5b21389d0ba14359062ed7c624cfceb142814a2a7296bfb48025041fa166df3b

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BACKUP_Tools20h2.exe
Size

8.2MB
MD5

dcc902f7e63d513c373f2772c0f37296
SHA1

f4007377ea9383d3dcb39e48b416b82b4b4bca95
SHA256

d7acc6749510f234edd24f0e4cd48fffc18b7385c788254fc3824639ec8f0f3a
SHA512

4de65826224baa795269ba456807ee0b934e20896086eab9ca9566ba48a59d1788dc304f65f8e43e0b467aa73a7d832ffe8d897f712f352bb6413254dba8a517
SSDEEP

196608:j8g9l203H/1DzUnUsXXVoFLFi1UHdAel6J00aPrS:j8gr2k/1D9sXXV+LM1tmQ00T

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	FPTW64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	FPTW64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	FPTW64.exe
File created	C:\Windows\system32\drivers\pmxdrv.sys	FPTW64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	FPTW64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	FPTW64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw64.exe
File opened for modification	C:\Windows\system32\drivers\pmxdrv.sys	fptw.exe

Executes dropped EXE 43 IoCs

pid	Process
640	M1.exe
2404	acpidump.exe
320	dd.exe
1628	dmp.exe
2356	Rar.exe
1940	Rar.exe
2868	devconW64.exe
2328	AMIDEVW64.EXE
1752	skhot.exe
2540	AFUVW64.EXE
2800	FPTW64.exe
1812	FPTW64.exe
2304	FPTW64.exe
2596	FPTW64.exe
2472	FPTW64.exe
896	FPTW64.exe
1608	FPTW64.exe
576	FPTW64.exe
452	FPTW64.exe
2404	FPTW64.exe
1012	FPTW64.exe
1060	FPTW64.exe
916	fptw64.exe
1244	fptw64.exe
1040	fptw.exe
2280	fptw.exe
2392	fptw.exe
1984	fptw.exe
2956	fptw.exe
1544	fptw.exe
2660	FPTW64.exe
2560	FPTW64.exe
2032	FPTW64.exe
2584	FPTW64.exe
2552	fptw64.exe
2356	fptw64.exe
3044	fptw64.exe
2848	fptw64.exe
2964	Rar.exe
2720	Rar.exe
1200	Rar.exe
2728	Rar.exe
1132	Rar.exe

