99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1

Analysis

max time kernel
299s
max time network
304s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe
Size

5.4MB
MD5

d2ecf5f2a271da094867f6dc31b3d60e
SHA1

b8b7ec24a5c6f1a0ad96e989003516b656256d2e
SHA256

99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1
SHA512

9b6f1a5ccf1c7312cf0a7bcbf253516d8ae9f56cc5408d6fd209e0bc26eca9237b6fed0fddd94746bba14c4f5560f279cf933647facf31a77762e05f66ff365d
SSDEEP

49152:wDShb1KwGF4Ilow5sADndfK0IptgSoP6MRM2BTXwmlPJmqHc4h/:VQK0/lX9PJhHc

Score

10^/10

discovery evasion execution persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1984 created 256	1984	99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe	1

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe
2712	powershell.exe
2708	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
1720	5wvh09jhyqcmazc3nisl.exe
2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe
480	Process not Found
2784	main.exe
1136	main.exe

Loads dropped DLL 23 IoCs

pid	Process
480	Process not Found
2784	main.exe
2784	main.exe
2784	main.exe
2784	main.exe
2784	main.exe
2784	main.exe
2784	main.exe
2784	main.exe
2784	main.exe
2784	main.exe
480	Process not Found
480	Process not Found
1136	main.exe
1136	main.exe
1136	main.exe
1136	main.exe
1136	main.exe
1136	main.exe
1136	main.exe
1136	main.exe
1136	main.exe
1136	main.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1784	icacls.exe
1264	icacls.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2720	sc.exe
2812	sc.exe
2796	sc.exe
2788	sc.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2540	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 908eda60f61ddb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1984	99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe
1984	99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe
2796	powershell.exe
2712	powershell.exe
2708	powershell.exe
1720	5wvh09jhyqcmazc3nisl.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeRestorePrivilege	1784	icacls.exe
Token: SeSecurityPrivilege	1264	icacls.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2796	1968	cmd.exe	33
PID 1968 wrote to memory of 2796	1968	cmd.exe	33
PID 1968 wrote to memory of 2796	1968	cmd.exe	33
PID 1968 wrote to memory of 2712	1968	cmd.exe	34
PID 1968 wrote to memory of 2712	1968	cmd.exe	34
PID 1968 wrote to memory of 2712	1968	cmd.exe	34
PID 1968 wrote to memory of 2708	1968	cmd.exe	35
PID 1968 wrote to memory of 2708	1968	cmd.exe	35
PID 1968 wrote to memory of 2708	1968	cmd.exe	35
PID 2676 wrote to memory of 2540	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	39
PID 2676 wrote to memory of 2540	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	39
PID 2676 wrote to memory of 2540	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	39
PID 2676 wrote to memory of 2788	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	42
PID 2676 wrote to memory of 2788	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	42
PID 2676 wrote to memory of 2788	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	42
PID 2676 wrote to memory of 2720	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	44
PID 2676 wrote to memory of 2720	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	44
PID 2676 wrote to memory of 2720	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	44
PID 2676 wrote to memory of 2812	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	46
PID 2676 wrote to memory of 2812	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	46
PID 2676 wrote to memory of 2812	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	46
PID 2676 wrote to memory of 2796	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	48
PID 2676 wrote to memory of 2796	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	48
PID 2676 wrote to memory of 2796	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	48
PID 2676 wrote to memory of 1784	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	51
PID 2676 wrote to memory of 1784	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	51
PID 2676 wrote to memory of 1784	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	51
PID 2676 wrote to memory of 1264	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	53
PID 2676 wrote to memory of 1264	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	53
PID 2676 wrote to memory of 1264	2676	h7p7bf7rqgd6uelifhix1es1l4jk.exe	53

