nullmixer | a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ba00a7f8bf0f2d0237bd01bb12a825b.exe
Size

3.3MB
MD5

7ba00a7f8bf0f2d0237bd01bb12a825b
SHA1

1af2a65956ba61ded056f90ef48e08abb7e4e6b5
SHA256

a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2
SHA512

9b99656efbb22c6eb0e3cee3a5949d3f5cbf1e24821b30d3ee33bfcea5a0928cc96a05daf19cbf88041e75030f3168727045bb1630a0ddf2edd6d6465eab761b
SSDEEP

98304:JK0LsE9LvEbGRN0nM1BOhu3uiJgR2qpNeJ:JK4sIoGDhBuu8j8J

Score

10^/10

nullmixer privateloader risepro smokeloader vidar xmrig 706 pub6 aspackv2 backdoor dropper evasion loader miner spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://znegs.xyz/

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	zaiqa_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	zaiqa_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	zaiqa_7.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/4220-139-0x0000000004930000-0x00000000049CD000-memory.dmp	family_vidar
behavioral2/memory/4220-148-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_vidar

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral2/memory/2472-220-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-222-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-224-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-226-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-228-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-227-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-229-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-230-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-231-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-234-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2472-235-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023223-44.dat	aspack_v212_v242
behavioral2/files/0x0006000000023223-47.dat	aspack_v212_v242
behavioral2/files/0x000600000002321f-51.dat	aspack_v212_v242
behavioral2/files/0x0006000000023221-59.dat	aspack_v212_v242
behavioral2/files/0x0006000000023221-58.dat	aspack_v212_v242
behavioral2/files/0x000600000002321e-54.dat	aspack_v212_v242
behavioral2/files/0x0006000000023223-49.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	7ba00a7f8bf0f2d0237bd01bb12a825b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	zaiqa_4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	zaiqa_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	chrome2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	services64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	zaiqa_7.exe

Executes dropped EXE 17 IoCs

pid	Process
3020	setup_installer.exe
1636	setup_install.exe
1836	zaiqa_6.exe
1100	zaiqa_7.exe
4220	zaiqa_3.exe
5112	zaiqa_1.exe
1336	zaiqa_2.exe
816	zaiqa_4.exe
4204	zaiqa_5.exe
2804	zaiqa_8.exe
4080	zaiqa_9.exe
4312	chrome2.exe
3500	zaiqa_1.exe
1388	setup.exe
4612	winnetdriv.exe
2116	services64.exe
4456	sihost64.exe

Loads dropped DLL 5 IoCs

pid	Process
1636	setup_install.exe
1636	setup_install.exe
1636	setup_install.exe
1636	setup_install.exe
1636	setup_install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
391	raw.githubusercontent.com
404	pastebin.com
405	pastebin.com
21	iplogger.org
22	iplogger.org
23	iplogger.org
390	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ipinfo.io
12	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2472	2116	services64.exe	133