Loads dropped DLL 64 IoCs

pid	Process
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
320	dd.exe
320	dd.exe
320	dd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
1012	FPTW64.exe
1012	FPTW64.exe
2908	cmd.exe
1060	FPTW64.exe
1060	FPTW64.exe
2908	cmd.exe
916	fptw64.exe
916	fptw64.exe
2908	cmd.exe
1244	fptw64.exe
1244	fptw64.exe
2908	cmd.exe
1040	fptw.exe
1040	fptw.exe
2908	cmd.exe
2280	fptw.exe
2280	fptw.exe
2908	cmd.exe
2392	fptw.exe
2392	fptw.exe
2908	cmd.exe
1984	fptw.exe
1984	fptw.exe
2908	cmd.exe
2956	fptw.exe
2956	fptw.exe
2908	cmd.exe
1544	fptw.exe
1544	fptw.exe
2908	cmd.exe
2660	FPTW64.exe
2660	FPTW64.exe
2908	cmd.exe
2560	FPTW64.exe
2560	FPTW64.exe
2908	cmd.exe
2032	FPTW64.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019c2f-231.dat	upx
behavioral1/memory/320-233-0x0000000003B50000-0x0000000003B75000-memory.dmp	upx
behavioral1/memory/1628-257-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/files/0x00050000000193e7-297.dat	upx
behavioral1/memory/1752-302-0x0000000000400000-0x00000000005A3000-memory.dmp	upx
behavioral1/memory/1752-305-0x0000000000400000-0x00000000005A3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2908	2940	BACKUP_Tools20h2.exe	28
PID 2940 wrote to memory of 2908	2940	BACKUP_Tools20h2.exe	28
PID 2940 wrote to memory of 2908	2940	BACKUP_Tools20h2.exe	28
PID 2940 wrote to memory of 2908	2940	BACKUP_Tools20h2.exe	28
PID 2940 wrote to memory of 2908	2940	BACKUP_Tools20h2.exe	28
PID 2940 wrote to memory of 2908	2940	BACKUP_Tools20h2.exe	28
PID 2940 wrote to memory of 2908	2940	BACKUP_Tools20h2.exe	28
PID 2908 wrote to memory of 540	2908	cmd.exe	30
PID 2908 wrote to memory of 540	2908	cmd.exe	30
PID 2908 wrote to memory of 540	2908	cmd.exe	30
PID 2908 wrote to memory of 540	2908	cmd.exe	30
PID 2908 wrote to memory of 540	2908	cmd.exe	30
PID 2908 wrote to memory of 540	2908	cmd.exe	30
PID 2908 wrote to memory of 540	2908	cmd.exe	30
PID 2908 wrote to memory of 336	2908	cmd.exe	31
PID 2908 wrote to memory of 336	2908	cmd.exe	31
PID 2908 wrote to memory of 336	2908	cmd.exe	31
PID 2908 wrote to memory of 336	2908	cmd.exe	31
PID 2908 wrote to memory of 336	2908	cmd.exe	31
PID 2908 wrote to memory of 336	2908	cmd.exe	31
PID 2908 wrote to memory of 336	2908	cmd.exe	31
PID 336 wrote to memory of 488	336	net.exe	32
PID 336 wrote to memory of 488	336	net.exe	32
PID 336 wrote to memory of 488	336	net.exe	32
PID 336 wrote to memory of 488	336	net.exe	32
PID 336 wrote to memory of 488	336	net.exe	32
PID 336 wrote to memory of 488	336	net.exe	32
PID 336 wrote to memory of 488	336	net.exe	32
PID 2908 wrote to memory of 1488	2908	cmd.exe	33
PID 2908 wrote to memory of 1488	2908	cmd.exe	33
PID 2908 wrote to memory of 1488	2908	cmd.exe	33
PID 2908 wrote to memory of 1488	2908	cmd.exe	33
PID 2908 wrote to memory of 1488	2908	cmd.exe	33
PID 2908 wrote to memory of 1488	2908	cmd.exe	33
PID 2908 wrote to memory of 1488	2908	cmd.exe	33
PID 2908 wrote to memory of 1604	2908	cmd.exe	34
PID 2908 wrote to memory of 1604	2908	cmd.exe	34
PID 2908 wrote to memory of 1604	2908	cmd.exe	34
PID 2908 wrote to memory of 1604	2908	cmd.exe	34
PID 2908 wrote to memory of 1604	2908	cmd.exe	34
PID 2908 wrote to memory of 1604	2908	cmd.exe	34
PID 2908 wrote to memory of 1604	2908	cmd.exe	34
PID 1604 wrote to memory of 1648	1604	cmd.exe	35
PID 1604 wrote to memory of 1648	1604	cmd.exe	35
PID 1604 wrote to memory of 1648	1604	cmd.exe	35
PID 1604 wrote to memory of 1648	1604	cmd.exe	35
PID 1604 wrote to memory of 1648	1604	cmd.exe	35
PID 1604 wrote to memory of 1648	1604	cmd.exe	35
PID 1604 wrote to memory of 1648	1604	cmd.exe	35
PID 2908 wrote to memory of 1196	2908	cmd.exe	36
PID 2908 wrote to memory of 1196	2908	cmd.exe	36
PID 2908 wrote to memory of 1196	2908	cmd.exe	36
PID 2908 wrote to memory of 1196	2908	cmd.exe	36
PID 2908 wrote to memory of 1196	2908	cmd.exe	36
PID 2908 wrote to memory of 1196	2908	cmd.exe	36
PID 2908 wrote to memory of 1196	2908	cmd.exe	36
PID 1196 wrote to memory of 588	1196	cmd.exe	37
PID 1196 wrote to memory of 588	1196	cmd.exe	37
PID 1196 wrote to memory of 588	1196	cmd.exe	37
PID 1196 wrote to memory of 588	1196	cmd.exe	37
PID 1196 wrote to memory of 588	1196	cmd.exe	37
PID 1196 wrote to memory of 588	1196	cmd.exe	37
PID 1196 wrote to memory of 588	1196	cmd.exe	37
PID 2908 wrote to memory of 1996	2908	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\BACKUP_Tools20h2.exe
"C:\Users\Admin\AppData\Local\Temp\BACKUP_Tools20h2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\START.BAT" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\chcp.com
    chcp 1252
    3⤵
    PID:540
- - C:\Windows\SysWOW64\net.exe
    NET FILE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 FILE
      4⤵
      PID:488
- - C:\Windows\SysWOW64\chcp.com
    chcp 850
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
      4⤵
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildLab"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildLab"
      4⤵
      PID:588
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "hkey_current_user\software\microsoft\windows\currentversion\explorer\shell folders" /v desktop