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256
- C:\Users\Admin\AppData\Local\Temp\99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe
  C:\Users\Admin\AppData\Local\Temp\99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe
  2⤵
  PID:1192
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k "C:\Users\Admin\AppData\Local\Temp\9ctfdx2utan4rg04o6.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2708
- - C:\Users\Admin\AppData\Local\Temp\5wvh09jhyqcmazc3nisl.exe
    "C:\Users\Admin\AppData\Local\Temp\5wvh09jhyqcmazc3nisl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\h7p7bf7rqgd6uelifhix1es1l4jk.exe
    "C:\Users\Admin\AppData\Local\Temp\h7p7bf7rqgd6uelifhix1es1l4jk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\taskkill.exe
      taskkill.exe /F /FI "SERVICES eq RDP-Controller"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2540
  - - C:\Windows\system32\sc.exe
      sc.exe stop RDP-Controller
      4⤵
      Launches sc.exe
      PID:2788
  - - C:\Windows\system32\sc.exe
      sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
      4⤵
      Launches sc.exe
      PID:2720
  - - C:\Windows\system32\sc.exe
      sc.exe failure RDP-Controller reset= 1 actions= restart/10000
      4⤵
      Launches sc.exe
      PID:2812
  - - C:\Windows\system32\sc.exe
      sc.exe start RDP-Controller
      4⤵
      Launches sc.exe
      PID:2796
  - - C:\Windows\system32\icacls.exe
      icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1784
  - - C:\Windows\system32\icacls.exe
      icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1264

C:\Users\Admin\AppData\Local\Temp\99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe
"C:\Users\Admin\AppData\Local\Temp\99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5wvh09jhyqcmazc3nisl.exe

Filesize
96KB

MD5
319865d78cc8df6270e27521b8182bff

SHA1
716e70b00aa2d154367028de896c7d76c9d24350

SHA256
a78945e7532ecdb29b9448a1f3eef2f45ec2f01ca070b9868258cbcd31eac23f

SHA512
78cd48c8ba558dffc204a70dbff13889984f80f268a715fec7fc018a7718a11822975f775d44a927c5815aa2ccc0d78502264354bf5d8c0502b5a0a323948611

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ctfdx2utan4rg04o6.bat

Filesize
259B

MD5
261a842203adb67547c83de132c7a076

SHA1
6c1a1112d2797e2e66aa5238f00533cd4eb77b3d

SHA256
49adf0fc74600629f12adf366ecbacdff87b24e7f2c8dea532ea074690ef5f84

SHA512
7787c5f10ec18b8970f22b26f5bb82c4a299928edb116a0b92fb000f2a141ccb4c8bcab3ab91d5e3277abda8f2d6fe80434e4aef5ee8a5cd3223cfb9989a6337

Download Submit
C:\Users\Admin\AppData\Local\Temp\h7p7bf7rqgd6uelifhix1es1l4jk.exe

Filesize
10.1MB

MD5
7d1755e8e41a6c2f08d2faeffdf9dad1

SHA1
c04d89f1054f2ee34b548126a5add4eee4751ae4

SHA256
44cf4321c138c4cacecc95deba735f508c96049e7f0e8f0538684dc4f0c1e9a5

SHA512
b099238838b0d8b258529126b3c279ac735feff778d52c3117eb3cd587267a145a09bc1317fb412b2c810ea8b2232a8218fe459e33ac99f9b48decfdc62e4816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dfd3210cea2ad488691dd123fc9afe23

SHA1
67980c0482ccf7d1cc250eac7c223af5d16a810a

SHA256
145bc302f89d5a5ec1fdf550e74f5bee9744f341268802574603132bee6e81ce

SHA512
270fe4074faaede4683becc513a45f97f2e61fc4eef81a8163790ee63abc22153392ecce8b3eb5241d77a7cd2bc07a4fc68065a5bae66df209a17fcf5775bee5

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl

Filesize
456B

MD5
40ab00517f4227f2c3c334f1d16b65b4

SHA1
f8d57af017e2209b4fb24122647fd7f71b67c87c

SHA256
4baf4b78d05a28af7dee7dbbce2b4edf6053d9239c1756c932be9f2feee4ef85

SHA512
75d74306f043b864295f09a60c19a43494c226664733c99318989ce5c22cb9395bb407fb5c8c0268ad9184a79813304ed5fc943a6b53db54f5f225cda31650e3

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

Filesize
112KB

MD5
be6174ae2b452da9d00f9c7c4d8a675b

SHA1
0abd2c76c82416ae9c30124c43802e2e49c8ed28

SHA256
a62bdf318386aaab93f1d25144cfbdc1a1125aaad867efc4e49fe79590181ebf

SHA512
5631b1595f8cee8c0dfa991852259fee17ea8b73a9eed900a10450bbb7c846acfc88c32930be379d60efa6ae1bbbead0a605a9f36e20129b53bca36b13ba5858