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1348	1636	WerFault.exe	91

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2900	schtasks.exe
1952	schtasks.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	zaiqa_2.exe
1336	zaiqa_2.exe
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1336	zaiqa_2.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	zaiqa_8.exe
Token: SeDebugPrivilege	1836	zaiqa_6.exe
Token: SeCreateGlobalPrivilege	2044	dwm.exe
Token: SeChangeNotifyPrivilege	2044	dwm.exe
Token: 33	2044	dwm.exe
Token: SeIncBasePriorityPrivilege	2044	dwm.exe
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeDebugPrivilege	4312	chrome2.exe
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeDebugPrivilege	2116	services64.exe
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeLockMemoryPrivilege	2472	explorer.exe
Token: SeLockMemoryPrivilege	2472	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3384	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3020	2652	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	90
PID 2652 wrote to memory of 3020	2652	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	90
PID 2652 wrote to memory of 3020	2652	7ba00a7f8bf0f2d0237bd01bb12a825b.exe	90
PID 3020 wrote to memory of 1636	3020	setup_installer.exe	91
PID 3020 wrote to memory of 1636	3020	setup_installer.exe	91
PID 3020 wrote to memory of 1636	3020	setup_installer.exe	91
PID 1636 wrote to memory of 2224	1636	setup_install.exe	94
PID 1636 wrote to memory of 2224	1636	setup_install.exe	94
PID 1636 wrote to memory of 2224	1636	setup_install.exe	94
PID 1636 wrote to memory of 3016	1636	setup_install.exe	119
PID 1636 wrote to memory of 3016	1636	setup_install.exe	119
PID 1636 wrote to memory of 3016	1636	setup_install.exe	119
PID 1636 wrote to memory of 2884	1636	setup_install.exe	118
PID 1636 wrote to memory of 2884	1636	setup_install.exe	118
PID 1636 wrote to memory of 2884	1636	setup_install.exe	118
PID 1636 wrote to memory of 1192	1636	setup_install.exe	117
PID 1636 wrote to memory of 1192	1636	setup_install.exe	117
PID 1636 wrote to memory of 1192	1636	setup_install.exe	117
PID 1636 wrote to memory of 1228	1636	setup_install.exe	116
PID 1636 wrote to memory of 1228	1636	setup_install.exe	116
PID 1636 wrote to memory of 1228	1636	setup_install.exe	116
PID 1636 wrote to memory of 2796	1636	setup_install.exe	115
PID 1636 wrote to memory of 2796	1636	setup_install.exe	115
PID 1636 wrote to memory of 2796	1636	setup_install.exe	115
PID 1636 wrote to memory of 1960	1636	setup_install.exe	114
PID 1636 wrote to memory of 1960	1636	setup_install.exe	114
PID 1636 wrote to memory of 1960	1636	setup_install.exe	114
PID 1636 wrote to memory of 4044	1636	setup_install.exe	113
PID 1636 wrote to memory of 4044	1636	setup_install.exe	113
PID 1636 wrote to memory of 4044	1636	setup_install.exe	113
PID 1636 wrote to memory of 2780	1636	setup_install.exe	95
PID 1636 wrote to memory of 2780	1636	setup_install.exe	95
PID 1636 wrote to memory of 2780	1636	setup_install.exe	95
PID 2796 wrote to memory of 1836	2796	cmd.exe	97
PID 2796 wrote to memory of 1836	2796	cmd.exe	97
PID 1960 wrote to memory of 1100	1960	cmd.exe	96
PID 1960 wrote to memory of 1100	1960	cmd.exe	96
PID 1960 wrote to memory of 1100	1960	cmd.exe	96
PID 2884 wrote to memory of 4220	2884	cmd.exe	98
PID 2884 wrote to memory of 4220	2884	cmd.exe	98
PID 2884 wrote to memory of 4220	2884	cmd.exe	98
PID 2224 wrote to memory of 5112	2224	cmd.exe	112
PID 2224 wrote to memory of 5112	2224	cmd.exe	112
PID 2224 wrote to memory of 5112	2224	cmd.exe	112
PID 3016 wrote to memory of 1336	3016	cmd.exe	110
PID 3016 wrote to memory of 1336	3016	cmd.exe	110
PID 3016 wrote to memory of 1336	3016	cmd.exe	110
PID 1192 wrote to memory of 816	1192	cmd.exe	111
PID 1192 wrote to memory of 816	1192	cmd.exe	111
PID 1192 wrote to memory of 816	1192	cmd.exe	111
PID 1228 wrote to memory of 4204	1228	cmd.exe	99
PID 1228 wrote to memory of 4204	1228	cmd.exe	99
PID 4044 wrote to memory of 2804	4044	cmd.exe	107
PID 4044 wrote to memory of 2804	4044	cmd.exe	107
PID 2780 wrote to memory of 4080	2780	cmd.exe	100
PID 2780 wrote to memory of 4080	2780	cmd.exe	100
PID 816 wrote to memory of 4312	816	zaiqa_4.exe	106
PID 816 wrote to memory of 4312	816	zaiqa_4.exe	106
PID 5112 wrote to memory of 3500	5112	zaiqa_1.exe	102
PID 5112 wrote to memory of 3500	5112	zaiqa_1.exe	102
PID 5112 wrote to memory of 3500	5112	zaiqa_1.exe	102
PID 816 wrote to memory of 1388	816	zaiqa_4.exe	104
PID 816 wrote to memory of 1388	816	zaiqa_4.exe	104
PID 816 wrote to memory of 1388	816	zaiqa_4.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ba00a7f8bf0f2d0237bd01bb12a825b.exe
"C:\Users\Admin\AppData\Local\Temp\7ba00a7f8bf0f2d0237bd01bb12a825b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_1.exe
        
        zaiqa_1.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_9.exe
        
        zaiqa_9.exe
        5⤵
        Executes dropped EXE
        
        PID:4080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 500
      4⤵
      Program crash
      PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c zaiqa_2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3016

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_7.exe
zaiqa_7.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_6.exe
zaiqa_6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_3.exe
zaiqa_3.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_5.exe
zaiqa_5.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_1.exe" -a
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1706400063 0
1⤵
- Executes dropped EXE
PID:4612

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1388

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
  2⤵
  PID:2556
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2900
- C:\Users\Admin\AppData\Roaming\services64.exe
  "C:\Users\Admin\AppData\Roaming\services64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:744
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1952
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    - Executes dropped EXE
    PID:4456
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_8.exe
zaiqa_8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1636 -ip 1636
1⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_2.exe
zaiqa_2.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1336

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_4.exe
zaiqa_4.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\libstdc++-6.dll

Filesize
141KB

MD5
a6e8af5994891678163bbdd770b034be

SHA1
0d2c961b4a12bdb4304fe450f4940ff2b81c3975

SHA256
8c405f354fcfbc197cc369c1bfbaf84171ae8d5eb9f808c46c0c86cd1e49f7c4

SHA512
9a03627c9f962d0ecb952dc0df5e565d5019901a42d6966b6661e50f24af243cadc4f9a3c2ef7b9b75cdb0a59a1bc311285a17ae66e0f86c0d6b277b619a0387

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\setup_install.exe

Filesize
193KB

MD5
e58b080b2e1f788a695e16b4a9eebe19

SHA1
728310a44ea8aee95e79b34f9ef147b01e9c4035

SHA256
c2f157043f262283432c21f70d9c7ea8d6e6195e4938859c38726de71b0f3394

SHA512
289ed310b8d471c279582f932bdf2db873c1f050caee4557e2c018beb93ecfd60406799e29a52373260a7715d26a2af7ce25f84cd329db914cf70b2e14eaeb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\setup_install.exe

Filesize
140KB

MD5
4b640047562e349754f9a6dfd90c85d0

SHA1
f29a9c12a40871010b8aa1203dfc0e21f76c38c1

SHA256
d885530cea1ac5bf36532b2cf7b1c6326020d56a3231fa575a8fed5b1df7ea98

SHA512
83038bbd7fef132c70d8b361d0e500c195caa149bec6cee962082f73277153708a3fc9793fbc4323d5a9d7fc60bda67231235e7621ad679d7c0ca8753d4a0c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\setup_install.exe

Filesize
287KB

MD5
a52a590e1f8f93cd1d4108293415975c

SHA1
49db2a15b6f32c6189f24a8ae6e4bb33d0485f05

SHA256
12d2f007dcc8cb316493fe0f61fd330fdec70f872ae81693e12f9fcc47590149

SHA512
47893f8117466821b89b29836e638bc76d2ee93e57179ba49d2242eb066fa01ff4e0033f194099065e29278b4d4ba653cca00e270f85ccd6cb91b7d3285d6161

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_1.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_2.exe

Filesize
21KB

MD5
4a82245219fb3a1749055171ddf93ed7

SHA1
103d506e994871f7b3e2b84c20126be9e45510ba

SHA256
1c09ac979b89ee734314539f76f52613b8c6ca929aa0ab85ad3cd934f0367806

SHA512
8208b93fbd4eef0bf915990ca07677e0c7b37bff8ad650647ec47cabc1e6c2b2000567bb01d3761f00c47135c1646828c3478c87c1e94762edd990086d520b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_2.txt

Filesize
188KB

MD5
44dc205a5701b53f391a3a750c2c4712

SHA1
14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc

SHA256
508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768

SHA512
02890434c81867499e0911e8062797bf7fc184e05b6de2ab14ffa6f95c48f88e07250b4e5a7ff565bbf45d66d8d7cb5c1009b85085ee3a6bbdac218f356c5749

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_3.exe

Filesize
488KB

MD5
18ac7ce1cc1949d00107476d6db9751d

SHA1
a0374cc33e13ad75dc4b0d12b952ab0a0ae74f62

SHA256
71112eaea043fc0908c610dcc661ebb6c214b0de046f96765ed574503d049be7

SHA512
095eb90f2145da4af3cf1101c0714d764478c340badeb7ebb41ed071afa3abe87cd0267274f85de0cbc8fd4cb24d77054d4bdddc51e68718c5fef1789a6fef3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_3.txt