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\reg.exe
      reg query "hkey_current_user\software\microsoft\windows\currentversion\explorer\shell folders" /v desktop
      4⤵
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\M1.exe
    m1
    3⤵
    - Executes dropped EXE
    PID:640
- - C:\Windows\SysWOW64\chcp.com
    chcp 866
    3⤵
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\acpidump.exe
    acpidump -s
    3⤵
    - Executes dropped EXE
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\dd.exe
    DD.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\dmp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\dmp.exe"
      4⤵
      Executes dropped EXE
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
    ..\rar.exe m -hp123 -ma4 RW.dmp 1\*.* -x*.exe
    3⤵
    - Executes dropped EXE
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
    ..\rar.exe a RE.rar *.rw *.dmp
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\devconW64.exe
    devconw64 listclass net
    3⤵
    - Executes dropped EXE
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AMIDEVW64.EXE
    AMIDEVw64 /dms ConfigV.dms
    3⤵
    - Executes dropped EXE
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\skhot.exe
    skhot /capture=2 /convert=result0.png
    3⤵
    - Executes dropped EXE
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AFUVW64.EXE
    afuVw64 w64_AFUBAK5.ROM /O
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\15.0.1.1347\FPTW64.exe
    fptw64 -i
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\15.0.1.1347\FPTW64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.5.12.1111\FPTW64.exe
    fptw64 -i
    3⤵
    - Executes dropped EXE
    PID:2304
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.5.12.1111\FPTW64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Executes dropped EXE
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.0.36.1158\FPTW64.exe
    fptw64 -i
    3⤵
    - Executes dropped EXE
    PID:2472
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.0.36.1158\FPTW64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Executes dropped EXE
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\13.0.37.1556\FPTW64.exe
    fptw64 -i
    3⤵
    - Executes dropped EXE
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\13.0.37.1556\FPTW64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Executes dropped EXE
    PID:576
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\12.0.64.1551\FPTW64.exe
    fptw64 -i
    3⤵
    - Executes dropped EXE
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\12.0.64.1551\FPTW64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Executes dropped EXE
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\11.8.79.3722\FPTW64.exe
    fptw64 -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\11.8.79.3722\FPTW64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\11.11.50.1466\fptw64.exe
    fptw64 -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:916
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\11.11.50.1466\fptw64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\10.0.30.1072\fptw.exe
    fptw -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\10.0.30.1072\fptw.exe
    fptw -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\8.1.60.1561\fptw.exe
    fptw -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\8.1.60.1561\fptw.exe
    fptw -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\9.5.40.1868\fptw.exe
    fptw -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2956
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\9.5.40.1868\fptw.exe
    fptw -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1544
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\4.0.20.1316\FPTW64.exe
    fptw64 -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\4.0.20.1316\FPTW64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.1.70.2340\FPTW64.exe
    fptw64 -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\3.1.70.2340\FPTW64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.0.5.3107\fptw64.exe
    fptw64 -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.0.5.3107\fptw64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.1.5.1162\fptw64.exe
    fptw64 -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.1.5.1162\fptw64.exe
    fptw64 -bios -d bios-region.bin
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
    rar a results20.rar re.rar
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
    rar a results20.rar info.txt
    3⤵
    - Executes dropped EXE
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
    rar a results20.rar fpt-info.txt
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
    rar a results20.rar read_1.1.5.1162.error.log
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
    rar a results20.rar result0.png
    3⤵
    - Executes dropped EXE
    PID:1132
- - C:\Windows\SysWOW64\chcp.com
    chcp 866
    3⤵
    PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\11.8.79.3722\READ.BAT

