67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
Size

274KB
MD5

b4f4482d2a695274a0fa26b766075879
SHA1

96e28b50847a68b6223327d81edf2c85875f72a4
SHA256

67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f
SHA512

524f80018d259a6964db4e6550ba027a05d77a2da8d5d14736710a563477701278a16a0b42e47a3c2d783b78f02b4a65ba4d01b3ecf2f39df2e40e8035fe9ebc
SSDEEP

6144:SbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:SPcrfR6ZnOkx2LIa

Score

8^/10

upx vmprotect

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\Y90drs20uc.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\c0lcHQR8cN95.xny	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\ShLYFoDPTwUR8w.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\cEPFfQP1eHbF.lpf	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\ykztC1lzzExh4T.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\BnbaR0IHgb2l.bmm	Explorer.EXE
File created	C:\Windows\System32\drivers\HZDbtMEI.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\4OjzlRE9t8hFK.usx	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\OBekCNLptWn.sys	Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1656-0-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral2/memory/1656-5-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral2/memory/1656-6-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral2/memory/1656-19-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral2/memory/1656-24-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral2/memory/1656-37-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral2/memory/1656-69-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral2/memory/1656-82-0x00000000002E0000-0x000000000036C000-memory.dmp	upx

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000f00000002326e-105.dat	vmprotect
behavioral2/files/0x0011000000023222-133.dat	vmprotect
behavioral2/files/0x001d000000023222-161.dat	vmprotect
behavioral2/files/0x0021000000023222-189.dat	vmprotect

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\Ftgf0Vfw.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\qHvVhqIUrpCGu.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\qm6UzpEePa6.hdo	Explorer.EXE
File opened for modification	C:\Windows\system32\1mKtgi6W2UF.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\lnGLnQSToC6Uve.ded	Explorer.EXE
File opened for modification	C:\Windows\system32\CpLBdDWEy2Lvy.hmt	Explorer.EXE
File opened for modification	C:\Windows\system32\l6fP0Y4ig3bLTS.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\B0tiR73Avl.cog	Explorer.EXE
File opened for modification	C:\Windows\system32\AUAw7aKVYUIoWh.sys	Explorer.EXE

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TuggRavE3t.irn	Explorer.EXE
File opened for modification	C:\Program Files (x86)\1RUcWk8KUzz8ak.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\WX6Q7VmiaM.sys	Explorer.EXE
File opened for modification	C:\Program Files\SMAGbBSw3x.sys	Explorer.EXE
File opened for modification	C:\Program Files\MSBuild\39669920.js	Explorer.EXE
File opened for modification	C:\Program Files\MSBuild\5619e5b0.js	Explorer.EXE
File opened for modification	C:\Program Files\zL8ktPSf1V.xmy	Explorer.EXE
File opened for modification	C:\Program Files (x86)\fgxBIaju6qTkKC.sys	Explorer.EXE
File opened for modification	C:\Program Files\2UEBYagO6qf.hqf	Explorer.EXE
File opened for modification	C:\Program Files\MSBuild\47c03f68.html	Explorer.EXE
File opened for modification	C:\Program Files\YFbzo44pvUdY.sys	Explorer.EXE
File opened for modification	C:\Program Files\3FwLnvCJIyJ3S.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\FHcBuaRi3oQ.phk	Explorer.EXE
File opened for modification	C:\Program Files\MSBuild\lib\64738bf8.js	Explorer.EXE
File opened for modification	C:\Program Files\yYuWndkAcs.ehu	Explorer.EXE
File opened for modification	C:\Program Files (x86)\3mX3YMdphbSnc.siv	Explorer.EXE
File opened for modification	C:\Program Files (x86)\qqVPdB4JjP4AfM.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\UNnr59oqCds4.bri	Explorer.EXE
File opened for modification	C:\Program Files\MSBuild\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\EGxA33UUzl.sys	Explorer.EXE
File opened for modification	C:\Program Files\25riAx8KaW.uuf	Explorer.EXE

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\t3l8BJ0mGs.sys	Explorer.EXE
File opened for modification	C:\Windows\1CNvHJWVrszvD.asr	Explorer.EXE
File opened for modification	C:\Windows\err_1656.log	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
File created	C:\Windows\VWEqYY.sys	Explorer.EXE
File opened for modification	C:\Windows\cjk9XFlXdqTwXB.sys	Explorer.EXE
File opened for modification	C:\Windows\KIzvFACUrUx.bod	Explorer.EXE
File opened for modification	C:\Windows\dpbO8IZvCFAg.kjf	Explorer.EXE
File opened for modification	C:\Windows\aV2u08ASgOmzI.sys	Explorer.EXE
File opened for modification	C:\Windows\19YoUa8udh.uit	Explorer.EXE
File opened for modification	C:\Windows\WvA5yR1EbPvN.sys	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Explorer.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1156	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE
3116	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3116	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
Token: SeTcbPrivilege	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
Token: SeDebugPrivilege	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
Token: SeDebugPrivilege	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
Token: SeDebugPrivilege	3116	Explorer.EXE
Token: SeDebugPrivilege	3116	Explorer.EXE
Token: SeDebugPrivilege	3116	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeDebugPrivilege	3116	Explorer.EXE
Token: SeBackupPrivilege	3116	Explorer.EXE
Token: SeDebugPrivilege	3116	Explorer.EXE
Token: SeDebugPrivilege	380	dwm.exe
Token: SeBackupPrivilege	380	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3116	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3116	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3116	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	46
PID 1656 wrote to memory of 3116	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	46
PID 1656 wrote to memory of 3116	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	46
PID 1656 wrote to memory of 3116	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	46
PID 1656 wrote to memory of 3116	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	46
PID 1656 wrote to memory of 620	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	3
PID 1656 wrote to memory of 620	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	3
PID 1656 wrote to memory of 620	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	3
PID 1656 wrote to memory of 620	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	3
PID 1656 wrote to memory of 620	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	3
PID 1656 wrote to memory of 1428	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	98
PID 1656 wrote to memory of 1428	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	98
PID 1656 wrote to memory of 1428	1656	67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe	98
PID 1428 wrote to memory of 1156	1428	cmd.exe	100
PID 1428 wrote to memory of 1156	1428	cmd.exe	100
PID 1428 wrote to memory of 1156	1428	cmd.exe	100
PID 3116 wrote to memory of 380	3116	Explorer.EXE	9
PID 3116 wrote to memory of 380	3116	Explorer.EXE	9
PID 3116 wrote to memory of 380	3116	Explorer.EXE	9
PID 3116 wrote to memory of 380	3116	Explorer.EXE	9
PID 3116 wrote to memory of 380	3116	Explorer.EXE	9
PID 3116 wrote to memory of 380	3116	Explorer.EXE	9

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:380

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe
  "C:\Users\Admin\AppData\Local\Temp\67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\67b01ab9c3348aa89160478c0c3611fa541f4ca7d3428e231dcbeee4d2aeeb4f.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
2KB

MD5
adf1b2e1e89eba448400b4d4c1c66863

SHA1
7cec24140330f0d5805ddd31c808ce7098fc8ae6

SHA256
5662ba91c2993d12b16a4e4e90684f7407a0719666bdbc8b3665b07c630dfb7d

SHA512
4f2192b20e610e50b2f17a526474768da9eec44032a3ad9f7900fc909a10aee27724e13f8bde6e4cfa96283578f4418edb997152a773859ed494ccb6e09dc09a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
cecdfa49341ff31d9354fcf2ffa1d068

SHA1
6f2166ae4d4a47a653731d577b55029d4ac037ac

SHA256
9fa4b6bb08ee1191afe035fb077f54b5f382fa7f19b410dc4c8a8057686c8a21

SHA512
4f41e922c5ddabace2f7699eeb1ae0c6919b8825787e6a3f905af8396e0ef7b26c3cdb575d834baf55df258d03154a729a970aeeba41dd16fddb74338aeeb343

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
599B

MD5
02f0a29ee61ccf6a719db3cd108d8c6f

SHA1
78993d8eaa19ae6ecb5614d38e3528d7d1f5f658

SHA256
6470e6b7adaa270e7553e197e71ed23e280352c83c43b5c32c978f991e8111bd

SHA512
e0f5b18d6350f2bf87fb54bf0ec9dbb3f08fa01c8b45a42af152b120117d4301e9e9543bbff06824b4bac7487e4ca29618dd8c46e7b5dedb663220d33929df64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
484B

MD5
d4347bdc91cdefecbbb78130fc8275d1

SHA1
a11dc53c818e24fb6511f2eacafc7ea39b5b8a8f

SHA256
b3939fad78ac120fd2f202c539d557d74cb760b90428db15a01bacbd7e4e3402

SHA512
4971ca83bec1ae47ef2d66ec39c8f78000f6076619605ce0747194e6dca178042fb461f46e24c4178763c7c04ed3d79fa27bc0e2f2b13062dc8ec38253be2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
6fd8ac00bdb4f13dcd28c15254b3a92b

SHA1
c3825f12815f2f54a0dd2e7a5f46a033095da7d4

SHA256
cd4844653e41ae67dfdf2cc2410622fedd75e7bd7b5e7930093438a0d22348ba

SHA512
afc25bf5cfed3b4c6767a30632c213abdc8fcb82a13b84a0c10aac2ca9e0be770511652a55ad1ec8b342cf1042a94d0b164aa2e4d7a5ebb386afa69d9a71c8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
504B