Filesize
555KB

MD5
8595f5515fac09b73ff463056cb07a15

SHA1
80f39da9a52cffb70edaa4d7de82f543ba4d417e

SHA256
8223619e305ec5063e9e2c1490fa25f6e924c317b08fd5eed938bb5de2e57de1

SHA512
26f0a15484a8780fedcea91f9d90ab4b81a91598fad4cad54f45fd18eccf73914215851909bf8acadeafc7b89c656c98ec988a46aa43e17a364b39b5d8ac477a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_4.exe

Filesize
381KB

MD5
6e19de90efe6710dd07182bfd8c4a7c9

SHA1
44d6363d4f9d5b516e00ee9c189185009a22085a

SHA256
c3351fc984933786076fbfdcf4b4edfdcdb9a322851f97bb1f9d4b0e07dd2fa7

SHA512
20d6df44a73a3fda9d0859d9ac5fe4bcb18e94b8e8c549dbfd6a422892dd8411470ac4deb90dcf6f3f8ca48dc0670db39b567ab09e2457e18739372628b88093

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_4.txt

Filesize
513KB

MD5
6165de567602641b168294db2c515d9b

SHA1
d6d7c7425e275872c2e3aee21c122046e939dbb4

SHA256
0079d1cab1ce14ae4efdf61c15f123dd5864bce50a312f38c22104736691ea30

SHA512
f09d548712a925fd87a8dab226a25ef4338db5fe0bc3d09ff8025711b90ff04238b3233a62f0cbb0279329fe0fe2f92fd90fdc1e39d6ffbf53210c929aea47f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_5.exe

Filesize
5KB

MD5
2004cf8be15fd5919bbc08b5cde7d16e

SHA1
d1dd80090ba67d428b8bb1880deea78b5da6ac93

SHA256
e478e4da90a9d2606662c27d203a1bd32b0d009117c85a9819d301ae0876ae5f

SHA512
38225205f9354ae4d4111d8f8f319e5e8292f69a1b1e9d68b262274b666822c2001d3565981402fcc997ee5531fab59d446477ddf9d48fe5eb96125811c995fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_5.txt

Filesize
545KB

MD5
46272eff6494a472c0cd2755aa3ad4ab

SHA1
2929c56135fd3ee3e913832d77a10d48814d007f

SHA256
d114dc6dee72c6a69364d9a3d43fc382ec6ed5802e8267a44d625aec785b9d42

SHA512
c07107b0f3a706c7fd0e94c7a418c1f9028ec95da9f1b4e758db975df737913059e1a95f0bc43e165b037d2331da03effe61be57a9346becba0511f90f51542f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_6.exe

Filesize
186KB

MD5
28e40b1adae683f70b178d025ea7bf64

SHA1
24851934bbb9a67c6d07e48503e6296c91fff502

SHA256
1cde227af526781ff9553ffef5d3eb52bc5e78240150d8bddd20644f4bf80af5

SHA512
f02b499b6e10411affba70caf96694f6297f6b754c00b6a179421f5aa21a21bb8f8863d87fea358a280979dfede22a06188abc695e5be4ed578bb60d73aada57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_7.exe

Filesize
334KB

MD5
4e7e0abca0620a131437ba4a20a20420

SHA1
b9afa521a24fbf30ae1f50778b46024deadd989f

SHA256
7a9cd7ccc5b87c2c9880e845e4a495deb6de90b6a6b6254b57852323b381f681

SHA512
a3a013b5ed263e7ccada1df731bc44324b994580d3af781f0fe487f191924cb1140dee3fbaba388eb7a3a920ce1d5f0528228247f0f9586e6cb7a773c2365ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_7.txt

Filesize
371KB

MD5
4599ff664f9a446df95f96bd8e76815b

SHA1
fb5c83a89c10ca5b2a4af77a1031c068b64baf24

SHA256
93eeb10d3e8ee50141926d7ca1bcfacb14f5afc0ca149357ed0aabfe5e996ad5

SHA512
b83a0b881b613ab571ad34883a8b70c944903169ae0e0370d8256d258d7140c19101136e988dbeadc1d1e08a4d9885e56cc76bbfc9cb8cca5136224301aea704