Filesize
1KB

MD5
2539d2d3e01e11f204080146f8c326a5

SHA1
b0c9b4e75eb53ef0e786f174d108e777b9fce656

SHA256
674d1e119f602058ba4ba6e3cdcc197a0145f4a7469d574f40620b9b5b559469

SHA512
8d3118414b150cccf5ec521523ae983b666d75881bbc82abe2335a74b2ad78a3e334d4569ef194429f16250ebbd34744cf147fcaf3634eb5afc9b55e2e6b06fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.0.5.3107\idrvdll.DLL

Filesize
64KB

MD5
51b8d21ffd2d877519448a76fd38587f

SHA1
65238dc9a1039c22f3e734ee4b789a13fd94f2d4

SHA256
2895b244b7b36cf03ed8334a5bbca98df94b5a47bd9e5dbedbc769ca12f89003

SHA512
007208d2762cbe943e37cf91b9d2e4d71c35230f56ae076bd43b3bde23ef3bbc8091678b636eee7de3f34f7b6ecee67c65daf4a496f9ad7328a0a37f9057bf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.0.5.3107\pmxdll.DLL

Filesize
116KB

MD5
e37ac55433a42fa512d01281db662486

SHA1
1bbd415c39e73e417b4c28bd084901f0d77a57a2

SHA256
ff012c9b218945644fcd09961c12e92cd0012c3a4f618efb5c2f67e2eb76a893

SHA512
066d2754d34211e41e62a6973bb40e56045931ed04d4940bd4a9cee8534ce152d0c145ec1ce35972274287a8faa393ee2a524f5e37907a3860f02d607022d540

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\9.5.40.1868\READ.BAT

Filesize
1KB

MD5
654c244a2df82d8347369fffaef9f71c

SHA1
63881d5b1e44dc7164402de34452e795ad149f2d

SHA256
e6620aca696946f2f244119df1ce6a7df5b9ee109c84593ea5410a63a3cdc7d7

SHA512
b00f161bd4147ac634d479eef825d83ee348e9933abf9dd9906845217c94dc843031fa94394a3999b8e6a5f55f9505bbfa554b0ca05e52fea2dc159f07971b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M1.exe

Filesize
68KB

MD5
a0f2b7fc387c1d2dfef7101bd3dd83c1

SHA1
1779e5587c4ce7282a715294e4fa755a08f7c2da

SHA256
bf6fd787e1097648ff47371a83068247f296e419cb061fb1c1b89a30caffb25d

SHA512
7e580e1c9077785837f5458174819208124d2569ac54575a15ada3506c1d654a22cef1ab3378d97a86bd6e7c304ee61c2e9df26f513a663356d3e8e599f9e85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\START.BAT

Filesize
16KB

MD5
8a8431a21d2818c9b8c4a57931796441

SHA1
a98e0d671892d7125938544cb7e745eb1de57743

SHA256
320b89dc635b40cefd1c9db6778c2e50308650a672f66b5f9f1bdc4b5640ad3d

SHA512
d7f164d31da994d3eb60d9759bb5e9b9cf9bad68898d6373886f01ab45f88b74a2319e50dfd2547c4da6b09d42e80353890acf04e64e45530768a00454adc662

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\amifldrv64.sys

Filesize
28KB

MD5
a28314d05ddd77037cc0553866e18efc

SHA1
974d310cc9fe92f38719104e9af85426129d8758

SHA256
a0cb0ac518d7f7a8e50ea96d0e64c0cf53d7ed99bcab9951fc95e888c02660d4

SHA512
fdc55db944221e7566fdeba67dc12f47e48d05e84069fb0a9aa58b8d219a61a39d3f3758432229541b4fe8e3367fac0c4bc53b9f03feecaf943697115bdb35f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\devconW64.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fpt-info.txt

