b72

SHA256
dc7c55cb96eb93d5aa66d2cbb0b34e9bcd2c992f2bbc956e541b97c011aa531a

SHA512
e21c6aa32303444cb62a1e596486d895c6750cb5d54fb4302551984987caa6c0aa1f8753ce0367fc73085a39da5a75325bc594bdb60a9158a6f55b482103fc60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
504B

MD5
4253995ec9af5c9cde64ef9a5eb8e3b4

SHA1
1bfed69d683cfe7d0aaa2b946709d46f76ae518b

SHA256
3be6405acb58a5990c6ed69bef73bf08e163fbd154d4e0aaf8646ee0b83d81ce

SHA512
dd220dcee09e9cc745e62dde876de91c2649c0b73bfe7b784acd2edd05c575c84efe89dd275357640900de50d06f1ba622243836603faddb5a1a6ba4f5cdf640

Download Submit
C:\Windows\0SdhpCQKBlr0g.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
C:\Windows\0j4WmQrIZgm.sys

Filesize
447KB

MD5
587168dfb4f83975c6491b896e7ca89f

SHA1
657108fc554b8d696a49d95746b7a9eb919915ea

SHA256
529d5a31f6268d0a46bd1df0c236d8f9345cb71e53df1633d14a0cff247e18c5

SHA512
7292a29fdcbed7fbe1f927479699e3982f84ba3d3b31496cc7635c94d31ee17413a96b1135e19aef9d24839b8919c8364898e990e6f6d48c9ce538a44433a32a

Download Submit
C:\Windows\ELtlRfFVrVMi.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\WFPjKYMYGrQbWS.sys

Filesize
415KB

MD5
f5fb6bb3a700a814054ce952e8c3b6a1

SHA1
3fa8a291e42667ccde09064ed1cf4f8582c3710f

SHA256
d186b3eedd548e159ee39c075acb4d145539ecfbeb647bda3d821741c6e72379

SHA512
c0b894e30588f23d80f6308bb6573c9b55c52c6d0889cae08e811da8db6e5fa59401e821781812f714674f0346893dffce2fdd38ca696762d98466346404201a

Download Submit
memory/428-218-0x000002804BCF0000-0x000002804BCF3000-memory.dmp

Filesize
12KB

Download
memory/428-214-0x000002804BDD0000-0x000002804BDD4000-memory.dmp

Filesize
16KB

Download
memory/428-212-0x000002804BD10000-0x000002804BDBF000-memory.dmp

Filesize
700KB

Download
memory/428-211-0x000002804BCF0000-0x000002804BCF3000-memory.dmp

Filesize
12KB

Download
memory/428-210-0x000002804BCF0000-0x000002804BCF3000-memory.dmp

Filesize
12KB

Download
memory/428-219-0x000002804BD10000-0x000002804BDBF000-memory.dmp

Filesize
700KB

Download
memory/644-75-0x000001AB58400000-0x000001AB58401000-memory.dmp

Filesize
4KB

Download
memory/644-38-0x000001AB583C0000-0x000001AB583E8000-memory.dmp

Filesize
160KB

Download
memory/1060-55-0x0000000000380000-0x000000000040C000-memory.dmp

Filesize
560KB

Download
memory/1060-23-0x0000000000380000-0x000000000040C000-memory.dmp

Filesize
560KB

Download
memory/1060-20-0x0000000000380000-0x000000000040C000-memory.dmp

Filesize
560KB

Download
memory/1060-15-0x0000000000380000-0x000000000040C000-memory.dmp

Filesize
560KB

Download
memory/1060-11-0x0000000000380000-0x000000000040C000-memory.dmp

Filesize
560KB

Download
memory/1060-0-0x0000000000380000-0x000000000040C000-memory.dmp

Filesize
560KB

Download
memory/1060-24-0x0000000000380000-0x000000000040C000-memory.dmp

Filesize
560KB

Download
memory/1060-62-0x0000000000380000-0x000000000040C000-memory.dmp

Filesize
560KB

Download
memory/3148-206-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3148-28-0x00000000022E0000-0x00000000022E3000-memory.dmp

Filesize
12KB

Download
memory/3148-83-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3148-81-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3148-80-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3148-79-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3148-84-0x0000000008CE0000-0x0000000008D8F000-memory.dmp

Filesize
700KB

Download
memory/3148-197-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3148-198-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3148-78-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3148-77-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3148-76-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3148-74-0x00000000081B0000-0x0000000008261000-memory.dmp

Filesize
708KB

Download
memory/3148-73-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3148-72-0x00007FF900C20000-0x00007FF900C30000-memory.dmp

Filesize
64KB

Download
memory/3148-205-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3148-34-0x00007FF900C20000-0x00007FF900C30000-memory.dmp

Filesize
64KB

Download
memory/3148-207-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3148-208-0x0000000008CE0000-0x0000000008D8F000-memory.dmp

Filesize
700KB

Download
memory/3148-209-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3148-35-0x00000000081B0000-0x0000000008261000-memory.dmp

Filesize
708KB

Download
memory/3148-33-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3148-30-0x00000000022E0000-0x00000000022E3000-memory.dmp

Filesize
12KB

Download
memory/3148-213-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3148-32-0x00000000022E0000-0x00000000022E3000-memory.dmp

Filesize
12KB

Download
memory/3148-215-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3148-216-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3148-217-0x0000000008D90000-0x0000000008D94000-memory.dmp

Filesize
16KB

Download
memory/3148-31-0x00000000081B0000-0x0000000008261000-memory.dmp

Filesize
708KB

Download
memory/3148-82-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3148-220-0x00007FF672E80000-0x00007FF672E81000-memory.dmp

Filesize
4KB

Download
memory/3148-221-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-222-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-223-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-224-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-225-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-227-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-226-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-229-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-231-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-232-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-233-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3148-234-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-235-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-236-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3148-237-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-239-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-241-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-245-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-243-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-246-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-247-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3148-248-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-250-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-249-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-251-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-252-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-254-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3148-255-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download