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_8.exe

Filesize
8KB

MD5
c85639691074f9d98ec530901c153d2b

SHA1
cac948e5b1f9d7417e7c5ead543fda1108f0e9ed

SHA256
55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4

SHA512
4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_9.exe

Filesize
130KB

MD5
0c2053be2b16ae6f1c46ceb0d367f894

SHA1
d4c61b6b9f32093c66cba85e22ed3f9f90041bab

SHA256
f08442854f897ccdabc5cf6cdc8123c0ac21cf2a5802cb112bae59319183e162

SHA512
d5a4e2f9e10eb5aabb96760f63dcb39ea0a946d1d0474b1abcd6bb39aa4152db31e04abc842109f053ade94aa9a9e828449bea32598f8a142f7fe3c64619cd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCCBFB807\zaiqa_9.txt

Filesize
529KB

MD5
1938b302c10157360c8e76e7bce6dec1

SHA1
3444e064ce4e932ded5f5bb20fe6d1c214d2dad2

SHA256
ea00abbc07542807a7b470245bb66ad41f88e1ef73f04c0d100c2ab5d19b7699

SHA512
f1320f237c669d394ef0311130d88609ff072b5effffd3476af7bf9ee234e15719e9741256efc9598835af5693b016e7588881da4fa307218d8b2555ea5dd2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
128KB

MD5
7bb600bb155da3450e8d9820917a6a10

SHA1
c74cc836b0fe659784862ec7cde6138403c525a5

SHA256
9a6b77dc51ae735866423f5ed5c060df2382553bc8e8b15c2c8beb97913464a0

SHA512
1fb20f6da9d79e890cb11a44ce317b0c50a597cba3336ba09697b7d44c9fad8174c15081481b127d9e1b1860e6eb86b3142b5b60d9ad3ddd83c9634821f5d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
271KB

MD5
776e75ccd1ab3a70fd4cbef7f309f3b3

SHA1
cd6b073ce601c57a807c1c8db7f262764cf24c76

SHA256
fef7a8408c77f455cf0233e7ec44e3848125fae7bda299d23b11f38799573047

SHA512
44ea2280c8bafae8dc805913c0d38fe58a4e2a1d0f25626d85411db30d0bc7974dca4ea8552bfd3a0cd0489c9162f3237bd7a1f5b888335d3b9a4764abb2745b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
63KB

MD5
5a54d77780f5f1bd16abe82137db897e

SHA1
3f8f1909ad97bca2dd9892fea9559b2c017cefa9

SHA256
bcab4f29f53d95910c6de909ba529c295c4acf7789fbce30614eb6283fbebffc

SHA512
d57081dfae8899a216bf20ee1a860a00a56f42453d145286c0dcce343a643f006842450ec20991f7c1b41693a2fe94995f8b4e169f5211bbe007741370f498a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
498KB

MD5
231b9d1881474a26e3d9b891310c9aef

SHA1
e69c0c3c36c60b56e72087c794796d689119891b

SHA256
c383e9ce9db7d4d3725fa3a26f57531a404cad23e4aa932c9678129721f3c083

SHA512
441e7aec9c47f90f66a93d2d09e388805a8130cf404c807e9753df7472bf4adb85fe2480c6326741531603bfcf7c1810e66737fd5f7e588008e095fb59160dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
407KB

MD5
b5fea6d8a11d1d3f2e6be4055518e996

SHA1
2f734a1f02f3c68f9073ed7665b9de84ad7919be

SHA256
6a5da9d2f29574510e207099921ea241ad4058657f00e514bb0eebaa05c07280

SHA512
4e1aa28ac4649fb1459293ca21306f46a0cc2b59e7ec288c22ab5d7cb699019fb33aad063aceeaa76ad8f702700faa6d633554250a24a556879d54570a2111b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
986KB

MD5
f94fba196057526f36430243504c21fd

SHA1
e33c6110ffdd5bb2e443cabb22b9e11215802c70

SHA256
0b8d303b71a94729a26e898debfcd948a963efeab27250121d284b8a4a1ea171

SHA512
dcc79a2627b1905ca30f1bbb57f9a8ccdec11459fec3759e61b29f990a0251c5819e355b436747d2855b31bdc0327b27057b393f6297d0a3945644eda109eafa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
be0b4b1c809dc419f44b990378cbae31