Filesize
4KB

MD5
5b1b7e01401eaa65ac8e7532f0cb6871

SHA1
f5b82ef0c900d97907bd513a84b2459ebb44b6a4

SHA256
c0af1e5b4da4fed82c98d841b562c91ec44b4c4c0976144ef3883dca675a0e11

SHA512
47cb7ce45b82d568833339015a5f0f41feac33b877a17b1a8ee273fe4a6cba91222b7330e2d76866c7e012cd2cc407ff4467416263fa5c89c7f9615a7f4fcfbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\results20.rar

Filesize
75KB

MD5
8e49e8260bf0209b6934a41dc41b151b

SHA1
ee3bf5380963a7e4716af1f2d0995ec4feddc58c

SHA256
9af064c596ae840a05df18423b8bab5ce11edfa46f80bf29492e51716351ff28

SHA512
64bcf221e991537e40c5c07d7f361ce95b0ef031ecb189470a65c458ead828d3f912769db00e6d95e0223258c0daee8c8e7e56ba5e6f4d2584a931af6411fb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\APIC.bin

Filesize
128B

MD5
286bbbf8610fc0d9f55663f6d03932a7

SHA1
33dbb0ab152ea2139ef1732490c909ec5450f819

SHA256
0f4c1ce30064bac479127411cc4099c9aab643d6a27f5f4d598fe54139c68fa6

SHA512
f8d3d73d4c51b34f89eaaea1b8e4ad9371994e2488bc0ffaf08067ef694aa34813720e2be4737fc015962d3e81b251f636c68c169ae8e5849d7c27a71bb97d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\DSDT.bin

Filesize
8KB

MD5
4b4fe10afd327a4054e99815f40ed554

SHA1
5e1c680043492141d39f7b05f737fbd9697d6ed3

SHA256
9a66a69d91626514723042903c08e466b1ed833622492f135651e820aaadb6a3

SHA512
3215f88641fc558440c61799673b9a6ba008f700653ae084693dee8a90112b6d1d5691d32edb1bc645ffa3fb68c9586964a3e5e4cc0d7d1f38b522e2a75d0d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\DigitalProductId.bin

Filesize
164B

MD5
9805127d8c04e87b4806714a7708c3b2

SHA1
bbf9a1e4ba9abf3c3a6c07182eb9fe762457a386

SHA256
43c69cc1487e0610ab0856e01516b85558bf79134e23ddd2ec28ebc660b3d296

SHA512
c79e09117f636f26e890232ea1c0325bbc6105af1dbd6d09846720721abb8a866f70596f12e7cf27874d2c60026e37e2bac7333c16dd733a32e495ce4b786d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\FACP.bin

Filesize
244B

MD5
72a626e98c379ebb39399bad41776570

SHA1
84491268a8bb4c552a42e2ded99b11ed48733c6d

SHA256
a06f103947414cc38af3c15300081a99781fa358481c2f28ff641ffa3b09b4a7

SHA512
b6cc404c81931eca1c6582a2cb893960f78f604b8c115467d6b30b2183185b53cbc60ae41bc890b3e3de803dbba53753d5d0c72fffdaa0ff23d92a8cebab35e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\HPET.bin

Filesize
56B

MD5
9b672ef5b1d83233fe8d23abd039dae1

SHA1
1ea83ec008da6c854da46f53a751c10201d1d1b9

SHA256
84eaf829ebfcd0f0f24a5a861a139fdfebafafe1d01e70b11d93881507bb4b40

SHA512
acab9633923f32e55e687964840566efeaada992a03ef9b8aedbd799a04ee56c8169174a97de9cac8551046deadbc1344de3ff1673a274bbb56e716a2b9b6584