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

Filesize
872B

MD5
578da7f3dcda8f84634165bfb3caed3a

SHA1
dbe8370f7a197a427547100188ad675d4330cbf9

SHA256
405ad8786a50493564bd1ac738eb3275ab646601e4a457277157ca55b568b663

SHA512
b419954184d87add08c0b95bce0354dd29a78f127e293f73d6545ebb1c2a050a1e99e12e9e1bb54e213e113f6e7986073d356da7d356d18de7bcdb2ff69e6fbd

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

Filesize
214B

MD5
26702faab91b6b144715714a96728f39

SHA1
cbdc34fc8fd3559cd49475fb5bc76176a5f88ff8

SHA256
83d30846dd5576de38a512b17163419d22ff35f2f5b0fe613c401e8a5a25b7a4

SHA512
50d35d3dcd60b6e57c1a277e6c3e7afbb5c2b46425732fc5a9fd3c0a55febf5ab3f05411a83cec230aac40199774ff78f30848d57d1e04a11b9e60777b038289

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

Filesize
955B

MD5
8831684a10b8cb4431682973a81e647f

SHA1
ad4f55dd96bb7b54e141fb28cba430fc891c444a

SHA256
689c1fe15d0d6c463e90cd346d54974327f9ff7f78490b9dc98ccc03de850b5a

SHA512
995a543c23696c824628fdf98cc52e1c38a08af2cc4f92b1e6d94c1935669abbaa521f7b2713471437cbe6395708e5e5ba19cc4efc5f0eacbb99b083e3c4c100

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

Filesize
1KB

MD5
38dcab5f749f0d8692743956a60081df

SHA1
4506995771440eb1feda5da2ddd9b47cdfaed476

SHA256
6182cb0cabd5030ea36a86ab407c8a4a7652ed8263285a521b37e2a47fb52416

SHA512
d101af3647155884dfaeae999cb1d3305f3943fc00419f92fcf3c3dc46ae999a93f5d3ea6b69270d629b38add65d53f3d8107d6cb7e66bd0e2c9307b7e035cd4

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

Filesize
8KB

MD5
27535cee6740dfc50a78a0322415e67c

SHA1
e80541cf15c8ed4c5eeda8d8c24674a5b8a27f61

SHA256
fb0cdbf4e0215ae1866e97860c2ac3dd96e7498bfe2af3d82378041cdff7f292

SHA512
25f11a8262b5a2f59bd6c9d8673b5ad5a140eae8c007244810b2924eb08b5cf54ae19e61be5139319877278d11868bbd85bd2e6c67f5fad4e2a458e2844ebc0c

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

Filesize
60KB

MD5
688fdfae15f328a84e8f19f8f4193af2

SHA1
c65d4cda0c93b84154dfbc065ae78b9e2f7ecfa8

SHA256
8d37ff2458fde376a41e9e702a9049ff89e78b75669c0f681cfcafba9d49688e

SHA512
f19bc7f204dbe3449abe9494bfff8be632f20f1b4b8272f0af71c4cec344a20617c0909c024cb4a4e0c6b266d386cb127554dc70f3a6aa7a81daf1a8748f5d2d

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ntcp2.keys

Filesize
80B

MD5
e5a9d8eabd21e0ea2b7ffb65e70d0c3e

SHA1
1c96963613377f11b5a24b80424f657003225e91

SHA256
c6729e8b43a374c57e17295953345e6458f26aaddce28eff4d9835e81414bad5

SHA512
3887e3d2286d405e5769a68fa7f72bb01e7f64d3d8d3911a12a19ab318b871269167b775ebecdb41bce456ec85a85157a4ddb9868e64350d044f3c4d28b25d52

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.info

Filesize
721B

MD5
18bc70df66cd35bf0e5364c730838f7a

SHA1
00762a4ff787763d9d6bb2f71065db375c5ae1b2

SHA256
9f509f4758d39a366e277e7127cfae7e8d0faa0f685d4f1923134cb5903e7da6

SHA512
bc193511e76452e1106d3c2a5d3b2dca74f5bc2299433edf44cd54586ab46fee4305693f38a4587e61ba999d5354908bf97e68e1b481ca83ea728a59046b89a5