MD5
95a7a6f58fc278d92bea760c1bffcb3f

SHA1
b6ee25892ae86888fdceb010ea218d0ee2c92866

SHA256
6bdba5ab9c57b16d8e4e7f8b4411427fdcb04090987ef602b2fb8c6a7f3c07a7

SHA512
e33779b92f4e567f0eebf23f157d410219396a8fc048f8e23177f541f66b2cad1f27f5cdf653605e1847120b3fe495062bbb4ab1a108f78b4bf7ebd2db8ee4a3

Download Submit
C:\Windows\WvA5yR1EbPvN.sys

Filesize
415KB

MD5
9cb06daeb033d7b6cf5f0a7ee3849c5e

SHA1
3fdde9ae15b82e77b4a0898b4e675cdc3cc27c09

SHA256
ac05af04aa4828fa7b83781d949913ce78ea7b858d8a9020b9c7479d01f6a7c4

SHA512
81f4c594d9df56f975b675fcec5cf2ac0e31a6905374de80d2e09dff427b479abfdcc76a1be5ef5ee4c2cc2a90f971712d78d3e15cf2a5cab2f2434476e58dc8

Download Submit
C:\Windows\aV2u08ASgOmzI.sys

Filesize
447KB

MD5
2988f46e976afe9a45e84d0e7578958f

SHA1
7918988bdf593b0bd008afad01794c41b4676887

SHA256
453407f10d38d3bd6b4808ea8f4d9fe423557bf37dc7cd569b3abc7dc3279bdc

SHA512
71708bd6fcd79997d98410949a56780eaf375143b60e44ba9fd39544168ef577fa944d7ed001a26f25b772dd4d16c708fdd96addbf8c4efbf2b3dec472e836d6

Download Submit
C:\Windows\cjk9XFlXdqTwXB.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\t3l8BJ0mGs.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
memory/380-214-0x000001F177EE0000-0x000001F177EE3000-memory.dmp

Filesize
12KB

Download
memory/380-216-0x000001F177EE0000-0x000001F177EE3000-memory.dmp

Filesize
12KB

Download
memory/380-217-0x000001F177FC0000-0x000001F177FC4000-memory.dmp

Filesize
16KB

Download
memory/380-218-0x000001F177F00000-0x000001F177FAF000-memory.dmp

Filesize
700KB

Download
memory/380-221-0x000001F177F00000-0x000001F177FAF000-memory.dmp

Filesize
700KB

Download
memory/620-41-0x000001DFCD520000-0x000001DFCD548000-memory.dmp

Filesize
160KB

Download
memory/620-65-0x000001DFCD520000-0x000001DFCD548000-memory.dmp

Filesize
160KB

Download
memory/620-70-0x000001DFCD640000-0x000001DFCD641000-memory.dmp

Filesize
4KB

Download
memory/620-39-0x000001DFCD510000-0x000001DFCD513000-memory.dmp

Filesize
12KB

Download
memory/1656-0-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/1656-69-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/1656-5-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/1656-6-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/1656-82-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/1656-19-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/1656-24-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/1656-37-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/3116-85-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3116-31-0x0000000002710000-0x0000000002713000-memory.dmp

Filesize
12KB

Download
memory/3116-89-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3116-90-0x000000000A4C0000-0x000000000A56F000-memory.dmp

Filesize
700KB

Download
memory/3116-43-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3116-87-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3116-86-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3116-44-0x00000000081A0000-0x0000000008251000-memory.dmp

Filesize
708KB

Download
memory/3116-36-0x00007FFE6EAB0000-0x00007FFE6EAC0000-memory.dmp

Filesize
64KB

Download
memory/3116-35-0x00000000081A0000-0x0000000008251000-memory.dmp

Filesize
708KB

Download
memory/3116-34-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3116-32-0x00000000081A0000-0x0000000008251000-memory.dmp

Filesize
708KB

Download
memory/3116-33-0x0000000002710000-0x0000000002713000-memory.dmp

Filesize
12KB

Download
memory/3116-88-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3116-209-0x000000000A4C0000-0x000000000A56F000-memory.dmp

Filesize
700KB

Download
memory/3116-210-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3116-211-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/3116-212-0x00000000026E0000-0x00000000026EA000-memory.dmp

Filesize
40KB

Download
memory/3116-213-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3116-29-0x0000000002710000-0x0000000002713000-memory.dmp

Filesize
12KB

Download
memory/3116-215-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3116-84-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3116-83-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3116-81-0x00007FF6FD0D0000-0x00007FF6FD0D1000-memory.dmp

Filesize
4KB

Download
memory/3116-219-0x000000000A700000-0x000000000A704000-memory.dmp

Filesize
16KB

Download
memory/3116-220-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3116-80-0x00007FFE6EAB0000-0x00007FFE6EAC0000-memory.dmp

Filesize
64KB

Download