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\MCFG.bin

Filesize
60B

MD5
adc30654a738dbd8a67ba86b9d5da120

SHA1
97a556fd69fd4baf9d365bab1b85be60048eb4d8

SHA256
94e216956b92cfd45272412b1dc263b700bbd97a9fdbb6a6148cc8195ffd6d2b

SHA512
dee2a5b3311c8f170c31714d511a3ff49b1e410415c96fcbf62659e05589bb2e7c56330afe59a29866a777806e63652a7babd94a1d3b1837e8071b3277667bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\PCMP.bin

Filesize
232B

MD5
ce08cdb5d86e7a526d687d623c6bb28b

SHA1
f299ff4e88fe85afd7588b50077417ad7226a73b

SHA256
413ffd75e7b6cc8d19f7c97aff9567b7ca5d0b6ebad5f3bbc201782d25f39727

SHA512
0af969d4ce4a7857338b39abc190014f05f196bf1fb8e3b83478c29748d72683eef33a7e5d4d8808b379b4fc390a701950c776ab688930e28f278ad3e5b34b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\RSDT.bin

Filesize
56B

MD5
f902721f3c950e0fb0aa2d5fe0e24443

SHA1
356dfff8563b72f83ac195c4afb757e927a40f69

SHA256
bd4ad0bc9e5f4d726ee21dcc1536154b31c6a65bb6bf81fc5b956d4cbcc521b2

SHA512
00eca23a1ffa160f2c41328e822ffaee7c5793de802c05da1f1b54470c0533ed38f2dfc34e1e3a6e85428a7e31877585a2adeb4b0910c90b0bcfbbcd23da9395

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\SMBIOS.bin

Filesize
401B

MD5
93d3d3498cef19263e98d8301ac2d02a

SHA1
336891dcaa91d3699b5c05860934aa0e45ed528c

SHA256
6b48b9ffa5981f50dc34a544e02d74d01055c7087c7aa8109f662a2c10f27838

SHA512
134a6be429414e85b3c202dffb800495b92a24263454d2348e3ddeea4eee1aca7eb0d3bdef597d63ed3148f0a8fedcb366cfb126585f8fda3d09a71dfb58a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\WAET.bin

Filesize
40B

MD5
e9edceea24484054848b49ca61a8e4c2

SHA1
8f1ee8cfb8d2ad53f55168db5875edca8ff9d505

SHA256
b3d8554056143136a6398958f589e5a09afdc181efc3eb0e08d5d7181ed29d95

SHA512
771e25361fde1f263237ab9ba0a888acdc3ab2df33dad559ca6e761d089df649f93ff00c7ce07b6eea116899af9066a6dc52cb00fccff0e49007200c4a628872

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\lowmem.1.bin

Filesize
128KB

MD5
15e6b61e56acf608c463487172696dcd

SHA1
70c370a21d365e4bf1ac87ffa6d9b62b76b72b39

SHA256
b3bc85ff410f5144670362aaee6c3c57ce04489341e0d9c41428eba82f091842

SHA512
ed1127dc02aac8d774a5fd943103463ff002d163e151c00c8033609ea83535a8a555a7fba04b1e7e07df21032db768b09f84a0c30a6a4b662111c6e89cfbacc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\lowmem.2.bin

Filesize
128KB

MD5
85e78252784b57317aa1701cd7b46b6a

SHA1
a05690fe4b921a3f3d365b595b8f511d3196a4af

SHA256
112f27693e04543c36a0a93e3a6d3785eaaa303925f2628f947d3fde5225f9f1

SHA512
bd646a22eeecac3f13a2cacca8c2e9523b29fcc8db7e134fb426428030e92d1e77f1ddf072948d26c9d9044abbd79d3b6f916379badc4652fc47056fbaf4924e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\pkey.txt

Filesize
29B

MD5
cad6c6bee6c11c88f5e2f69f0be6deb7

SHA1
289d74c3bebe6cca4e1d2e084482ad6d21316c84

SHA256
dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

SHA512
e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\RE.rar

Filesize
73KB

MD5
46216febf9fc0a995e627217e0727293

SHA1
adcec81c4af142b4d36f6e40e90397c1fc65fb1a

SHA256
37115422290e4a28294fecf6dad27e529e075eca6d79b7414968acd31ba1ace2

SHA512
77a33ab65ea3377f3383e0a13a91b367c8a513c0184203267cd7679a39b181233fd487cae316b85f53744c9b7fcc91f46c2b3e649e37825f6d5924531ba30a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\READ.BAT

