dcrat | 5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5

Analysis

max time kernel
97s
max time network
156s
platform
windows10_x64
resource
win10v20210408
submitted
24-06-2021 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e765a8048bcd67f293f11db938e77c3.exe
Size

83KB
MD5

2e765a8048bcd67f293f11db938e77c3
SHA1

edcadd564cd6ef074655165ae572af2a1ba6ef6e
SHA256

5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5
SHA512

7a8c0352a689e209dcbfa727c905f7f92f450165d79756fb6ee5df2a0cc5f92a772a5ece083c3e1b5f80c702bfcd2f03cc74e7b5d7a69a659287906dbf6d9ec8

Score

10^/10

dcrat bootkit discovery evasion infostealer persistence rat trojan vmprotect

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies system executable filetype association 2 TTPs 21 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

fastpdf_ext_process.exefastpdf_ext_process.exefastpdf_ext_process.exeSZipUpdate.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit\ = "{221A55C1-C316-4b79-A259-0CED2417600D}"	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	fastpdf_ext_process.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit\ = "{221A55C1-C316-4b79-A259-0CED2417600D}"	fastpdf_ext_process.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	SZipUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit	SZipUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Thorzip	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Thorzip\ = "{E1E3163A-D2B0-4C20-A859-1B420ECB881A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit	SZipUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit\ = "{221A55C1-C316-4b79-A259-0CED2417600D}"	SZipUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit\ = "{221A55C1-C316-4b79-A259-0CED2417600D}"	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit	fastpdf_ext_process.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	fastpdf_ext_process.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 41 IoCs

Processes:

IMedia-553.exesyzs03_1000219144.exeIMediaB.exeIMediaT.exeIMediaDesk.exeIMedia.exeMarket.exeTinst.exeQMEmulatorService.exeAppMarket.exesyzs_dl_svr.execef_frame_render.execef_frame_render.execef_frame_render.exeFastpdf_setup_ver21042017.420.1.1.1.exeleishenzip_247915520_tiangua_001.exeFlashZip_2710.execef_frame_render.exeOfficeDownloaderInstall_0_100016_lanshan.exeSZipMd5Tool.exeSetup_10011.exefpprotect.exeSZipUpdate.exefastpdf_ext_process64.exefastpdf_ext_process.exefastpdf_ext_process64.exefastpdf_ext_process64.exefastpdf_ext_process.exeSZipService.exepic_soft45181.exefastpdf_ext_process.exefastpdf.exefastpdf.exeBalomaKeaft.exeSZipMd5Tool.exeInstall.exeSZipMd5Tool.exeThorFileManager.exeThorReport.exe

pid	process
1400	IMedia-553.exe
844	syzs03_1000219144.exe
2892	IMediaB.exe
1648	IMediaT.exe
1028	IMediaDesk.exe
504	IMedia.exe
2504
3928	Market.exe
2132	Tinst.exe
1948	QMEmulatorService.exe
744	AppMarket.exe
1220	syzs_dl_svr.exe
2188	cef_frame_render.exe
4120	cef_frame_render.exe
4168	cef_frame_render.exe
4472	Fastpdf_setup_ver21042017.420.1.1.1.exe
4544	leishenzip_247915520_tiangua_001.exe
4600	FlashZip_2710.exe
4644	cef_frame_render.exe
4776	OfficeDownloaderInstall_0_100016_lanshan.exe
4724	SZipMd5Tool.exe
4888	Setup_10011.exe
5116	fpprotect.exe
3940	SZipUpdate.exe
3176	fastpdf_ext_process64.exe
3948	fastpdf_ext_process.exe
4508	fastpdf_ext_process64.exe
1232	fastpdf_ext_process64.exe
4856	fastpdf_ext_process.exe
4352	SZipService.exe
4944	pic_soft45181.exe
4864	fastpdf_ext_process.exe
2064	fastpdf.exe
804	fastpdf.exe
2956	BalomaKeaft.exe
3940	SZipUpdate.exe
4512	SZipMd5Tool.exe
5192	Install.exe
5216	SZipMd5Tool.exe
5560	ThorFileManager.exe
5572	ThorReport.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2956-272-0x0000000000AA0000-0x000000000137B000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cef_frame_render.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	cef_frame_render.exe

Loads dropped DLL 64 IoCs

Processes:

2e765a8048bcd67f293f11db938e77c3.exesyzs03_1000219144.exerundll32.exerundll32.exeQMEmulatorService.exeAppMarket.execef_frame_render.exe

pid	process
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
1456	2e765a8048bcd67f293f11db938e77c3.exe
844	syzs03_1000219144.exe
2332	rundll32.exe
4040	rundll32.exe
3008
2096
3008
1948	QMEmulatorService.exe
1948	QMEmulatorService.exe
1948	QMEmulatorService.exe
1948	QMEmulatorService.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
744	AppMarket.exe
2188	cef_frame_render.exe
2188	cef_frame_render.exe
2188	cef_frame_render.exe
2188	cef_frame_render.exe
2188	cef_frame_render.exe
2188	cef_frame_render.exe
744	AppMarket.exe
744	AppMarket.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

IMedia-553.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA IMedia-553.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IMedia-553.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

syzs03_1000219144.exeQMEmulatorService.exeAppMarket.exeleishenzip_247915520_tiangua_001.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	syzs03_1000219144.exe
File opened for modification	\??\PhysicalDrive0	QMEmulatorService.exe
File opened for modification	\??\PhysicalDrive0	AppMarket.exe
File opened for modification	\??\PhysicalDrive0	leishenzip_247915520_tiangua_001.exe

Drops file in System32 directory 4 IoCs

Processes:

QMEmulatorService.exeSZipMd5Tool.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QMEmulatorService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QMEmulatorService.exe
File created	C:\Windows\system32\SZipOverlayIcon.dll	SZipMd5Tool.exe
File created	C:\Windows\system32\SZipOverlayIcon64.dll	SZipMd5Tool.exe

Drops file in Program Files directory 64 IoCs

Processes:

Tinst.exeFastpdf_setup_ver21042017.420.1.1.1.exeIMedia-553.exe

description	ioc	process
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\normal\98.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\window\small_tab\gift_hover.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\gamecenter\heart.png	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\qt5gui.dll	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	C:\Program Files (x86)\IMedia\IMedia64.dll	IMedia-553.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\hover\36.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\19.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\2.png	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\vcruntime140.dll	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\static\media\slick.ced611da.eot	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\TGVoiceBuddy\Res\JoinGame\button_h.png	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\res\uninstall\44.png	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	C:\Program Files (x86)\fastpdf\msvcr100.dll	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\hardwarecheck\transition1.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\29.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\9.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\webctrl\loading\15.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\locale\zh_TW.pak	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\static\media\slick.d41f55a7.ttf	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\TGVoiceBuddy\I18N\1046\StringBundle.xml	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\AERequire\bg.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\hover\4.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\normal\56.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\locale\vi.pak	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\I18N\1042\StringBundle.xml	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\static\media\newback_video.9862b89c.webm	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\TGVoiceBuddy\I18N\1054\GFStringBundle.xml	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\uires\window\min_hover.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\WXFace\WX_default_face.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\zlib.dll	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\ressrc\chs\dpisetting.ini	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\hover\20.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\locale\de.pak	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\locales\zh-CN.pak	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\lottery_btn_hover.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\hover\0.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\normal\10.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\aisee.html	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\normal\48.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\webctrl\loading\11.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\window\small_tab\game_hover.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\locale\id.pak	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\button\qqfeedback_splitline.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\button\tvoice_tips.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\hover\15.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\25.png	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\res\uninstall\52.png	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	C:\Program Files (x86)\fastpdf\kdumprep.exe	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	C:\Program Files (x86)\fastpdf\api-ms-win-crt-convert-l1-1-0.dll	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\button\tvoice_tips20.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\Logon\qqlogin_select.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\window\tab\store_hover.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\bg1.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\gamecenter\approve_normal.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\wangze.1cda17f.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\SSOCommon.dll	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\res\uninstall\10001.xml	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\hardwarecheck\animation\color.apng	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\RadioButton\radiobutton_checkedhoverTexture.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\normal\24.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\normal\19.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\CheckButton\checkbutton_checkedhoverTexture.gft	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\msvcr100.dll	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\module\runtime.f72bec7a.js	Tinst.exe

Drops file in Windows directory 1 IoCs

Processes:

leishenzip_247915520_tiangua_001.exe

description ioc process

File created C:\Windows\Tasks\ThorUpdate.job leishenzip_247915520_tiangua_001.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5808 5572 WerFault.exe ThorReport.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2300 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\ThorUpdate.job	leishenzip_247915520_tiangua_001.exe

pid	pid_target	process	target process
5808	5572	WerFault.exe	ThorReport.exe

pid	process
2300	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

ie4uinit.exeie4uinit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "12"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

SZipService.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache SZipService.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	SZipService.exe