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.keys

Filesize
455B

MD5
21a30086bb9087cf2c2fa3787beaeed2

SHA1
617dd4aeb519b2018e9f745a8d102e17d8c69a3b

SHA256
947853f5e135ab926da4e07cb79fa0ed2e9ac8c9ae509e7842033ddbb1791c77

SHA512
2d987f1dc1ae2a7c9165280ccc593fe9d83de8bda64372aadb6b98f2f88ebb44cb0177f731b9734fa7e8196b4867cf4f5b10f25d1fa8b44e5515e6f2dbd9f901

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ssu2.keys

Filesize
96B

MD5
fb567add684d0113ae9abc5b00883ab0

SHA1
a09ca990b91ff77ae5049e1cb19c3ec7b30d0233

SHA256
b67b1a95415c35477bc78ac920580b1ceaef02daae94b23352c04ead7c7b2e15

SHA512
16af8806032e838e7e11196fba819036a2e6d13eb2e15fb9f934f30b672181f1fff446641a701698a03a999461843acb25d5b9f9187359eb7ecb7f973b768451

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log

Filesize
1KB

MD5
94eed79f76fdc3abe19e9a401d514c01

SHA1
4013dd05df3e381fb5c5e90d559f756811658e98

SHA256
27f8ad549a4e926a727a34d71ae2eec08be97b328de2f76b1959d83fd62a4e25

SHA512
5bb62c2127df01e650df3e8d017f7ec51a2d14bae401d82ea49ed4fe4c38554d6e4979f9939ca46e696823df9c4e328a55b99b22b9d5e4f42ee8eefdef2672a3

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log

Filesize
860B

MD5
a2efd39a358c629fb35a9640cb3f3d97

SHA1
6ca4fee4d5074f776413c0089f5ba7c1ff3d9b85

SHA256
7f496d9f85b628bfe144dba70ef80a755d7e0bb1cfc6b8a0e75493827bc2b039

SHA512
54650d27d807ba264deeaae5e8b55ff17d3d2bff15967575ee705b369544ce6585c5dfc162adfac45f27e1b667b0ca95cad3a27360ebbf4dd0dd9a2e61ad858b

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log

Filesize
1019B

MD5
2b4ed79d7c52ecd96456545227b30fd1

SHA1
cd0a5f22d723667314c2691aa21a3580e3011eb9

SHA256
b712e7edd8f4c464e9398f2d847fc6110936c62bfccd7e5ada241cbd8ae95236

SHA512
1f67b6a7dd4c16fa6aad1a67e6b6b44b1acfe672bb7a3012902cc2c6963241f82a26d25de8eff091324916e7eb099c06be862e5e3ce088153ba650bc88509935

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log

Filesize
1005B

MD5
024ebd3091cbfa5ddc502eed49a05572

SHA1
12dc7e310f8224ee68fff69ce617366221a16865

SHA256
5a9aa4e0cce2aefb9cfffb68846e2aeef112a59d0c5050f3df988831903538c4

SHA512
23692250914655669bbc95a4c702921652d3c6ff4ad3f0e20ff76f988f5c01878f6eda904a7d47f6d60cc825b5e05b23da8d7e8728ccdd2e0cc0163e589138c7

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log

Filesize
979B

MD5
14af6ebf27d11d5a360e13c501b5c166

SHA1
9903274c8c0f658afa3ebae938a68715341ac6ff

SHA256
35d7664d2d08dc46ac9f9450ca56ed29f2af333b12b8725d4b73a0e7ef283899

SHA512
7d56d6da1b16f213860c5718dc21421f519b8834ef2ff63b7095e5f92b11459c04ecc9f30c353829f176f54569d80840dea9505638162719a991dba5cb2dca29

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg

Filesize
10.0MB

MD5
312704a6232d74733de04c6e00f8cf21

SHA1
2b4820ac82c5b851464d6563fa6ea0cb3e3629c2

SHA256
8d11890f2b70ba2abb4b017b05f3bb1d20eca6ad3eb84f0251e0857c77682c9b

SHA512
5c32b9a8267c57ce640e7612bdecd7d7ec67f4e0ab48dd97a53373d220765ab234bc28779f524e788e1e03d8857ccd7755a22f19e1a34ae36fd6f33444016f01