Filesize
232B

MD5
516474fd7acfa16af69a215d58644248

SHA1
27e6525de8f4656ae535b29daef51246a0e4134b

SHA256
5c0774ab19091f3ab6645bdbbc822a3fada3febb7caea1f7ba8424aa7b715753

SHA512
e05f0312494306f042daba47889677bb06ecf61ffc99a476fe306a244d6bd65074e853d8310b7688b88ce3ef79b254514cfaf70ceb60519c8332e339721b93ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\RW.dmp

Filesize
73KB

MD5
8bb584713ea145f7301c714e8ea86727

SHA1
d3f16d4925b4b73e3a8c9891f1569c843b5fd8a2

SHA256
874dae594b2330ea442213c9a7626303514bf198cef8a90a0741658882013845

SHA512
a246b913dc2e0d1f59b560f32691594f12b3a31313907d1c3c23507563c10f4bc8534f962c3738172d7a08593aa4059f69d8d1aed80e8bc2f718408e9b7bf6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\dd.exe

Filesize
238KB

MD5
b14c0a1c859dc9bf4e4fce07fe79d70b

SHA1
fd004a7ddb616aea0dd85f71313be0845acbf645

SHA256
5af0c8913c87f7396797ad42482112e99ad825bfd3ea1979a5ee31f165c93f24

SHA512
7fbf1bc6912a2ee1156a0e0bd6d280516fc5f1ecfefa77ed058d9e32b790165cd2da77415350bc27e0b0e62cdbba5df655c5e76224890aaff78c07524403122c

Download Submit
C:\Windows\System32\drivers\pmxdrv.sys

Filesize
30KB

MD5
0bee791c7c7ace453c134e73633c497d

SHA1
17bdfa70fe84e515183e5fa675d72d5d0e2090e8

SHA256
82b30461dbf40ac15fce6a83b9bad2ebd05b27dea1b784eaa096422fe8927b7b

SHA512
8db0975ac6a765538219f44596d54201af35ee7afaabc36f34f8121562868ff1fdd986925b705aa09806e3800a06cf4a7969d34f63413fd3c32e39f9761e54ac

Download Submit
C:\Windows\System32\drivers\pmxdrv.sys

Filesize
42KB

MD5
3807073232994eca5dafe266b9674743

SHA1
9e5fcaea33c9a181c56f7d0e4d9c42f8edead252

SHA256
b1a8ee1222eea5f199028d90b9b77c2acf46d6d84a9e125403b2888c6f681c72

SHA512
810ba4e3eec0565b790b85aa47fcc84edab7e4d527329c053a7de16e5d399b5512b1af1e7d45bef3378f9eface713624abd1fceb7ca50dcf7b384c693dda2c09

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\14.5.12.1111\FPTW64.exe

Filesize
3.0MB

MD5
dd47511e48967fd7754234aa16cb91c0

SHA1
f4b05c4906ddc0c20e933e19b0b46ad554ab58d8

SHA256
6779f19dd83525b8fd53dd39d33bce6d1662c1572a360ce99477e3279f87a67b

SHA512
f3a2fd245086f0a00e5e018420014e2a70373d844bf226cbd241f46ddcf00ac4641a7fc3dfeb050fb4318d79bdb30edc39865c8c1da92491b8248a70b9d3a053

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\15.0.1.1347\FPTW64.exe

Filesize
1.5MB

MD5
e6953868d73883864c8bab098db7446d

SHA1
670080db311a72a784a72714952d97d53736a32b

SHA256
ebe6ad0a6cc1de67cde39984768310eb4194aa05aceebb1d6a7b843d91b03747

SHA512
24d20f9af29f973076537b6d25218d7e1d8305be6a1a6a4b349517b94399e9eda589036d132adc79175c61013647d44cd16600914c19b8e85038b43087aca8cf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AFUVW64.EXE