Modifies registry class 64 IoCs

Processes:

fastpdf_ext_process.exeSZipMd5Tool.exeFastpdf_setup_ver21042017.420.1.1.1.exeSZipUpdate.exeregsvr32.exeie4uinit.exeThorFileManager.exefastpdf_ext_process.exefastpdf_ext_process.exeregsvr32.exeie4uinit.exesyzs03_1000219144.exerundll32.exefastpdf.exefastpdf_ext_process64.exefastpdf_ext_process64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{221A55C1-C316-4b79-A259-0CED2417600D}\ProgID\ = "Fastpdfmenu.CPdfmenushell.1"	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0af4c9cd-825f-5677-8e7d-856f0e27270d}\TypeLib\ = "{47c05740-b821-5f6f-b07a-e45adf9de811}"	SZipMd5Tool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387A0E1A-EB04-49D6-ADE2-A6C57F6D2736}\Implemented Categories\{AD5C5A19-F6F1-4B2F-B80E-AD28204A75E9}	Fastpdf_setup_ver21042017.420.1.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\ qimage_extract_text\Icon = "C:\\Program Files (x86)\\fastpdf\\fastpdf.exe,0"	SZipUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{215F2AE7-8096-4A6E-8D0F-6CAB3A3E634D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.html	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.img	ThorFileManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dwg\Shell\ kother_to_pdf\Icon = "C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe,0"	SZipUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx	SZipUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{221A55C1-C316-4b79-A259-0CED2417600D}\InprocServer32\ThreadingModel = "Apartment"	fastpdf_ext_process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\EditFlags = "2"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\Content Type = "application/xhtml+xml"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.rar\Shell\Open	ThorFileManager.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387A0E1A-EB04-49D6-ADE2-A6C57F6D2736}\Implemented Categories\{AD5C5A19-F6F1-4B2F-B80E-AD28204A75E9}\time = "1624536008"	Fastpdf_setup_ver21042017.420.1.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E808D11-17BE-4704-AAFD-99739E17EE21}\InprocServer32\ = "C:\\Program Files (x86)\\fastpdf\\kofficeaddin.dll"	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4D722F57-3CEB-4697-AC22-9B6829F9842F}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pptx\Shell\ kother_to_pdf\ = "转换为PDF格式"	SZipUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ fastpdf_32bit	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.img\ = "thorzip.img"	ThorFileManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.isz\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\雷神压缩\\ThorFileManager.exe\" \"%1\""	ThorFileManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.uue\Shell	ThorFileManager.exe
Key created	\REGISTRY\MACHINE\Software\Classes\syzs.apk\DefalutIcon	syzs03_1000219144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	SZipUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	fastpdf_ext_process.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69E78CAF-C120-4D42-B44D-8BF12EFF4E45}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.zip\ = "压缩文件"	ThorFileManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	ThorFileManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\thorzip.isz	ThorFileManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pdf\Shell\ print\Icon = "C:\\Program Files (x86)\\fastpdf\\fastpdf.exe,0"	SZipUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\ kother_to_pdf\Icon = "C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe,0"	SZipUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dwg\Shell\ kother_to_pdf	SZipUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{215F2AE7-8096-4A6E-8D0F-6CAB3A3E634D}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\雷神压缩\\ThorShell64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.partial\OpenWithProgIds\IE.AssocFile.PARTIAL	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.zipx\Shell\Open\Command	ThorFileManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.cab\ = "压缩文件"	ThorFileManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\thorzip.ace\DefaultIcon	ThorFileManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0af4c9cd-825f-5677-8e7d-856f0e27270d}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\ShiningZip\\SZipExplorer64.dll"	SZipMd5Tool.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	fastpdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.cab	ThorFileManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.alz\Shell\Open	ThorFileManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\command	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\thorzip.iso\DefaultIcon	ThorFileManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\thorzip.isz\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\雷神压缩\\ThorFileManager.exe\",0"	ThorFileManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69E78CAF-C120-4D42-B44D-8BF12EFF4E45}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{221A55C1-C316-4b79-A259-0CED2417600D}\ProgID	SZipUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dwg\Shell	SZipUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{60D7BB01-CD27-4D13-AE76-17BD82A461E5}\InprocServer32\ = "C:\\Program Files (x86)\\fastpdf\\fastpdf_ext64.dll"	fastpdf_ext_process64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ fastpdf_32bit\ = "{221A55C1-C316-4b79-A259-0CED2417600D}"	fastpdf_ext_process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\thorzip.alz\ = "压缩文件"	ThorFileManager.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\s	fastpdf_ext_process64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Thorzip\ = "{E1E3163A-D2B0-4C20-A859-1B420ECB881A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5732"	ie4uinit.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cef_frame_render.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	cef_frame_render.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cef_frame_render.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cef_frame_render.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	cef_frame_render.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	cef_frame_render.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	cef_frame_render.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

IMediaB.exe

pid	process
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe
2892	IMediaB.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

612

pid	process
612

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

IMediaB.exeTinst.exeFastpdf_setup_ver21042017.420.1.1.1.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2892	IMediaB.exe
Token: SeDebugPrivilege	2132	Tinst.exe
Token: SeDebugPrivilege	4472	Fastpdf_setup_ver21042017.420.1.1.1.exe
Token: SeDebugPrivilege	4472	Fastpdf_setup_ver21042017.420.1.1.1.exe
Token: SeIncreaseQuotaPrivilege	4848	wmic.exe
Token: SeSecurityPrivilege	4848	wmic.exe
Token: SeTakeOwnershipPrivilege	4848	wmic.exe
Token: SeLoadDriverPrivilege	4848	wmic.exe
Token: SeSystemProfilePrivilege	4848	wmic.exe
Token: SeSystemtimePrivilege	4848	wmic.exe
Token: SeProfSingleProcessPrivilege	4848	wmic.exe
Token: SeIncBasePriorityPrivilege	4848	wmic.exe
Token: SeCreatePagefilePrivilege	4848	wmic.exe
Token: SeBackupPrivilege	4848	wmic.exe
Token: SeRestorePrivilege	4848	wmic.exe
Token: SeShutdownPrivilege	4848	wmic.exe
Token: SeDebugPrivilege	4848	wmic.exe
Token: SeSystemEnvironmentPrivilege	4848	wmic.exe
Token: SeRemoteShutdownPrivilege	4848	wmic.exe
Token: SeUndockPrivilege	4848	wmic.exe
Token: SeManageVolumePrivilege	4848	wmic.exe
Token: 33	4848	wmic.exe
Token: 34	4848	wmic.exe
Token: 35	4848	wmic.exe
Token: 36	4848	wmic.exe
Token: SeIncreaseQuotaPrivilege	4848	wmic.exe
Token: SeSecurityPrivilege	4848	wmic.exe
Token: SeTakeOwnershipPrivilege	4848	wmic.exe
Token: SeLoadDriverPrivilege	4848	wmic.exe
Token: SeSystemProfilePrivilege	4848	wmic.exe
Token: SeSystemtimePrivilege	4848	wmic.exe
Token: SeProfSingleProcessPrivilege	4848	wmic.exe
Token: SeIncBasePriorityPrivilege	4848	wmic.exe
Token: SeCreatePagefilePrivilege	4848	wmic.exe
Token: SeBackupPrivilege	4848	wmic.exe
Token: SeRestorePrivilege	4848	wmic.exe
Token: SeShutdownPrivilege	4848	wmic.exe
Token: SeDebugPrivilege	4848	wmic.exe
Token: SeSystemEnvironmentPrivilege	4848	wmic.exe
Token: SeRemoteShutdownPrivilege	4848	wmic.exe
Token: SeUndockPrivilege	4848	wmic.exe
Token: SeManageVolumePrivilege	4848	wmic.exe
Token: 33	4848	wmic.exe
Token: 34	4848	wmic.exe
Token: 35	4848	wmic.exe
Token: 36	4848	wmic.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

AppMarket.exefastpdf_ext_process64.exefastpdf_ext_process64.exefastpdf_ext_process64.exe

pid process

744 AppMarket.exe
3176 fastpdf_ext_process64.exe
4508 fastpdf_ext_process64.exe
1232 fastpdf_ext_process64.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AppMarket.exe

pid process

744 AppMarket.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

IMedia-553.exeIMediaB.exeIMedia.exerundll32.exe

pid process

1400 IMedia-553.exe
1400 IMedia-553.exe
1400 IMedia-553.exe
2892 IMediaB.exe
2892 IMediaB.exe
504 IMedia.exe
4040 rundll32.exe

pid	process
744	AppMarket.exe
3176	fastpdf_ext_process64.exe
4508	fastpdf_ext_process64.exe
1232	fastpdf_ext_process64.exe

pid	process
744	AppMarket.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2e765a8048bcd67f293f11db938e77c3.exeIMedia-553.exeIMediaT.exeIMediaDesk.exerundll32.exesyzs03_1000219144.exeTinst.exeAppMarket.exe

description	pid	process	target process
PID 1456 wrote to memory of 1400	1456	2e765a8048bcd67f293f11db938e77c3.exe	IMedia-553.exe
PID 1456 wrote to memory of 1400	1456	2e765a8048bcd67f293f11db938e77c3.exe	IMedia-553.exe
PID 1456 wrote to memory of 1400	1456	2e765a8048bcd67f293f11db938e77c3.exe	IMedia-553.exe
PID 1456 wrote to memory of 844	1456	2e765a8048bcd67f293f11db938e77c3.exe	syzs03_1000219144.exe
PID 1456 wrote to memory of 844	1456	2e765a8048bcd67f293f11db938e77c3.exe	syzs03_1000219144.exe
PID 1456 wrote to memory of 844	1456	2e765a8048bcd67f293f11db938e77c3.exe	syzs03_1000219144.exe
PID 1400 wrote to memory of 2892	1400	IMedia-553.exe	IMediaB.exe
PID 1400 wrote to memory of 2892	1400	IMedia-553.exe	IMediaB.exe
PID 1400 wrote to memory of 2892	1400	IMedia-553.exe	IMediaB.exe
PID 1400 wrote to memory of 1648	1400	IMedia-553.exe	IMediaT.exe
PID 1400 wrote to memory of 1648	1400	IMedia-553.exe	IMediaT.exe
PID 1400 wrote to memory of 1648	1400	IMedia-553.exe	IMediaT.exe
PID 1400 wrote to memory of 1028	1400	IMedia-553.exe	IMediaDesk.exe
PID 1400 wrote to memory of 1028	1400	IMedia-553.exe	IMediaDesk.exe
PID 1400 wrote to memory of 1028	1400	IMedia-553.exe	IMediaDesk.exe
PID 1648 wrote to memory of 3720	1648	IMediaT.exe	schtasks.exe
PID 1648 wrote to memory of 3720	1648	IMediaT.exe	schtasks.exe
PID 1648 wrote to memory of 3720	1648	IMediaT.exe	schtasks.exe
PID 1400 wrote to memory of 504	1400	IMedia-553.exe	IMedia.exe
PID 1400 wrote to memory of 504	1400	IMedia-553.exe	IMedia.exe
PID 1400 wrote to memory of 504	1400	IMedia-553.exe	IMedia.exe
PID 1028 wrote to memory of 2332	1028	IMediaDesk.exe	rundll32.exe
PID 1028 wrote to memory of 2332	1028	IMediaDesk.exe	rundll32.exe
PID 1028 wrote to memory of 2332	1028	IMediaDesk.exe	rundll32.exe
PID 1648 wrote to memory of 2300	1648	IMediaT.exe	schtasks.exe
PID 1648 wrote to memory of 2300	1648	IMediaT.exe	schtasks.exe
PID 1648 wrote to memory of 2300	1648	IMediaT.exe	schtasks.exe
PID 2332 wrote to memory of 4040	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 4040	2332	rundll32.exe	rundll32.exe
PID 844 wrote to memory of 3928	844	syzs03_1000219144.exe	Market.exe
PID 844 wrote to memory of 3928	844	syzs03_1000219144.exe	Market.exe
PID 844 wrote to memory of 3928	844	syzs03_1000219144.exe	Market.exe
PID 844 wrote to memory of 2132	844	syzs03_1000219144.exe	Tinst.exe
PID 844 wrote to memory of 2132	844	syzs03_1000219144.exe	Tinst.exe
PID 844 wrote to memory of 2132	844	syzs03_1000219144.exe	Tinst.exe
PID 2132 wrote to memory of 2120	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 2120	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 2120	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3144	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3144	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3144	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 1268	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 1268	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 1268	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3924	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3924	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3924	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 920	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 920	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 920	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3828	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3828	2132	Tinst.exe	Netsh.exe
PID 2132 wrote to memory of 3828	2132	Tinst.exe	Netsh.exe
PID 844 wrote to memory of 744	844	syzs03_1000219144.exe	AppMarket.exe
PID 844 wrote to memory of 744	844	syzs03_1000219144.exe	AppMarket.exe
PID 844 wrote to memory of 744	844	syzs03_1000219144.exe	AppMarket.exe
PID 744 wrote to memory of 1220	744	AppMarket.exe	syzs_dl_svr.exe
PID 744 wrote to memory of 1220	744	AppMarket.exe	syzs_dl_svr.exe
PID 744 wrote to memory of 1220	744	AppMarket.exe	syzs_dl_svr.exe
PID 744 wrote to memory of 2188	744	AppMarket.exe	cef_frame_render.exe
PID 744 wrote to memory of 2188	744	AppMarket.exe	cef_frame_render.exe
PID 744 wrote to memory of 2188	744	AppMarket.exe	cef_frame_render.exe
PID 744 wrote to memory of 4120	744	AppMarket.exe	cef_frame_render.exe
PID 744 wrote to memory of 4120	744	AppMarket.exe	cef_frame_render.exe

C:\Users\Admin\AppData\Local\Temp\2e765a8048bcd67f293f11db938e77c3.exe
"C:\Users\Admin\AppData\Local\Temp\2e765a8048bcd67f293f11db938e77c3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\IMedia-553.exe
  "C:\Users\Admin\AppData\Local\Temp\IMedia-553.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Program Files (x86)\IMedia\IMediaB.exe
    "C:\Program Files (x86)\IMedia\IMediaB.exe" install
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2892
- - C:\Program Files (x86)\IMedia\IMediaT.exe
    "C:\Program Files (x86)\IMedia\IMediaT.exe" install
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /TN _Newdd_ddddfgd_sdfqefjkjkjkj_IMedia_e3df_TEE /f
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc ONLOGON /tn _Newdd_ddddfgd_sdfqefjkjkjkj_IMedia_e3df_TEE /tr "\"C:\Program Files (x86)\IMedia\IMediaB.exe\" taskactive" /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2300
- - C:\Program Files (x86)\IMedia\IMediaDesk.exe
    "C:\Program Files (x86)\IMedia\IMediaDesk.exe" install
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" /s "C:\Program Files (x86)\IMedia\IMedia64.dll" DllGetClassObjectEx
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" /s "C:\Program Files (x86)\IMedia\IMedia64.dll" DllGetClassObjectEx
        5⤵
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4040
- - C:\Program Files (x86)\IMedia\IMedia.exe
    "C:\Program Files (x86)\IMedia\IMedia.exe" install
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:504
- C:\Users\Admin\AppData\Local\Temp\syzs03_1000219144.exe
  "C:\Users\Admin\AppData\Local\Temp\syzs03_1000219144.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Market.exe
    "C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Market.exe"
    3⤵
    - Executes dropped EXE
    PID:3928
- - C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\Tinst.exe
    "C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\Tinst.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="AppMarket" dir=in program="c:\program files\txgameassistant\appmarket\AppMarket.exe" action=allow
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="TInst" dir=in program="c:\program files\txgameassistant\appmarket\TInst.exe" action=allow
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="bugreport" dir=in program="c:\program files\txgameassistant\appmarket\bugreport.exe" action=allow
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="QQExternal" dir=in program="c:\program files\txgameassistant\appmarket\QQExternal.exe" action=allow
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="GameDownload" dir=in program="c:\program files\txgameassistant\appmarket\GameDownload.exe" action=allow
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="TUpdate" dir=in program="c:\program files\txgameassistant\appmarket\GF186\TUpdate.exe" action=allow
      4⤵
      PID:3828
- - C:\Program Files\TxGameAssistant\AppMarket\AppMarket.exe
    "C:\Program Files\TxGameAssistant\AppMarket\AppMarket.exe" -from TGBDownloader
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.exe
      "C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.exe" --conf-path="C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.cfg" --daemon --log="C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.log"
      4⤵
      Executes dropped EXE
      PID:1220
  - - C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
      "C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=gpu-process --field-trial-handle=2452,8097416899223817802,3708015007604891121,131072 --disable-features=OutOfBlinkCors --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.10.1683.80" --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAgAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=2570819452904947331 --mojo-platform-channel-handle=2460 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2188
  - - C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
      "C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=utility --field-trial-handle=2452,8097416899223817802,3708015007604891121,131072 --disable-features=OutOfBlinkCors --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.10.1683.80" --lang=en-US --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=17424558141508763651 --mojo-platform-channel-handle=3000 /prefetch:8
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:4120
  - - C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
      "C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=renderer --no-sandbox --force-device-scale-factor=1.00 --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --field-trial-handle=2452,8097416899223817802,3708015007604891121,131072 --disable-features=OutOfBlinkCors --lang=en-US --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.10.1683.80" --disable-pdf-extension=1 --ppapi-flash-path="PepperFlash\pepflashplayer.dll" --ppapi-flash-version=18.0.0.209 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=7463845140031021878 --renderer-client-id=3 --mojo-platform-channel-handle=3092 /prefetch:1
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:4168
  - - C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
      "C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=gpu-process --field-trial-handle=2452,8097416899223817802,3708015007604891121,131072 --disable-features=OutOfBlinkCors --disable-gpu-sandbox --use-gl=disabled --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.10.1683.80" --lang=en-US --gpu-preferences=KAAAAAAAAADoAAAgAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=7726310884295432536 --mojo-platform-channel-handle=3736 /prefetch:2
      4⤵
      Executes dropped EXE
      PID:4644
- C:\Users\Admin\AppData\Local\Temp\Fastpdf_setup_ver21042017.420.1.1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Fastpdf_setup_ver21042017.420.1.1.1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- - C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe
    "C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe" /ext:1
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3176
  - - C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
      "C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe" /action:install
      4⤵
      Modifies system executable filetype association
      Executes dropped EXE
      Modifies registry class
      PID:3948
- - C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe
    "C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe" /ext:1
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4508
  - - C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
      "C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe" /action:install
      4⤵
      Modifies system executable filetype association
      Executes dropped EXE
      Modifies registry class
      PID:4856
- - C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe
    "C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe" /ext:1
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1232
  - - C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
      "C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe" /action:install
      4⤵
      Modifies system executable filetype association
      Executes dropped EXE
      Modifies registry class
      PID:4864
- - C:\Program Files (x86)\fastpdf\fastpdf.exe
    "C:\Program Files (x86)\fastpdf\fastpdf.exe" -refreshdesktop=1
    3⤵
    - Executes dropped EXE
    PID:2064
  - - C:\Windows\system32\ie4uinit.exe
      "C:\Windows\system32\ie4uinit.exe" -show
      4⤵
      Modifies Internet Explorer settings
      Modifies registry class
      PID:5344
- - C:\Program Files (x86)\fastpdf\fastpdf.exe
    "C:\Program Files (x86)\fastpdf\fastpdf.exe" -associate=1
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:804
  - - C:\Windows\system32\ie4uinit.exe
      "C:\Windows\system32\ie4uinit.exe" -show
      4⤵
      Modifies Internet Explorer settings
      Modifies registry class
      PID:5420
- C:\Users\Admin\AppData\Local\Temp\leishenzip_247915520_tiangua_001.exe
  "C:\Users\Admin\AppData\Local\Temp\leishenzip_247915520_tiangua_001.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:4544
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\雷神压缩\ThorShell64.dll
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\雷神压缩\ThorHelp64.dll
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\雷神压缩\ThorService.dll
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s C:\Users\Admin\AppData\Roaming\雷神压缩\ThorShell64.dll
    3⤵
    PID:5236
  - - C:\Windows\system32\regsvr32.exe
      /s C:\Users\Admin\AppData\Roaming\雷神压缩\ThorShell64.dll
      4⤵
      Modifies system executable filetype association
      Modifies registry class
      PID:5264
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s C:\Users\Admin\AppData\Roaming\雷神压缩\ThorHelp64.dll
    3⤵
    PID:5332
  - - C:\Windows\system32\regsvr32.exe
      /s C:\Users\Admin\AppData\Roaming\雷神压缩\ThorHelp64.dll
      4⤵
      Modifies registry class
      PID:5376
- - C:\Users\Admin\AppData\Roaming\雷神压缩\ThorFileManager.exe
    "C:\Users\Admin\AppData\Roaming\雷神压缩\ThorFileManager.exe" --register_application
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:5560
- - C:\Users\Admin\AppData\Roaming\雷神压缩\ThorReport.exe
    "C:\Users\Admin\AppData\Roaming\雷神压缩\ThorReport.exe"
    3⤵
    - Executes dropped EXE
    PID:5572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 376
      4⤵
      Program crash
      PID:5808
- C:\Users\Admin\AppData\Local\Temp\FlashZip_2710.exe
  "C:\Users\Admin\AppData\Local\Temp\FlashZip_2710.exe" -8122a41aa4ae
  2⤵
  - Executes dropped EXE
  PID:4600
- - C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
    "C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCWNYmzoMeWFUU0CM2Dtga35YuzOEd3hN6CIB20FaUT10MxhIaCtAGtPOMDxEPyeMSm2ET0QMbW2FqhSNiGtFdl6IoCU0j1HZsj4ZsmYNu2YI25oZFmfYXybYnmgMH9ZMXmJUP3UNejGVCh8OJDJA703OaGkJNjZZLD9Yu3yZbjxIH55MR2CYDxZMTWFRnipOsTFMG4nZyTtck3PYaz9MRudZtXLholy -2596b1ef9f0a=27
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:4724
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\ShiningZip\ZipCnu64.dll"
      4⤵
      PID:2252
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\ShiningZip\ZipCnu64.dll"
        5⤵
        
        PID:4552
  - - C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
      "C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNgm1oYejFcU4CZ2Dthaj5ZujOZdmhN6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Aq=S -2596b1ef9f0a=27
      4⤵
      Executes dropped EXE
      PID:5216
    - - C:\Users\Admin\AppData\Local\ShiningZip\SZipMPage.exe
        
        "C:\Users\Admin\AppData\Local\ShiningZip\SZipMPage.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNUm1oMeDFZUiCN2jtUa35NuzONdihN6iIA2tFNUG1YMyhOaTtEG0PYM2xIP3eMSD2NTjQPbT2EqwSMiDtUdy6IoCU0j3HMsG4YsxYOuTYF2joZFDfcX5bOnWgIH9ZMXSJAPtUZeTGEC58YJjJV7j3OaTkNNiZMLT9guwyPbTxAHg5LRTCED2ZMTTFkn4pMsjFAG3nNyGtJkiPYaT90RwdItCL0ozyYWTSQIwTZZDVZgh9Y0jGgsxnYkzWkH9zMJAO=v=N -2596b1ef9f0a=27
        5⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Local\ShiningZip\SZipMPage.exe
        
        "C:\Users\Admin\AppData\Local\ShiningZip\SZipMPage.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCWNYm0oZeDFgU1CN2DtNam5Yu2OYd5hM6iIA2tFNUG1YMyhOaTtEG0PYM2xIP3eMSD2NTjQPbT2EqwSMiDtUdy6IoCU0j3HMsG4YsxYOuTYF2joZFDfcX5bOnWgIH9ZMXSJAPtUZeTGEC58YJjJV7j3OaTkNNiZMLT9guwyPbTxAHg5LRTCED2ZMTTFkn4pMsjFAG3nNyGtJkiPYaT90RwdItCL0ozyYWTSQIwTZZDVZgh9Y0jGgsxnYkzWkH9zMJAO=v=N -2596b1ef9f0a=27
        6⤵
        
        PID:5900
    - - C:\Users\Admin\AppData\Local\ShiningZip\SZipTray.exe
        
        "C:\Users\Admin\AppData\Local\ShiningZip\SZipTray.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNMmyoOeTFNUkCO2WtUay5MuGOEdyhN6yIA2tFNUG1YMyhOaTtEG0PYM2xIP3eMSD2NTjQPbX2sqiSaiWtQdi6OojUEj2HNsy4wsiYdujYE2ioOFjfEXsbInngVHyZbXCJIP6UIemGhC08dJHJA763Layk9NkZbLC95uiyabWx5Hn5aRHCVDvZaT2FVnqpasSF5Gjnbyit9kGPbaG9FRzdatFLpopycWCS9I0TcZ2Vtgf9Y0mGpsynakiWIHszIJmO1vkNNgSpI46vIgjYY11TZdjqd5ihNkGTMSyjY0znMzyZM3GzITybNT2QUiw6N1jyciwUNWmPRrmEYv2mUP29MfGLFxlkZnjnAyzgI6imwCiDYh2U9QufZnmjlXndI2jypS79IAmYxDhTb8mXQWi7OkjdEWshI4mGlLuHdoGXVmyRdzCHIg6PMzSHwiiZctGrFpyMYpWD03i8OyirJETaa5GFFsuKWFm1lCwMITi1wEiiZuGTxksob3WjFXp6bPi4IX6NIaljJZ1AbDkB1ihmapWS4MiLfaXl04=v -2596b1ef9f0a=27
        5⤵
        
        PID:6080
    - - C:\Users\Admin\AppData\Local\ShiningZip\SZipTray.exe
        
        "C:\Users\Admin\AppData\Local\ShiningZip\SZipTray.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNMmyoOeTFNUkCO2WtUay5MuGOEdyhN6yIA2tFNUG1YMyhOaTtEG0PYM2xIP3eMSD2NTjQPbX2sqiSaiWtQdi6OojUEj3HNsi4wsiYdujYE2ioOFjfIXsbInngVHyZbXCJIP6UIemGhC08dJHJA763Layk9NkZbLC95uiyabWx5Hn5aRHCVDvZaT2FVnqpasSF5Gjnbyit9kkPLa29lRtdZt3LMovycW3SlI5TbZmVcgu9c0GG5snnIkiWwHizbJWOQv1NIgjpo4ivMgjYl1lTMdTqd5hhYkjTASyjY0znAzwZM32zUT1bMTmQQi56M1myYi5UNWWPMr3EMvWmVPl9NfjLhxlkYn2nMyigL6CmJCjDbh2U5QmfanWjcXidO2nysSi9bAGYFDuTZ8CXIW67MkSdwWiha4WG5L0HZoXXJm0RIzjHogxPLzCHJiwZYtXrJphMbpSDI368IyirIEsaI5mFRssKbFG11ChMaTW14EiiOuiTJksoa3WjJXm6dPW45XfNda2jVZpAeDWBEiimfpXS0M=L -2596b1ef9f0a=27
        5⤵
        
        PID:5296
- C:\Users\Admin\AppData\Local\Temp\OfficeDownloaderInstall_0_100016_lanshan.exe
  "C:\Users\Admin\AppData\Local\Temp\OfficeDownloaderInstall_0_100016_lanshan.exe"
  2⤵
  - Executes dropped EXE
  PID:4776
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get SerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get SerialNumber
    3⤵
    PID:1052
- C:\Users\Admin\AppData\Local\Temp\Setup_10011.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup_10011.exe"
  2⤵
  - Executes dropped EXE
  PID:4888
- - C:\Windows\SysWOW64\sc.exe
    sc create BalomaKeaft binpath= "C:\Users\Admin\AppData\Local\BalomaKeaft\BalomaKeaft.exe" DisplayName= "BalomaKeaft Service" start= auto
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\SC.exe
    SC start BalomaKeaft
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\sc.exe
    sc description BalomaKeaft ""
    3⤵
    PID:5508
- C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
  C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe"
    3⤵
    - Executes dropped EXE
    PID:5192
  - - C:\Users\Admin\AppData\Local\Mtkantu\update.exe
      C:\Users\Admin\AppData\Local\Mtkantu\update.exe
      4⤵
      PID:5708
- C:\Users\Admin\AppData\Local\Temp\k52zip20210520-220-21.exe
  C:\Users\Admin\AppData\Local\Temp\k52zip20210520-220-21.exe
  2⤵
  PID:5236
- - C:\Program Files (x86)\k52zip\kzip_casual64.exe
    "C:\Program Files (x86)\k52zip\kzip_casual64.exe" --worker=kzip_ext --register
    3⤵
    PID:3960
  - - C:\Program Files (x86)\k52zip\kzip_main.exe
      "C:\Program Files (x86)\k52zip\kzip_main.exe" -action=rptinject -res:1 -hres:"Invalid window handle"
      4⤵
      PID:4716
- - C:\Program Files (x86)\k52zip\kzip_main.exe
    "C:\Program Files (x86)\k52zip\kzip_main.exe" -action:assext
    3⤵
    PID:5124
- - C:\Program Files (x86)\k52zip\krecommend.exe
    "C:\Program Files (x86)\k52zip\krecommend.exe" /product:11 /type:1 /sence:1
    3⤵
    PID:5368
- C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
  C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\ShellExt64.dll
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
    3⤵
    PID:5800
  - - C:\Windows\system32\regsvr32.exe
      /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
      4⤵
      PID:5832
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
    3⤵
    PID:5812
  - - C:\Windows\system32\regsvr32.exe
      /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
      4⤵
      PID:5828
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
    3⤵
    PID:5808
- - C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
    "C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -unregdigitext
    3⤵
    PID:3176
- - C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
    "C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -regall
    3⤵
    PID:4080
- - C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
    "C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -deloldshellext
    3⤵
    PID:5944
- - C:\Users\Admin\AppData\Roaming\PhotoViewer\PdfReader.exe
    "C:\Users\Admin\AppData\Roaming\PhotoViewer\PdfReader.exe" -regall
    3⤵
    PID:4624
- - C:\Users\Admin\AppData\Roaming\PhotoViewer\Report.exe
    "C:\Users\Admin\AppData\Roaming\PhotoViewer\Report.exe"
    3⤵
    PID:5056

C:\Program Files\TxGameAssistant\AppMarket\QMEmulatorService.exe
"C:\Program Files\TxGameAssistant\AppMarket\QMEmulatorService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1948

C:\Program Files (x86)\fastpdf\fpprotect.exe
"C:\Program Files (x86)\fastpdf\fpprotect.exe"
1⤵
- Executes dropped EXE
PID:5116
- C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
  "C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe" -action:check_plugin_register
  2⤵
  PID:3940
- C:\Program Files (x86)\fastpdf\fastpdf.exe
  "C:\Program Files (x86)\fastpdf\fastpdf.exe" -sactive=1
  2⤵
  PID:5288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4
1⤵
PID:3164

C:\Users\Admin\AppData\Local\ShiningZip\SZipService.exe
C:\Users\Admin\AppData\Local\ShiningZip\SZipService.exe -3ba07688d9f4
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4352
- C:\Users\Admin\AppData\Local\ShiningZip\SZipUpdate.exe
  C:\Users\Admin\AppData\Local\ShiningZip\SZipUpdate.exe -e61475c863c7=27 -c9c0eef9ccd6=LCTNNmioOeDFZUkCN2jtga55YuWOJdlhM6SIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Qq=S -2596b1ef9f0a=27
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Modifies registry class
  PID:3940
- C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
  C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe -e61475c863c7=27 -c9c0eef9ccd6=LCTNEm2oNeDFFUiCN22tMa25ZuTOldjhZ6SIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Qq=S -2596b1ef9f0a=27
  2⤵
  - Executes dropped EXE
  PID:4512
- - C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
    "C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNgm1oYejFcU4CZ2Dthaj5ZujOZdmhN6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Qq=S -2596b1ef9f0a=27
    3⤵
    PID:5664

C:\Users\Admin\AppData\Local\BalomaKeaft\BalomaKeaft.exe
C:\Users\Admin\AppData\Local\BalomaKeaft\BalomaKeaft.exe
1⤵
- Executes dropped EXE
PID:2956

\??\c:\windows\syswow64\svchost.exe
c:\windows\syswow64\svchost.exe -k szpsrvrgroup -s szpsrvr
1⤵
PID:3160
- C:\Users\Admin\AppData\Local\Zipdktp\SZipConfig.exe
  C:\Users\Admin\AppData\Local\Zipdktp\SZipConfig.exe -e61475c863c7=27 -c9c0eef9ccd6=LCTNImwoZeDFgUwCY2ztVal5NuDOMdwhO6CIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Yq=S -2596b1ef9f0a=27
  2⤵
  PID:4132

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k thorzip_updatesvc
1⤵
PID:5452

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k thorzip_updatesvc
1⤵
PID:5488

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNRmjoOeDFIU5CO2Dtdam5NuGOQd0hM6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2IqgS -2596b1ef9f0a=27
1⤵
PID:6104

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNEm2oNeDFFUiCN22tMa25ZuTOldjhZ6SIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Iq=S -2596b1ef9f0a=27
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
  "C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNgm1oYejFcU4CZ2Dthaj5ZujOZdmhN6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Iq=S -2596b1ef9f0a=27
  2⤵
  PID:4556

C:\Program Files (x86)\k52zip\kzipservice.exe
"C:\Program Files (x86)\k52zip\kzipservice.exe"
1⤵
PID:4596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k PhotoviewerService
1⤵
PID:4684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k PhotoviewerService
1⤵
PID:5212

C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
"C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -regcapturehotkey
1⤵
PID:1920

C:\Users\Admin\AppData\Local\kfastpic\11\kfpnewupdate.exe
"C:\Users\Admin\AppData\Local\kfastpic\11\kfpnewupdate.exe" /from:17
1⤵
PID:4520

C:\Program Files (x86)\k52zip\kzip_main.exe
"C:\Program Files (x86)\k52zip\kzip_main.exe" -from:shell_ext -menu_item:0 -action:showmenu
1⤵
PID:4504

C:\Program Files (x86)\fastpdf\fastpdf.exe
"C:\Program Files (x86)\fastpdf\fastpdf.exe" /setdefault:1
1⤵
PID:5984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Bootkit

T1067

Change Default File Association

T1042

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IMedia\IMedia.exe

MD5
903c1b83b7b9106440dda28aa3698a6a

SHA1
625b83e7f3f784e024685b1b61846e633a40425d

SHA256
eba964b6534b490cd29bef1bdba67cfd748bbfdf32b8aa81fb68f2fda2d498b4

SHA512
d9fe1fbdd39d22d064661b698c0d896186637765a6e005788f7508f57e2ee38d488e5eccd56450be7d3ec95d5b955de9aa6ba03b41b542b2b118835be508c0c2

Download Submit
C:\Program Files (x86)\IMedia\IMedia.exe

MD5
903c1b83b7b9106440dda28aa3698a6a

SHA1
625b83e7f3f784e024685b1b61846e633a40425d

SHA256
eba964b6534b490cd29bef1bdba67cfd748bbfdf32b8aa81fb68f2fda2d498b4

SHA512
d9fe1fbdd39d22d064661b698c0d896186637765a6e005788f7508f57e2ee38d488e5eccd56450be7d3ec95d5b955de9aa6ba03b41b542b2b118835be508c0c2

Download Submit
C:\Program Files (x86)\IMedia\IMedia64.dll

MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
C:\Program Files (x86)\IMedia\IMediaB.exe

MD5
1c1a7e640e4c5bc026f4d4be3e027160

SHA1
e597a0bbb3509755ed4734d7bb690811ef83cee1

SHA256
e25c758f34ee0ddae57f999f4fb8aae8dba138554978a803c3abaff5f014e44b

SHA512
76fbf0dbe42521e0a2cdcc283073fecf47efec3350b88267900fac65a09ac30854f74c9837960594a6d0bebf73460e7c9fc090f2db99c3f4103d318f5eb6eedb

Download Submit
C:\Program Files (x86)\IMedia\IMediaB.exe

MD5
1c1a7e640e4c5bc026f4d4be3e027160

SHA1
e597a0bbb3509755ed4734d7bb690811ef83cee1

SHA256
e25c758f34ee0ddae57f999f4fb8aae8dba138554978a803c3abaff5f014e44b

SHA512
76fbf0dbe42521e0a2cdcc283073fecf47efec3350b88267900fac65a09ac30854f74c9837960594a6d0bebf73460e7c9fc090f2db99c3f4103d318f5eb6eedb

Download Submit
C:\Program Files (x86)\IMedia\IMediaDesk.exe

MD5
dde40d98050d34f343fe04d899c3be81

SHA1
05a3d59b179cf41ae25bc9d0d00db9ac3715a097

SHA256
449a1f593cb542a546a393d2d12eec23fc9b5a84462edb9c0ad1f4f943e1431f

SHA512
542b708eab706734eccbc581ee7636354d6aa1d3b202d709832d998c53cce543b591922638af0109a4afbbe1f01e2789690f7ba802f2ef724dde85bb1bf98fbe

Download Submit
C:\Program Files (x86)\IMedia\IMediaDesk.exe

MD5
dde40d98050d34f343fe04d899c3be81

SHA1
05a3d59b179cf41ae25bc9d0d00db9ac3715a097

SHA256
449a1f593cb542a546a393d2d12eec23fc9b5a84462edb9c0ad1f4f943e1431f

SHA512
542b708eab706734eccbc581ee7636354d6aa1d3b202d709832d998c53cce543b591922638af0109a4afbbe1f01e2789690f7ba802f2ef724dde85bb1bf98fbe