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

Filesize
102KB

MD5
7a8e8a0842d8d65713dee5393e806755

SHA1
af6f3a52009fbf62c21a290efc34a94c151b683e

SHA256
51c131081921626d22faf44977d5e4dcfe00e5d6cddeda877a82f13631be7c2e

SHA512
d1b8d93b7efbeaa348d3a01293ad5d92bc8f28eb2554df5e6e71506d00d135390082c52c18d0bc3f0439b068777d8b2c43aaed930c72e5ffab2593eeac470cf4

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

Filesize
90KB

MD5
fdcf93acd089b505b524ddfa0ff947f9

SHA1
a2bada5807ba001758dbce46da634332a5cc14c2

SHA256
adfe373f98cabf338577963dcea279103c19ff04b1742dc748b9477dc0156bb4

SHA512
110455dc5c3f090a1341ee6d09d9b327cd03999c70d4a2c0b762b91bc334b0448e750cb1fd7b34ce729b8e1cd33b55a4e1fa1187586c2ff8850b2fd907afe03e

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll

Filesize
8.7MB

MD5
676064a5cc4729e609539f9c9bd9d427

SHA1
f77ba3d5b6610b345bfd4388956c853b99c9eb60

SHA256
77d203e985a0bc72b7a92618487389b3a731176fdfc947b1d2ead92c8c0e766b

SHA512
4c876e9c1474e321c94ea81058b503d695f2b5c9dca9182c515f1ae6de065099832fd0337d011476c553958808c7d6f748566734deee6af1e74b45a690181d02

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Filesize
87KB

MD5
4e320e2f46342d6d4657d2adbf1f22d0

SHA1
a5acfe6397dffc61d243206885c389ea05428755

SHA256
7d4a26158f41de0bfd7e76d99a474785957a67f7b53ee8ad376d69abc6e33cc8

SHA512
e8e044fd17b36d188bb5ee8e5f7bfc9aecc01ab17e954d6996b900bc60d6d57afd782c7e01df7cc76a84e04ce16f77fe882f2d86e5113f25c1c3d385cfae37a5

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll

Filesize
103KB

MD5
91a0dd29773fbfb7112c5fcff1873c13

SHA1
e1eaf1efb134caa7da5aaa362830a68ab705c023

SHA256
ae2d023ebbfeefd5a26eaa255ad3862c9a1c276bb0b46ff88ea9a9999406d6b6

SHA512
f7a665a218bb2ccec32326b0e0a9845b2981f17445b5cb54bba7d6ef9e200b4538ebd19916c2dacb0bbe1b409c14a499b23ba707874ae1f1b154279c90dc33dd

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll

Filesize
126KB

MD5
c89542aba45ce1084760ae8de6eae09e

SHA1
603560a3e4b6a8cb906ca98c907373adbf4d3b1c

SHA256
1b6e559dc0cb37ebb2311c7cbf01b039f0dc1c3ec6da057837451a531b1e2cb0

SHA512
60a0eb698afe25cdddb133fc937fee478f1e0f8af72b825c19bb2d544fafcc217babf6dd3d01704a106677e92aae3dd57538e34731c950da17f5715df0732ff6

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll

Filesize
36KB

MD5
e3e4492e2c871f65b5cea8f1a14164e2

SHA1
81d4ad81a92177c2116c5589609a9a08a5ccd0f2

SHA256
32ff81be7818fa7140817fa0bc856975ae9fcb324a081d0e0560d7b5b87efb30

SHA512
59de035b230c9a4ad6a4ebf4befcd7798ccb38c7eda9863bc651232db22c7a4c2d5358d4d35551c2dd52f974a22eb160baee11f4751b9ca5bf4fb6334ec926c6

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll

Filesize
113KB

MD5
d0f0423aeee6b6ff6754d860603d46d0

SHA1
a06f3b9605b3398ba68154da39adf26ddee41743

SHA256
81da68f52df2ed997c374ccbefc56849650770fb30eda8f202bbc7fc3fe6a51d

SHA512
c30faede4520ff1c859b8b39e351112cfc60daeca98b1359f9f86ab79bcfb996ba84f35a5b178b4abec66152864720e58f741ae13d06b64913e240a1f9e6a633

Download Submit
\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll

Filesize
89KB

MD5
4c086c8f48c4d0f8c20410e60340aec9

SHA1
77481360a98f3018f92a57b66e1dc7a6ec0dd0e8

SHA256
0a8fcb54df736100f5792b6ce57ae165553712cb1e5701e4e0dd7620e6089f59

SHA512
cdbcc2fd4195a6fa5a343234a745e3e7a558f68a496d376fdf6a86d585c9fa39a64f0ceb20a2d2e6e30e59ba46f62493e500d6eeb033fa981daa60f00ee42f14

Download Submit
memory/1136-257-0x000007FEF7430000-0x000007FEF7455000-memory.dmp

Filesize
148KB

Download
memory/1136-258-0x000007FEF7460000-0x000007FEF7483000-memory.dmp

Filesize
140KB

Download
memory/1136-259-0x000007FEF7410000-0x000007FEF7430000-memory.dmp

Filesize
128KB

Download
memory/1136-256-0x000000013F6B0000-0x000000013F6CF000-memory.dmp

Filesize
124KB

Download
memory/1192-43-0x0000000000A30000-0x0000000000A6C000-memory.dmp

Filesize
240KB

Download
memory/1192-9-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1192-16-0x0000000000A30000-0x0000000000A6C000-memory.dmp

Filesize
240KB

Download
memory/1192-44-0x0000000000400000-0x0000000000976000-memory.dmp

Filesize
5.5MB

Download
memory/1720-61-0x000000013FDD0000-0x000000013FDF0000-memory.dmp

Filesize
128KB

Download
memory/1984-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1984-6-0x0000000000400000-0x0000000000976000-memory.dmp

Filesize
5.5MB

Download
memory/1984-0-0x0000000140000000-0x0000000140033000-memory.dmp

Filesize
204KB

Download
memory/1984-8-0x0000000002870000-0x00000000028AC000-memory.dmp

Filesize
240KB

Download
memory/2676-181-0x000000013F540000-0x000000013FF6D000-memory.dmp

Filesize
10.2MB

Download
memory/2712-36-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2712-37-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/2784-190-0x000007FEF73A0000-0x000007FEF73C5000-memory.dmp

Filesize
148KB

Download
memory/2784-191-0x000007FEF57D0000-0x000007FEF6095000-memory.dmp

Filesize
8.8MB

Download
memory/2784-199-0x000007FEF7400000-0x000007FEF7424000-memory.dmp

Filesize
144KB

Download
memory/2784-198-0x000007FEF7E60000-0x000007FEF7E80000-memory.dmp

Filesize
128KB

Download
memory/2784-196-0x000007FEF7460000-0x000007FEF7485000-memory.dmp

Filesize
148KB

Download
memory/2784-202-0x000007FEF57D0000-0x000007FEF6095000-memory.dmp

Filesize
8.8MB

Download
memory/2784-195-0x000000013F5A0000-0x000000013F5BF000-memory.dmp

Filesize
124KB

Download
memory/2784-197-0x000007FEF7430000-0x000007FEF7453000-memory.dmp

Filesize
140KB

Download
memory/2784-185-0x000007FEF7460000-0x000007FEF7485000-memory.dmp

Filesize
148KB

Download
memory/2784-187-0x000007FEF7E60000-0x000007FEF7E80000-memory.dmp

Filesize
128KB

Download
memory/2784-188-0x000007FEF7400000-0x000007FEF7424000-memory.dmp

Filesize
144KB

Download
memory/2784-200-0x000007FEF73D0000-0x000007FEF73F8000-memory.dmp

Filesize
160KB

Download
memory/2784-184-0x000000013F5A0000-0x000000013F5BF000-memory.dmp

Filesize
124KB

Download
memory/2784-186-0x000007FEF7430000-0x000007FEF7453000-memory.dmp

Filesize
140KB

Download
memory/2784-189-0x000007FEF73D0000-0x000007FEF73F8000-memory.dmp

Filesize
160KB

Download
memory/2784-201-0x000007FEF73A0000-0x000007FEF73C5000-memory.dmp

Filesize
148KB

Download
memory/2796-25-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-29-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-28-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-27-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-26-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2796-30-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-24-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2796-23-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download