Filesize
1005KB

MD5
f9355dfc8035cdd51d2b7acc1b853996

SHA1
140747473700289123c2f4d01ec50f051a43881f

SHA256
0468b93604934767612754af2565457ae57e56df2f7ec2018a724714d43d0b74

SHA512
942dc781c64b9acf3e5af8e66d21060e37be2c999ed2b121c0264fb6c77d4603d3c709d07f5e4493c44a8adb62d573074f969ddc9be3fe1ecfaa9b8aaf08a800

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AMIDEVW64.EXE

Filesize
455KB

MD5
9adfcdac59db3286690c7eede8da2528

SHA1
0b54d251438a634bd13b49a1f20587cf03d4598d

SHA256
13037eedd91f9313ec0d807947db65c639642e5ae6497e87d12fa6d19951f78e

SHA512
fde1700cdb4212593ec2733944a169c7d02f436ca6831719a33482fbfd0be289697c9aa6ce7ddfb6c245e87952b35416929bbf69753d21a24197ac6c2d1243cc

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe

Filesize
478KB

MD5
55dbf06a7f3a908ab0fbd2abde77a03b

SHA1
9c94cb77bf931b66faf022440632ce9c1a3133eb

SHA256
d5312fd74c6241b4eaebe28bb57c2b8ef2a019a5636f2bf3f4bc549900700816

SHA512
1cd7e3ec1274751cf03138d08bf17ff91d6a56e0167ded53e73e1a05a06c6b56cc8d6db3c16f587f5d13894fa159410e748275861a4cd784450bf7e148f5d882

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\acpidump.exe

Filesize
85KB

MD5
2d5bf8b5e54166fe430e410cc93e2f90

SHA1
49ecda2faceab5d3eecbde25dd8a51d53210b074

SHA256
995dc83501a36a1c4f6f527f3d9f6898e45750d836da8b0787ae0221bf5af71e

SHA512
ad64b42075dce4b6b45a57455390e4eec977ea4f38e85aabc455df302c5969172c23d4dcd61296b30a880fe664e70a3288ca4913d3608cd362483e72839abf6f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rwe\1\dmp.exe

Filesize
49KB

MD5
08129b3c0ba363ff8f82acc745ac91d4

SHA1
0efba2786a0865dc300dd95cbeaa17c0f0fd8070

SHA256
b9e49b6a86fcca5e1eaca8a743b6f44d8567c03a1f59840492847dcaffc8643d

SHA512
5da0f3c9c4d04e42d620de4951e77dc90ebf15ce9c60245c08d16be285176abe4a81297afede88dd7dc3c1b9caab5f2fe86468658a7145595f14f828d00f7ced

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\skhot.exe

Filesize
589KB

MD5
98631cfe5b6e5a768abc256d43b5db2c

SHA1
99ceee1579751af5c86dd71ee2af814e88099f2b

SHA256
5f890248a7eb1b1abd023268ecfca75ea46eb8362ed1af2c3ff8e3151c09236f

SHA512
028a88c9c31a5afb5bbe37b9454876bc1ef614da0c9d4233e6c276d5aa687349e1d4f6ab4fcfed299240b89138e56574e698ce12aec03868c495f692449cf5a9

Download Submit
memory/320-242-0x0000000003B60000-0x0000000003B85000-memory.dmp

Filesize
148KB

Download
memory/320-243-0x0000000003B60000-0x0000000003B85000-memory.dmp

Filesize
148KB

Download
memory/320-233-0x0000000003B50000-0x0000000003B75000-memory.dmp

Filesize
148KB

Download
memory/1040-402-0x0000000000100000-0x0000000000115000-memory.dmp

Filesize
84KB

Download
memory/1544-433-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/1628-257-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1752-305-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/1752-302-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/2280-405-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/2908-303-0x0000000002870000-0x0000000002A13000-memory.dmp

Filesize
1.6MB

Download
memory/2908-301-0x0000000002870000-0x0000000002A13000-memory.dmp

Filesize
1.6MB

Download