Download Submit
C:\Program Files (x86)\IMedia\IMediaT.exe

MD5
767d847e1d357c33940d4f714f90da96

SHA1
14172fd6e5e99c526478cda0b472689c900504b7

SHA256
815a4e28a3d3d8b797916b9c95fb83d5d3bfc1dbee4eee9ba35466d219b30c18

SHA512
5da6d3597865885e9c603f68cc7c1860b3df4fb80725592fcf702cc0c4be97cb6c44c698f267c3931c3e440af8dc7bcd9d7abc74a9e88d381c5cfb04af742c5d

Download Submit
C:\Program Files (x86)\IMedia\IMediaT.exe

MD5
767d847e1d357c33940d4f714f90da96

SHA1
14172fd6e5e99c526478cda0b472689c900504b7

SHA256
815a4e28a3d3d8b797916b9c95fb83d5d3bfc1dbee4eee9ba35466d219b30c18

SHA512
5da6d3597865885e9c603f68cc7c1860b3df4fb80725592fcf702cc0c4be97cb6c44c698f267c3931c3e440af8dc7bcd9d7abc74a9e88d381c5cfb04af742c5d

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Market.exe

MD5
da12dfb041b409e76d6661e7ad02eb9b

SHA1
598694fb09f1ba710610cbe18e0887a4dca37943

SHA256
3934a331888c62d6efd436e71f335849ca401cd4aea2edab8f563cb04edd132f

SHA512
22fecd0ce6587f12c83ee702547c448d1ea958ba1e3c90786f6edbd7c544bf9cb2324120f8aac6c59e7036297542e41686a60f04e603a5bd9de7371730661c0d

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Market.exe

MD5
da12dfb041b409e76d6661e7ad02eb9b

SHA1
598694fb09f1ba710610cbe18e0887a4dca37943

SHA256
3934a331888c62d6efd436e71f335849ca401cd4aea2edab8f563cb04edd132f

SHA512
22fecd0ce6587f12c83ee702547c448d1ea958ba1e3c90786f6edbd7c544bf9cb2324120f8aac6c59e7036297542e41686a60f04e603a5bd9de7371730661c0d

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\AECommonDll.dll

MD5
56bf4cf65918a67a3ab14046c756b552

SHA1
0d3138919585bedfd5fc8eb4333beb57016ca24f

SHA256
c6872ce41e31e68be9e4461243ae19e6012966ab43a0d513f775ff940ba39eae

SHA512
60a7ce0a2a1043de26339eadc8b7735053e6e3dffbb462aa4cbf9a0bd782d42fafca8f0769121a57c12ed117e866db430bd4b658fd63ac07416d305bed304266

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\AowGame.xml

MD5
59cb1bafb0fe0e415f03cd9b49069164

SHA1
e812c08598766acb454c5f5c76b966b6873cdc8b

SHA256
0103f094c6865ef2c4c0213190a5d13f337b0a9bddf58f4a1910bf91ceadb2c9

SHA512
09c019bd1bed60fc3b8d274d2f514cea240ec2d98476a8937dde20369d8472f23ad0d7a33c11b52fa28a465a3ee1ae5bda63ee5f9f76c27b0fc0e18045dd4918

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\Config.ini

MD5
ba50063cd1a85f562d5c6a92f28fc062

SHA1
41d01f5bc2c800424277dc39ddfb4a70bdbaf00e

SHA256
1d02987a9b23cb3c11ad6c8123446efcd8e43c0069a616ff09dfc80426a82861

SHA512
2fe0aa3e2b6dd171f25d792991328737a15905d290a3d32c4fbe6bc452976c6cd88e157b98a032f1348e53d26e4eeae9928d430e700849baa95e9c73207079b3

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\TInst.exe

MD5
67def83aee9714097ae67fa55a757383

SHA1
bede677829357926277f7d4b45de84e22c432a4b

SHA256
57de79e660ba1484f506a8aa90cfdb087aa7db99737d488efc74363c4d78882d

SHA512
bc4cc54cc33c4cb043925aa5b3e5cb090acaa86ce5a0b844982a2569ada69993d6e58c72b029e39d1165b965a10871b82b3bb22a6ddf21c1811f28ad9cb672ac

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\Tinst.exe

MD5
67def83aee9714097ae67fa55a757383

SHA1
bede677829357926277f7d4b45de84e22c432a4b

SHA256
57de79e660ba1484f506a8aa90cfdb087aa7db99737d488efc74363c4d78882d

SHA512
bc4cc54cc33c4cb043925aa5b3e5cb090acaa86ce5a0b844982a2569ada69993d6e58c72b029e39d1165b965a10871b82b3bb22a6ddf21c1811f28ad9cb672ac

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\aowgameex2.dat

MD5
a860fbdb56190eededbb9527abc20e32

SHA1
248c422cce200525f90679f49c1f9a22133a5de5

SHA256
a7f94e7cf4f162bdc89f7a191c3fd8a073a68f156ee43b13942267f62a4436e7

SHA512
776336b8a2d478ce685c346634526959ee11bff8c064f0177445af096641ad2657ccde5a0da571cda98c2a33c9d25c095bdfae4cc2ac7c47d7690216c1a6c1de

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-console-l1-1-0.dll

MD5
11e55839fcb3a53bdfed2a27fb7d5e80

SHA1
e585a1ed88696cd310c12f91ffa27f17f354b4f4

SHA256
f6bdc8ffd172b44f4d169707d9a457aeef619872661229b8629ee4f15eefff0d

SHA512
bec9419e35de03cc145b3c974833f73f1a5082d886de4739351b93bb4cc6c0234efd0e35ad845faba83fa600c4a7d5343eaae949a837d00d5528e6db79438ee4

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-datetime-l1-1-0.dll

MD5
9f3cf9f22836c32d988d7c7e0a977e1b

SHA1
1e7bbd6175bdb04826e60de07aa496493c9b3a3b

SHA256
7d588a5a958e32875d7bd346d1371e6ebfd9d5d2ede47755942badfc9c74e207

SHA512
16c98e6aec67ffe4558c6d3f881301490be5d8a714c1adc6735005613251adb8e1c2cb9b1c0d2504a9a99c61a06b0e30c944ca603fc00fbb18cd20ba1c9bd697

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-debug-l1-1-0.dll

MD5
64978e199a7239d2c911876447a7f05b

SHA1
0048ce6724db08c64441ce6e573676bc8ae94bf9

SHA256
92b947f1d6236f86ed7e105cff19e23c13d1968861426511b775905e1d26b47a

SHA512
9c64211895473ffc7162b56b0b8e732dec54cf03ea9b9b36fe3cc3339c35fc71fc7173d4e146989db399cb1bcb063079378bb6f778f7d2591cd545550038397c

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-errorhandling-l1-1-0.dll

MD5
9d74d89f2679c0c5ddb35a1ef30bd182

SHA1
22eaed07a6e477a4001f9467b5462cf4cc15cc16

SHA256
e207ffc6fef144e5d393e79de75f8f20d223f1ac33a011eeb822d30fa2031046

SHA512
725626e961d32398ea5aa120ac0339deeb493fc02ee7ef4d8e586173fdbf768b5cbb1f16f093ae4ecfee87e661170f8f832777640a353df5d651af4a62a2d819

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-file-l1-1-0.dll

MD5
d826d27c73d9f2420fb39fbe0745c7f0

SHA1
6e68e239f1a58185c7dad0fcfaac9ecfd2e5726c

SHA256
c0e5d482bd93bf71a73c01d0c1ec0722ea3260eba1f4c87e797bae334b5e9870

SHA512
c49843eb10e4e54c66e0e194dbd29ceab9094bdfe745b6a858cb03e34d73a6326f54804e5e5505deacc87146cbdfba17a0f02e62e76c685bce0cd1ff41962ff4

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-file-l1-2-0.dll

MD5
ec4f2cb68dcf7e96516eb284003be8bb

SHA1
fb9237719b5e21b9db176e41bdf125e6e7c01b11

SHA256
3816bbb7dd76d8fc6a7b83a0ed2f61b23dd5fc0843d3308ee077cb725d5c9088

SHA512
6cbda80c476a9fcf46458cac45229c96dc9df251230531e25088e834cd954db9ff4561e744f76495f9c57a4068b7635c72c6f9ff838436c54142297ee310b236

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-file-l1-2-1.dll

MD5
a32230b9bfdb8813e94d095222aafa11

SHA1
04b9d7d2a3f92a0054af2547fb6176385cc9738b

SHA256
7068d2b8aea252294e6b5c3bf3630475d0a91e11877f11a04e8ed1f91196410f

SHA512
6484c7c7fe574d797c74c285353040dfa364b9a9425cbfa4a4c8bba698176656c78e228a33c9eeae39a97caf2ab192f1f02dba472824f8a5757db5f14c76e2b0

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-file-l2-1-0.dll

MD5
b9287eb7bcbfdcec2e8d4198fd266509

SHA1
1375b6ff6121ec140668881f4a0b02f0c517f6c7

SHA256
096409422ecd1894e4d6289fd2d1c7490bd83daff0c1e3d16c36c78bd477b895

SHA512
b86348d3f42d0ff465066a14c281088c73ec5e03efacdaabe27a410b054a8a81b438d7e5d030b0d95f53b07783911b8b8200581d4e0b6f1b3cc79f4aae1d67df

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-handle-l1-1-0.dll

MD5
6a35a52d536e34ba060a19d06b1dac80

SHA1
0494a9cbf898e5babb6e697fc2de04a128d2fc35

SHA256
a369ef130749bf8cd9f67055179e6f537f200c060af47493d49473912a95021e

SHA512
a8aeb58bcf4b314212c2ab5a8fd3c2edeb97e680f774171d4a79390aa23bb62a414aef0ecd5286ffb68b7ed8f6e713ff1892d6d4cc2cbb67de916c6062e762d9

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-heap-l1-1-0.dll

MD5
ee5c2fb7bc23bfd06ff32556cc7c3b4d

SHA1
5d60ebf016219bbec340d353a4fa541fff596d3f

SHA256
efc9f0e32bce971900ddf66a1a9e68daa3bfb2099a1ba9f24c6ee82da2cbd6e8

SHA512
5d1b8a130c27d8eb63ca0c836bdf63e76afb311de26ed4f25b073bda843ebfa25e136849e3882822257e3783058f30af818a96764d60821a40329cff4e1badac

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-interlocked-l1-1-0.dll

MD5
48a5e206d92f3102256ec65e8d570ee0

SHA1
76024fad398dfa4734afce0cc2e5ac117f090ba6

SHA256
a272ae4fc60e511f48950b08f106fcdd3bc86831df908ee78d630f1ae921880c

SHA512
65407da566b571e050c25448be6042e84b0c1c7248422cba00b543af9de425a723b0c7c54c4eb6f534e42b1679a058562d500875ddc4f2b52e6b8e6107b1b575

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-libraryloader-l1-1-0.dll

MD5
e33f52e89dfc376eaf7aa655f260ca76

SHA1
b66e1f934f491544190714966031b6dfd2e349ec

SHA256
0bd03e89a539aaa3100e2f7d9a058964730320e55aee1f85be8fd243eea7017a

SHA512
95cb889599801ba7fa225b633d0fe25fdcc8b495dee5eba05b15a6e53a8a3643b5defe1a881236c40f4fa4365d6775ece067dbb526afdf2015f4d1355c9dfc57

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-localization-l1-2-0.dll

MD5
dbb81fcc74c59490008ee59bffff5a6d

SHA1
edbb465ab3bea3a4df3f05e5a4e816edbe195c3b

SHA256
f33e6ac5d3e1c4f1d89564fb6aeeac170486c073b67694380755049dbc48eec1

SHA512
2847a73e952bd5f2448264e0bfc8dc1dcd37f8b02d6d6f525ef0cb69c8e634fdcc4637876361b22c53244659039ed305c015435834b61eea15015fed45e9c374

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-memory-l1-1-0.dll

MD5
0ee9e0c830a7534dcfc9be72146796f9

SHA1
cecc860b494135482ae693f8e252301073a98578

SHA256
8f3f0fd765a37f48162f0bd00c3047e79b4eda355223bfcbed4d35b51349cfcc

SHA512
47161e02f4478464ab45c1e3bf9d244d34613e0e68ebe48511a9a0c4e7f8ddb0c1dfd59707c6968c5d76d5027cd19ef748d1235bf74b976410ea6672a6a4bcaf

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-namedpipe-l1-1-0.dll

MD5
1557093add722d1c5a97c359bfcd0d77

SHA1
a8ce995f00a12a81a13d3ef47ce0834178ed69a4

SHA256
3a20635a223e68418c22858413e8c603aac25723de1cb0f54dd675349ec3213d

SHA512
b7acd6882b4d36b52f1e49e4b61ddd025de8503f765b72c94ec5a0d85b6ced513c348f7c4898675728c851a2632ad71c78937cdec9dff994b7b27ed2d85cdddd

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-processenvironment-l1-1-0.dll

MD5
2a61e4e21bf255107884b6520af5bbcc

SHA1
884eb1a835bcde4e7fd98134f0be797229f4239a

SHA256
64742ee0729cbe72555247b0165fae03bea7a6b0147869253dae3bb0072173e8

SHA512
d0ca104904352586bbd3da654125b3df9355fe250938a465e8e900d135cec397f1118fdf54829b076df82b8e45fcd7656c2c7aa33ad3c0af5189f7a55e43f498

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-processthreads-l1-1-0.dll

MD5
d5c4b8f7260563f72150a84fe884ee31

SHA1
dae1185359ed25a4974504cd1ceaacde28d4318e

SHA256
02839f3b2bdf6adfc89d2f800cc8acda59a40c3e7ce14ef3026f4c72e202297d

SHA512
09ca23413eecf1df94aa36e53fc6fff0f402f21eda2ef79be6aa087818a5bb82ed98db790a2b5cf4ef91a8f70d8e27f56313bc2054a26872d2cad611c472f0b7

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-processthreads-l1-1-1.dll

MD5
f61b9ecb79cd20fc2e8fce87286cfe43

SHA1
7a48accbe43e156f886f1f2836f74e1043feec59

SHA256
bfa24f94ba095174b82d3657f8ecc689eab8ff380c69b1c9a7e311eb70d66386

SHA512
42ab62087bbc9fc9c9003ae96ebb9e9bbfa3db4eb74bd6746da035d53d1002015d8482ecb92620ec65c42b8b2b41d9b0a7793e105b0cf8cb6f713a2bc03241db

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-profile-l1-1-0.dll

MD5
a472bd416bdc12668523670360650910

SHA1
831d930ef9917e0dccacd8e7f7fd6f3d90082441

SHA256
48dceeea29558966c391cda34e5755386c2e7e252ea0a03d8d1f21e3cb370c5b

SHA512
166134e6c3403f4437e10afb514a55677481d3b03f7cfdf17917a0bb6fa1f387feae58d7dd5dfbc375eae66d24f10c3163ba5958c22beb6978c0b778c2883b6f

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5
525a156e0ff61306fd44bf7937cacfae

SHA1
6a9a88317a55c939c0cb9f77256f5c3f961d0562

SHA256
41c69b545d931045a280f83b2f5fbe0ea18c35ac42dfca54b661b42fe8e4f982

SHA512
c99147eba45e9561b7a2802b0c15a2df2ac886ce95a95f2980f8bf4d1dff92a69b94f11cd17383b577303f24295b1b7e52b8c80ad26c0bb08862c726b9cd8841

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\da12dfb041b409e76d6661e7ad02eb9b\Setup\api-ms-win-core-string-l1-1-0.dll

MD5
e57ec98e69961e45cc7a4e0666d26b7d

SHA1
70462a1d68bf49908fcb7186743a47a1affc5d7d

SHA256
52c9b061c4c74eeb70019edde2b690c7e9d9744979a3b718d6687b3a83f00def

SHA512
4a450bcbce0eb3f98f78af07673227a55cdf8e7840fa892196cbb8d0f90551b32731f70f171644f8097fda97d57caa4b7430023671b19881764613231a20cdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMedia-553.exe

MD5
78b3398cb13acd149db2a5c1c356fbc4

SHA1
f5746e719ff984ab9176250903a674e538665835

SHA256
53580dbf677b57a87a0850e0901a1efd6b64ef712938454462fad12ab2568ed3

SHA512
507c2b129563714a470ee08b9279d50e899e234ba3b2ef52d7874df42756e745ad9afa39c54d61f7aab97f7fb14f2e7570666208363dc6341c96778f2032a166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMedia-553.exe

MD5
78b3398cb13acd149db2a5c1c356fbc4

SHA1
f5746e719ff984ab9176250903a674e538665835

SHA256
53580dbf677b57a87a0850e0901a1efd6b64ef712938454462fad12ab2568ed3

SHA512
507c2b129563714a470ee08b9279d50e899e234ba3b2ef52d7874df42756e745ad9afa39c54d61f7aab97f7fb14f2e7570666208363dc6341c96778f2032a166

Download Submit
C:\Users\Admin\AppData\Local\Temp\syzs03_1000219144.exe

MD5
978f6dedc60783400095644b456890e9

SHA1
6c4436ab56188ac5ba8786cd76f0de15996f6fe8

SHA256
f2d4cc7e40d526ad84229d06e4ffd05d68c22359e6c4b5695087a7d8b735aeab

SHA512
0ce5c41bae0988e8e82f5c1723a907e8de99c951ca93f990ea3bc02d14d3d8ce4616622a6323f7ae41fc29773368488729ee281bee1f95f9d1f0a31034df5e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\syzs03_1000219144.exe

MD5
978f6dedc60783400095644b456890e9

SHA1
6c4436ab56188ac5ba8786cd76f0de15996f6fe8

SHA256
f2d4cc7e40d526ad84229d06e4ffd05d68c22359e6c4b5695087a7d8b735aeab

SHA512
0ce5c41bae0988e8e82f5c1723a907e8de99c951ca93f990ea3bc02d14d3d8ce4616622a6323f7ae41fc29773368488729ee281bee1f95f9d1f0a31034df5e3d

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\Config\SoftInfo.ini

MD5
cd738748e9ab1cf713c9e07e5fbe1dfc

SHA1
d069563efb4b34cd15e2586b6df218f7036e4095

SHA256
bff42cbb497bb24fafc4beb32942d000e6b32c361e5c85903fd199ff91d6c816

SHA512
f0f4f5833c284eda753b575037ec41deaf6dc22ea4517515152ef586bd1467c9d68bfb4fcc523cf305dbdecb79f5fdfe15e52a2812b847f0ef26b3780865fc3f