SHA1
5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806

SHA256
530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53

SHA512
5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24

Download Submit
C:\Windows\winnetdriv.exe

Filesize
186KB

MD5
d0c299ec3c6c472f64f3240df92dd586

SHA1
3b9f2d69cfeeebf13d5ea7f9554eb43e7955bf15

SHA256
74feba1689da658900be6647f4647c5cbd6ac47d335d38999354d6701e79d77a

SHA512
6d28ff69cdc6fa7c22a55a394eda4fc54470bccb2fec88e02b423a3cf5122a641d090f4ba5bedb5d36d90a7ed1274818df9e8e4727134c767d72677919e6f0d9

Download Submit
C:\Windows\winnetdriv.exe

Filesize
268KB

MD5
1771f622fc79b9c65828df17eec5fb18

SHA1
b5b8b99c4501147d0a479a3b42a6a44072e2c005

SHA256
fb8a89f4f561bef222219f899e3a13f83879a5da1b0b302ff8854d8550641d85

SHA512
d4a2671878ab4e610a4fed541684867cad590d310ea207089f97016eaef823f8a46a1706177c41f811441b850b717cdff1610eba1b712f7d5ebfa145bc50ef36

Download Submit
memory/816-98-0x00000000007F0000-0x00000000008DE000-memory.dmp

Filesize
952KB

Download
memory/816-101-0x0000000072BB0000-0x0000000073360000-memory.dmp

Filesize
7.7MB

Download
memory/816-136-0x0000000072BB0000-0x0000000073360000-memory.dmp

Filesize
7.7MB

Download
memory/1336-119-0x0000000002DC0000-0x0000000002DC9000-memory.dmp

Filesize
36KB

Download
memory/1336-135-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/1336-113-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/1388-134-0x0000000002680000-0x0000000002764000-memory.dmp

Filesize
912KB

Download
memory/1636-75-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1636-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1636-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1636-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1636-73-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1636-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1636-146-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1636-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1636-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1636-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1636-153-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1636-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1636-144-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1636-76-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1636-77-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1636-74-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1636-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1636-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1636-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1636-66-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1636-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1636-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1636-48-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1636-78-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1636-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1836-107-0x0000000002930000-0x0000000002958000-memory.dmp

Filesize
160KB

Download
memory/1836-100-0x00000000027F0000-0x00000000027F6000-memory.dmp

Filesize
24KB

Download
memory/1836-97-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-165-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-95-0x0000000000760000-0x0000000000798000-memory.dmp

Filesize
224KB

Download
memory/1836-103-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/1836-110-0x0000000002800000-0x0000000002806000-memory.dmp

Filesize
24KB

Download
memory/2116-223-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/2116-201-0x000000001CB60000-0x000000001CB70000-memory.dmp

Filesize
64KB

Download
memory/2116-200-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/2116-199-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/2472-226-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-232-0x00000000028D0000-0x00000000028F0000-memory.dmp

Filesize
128KB

Download
memory/2472-225-0x0000000002830000-0x0000000002850000-memory.dmp

Filesize
128KB

Download
memory/2472-224-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-228-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-222-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-237-0x00000000028F0000-0x0000000002910000-memory.dmp

Filesize
128KB

Download
memory/2472-236-0x00000000028F0000-0x0000000002910000-memory.dmp

Filesize
128KB

Download
memory/2472-235-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-220-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-234-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-227-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-229-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-230-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2472-231-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2804-108-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/2804-178-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/2804-109-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/2804-106-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/3384-175-0x0000000003220000-0x0000000003236000-memory.dmp

Filesize
88KB

Download
memory/4220-155-0x0000000002F90000-0x0000000003090000-memory.dmp

Filesize
1024KB

Download
memory/4220-139-0x0000000004930000-0x00000000049CD000-memory.dmp

Filesize
628KB

Download
memory/4220-148-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download
memory/4312-185-0x0000000003590000-0x00000000035A2000-memory.dmp

Filesize
72KB

Download
memory/4312-159-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-123-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/4312-198-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-183-0x0000000001D30000-0x0000000001D3E000-memory.dmp

Filesize
56KB

Download
memory/4312-184-0x0000000001D20000-0x0000000001D30000-memory.dmp

Filesize
64KB

Download
memory/4312-182-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-218-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/4456-217-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-216-0x0000000000DB0000-0x0000000000DB6000-memory.dmp

Filesize
24KB

Download
memory/4456-233-0x00007FFADD200000-0x00007FFADDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-157-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download