Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 03:41

General

  • Target

    cgi19-alptsevs-h555.exe_.exe

  • Size

    569KB

  • MD5

    e9b9c39dd91c7fac1ee0b92e018a21bd

  • SHA1

    1ddcf37b32f90f864b51adba3f4bd3a0f5ea935f

  • SHA256

    388cc8da15d0fbee9bb9fb87715c8f2967b1584a12e30b4ea1ebbc27ff3b557b

  • SHA512

    dee5a5da3fe70e5d15f48ba9e8d9204a2de641b91e22a8e3ddb7dfaa1aafd6d943bb21188985bb8d40836fc6e24ee2df9a9d988f5ea8048d30517cd6bf7e3add

  • SSDEEP

    12288:j3nZMhJ+ubNmz0C4nkspjhPMy7NxkIXGUikyjk0y0xjYfYK4zjibVWidV3BtGN:j3nZqfbkz94h9P1+sbi3j2Bwjifv3BAN

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 20 IoCs
  • Runs ping.exe 1 TTPs 30 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe
    "C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Windows\SysWOW64\svschost.exe
      "C:\Windows\system32\svschost.exe" -i
      2⤵
      • Executes dropped EXE
      PID:4600
    • C:\Windows\SysWOW64\nsf.exe
      "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1376
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2796
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2164
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3976
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3952
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:216
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2084
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:372
    • C:\Windows\SysWOW64\svschost.exe
      "C:\Windows\system32\svschost.exe" -i
      2⤵
      • Executes dropped EXE
      PID:3180
    • C:\Windows\SysWOW64\nsf.exe
      "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4424
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1428
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3896
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4632
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1488
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3464
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2076
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3760
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1936
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4112
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3412
    • C:\Windows\SysWOW64\svschost.exe
      "C:\Windows\system32\svschost.exe" -s
      2⤵
      • Executes dropped EXE
      PID:3492
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:892
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5016
    • C:\Windows\SysWOW64\svschost.exe
      "C:\Windows\system32\svschost.exe" -i
      2⤵
      • Executes dropped EXE
      PID:3680
    • C:\Windows\SysWOW64\nsf.exe
      "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2168
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2256
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3660
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3064
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2316
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4188
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:760
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4264
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4580
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5108
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2220
    • C:\Windows\SysWOW64\svschost.exe
      "C:\Windows\system32\svschost.exe" -s
      2⤵
      • Executes dropped EXE
      PID:348
    • C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2428
    • C:\Windows\SysWOW64\svschost.exe
      "C:\Windows\system32\svschost.exe" -s
      2⤵
      • Executes dropped EXE
      PID:1392
  • C:\Windows\SysWOW64\svschost.exe
    C:\Windows\SysWOW64\svschost.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    PID:3976
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\dvsdlk\svchost.exe" /f
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:756
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2280
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:1372
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\BackupRepair.cfg" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:2460
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:2212
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Mozilla Firefox\install.log" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:1888
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Mozilla Firefox\uninstall\uninstall.log" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:3180
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:868
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:2244
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\uninstall.log" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:4000
    • C:\ProgramData\rbnedwdels\svchost.exe
      "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\temporary_multiselect_24.png" /accepteula
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:3452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini

    Filesize

    129B

    MD5

    d221387bc8a67ebffcebb0db658af8e1

    SHA1

    b068428cb49884a8d454f2c913561507832f7af7

    SHA256

    d061e9195f801dd95cb76384d8e2c04093de0287d840be85925f1bab63c606ed

    SHA512

    c500a19580c2d43357051ad6f61abbf700e61497c4d290b15348ae35c647dd7ec21dded95885e0b05b4d17de64041b412833f4a7c3ae57ec8b042e8f558224a2

  • C:\PrograDDDDDDDDDDDDDDDDDDDD.DDD

    Filesize

    480KB

    MD5

    5fa7233f183fe8e51eac957ee81c8fb4

    SHA1

    64269cc8ec4742a2d5c334034b3913bb0cd6305b

    SHA256

    8d8f9061e8baf2097feda5d5f7c3dfcdead5629c66ff7244168c6d4813fe3b27

    SHA512

    9be783bede91b13ea51bf66f5867779822b535064d24d14ced3cff7f1428acea73e6a1192b1f3fef0df78e46a65c1ddb508bfff2da8078bdf4c75eef451d2ee2

  • C:\Program FileDDDDDDDDDDDDDDDDDDDDDDDD.DDD

    Filesize

    21KB

    MD5

    457fd380a3fd6c803e54aab550b912cc

    SHA1

    4f719f97d6da1aee83278ec257776f3693c5532b

    SHA256

    9dff2f86ac4776f0840997dca28f99c3eb2afd809dc96f0865864e45b4486032

    SHA512

    48d1eda96204442398801c85a1b445a4aa63d937d6cf3a7d2386a0936efe59ca16751e213afc08f575a0e6bafb7689cfd487b3608edb2ca2fa6f949fcce0a536

  • C:\Program Files\CCCCCCCCCCCCCCCCCCCCCCC.CCC

    Filesize

    23KB

    MD5

    f90b1538c8b7e0b83272c34cd85a1d95

    SHA1

    d2a257fd1e9040fb6cef11404d97b693dcd46146

    SHA256

    83f9dbe116ee436a5a8d3868160691f8a36fa7a3d170a3d1ccc752e2bc10814b

    SHA512

    9d3297b18545a86ada150b794194637ef68fae1e1033c0e78ee59224df4b6065198887910231575ef5b6668d900a46ebb1076744919da34382199fbf7cbe0e14