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\SoftInfoConfig.cfg

MD5
86303559a33932e1a9dbc9c95e0f2a6f

SHA1
7c8c7ef982f6ae627850b961db751c87c266fe53

SHA256
8886067d7f8bb36f1c065fa47423961b425b807f91b0248eaa869983b9841ba2

SHA512
c1e3709315185425536b55e698fc9908ecc6de1f7e0f1c4b18426b4b1b15fd6b9b1877f1f49463c0fc0d0cda5195c407224d8d116768177234d037c141b22990

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\SoftInfoConfig.cfg

MD5
86303559a33932e1a9dbc9c95e0f2a6f

SHA1
7c8c7ef982f6ae627850b961db751c87c266fe53

SHA256
8886067d7f8bb36f1c065fa47423961b425b807f91b0248eaa869983b9841ba2

SHA512
c1e3709315185425536b55e698fc9908ecc6de1f7e0f1c4b18426b4b1b15fd6b9b1877f1f49463c0fc0d0cda5195c407224d8d116768177234d037c141b22990

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\SoftInfoConfig.cfg

MD5
86303559a33932e1a9dbc9c95e0f2a6f

SHA1
7c8c7ef982f6ae627850b961db751c87c266fe53

SHA256
8886067d7f8bb36f1c065fa47423961b425b807f91b0248eaa869983b9841ba2

SHA512
c1e3709315185425536b55e698fc9908ecc6de1f7e0f1c4b18426b4b1b15fd6b9b1877f1f49463c0fc0d0cda5195c407224d8d116768177234d037c141b22990

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\SoftInfoConfig.cfg

MD5
86303559a33932e1a9dbc9c95e0f2a6f

SHA1
7c8c7ef982f6ae627850b961db751c87c266fe53

SHA256
8886067d7f8bb36f1c065fa47423961b425b807f91b0248eaa869983b9841ba2

SHA512
c1e3709315185425536b55e698fc9908ecc6de1f7e0f1c4b18426b4b1b15fd6b9b1877f1f49463c0fc0d0cda5195c407224d8d116768177234d037c141b22990

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll

MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll

MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll

MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll

MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll

MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll

MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\NSISdl.dll

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\NSISdl.dll

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\NSISdl.dll

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\NSISdl.dll

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\NSISdl.dll

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\NSISdl.dll

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\NSISdl.dll

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\System.dll

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\System.dll

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA261.tmp\System.dll

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll

MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
memory/504-142-0x0000000000000000-mapping.dmp

Download
memory/744-197-0x0000000000000000-mapping.dmp

Download
memory/804-250-0x0000000003D50000-0x0000000003E61000-memory.dmp

Filesize
1.1MB

Download
memory/804-246-0x0000000000000000-mapping.dmp

Download
memory/804-252-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/844-125-0x0000000000000000-mapping.dmp

Download
memory/920-195-0x0000000000000000-mapping.dmp

Download
memory/1028-136-0x0000000000000000-mapping.dmp

Download
memory/1052-221-0x0000000000000000-mapping.dmp

Download
memory/1220-198-0x0000000000000000-mapping.dmp

Download
memory/1232-231-0x0000000000000000-mapping.dmp

Download
memory/1232-241-0x0000000002BB0000-0x0000000002CC5000-memory.dmp

Filesize
1.1MB

Download
memory/1248-232-0x0000000000000000-mapping.dmp

Download
memory/1268-193-0x0000000000000000-mapping.dmp

Download
memory/1400-120-0x0000000000000000-mapping.dmp

Download
memory/1648-133-0x0000000000000000-mapping.dmp

Download
memory/2064-251-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/2064-245-0x0000000000000000-mapping.dmp

Download
memory/2064-249-0x0000000003B50000-0x0000000003C61000-memory.dmp

Filesize
1.1MB

Download
memory/2064-269-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2120-191-0x0000000000000000-mapping.dmp

Download
memory/2132-164-0x0000000000000000-mapping.dmp

Download
memory/2188-199-0x0000000000000000-mapping.dmp

Download
memory/2252-227-0x0000000000000000-mapping.dmp

Download
memory/2300-149-0x0000000000000000-mapping.dmp

Download
memory/2332-148-0x0000000000000000-mapping.dmp

Download
memory/2892-130-0x0000000000000000-mapping.dmp

Download
memory/2892-162-0x0000000003150000-0x00000000033D9000-memory.dmp

Filesize
2.5MB

Download
memory/2956-271-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download
memory/2956-272-0x0000000000AA0000-0x000000000137B000-memory.dmp

Filesize
8.9MB

Download
memory/3144-192-0x0000000000000000-mapping.dmp

Download
memory/3176-224-0x0000000002C90000-0x0000000002DA5000-memory.dmp

Filesize
1.1MB

Download
memory/3176-222-0x0000000000000000-mapping.dmp

Download
memory/3720-141-0x0000000000000000-mapping.dmp

Download
memory/3828-196-0x0000000000000000-mapping.dmp

Download
memory/3924-194-0x0000000000000000-mapping.dmp

Download
memory/3928-159-0x0000000000000000-mapping.dmp

Download
memory/3940-219-0x0000000002090000-0x00000000020E7000-memory.dmp

Filesize
348KB

Download
memory/3940-220-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/3940-218-0x0000000000000000-mapping.dmp

Download
memory/3940-255-0x0000000000000000-mapping.dmp

Download
memory/3948-225-0x0000000000780000-0x000000000079A000-memory.dmp

Filesize
104KB

Download
memory/3948-223-0x0000000000000000-mapping.dmp

Download
memory/3948-226-0x00000000007B0000-0x0000000000807000-memory.dmp

Filesize
348KB

Download
memory/4040-152-0x0000000000000000-mapping.dmp

Download
memory/4084-244-0x0000000000000000-mapping.dmp

Download
memory/4120-200-0x0000000000000000-mapping.dmp

Download
memory/4164-236-0x0000000000000000-mapping.dmp

Download
memory/4164-307-0x0000000010000000-0x00000000100E0000-memory.dmp

Filesize
896KB

Download
memory/4168-201-0x0000000000000000-mapping.dmp

Download
memory/4472-202-0x0000000000000000-mapping.dmp

Download
memory/4472-203-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4504-317-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4508-228-0x0000000000000000-mapping.dmp

Download
memory/4508-235-0x0000000002C40000-0x0000000002D55000-memory.dmp

Filesize
1.1MB

Download
memory/4512-256-0x0000000000000000-mapping.dmp

Download
memory/4512-257-0x0000000010000000-0x0000000010158000-memory.dmp

Filesize
1.3MB

Download
memory/4520-318-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/4544-205-0x0000000010000000-0x00000000100E8000-memory.dmp

Filesize
928KB

Download
memory/4544-204-0x0000000000000000-mapping.dmp

Download
memory/4552-229-0x0000000000000000-mapping.dmp

Download
memory/4588-230-0x0000000000000000-mapping.dmp

Download
memory/4596-303-0x0000000036E70000-0x0000000036E80000-memory.dmp

Filesize
64KB

Download
memory/4600-209-0x0000000000000000-mapping.dmp

Download
memory/4644-210-0x0000000000000000-mapping.dmp

Download
memory/4716-316-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/4724-212-0x0000000000000000-mapping.dmp

Download
memory/4776-211-0x0000000000000000-mapping.dmp

Download
memory/4848-213-0x0000000000000000-mapping.dmp

Download
memory/4856-234-0x0000000000000000-mapping.dmp

Download
memory/4856-240-0x00000000007A0000-0x00000000007F7000-memory.dmp

Filesize
348KB

Download
memory/4856-238-0x0000000000680000-0x000000000069A000-memory.dmp

Filesize
104KB

Download
memory/4864-239-0x0000000000000000-mapping.dmp

Download
memory/4864-242-0x0000000000640000-0x000000000065A000-memory.dmp

Filesize
104KB

Download
memory/4868-233-0x0000000000000000-mapping.dmp

Download
memory/4888-215-0x0000000002111000-0x0000000002115000-memory.dmp

Filesize
16KB

Download
memory/4888-214-0x0000000000000000-mapping.dmp

Download
memory/4944-237-0x0000000000000000-mapping.dmp

Download
memory/5116-217-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/5116-216-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5124-305-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/5192-260-0x0000000000000000-mapping.dmp

Download
memory/5216-261-0x0000000000000000-mapping.dmp

Download
memory/5236-302-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/5236-262-0x0000000000000000-mapping.dmp

Download
memory/5264-263-0x0000000000000000-mapping.dmp

Download
memory/5288-312-0x0000000003C30000-0x0000000003D41000-memory.dmp

Filesize
1.1MB

Download
memory/5288-313-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/5288-314-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/5332-267-0x0000000000000000-mapping.dmp

Download
memory/5344-268-0x0000000000000000-mapping.dmp

Download
memory/5368-306-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/5376-270-0x0000000000000000-mapping.dmp

Download
memory/5420-273-0x0000000000000000-mapping.dmp

Download
memory/5508-276-0x0000000000000000-mapping.dmp

Download
memory/5560-277-0x0000000000000000-mapping.dmp

Download
memory/5572-278-0x0000000000000000-mapping.dmp

Download
memory/5664-279-0x0000000000000000-mapping.dmp

Download
memory/5708-283-0x0000000000000000-mapping.dmp

Download
memory/5900-284-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/5984-319-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download