  • C:\Program Files\MozilDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

    Filesize

    1KB

    MD5

    832680331c4242c8b67e6907680742e6

    SHA1

    401cc6d755fce777ae33155c47a308faf7a117b2

    SHA256

    3cb151e9262ef78d4a13f0aa5a9bdc047b51f3b7027e0db18ebb9e8134c270ec

    SHA512

    7643a1333dbcdaa545a3f942172701d261eb2bd56bed18621d2d45c8be4968aaf26c7174a1d7b8a0ef0850143461438186983317402b7c6b0aa5d490acf8e80c

  • C:\Program Files\VideoLAN\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

    Filesize

    48KB

    MD5

    a9dc2568baf863c13620966bcb8c8376

    SHA1

    b31b9d39d4561d3d6be451e9812e2cb8f8837e08

    SHA256

    20a1cf229dc5df7d499bf4d074c8c8bf75b60040ddc871108fe3234005ce7387

    SHA512

    79a8058d426cf296060cfc26fc88cad09835a4c07b6be02c0ffa8cb7d871fb8e84c95287fbf256056d131275f816103d3b04fa098b2083a56a466d2a84228bdd

  • C:\Windows\SysWOW64\NoSafeMode.dll

    Filesize

    12KB

    MD5

    6bb3bca23fdff5b013863d8423267251

    SHA1

    2e6b80241d1a9269cc30e13663e6f910a0893450

    SHA256

    bdb1a0b687ced575e71702b7b4554063e697791bc2b2a286a0e4dfd528739670

    SHA512

    de6230dfe87df4840314983573c94ce332f5bfe9996de852c6e47844e785a4e7a8e4084a6d9ed1fd4aac78b896d2158a201ff202635c205bf50e2507c1165478

  • C:\Windows\SysWOW64\cfwin32.dll

    Filesize

    394KB

    MD5

    53894890dc01bbcace449f6590a1597b

    SHA1

    b27c93ef650d79a49150e61cd668b01bee543a30

    SHA256

    2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd

    SHA512

    2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

  • C:\Windows\SysWOW64\csrss32.dll

    Filesize

    172KB

    MD5

    492e8e81ef6ecd3998c2215d9db3a6da

    SHA1

    55a457f585172196c2ccc530cd834d421a83276f

    SHA256

    769371d3a4195187b9fa8b3ee56aa8ff6eb52c6c0d819420ed2ce5d732faae25

    SHA512

    21b62e018f889cc12e643cd6e1da922e1920f10219cf36e07e439acee62706d1589b337207a6a0566e2dbbd6e266aaa4cf8b95d1f88f60b15349bb20e7901bf5

  • C:\Windows\SysWOW64\csrss64.dll

    Filesize

    180KB

    MD5

    ac281938245639d5298a6c5c395cb7d0

    SHA1

    7b5db71ea5913cc8056eecb336fdb9f9ad23309c

    SHA256

    a80e55673477e4bfae1ad75fc00e8ce28fa1af8f78fe51778fb78acf965a3283

    SHA512

    5f1893a661d323f4932c96467f86621be4a3a3b58a41d00758a300b2075187fd4e31f0d903cbb9418d3dda9809f3143774e7b46bdb34ae63460b24d4c8b55452

  • C:\Windows\SysWOW64\nsf.exe

    Filesize

    47KB

    MD5

    e6d58e0a4511695312f13d1b9f154187

    SHA1

    a23d75e1a3462e66db08f7664683e186c9e8e5fb

    SHA256

    ff16042183c0ed025c523ea1ae3edd679fd929dfbda0089756186f5bcba5b35b

    SHA512

    09b154123d8e21a7c93f8d99009e0e322a2ede7f4c8f12bcdebd0078787efb0f9d3b5e43a7b3936b933bd974777fccefbc3af24b834e8cd7137d2931cfeff833

  • C:\Windows\SysWOW64\sdelete.dll

    Filesize

    152KB

    MD5

    bc60849f0105976d8afc33731ae50c68

    SHA1

    90010c2da0343756ce9a37671e69436f478c83b6

    SHA256

    6e7ca1cc6fd03a1487d876ccd05c411c57ef1687a5c7e6ca007f00e2cb973fe8

    SHA512

    6555aafa9854c0c42161ec5b938e386d9e6a5fee8d9d63f5134cdf9db59b8630b17a8260ab2b0f921ec343fbbb918481f00c641553ebbf53fe983feaeb1bf380

  • C:\Windows\SysWOW64\svschost.exe

    Filesize

    38KB

    MD5

    4fc8de89c54224746fbdcb486ed92514

    SHA1

    1ca774ffbb0eead4b4e06a5f13059933af530754

    SHA256

    ea32a0b440e81208eb10a500ea90855eb413bd2f756a581a1644bdec4453d96b

    SHA512

    b7479e94ff2183c23df99407b54282d97d1b0aeb32b2c52fbb30ae5ac626ab0641521d03d1f4f2e0b6fcb0c98cc04b61d897f9b450a456e988157cd038823fc1

  • memory/1376-40-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1376-38-0x0000000010000000-0x000000001000C000-memory.dmp

    Filesize

    48KB

  • memory/1376-33-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2168-154-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2168-158-0x0000000010000000-0x000000001000C000-memory.dmp

    Filesize

    48KB

  • memory/2168-160-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/4424-47-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/4424-43-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB