dcrat | 6145b4b0d7c1cd9f2fb4e5af83194c149867abff5808ed7b185077b75dc05166

Analysis

max time kernel
104s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
27-06-2021 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PianoScrap.exe
Size

84KB
MD5

7bca14e2fe5de5d8b6008d5136b3836a
SHA1

dc3fa497624ec58cd1e2f687b8246e817201b4d5
SHA256

6145b4b0d7c1cd9f2fb4e5af83194c149867abff5808ed7b185077b75dc05166
SHA512

1ba56070522c9ec0200e6a35b4365847f176892f82cdb49af650a16f22d385962672acdc248a5cebb21598381c239544db86363e79c88c096638d5075b22ca63

Score

10^/10

dcrat bootkit discovery evasion infostealer persistence rat spyware stealer trojan vmprotect

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

k52zip20210520-220-21.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_32bit\ = "{221A55C1-C316-4b79-A259-0CED2417600D}"	k52zip20210520-220-21.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

pic_soft45181.exeInstall.exeupdate.exeIMedia-553.exeIMediaB.exeIMediaT.exeIMediaDesk.exeIMedia.exesyzs03_1000219144.exeMarket.exeTinst.exeQMEmulatorService.exeAppMarket.exesyzs_dl_svr.execef_frame_render.execef_frame_render.execef_frame_render.execef_frame_render.exeFastpdf_setup_ver21042017.420.1.1.1.exeleishenzip_247915520_tiangua_001.exeFlashZip_2710.exeSZipMd5Tool.exefpprotect.exek52zip20210520-220-21.exeOfficeDownloaderInstall_0_100016_lanshan.exe

pid	process
204	pic_soft45181.exe
768	Install.exe
2188	update.exe
976	IMedia-553.exe
2208	IMediaB.exe
820	IMediaT.exe
3028	IMediaDesk.exe
3588	IMedia.exe
2224	syzs03_1000219144.exe
2028	Market.exe
2112	Tinst.exe
3932	QMEmulatorService.exe
4044	AppMarket.exe
3720	syzs_dl_svr.exe
1584	cef_frame_render.exe
3252	cef_frame_render.exe
3228	cef_frame_render.exe
4348	cef_frame_render.exe
4500	Fastpdf_setup_ver21042017.420.1.1.1.exe
4568	leishenzip_247915520_tiangua_001.exe
4628	FlashZip_2710.exe
4688	SZipMd5Tool.exe
4788	fpprotect.exe
4840	k52zip20210520-220-21.exe
4904	OfficeDownloaderInstall_0_100016_lanshan.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1124-286-0x00000000003D0000-0x0000000000CB1000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cef_frame_render.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	cef_frame_render.exe

Loads dropped DLL 64 IoCs

Processes:

PianoScrap.exeInstall.exesyzs03_1000219144.exerundll32.exerundll32.exeQMEmulatorService.exeAppMarket.execef_frame_render.exe

pid	process
644	PianoScrap.exe
644	PianoScrap.exe
644	PianoScrap.exe
644	PianoScrap.exe
644	PianoScrap.exe
644	PianoScrap.exe
768	Install.exe
768	Install.exe
768	Install.exe
644	PianoScrap.exe
644	PianoScrap.exe
644	PianoScrap.exe
644	PianoScrap.exe
644	PianoScrap.exe
644	PianoScrap.exe
2224	syzs03_1000219144.exe
1272	rundll32.exe
2112	rundll32.exe
3092
3092
3932	QMEmulatorService.exe
3932	QMEmulatorService.exe
3932	QMEmulatorService.exe
3932	QMEmulatorService.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
4044	AppMarket.exe
1584	cef_frame_render.exe
1584	cef_frame_render.exe
1584	cef_frame_render.exe
1584	cef_frame_render.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

IMedia-553.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA IMedia-553.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IMedia-553.exe

Drops Chrome extension 1 IoCs

Processes:

update.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dknlfmhongfkfakmhhnmgfgnhhcbmldm\3.6.21_0\manifest.json	update.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

syzs03_1000219144.exeQMEmulatorService.exeAppMarket.exeleishenzip_247915520_tiangua_001.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	syzs03_1000219144.exe
File opened for modification	\??\PhysicalDrive0	QMEmulatorService.exe
File opened for modification	\??\PhysicalDrive0	AppMarket.exe
File opened for modification	\??\PhysicalDrive0	leishenzip_247915520_tiangua_001.exe

Drops file in System32 directory 2 IoCs

Processes:

QMEmulatorService.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QMEmulatorService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QMEmulatorService.exe

Drops file in Program Files directory 64 IoCs

Processes:

Tinst.exeFastpdf_setup_ver21042017.420.1.1.1.exesyzs_dl_svr.exe

description	ioc	process
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\intro_pic01.d360b15.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\static\media\Prompt.923b79b8.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\module\reactVendors.c0b644f7.js	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\api-ms-win-crt-conio-l1-1-0.dll	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\normal\30.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\window\small_tab\game_hover.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\module\page-test.19145448.js	Tinst.exe
File opened for modification	C:\Program Files (x86)\fastpdf\res\uninstall\59.png	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\normal\11.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\module\reactVendors.65643bbf.js	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\RenderService.dll	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\24.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\GameDownload.exe	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\ucrtbase.dll	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\api-ms-win-crt-stdio-l1-1-0.dll	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\Logon\Checkbox_Sel_hover.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\normal\38.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\TGVoiceBuddy\I18N\config-zh_CN.xml	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\static\media\about-logo-oversea.c2d6b12a.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\I18N\1042\StringBundle.xml	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\RadioButton\radiobutton_checkedNormalTexture.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\normal\6.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\module\lib-halo-util.bc1a720c.js	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\static\media\pictureQuality.4338715c.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\wangze.1cda17f.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\uires\window\close_hover.png	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\translations\qt_da.qm	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\I18N\1033\GFStringBundle.xml	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\normal\78.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\icudtl.dat	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\kdumprep.exe	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\gamemigrate\icon.png	Tinst.exe
File created	C:\Program Files (x86)\fastpdf\fphelper.exe	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\uires\window\logo.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\module\common.5076be6a.js	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\hardwarecheck\transition4.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\img\logo.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\natives_blob.bin	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\normal\20.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\normal\62.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\TGVoiceBuddy\I18N\config-vi.xml	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\Menu\menuItemEx_arrowTexture.bmp	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\Menu\menuItemEx_delTexture.bmp	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\RemoteControl\connected_bkg.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\normal\48.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\webctrl\loading\17.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Theme.xml	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\locale\vi.pak	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\module\i18n-zh_CN.6d2c634c.js	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\button\menu_hover.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\hardwarecheck\button\unfold_down.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\0.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\icon_tips_warm.31717cf.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\live.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\voice.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\xPlatform.dll	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\34.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\hover\5.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\tvoice_entry\oversea\normal\8.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\webapp\images\icon_queto.7bdf372.png	Tinst.exe
File created	\??\c:\program files\txgameassistant\appmarket\pages\syzsweb\module\lib-waterbear.39010de7.js	Tinst.exe
File opened for modification	C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.log	syzs_dl_svr.exe
File created	C:\Program Files (x86)\fastpdf\translations\qt_he.qm	Fastpdf_setup_ver21042017.420.1.1.1.exe
File created	\??\c:\program files\txgameassistant\appmarket\AppMarket\Res\Logon\default_face.png	Tinst.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4676 4656 WerFault.exe ThorReport.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1008 schtasks.exe

pid	pid_target	process	target process
4676	4656	WerFault.exe	ThorReport.exe

pid	process
1008	schtasks.exe

Modifies registry class 64 IoCs

Processes:

rundll32.exesyzs03_1000219144.exek52zip20210520-220-21.exeFastpdf_setup_ver21042017.420.1.1.1.exeTinst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69E78CAF-C120-4D42-B44D-8BF12EFF4E45}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\syzs.apk\Shell\Open\Command	syzs03_1000219144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ fastpdf_64bit\ = "{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\ print\command	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\ kother_to_pdf	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tiff\Shell\ kother_to_pdf\ = "转换为PDF格式"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xlsx\Shell	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E808D11-17BE-4704-AAFD-99739E17EE21}\InprocServer32	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\Software\Classes\syzs.apk\Shell\Open\Command	syzs03_1000219144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Fastpdf_setup_ver21042017.420.1.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.bmp\Shell\ kother_to_pdf\command\ = "\"C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe\" /from:14 /type:24 /kpath:\"%1\""	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dwg\Shell\ kother_to_pdf\command\ = "\"C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe\" /from:14 /type:41 /kpath:\"%1\""	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dxf\Shell\ kother_to_pdf\command	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\ qimage_extract_text	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\ qimage_extract_text\ = "图片文字提取"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E808D11-17BE-4704-AAFD-99739E17EE21}\InprocServer32\ = "C:\\Program Files (x86)\\fastpdf\\kofficeaddin.dll"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TencentMobileGameAssistant\DefaultIcon\DefaultIcon = "C:\\Program Files\\TxGameAssistant\\AppMarket\\AppMarket.exe,1"	Tinst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\syzs.apk\DefalutIcon\ = "C:\\Program Files\\TxGameAssistant\\AppMarket\\apk.ico"	syzs03_1000219144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\syzs.apk\Shell\Open	syzs03_1000219144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387A0E1A-EB04-49D6-ADE2-A6C57F6D2736}\Implemented Categories\	Fastpdf_setup_ver21042017.420.1.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{221A55C1-C316-4b79-A259-0CED2417600D}\ProgID\ = "Fastpdfmenu.CPdfmenushell.1"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{221A55C1-C316-4b79-A259-0CED2417600D}\VersionIndependentProgID	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pdf\Shell\ print\command	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\ print\ = "打印(&P)"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tiff\Shell\ kother_to_pdf\command	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.doc\Shell\ kother_to_pdf\Icon = "C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe,0"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xls\Shell	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pptx\Shell\ kother_to_pdf\command\ = "\"C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe\" /from:14 /type:23 /kpath:\"%1\""	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E808D11-17BE-4704-AAFD-99739E17EE21}\ = "Kingsoft Internet Security Office Addin"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\ print\Icon = "C:\\Program Files (x86)\\fastpdf\\fastpdf.exe,0"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ppt	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\ qimage_extract_text\command	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\ qimage_extract_text\command	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E808D11-17BE-4704-AAFD-99739E17EE21}\ProgID\ = "KisOfficeAddin.Component.1"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69E78CAF-C120-4D42-B44D-8BF12EFF4E45}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pdf	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\ kother_to_pdf\ = "转换为PDF格式"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tif\Shell\ kother_to_pdf	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ppt\Shell\ kother_to_pdf\ = "转换为PDF格式"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\ qimage_extract_text\Icon = "C:\\Program Files (x86)\\fastpdf\\fastpdf.exe,0"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\ qimage_extract_text\Icon = "C:\\Program Files (x86)\\fastpdf\\fastpdf.exe,0"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\ qimage_extract_text\command\ = "\"C:\\Program Files (x86)\\fastpdf\\fastpdf.exe\" /ocr:1 /from:50 /filepath:\"%1\""	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TencentMobileGameAssistant	Tinst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\syzs.apk\Shell	syzs03_1000219144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx\Shell\ kother_to_pdf\command	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xls\Shell\ kother_to_pdf\command\ = "\"C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe\" /from:14 /type:22 /kpath:\"%1\""	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\syzs.apk	syzs03_1000219144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{221A55C1-C316-4b79-A259-0CED2417600D}\InprocServer32\ = "C:\\Program Files (x86)\\fastpdf\\kpdfmenu.dll"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pdf\Shell\ print\Icon = "C:\\Program Files (x86)\\fastpdf\\fastpdf.exe,0"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\ print\Icon = "C:\\Program Files (x86)\\fastpdf\\fastpdf.exe,0"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.doc\Shell\ kother_to_pdf\command	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xls\Shell\ kother_to_pdf\Icon = "C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe,0"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pptx\Shell	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pptx\Shell\ kother_to_pdf\Icon = "C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe,0"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ fastpdf_32bit\ = "{221A55C1-C316-4b79-A259-0CED2417600D}"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.bmp\Shell\ kother_to_pdf\Icon = "C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe,0"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\ kother_to_pdf\Icon = "C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe,0"	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tiff\Shell\ kother_to_pdf\Icon = "C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe,0"	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.doc\Shell	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\ qimage_extract_text\command\ = "\"C:\\Program Files (x86)\\fastpdf\\fastpdf.exe\" /ocr:1 /from:50 /filepath:\"%1\""	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{221A55C1-C316-4b79-A259-0CED2417600D}\InprocServer32	k52zip20210520-220-21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\ kother_to_pdf\command\ = "\"C:\\Program Files (x86)\\fastpdf\\pdfconverter.exe\" /from:14 /type:24 /kpath:\"%1\""	k52zip20210520-220-21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xls	k52zip20210520-220-21.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cef_frame_render.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cef_frame_render.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	cef_frame_render.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cef_frame_render.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Install.exeupdate.exe

pid	process
768	Install.exe
768	Install.exe
768	Install.exe
768	Install.exe
768	Install.exe
768	Install.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe
2188	update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeupdate.exe

description	pid	process
Token: SeDebugPrivilege	768	Install.exe
Token: SeDebugPrivilege	768	Install.exe
Token: SeDebugPrivilege	768	Install.exe
Token: SeDebugPrivilege	768	Install.exe
Token: SeTcbPrivilege	768	Install.exe
Token: SeTcbPrivilege	768	Install.exe
Token: SeDebugPrivilege	768	Install.exe
Token: SeDebugPrivilege	768	Install.exe
Token: SeDebugPrivilege	768	Install.exe
Token: SeDebugPrivilege	768	Install.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeTcbPrivilege	2188	update.exe
Token: SeTcbPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe
Token: SeDebugPrivilege	2188	update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AppMarket.exe

pid process

4044 AppMarket.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AppMarket.exe

pid process

4044 AppMarket.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

IMedia-553.exeIMediaB.exeIMedia.exerundll32.exe

pid process

976 IMedia-553.exe
976 IMedia-553.exe
976 IMedia-553.exe
2208 IMediaB.exe
2208 IMediaB.exe
3588 IMedia.exe
2112 rundll32.exe

pid	process
4044	AppMarket.exe

pid	process
4044	AppMarket.exe

pid	process
976	IMedia-553.exe
976	IMedia-553.exe
976	IMedia-553.exe
2208	IMediaB.exe
2208	IMediaB.exe
3588	IMedia.exe
2112	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PianoScrap.exepic_soft45181.exeInstall.exeIMedia-553.exeIMediaT.exeIMediaDesk.exerundll32.exesyzs03_1000219144.exeTinst.exe

description	pid	process	target process
PID 644 wrote to memory of 204	644	PianoScrap.exe	pic_soft45181.exe
PID 644 wrote to memory of 204	644	PianoScrap.exe	pic_soft45181.exe
PID 644 wrote to memory of 204	644	PianoScrap.exe	pic_soft45181.exe
PID 204 wrote to memory of 768	204	pic_soft45181.exe	Install.exe
PID 204 wrote to memory of 768	204	pic_soft45181.exe	Install.exe
PID 204 wrote to memory of 768	204	pic_soft45181.exe	Install.exe
PID 768 wrote to memory of 2188	768	Install.exe	update.exe
PID 768 wrote to memory of 2188	768	Install.exe	update.exe
PID 768 wrote to memory of 2188	768	Install.exe	update.exe
PID 644 wrote to memory of 976	644	PianoScrap.exe	IMedia-553.exe
PID 644 wrote to memory of 976	644	PianoScrap.exe	IMedia-553.exe
PID 644 wrote to memory of 976	644	PianoScrap.exe	IMedia-553.exe
PID 976 wrote to memory of 2208	976	IMedia-553.exe	IMediaB.exe
PID 976 wrote to memory of 2208	976	IMedia-553.exe	IMediaB.exe
PID 976 wrote to memory of 2208	976	IMedia-553.exe	IMediaB.exe
PID 976 wrote to memory of 820	976	IMedia-553.exe	IMediaT.exe
PID 976 wrote to memory of 820	976	IMedia-553.exe	IMediaT.exe
PID 976 wrote to memory of 820	976	IMedia-553.exe	IMediaT.exe
PID 976 wrote to memory of 3028	976	IMedia-553.exe	IMediaDesk.exe
PID 976 wrote to memory of 3028	976	IMedia-553.exe	IMediaDesk.exe
PID 976 wrote to memory of 3028	976	IMedia-553.exe	IMediaDesk.exe
PID 820 wrote to memory of 3620	820	IMediaT.exe	schtasks.exe
PID 820 wrote to memory of 3620	820	IMediaT.exe	schtasks.exe
PID 820 wrote to memory of 3620	820	IMediaT.exe	schtasks.exe
PID 976 wrote to memory of 3588	976	IMedia-553.exe	IMedia.exe
PID 976 wrote to memory of 3588	976	IMedia-553.exe	IMedia.exe
PID 976 wrote to memory of 3588	976	IMedia-553.exe	IMedia.exe
PID 644 wrote to memory of 2224	644	PianoScrap.exe	syzs03_1000219144.exe
PID 644 wrote to memory of 2224	644	PianoScrap.exe	syzs03_1000219144.exe
PID 644 wrote to memory of 2224	644	PianoScrap.exe	syzs03_1000219144.exe
PID 3028 wrote to memory of 1272	3028	IMediaDesk.exe	rundll32.exe
PID 3028 wrote to memory of 1272	3028	IMediaDesk.exe	rundll32.exe
PID 3028 wrote to memory of 1272	3028	IMediaDesk.exe	rundll32.exe
PID 820 wrote to memory of 1008	820	IMediaT.exe	schtasks.exe
PID 820 wrote to memory of 1008	820	IMediaT.exe	schtasks.exe
PID 820 wrote to memory of 1008	820	IMediaT.exe	schtasks.exe
PID 1272 wrote to memory of 2112	1272	rundll32.exe	rundll32.exe
PID 1272 wrote to memory of 2112	1272	rundll32.exe	rundll32.exe
PID 2224 wrote to memory of 2028	2224	syzs03_1000219144.exe	Market.exe
PID 2224 wrote to memory of 2028	2224	syzs03_1000219144.exe	Market.exe
PID 2224 wrote to memory of 2028	2224	syzs03_1000219144.exe	Market.exe
PID 2224 wrote to memory of 2112	2224	syzs03_1000219144.exe	Tinst.exe
PID 2224 wrote to memory of 2112	2224	syzs03_1000219144.exe	Tinst.exe
PID 2224 wrote to memory of 2112	2224	syzs03_1000219144.exe	Tinst.exe
PID 2112 wrote to memory of 2176	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 2176	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 2176	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3988	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3988	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3988	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 864	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 864	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 864	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3240	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3240	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3240	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 296	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 296	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 296	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3452	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3452	2112	Tinst.exe	Netsh.exe
PID 2112 wrote to memory of 3452	2112	Tinst.exe	Netsh.exe
PID 2224 wrote to memory of 4044	2224	syzs03_1000219144.exe	AppMarket.exe
PID 2224 wrote to memory of 4044	2224	syzs03_1000219144.exe	AppMarket.exe

C:\Users\Admin\AppData\Local\Temp\PianoScrap.exe
"C:\Users\Admin\AppData\Local\Temp\PianoScrap.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Mtkantu\update.exe
C:\Users\Admin\AppData\Local\Mtkantu\update.exe
4⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Users\Admin\AppData\Local\Temp\IMedia-553.exe
"C:\Users\Admin\AppData\Local\Temp\IMedia-553.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Program Files (x86)\IMedia\IMediaB.exe
"C:\Program Files (x86)\IMedia\IMediaB.exe" install
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Program Files (x86)\IMedia\IMediaT.exe
"C:\Program Files (x86)\IMedia\IMediaT.exe" install
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /TN _Newdd_ddddfgd_sdfqefjkjkjkj_IMedia_e3df_TEE /f
4⤵
PID:3620

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc ONLOGON /tn _Newdd_ddddfgd_sdfqefjkjkjkj_IMedia_e3df_TEE /tr "\"C:\Program Files (x86)\IMedia\IMediaB.exe\" taskactive" /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:1008

C:\Program Files (x86)\IMedia\IMediaDesk.exe
"C:\Program Files (x86)\IMedia\IMediaDesk.exe" install
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s "C:\Program Files (x86)\IMedia\IMedia64.dll" DllGetClassObjectEx
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s "C:\Program Files (x86)\IMedia\IMedia64.dll" DllGetClassObjectEx
5⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Program Files (x86)\IMedia\IMedia.exe
"C:\Program Files (x86)\IMedia\IMedia.exe" install
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Users\Admin\AppData\Local\Temp\syzs03_1000219144.exe
"C:\Users\Admin\AppData\Local\Temp\syzs03_1000219144.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224

C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Market.exe
"C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Market.exe"
3⤵
- Executes dropped EXE
PID:2028

C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\Tinst.exe
"C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\Tinst.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="AppMarket" dir=in program="c:\program files\txgameassistant\appmarket\AppMarket.exe" action=allow
4⤵
PID:2176

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="TInst" dir=in program="c:\program files\txgameassistant\appmarket\TInst.exe" action=allow
4⤵
PID:3988

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="bugreport" dir=in program="c:\program files\txgameassistant\appmarket\bugreport.exe" action=allow
4⤵
PID:864

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="QQExternal" dir=in program="c:\program files\txgameassistant\appmarket\QQExternal.exe" action=allow
4⤵
PID:3240

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="GameDownload" dir=in program="c:\program files\txgameassistant\appmarket\GameDownload.exe" action=allow
4⤵
PID:296

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="TUpdate" dir=in program="c:\program files\txgameassistant\appmarket\GF186\TUpdate.exe" action=allow
4⤵
PID:3452

C:\Program Files\TxGameAssistant\AppMarket\AppMarket.exe
"C:\Program Files\TxGameAssistant\AppMarket\AppMarket.exe" -from TGBDownloader
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4044

C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.exe
"C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.exe" --conf-path="C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.cfg" --daemon --log="C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.log"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3720

C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
"C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=gpu-process --field-trial-handle=2436,8307116009778811807,9599027874831567486,131072 --disable-features=OutOfBlinkCors --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.10.1708.80" --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAgAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=7753079695411510147 --mojo-platform-channel-handle=2444 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584

C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
"C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=utility --field-trial-handle=2436,8307116009778811807,9599027874831567486,131072 --disable-features=OutOfBlinkCors --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.10.1708.80" --lang=en-US --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=16989262538948898650 --mojo-platform-channel-handle=2956 /prefetch:8
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3252

C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
"C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=renderer --no-sandbox --force-device-scale-factor=1.00 --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --field-trial-handle=2436,8307116009778811807,9599027874831567486,131072 --disable-features=OutOfBlinkCors --lang=en-US --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.10.1708.80" --disable-pdf-extension=1 --ppapi-flash-path="PepperFlash\pepflashplayer.dll" --ppapi-flash-version=18.0.0.209 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=7902515587783230137 --renderer-client-id=4 --mojo-platform-channel-handle=3224 /prefetch:1
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:3228

C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
"C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=gpu-process --field-trial-handle=2436,8307116009778811807,9599027874831567486,131072 --disable-features=OutOfBlinkCors --disable-gpu-sandbox --use-gl=disabled --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.10.1708.80" --lang=en-US --gpu-preferences=KAAAAAAAAADoAAAgAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=17412538878081941302 --mojo-platform-channel-handle=3636 /prefetch:2
4⤵
- Executes dropped EXE
PID:4348

C:\Users\Admin\AppData\Local\Temp\Fastpdf_setup_ver21042017.420.1.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\Fastpdf_setup_ver21042017.420.1.1.1.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
PID:4500

C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe
"C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe" /ext:1
3⤵
PID:5084

C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
"C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe" /action:install
4⤵
PID:1012

C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe
"C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe" /ext:1
3⤵
PID:4196

C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
"C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe" /action:install
4⤵
PID:4476

C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe
"C:\Program Files (x86)\fastpdf\fastpdf_ext_process64.exe" /ext:1
3⤵
PID:2148

C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
"C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe" /action:install
4⤵
PID:344

C:\Program Files (x86)\fastpdf\fastpdf.exe
"C:\Program Files (x86)\fastpdf\fastpdf.exe" -refreshdesktop=1
3⤵
PID:4912

C:\Windows\system32\ie4uinit.exe
"C:\Windows\system32\ie4uinit.exe" -show
4⤵
PID:3732

C:\Program Files (x86)\fastpdf\fastpdf.exe
"C:\Program Files (x86)\fastpdf\fastpdf.exe" -associate=1
3⤵
PID:4944

C:\Windows\system32\ie4uinit.exe
"C:\Windows\system32\ie4uinit.exe" -show
4⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\leishenzip_247915520_tiangua_001.exe
"C:\Users\Admin\AppData\Local\Temp\leishenzip_247915520_tiangua_001.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4568

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\雷神压缩\ThorShell64.dll
3⤵
PID:2304

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\雷神压缩\ThorHelp64.dll
3⤵
PID:4356

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\雷神压缩\ThorService.dll
3⤵
PID:868

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\雷神压缩\ThorShell64.dll
3⤵
PID:4552

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Roaming\雷神压缩\ThorShell64.dll
4⤵
PID:4300

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\雷神压缩\ThorHelp64.dll
3⤵
PID:3624

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Roaming\雷神压缩\ThorHelp64.dll
4⤵
PID:4764

C:\Users\Admin\AppData\Roaming\雷神压缩\ThorFileManager.exe
"C:\Users\Admin\AppData\Roaming\雷神压缩\ThorFileManager.exe" --register_application
3⤵
PID:4620

C:\Users\Admin\AppData\Roaming\雷神压缩\ThorReport.exe
"C:\Users\Admin\AppData\Roaming\雷神压缩\ThorReport.exe"
3⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 376
4⤵
- Program crash
PID:4676

C:\Users\Admin\AppData\Local\Temp\FlashZip_2710.exe
"C:\Users\Admin\AppData\Local\Temp\FlashZip_2710.exe" -8122a41aa4ae
2⤵
- Executes dropped EXE
PID:4628

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCWNYmzoMeWFUU0CM2Dtga35YuzOEd3hN6CIB20FaUT10MxhIaCtAGtPOMDxEPyeMSm2ET0QMbW2FqhSNiGtFdl6IoCU0j1HZsj4ZsmYNu2YI25oZFmfYXybYnmgMH9ZUXGJlPhUbemG9CT8YJ3JJ7h3caCk5NlZeLG9Uu=y -2596b1ef9f0a=27
3⤵
- Executes dropped EXE
PID:4688

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\ShiningZip\ZipCnu64.dll"
4⤵
PID:4152

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\ShiningZip\ZipCnu64.dll"
5⤵
PID:2456

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNgm1oYejFcU4CZ2Dthaj5ZujOZdmhN6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Aq=S -2596b1ef9f0a=27
4⤵
PID:4600

C:\Users\Admin\AppData\Local\ShiningZip\SZipTray.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipTray.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNMmyoOeTFNUkCO2WtUay5MuGOEdyhN6yIA2tFNUG1YMyhOaTtEG0PYM2xIP3eMSD2NTjQPbX2sqiSaiWtQdi6OojUEj2HNsy4wsiYdujYE2ioOFjfEXsbInngVHyZbXCJIP6UIemGhC08dJHJA763Layk9NkZbLC95uiyabWx5Hn5aRHCVDvZaT2FVnqpasSF5Gjnbyit9kGPbaG9FRzdatFLpopycWCS9I0TcZ2Vtgf9Y0mGpsynakiWIHszIJmO1vkNNgSpI46vIgjYY11TZdjqd5ihNkGTMSyjY0znMzyZM3GzITybNT2QUiw6N1jyciwUNWmPRrmEYv2mUP29MfGLFxlkZnjnAyzgI6imwCiDYh2U9QufZnmjlXndI2jypS79IAmYxDhTb8mXQWi7OkjdEWshI4mGlLuHdoGXVmyRdzCHIg6PMzSHwiiZctGrFpyMYpWD03i8OyirJETaa5GFFsuKWFm1lCwMITi1wEiiZuGTxksob3WjFXp6bPi4IX6NIaljJZ1AbDkB1ihmapWS4MiLfaXl04=v -2596b1ef9f0a=27
5⤵
PID:4940

C:\Users\Admin\AppData\Local\ShiningZip\SZipTray.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipTray.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNMmyoOeTFNUkCO2WtUay5MuGOEdyhN6yIA2tFNUG1YMyhOaTtEG0PYM2xIP3eMSD2NTjQPbX2sqiSaiWtQdi6OojUEj3HNsi4wsiYdujYE2ioOFjfIXsbInngVHyZbXCJIP6UIemGhC08dJHJA763Layk9NkZbLC95uiyabWx5Hn5aRHCVDvZaT2FVnqpasSF5Gjnbyit9kkPLa29lRtdZt3LMovycW3SlI5TbZmVcgu9c0GG5snnIkiWwHizbJWOQv1NIgjpo4ivMgjYl1lTMdTqd5hhYkjTASyjY0znAzwZM32zUT1bMTmQQi56M1myYi5UNWWPMr3EMvWmVPl9NfjLhxlkYn2nMyigL6CmJCjDbh2U5QmfanWjcXidO2nysSi9bAGYFDuTZ8CXIW67MkSdwWiha4WG5L0HZoXXJm0RIzjHogxPLzCHJiwZYtXrJphMbpSDI368IyirIEsaI5mFRssKbFG11ChMaTW14EiiOuiTJksoa3WjJXm6dPW45XfNda2jVZpAeDWBEiimfpXS0M=L -2596b1ef9f0a=27
5⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\OfficeDownloaderInstall_0_100016_lanshan.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeDownloaderInstall_0_100016_lanshan.exe"
2⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic bios get SerialNumber
3⤵
PID:4936

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic bios get SerialNumber
3⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\Setup_10011.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_10011.exe"
2⤵
PID:5000

C:\Windows\SysWOW64\sc.exe
sc create LnockRarsly binpath= "C:\Users\Admin\AppData\Local\LnockRarsly\LnockRarsly.exe" DisplayName= "LnockRarsly Service" start= auto
3⤵
PID:4104

C:\Windows\SysWOW64\SC.exe
SC start LnockRarsly
3⤵
PID:420

C:\Windows\SysWOW64\sc.exe
sc description LnockRarsly ""
3⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\k52zip20210520-220-21.exe
C:\Users\Admin\AppData\Local\Temp\k52zip20210520-220-21.exe
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Modifies registry class
PID:4840

C:\Program Files (x86)\k52zip\kzip_casual64.exe
"C:\Program Files (x86)\k52zip\kzip_casual64.exe" --worker=kzip_ext --register
3⤵
PID:4148

C:\Program Files (x86)\k52zip\kzip_main.exe
"C:\Program Files (x86)\k52zip\kzip_main.exe" -action:assext
3⤵
PID:4360

C:\Program Files (x86)\k52zip\krecommend.exe
"C:\Program Files (x86)\k52zip\krecommend.exe" /product:11 /type:1 /sence:1
3⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
2⤵
PID:4864

C:\Program Files\TxGameAssistant\AppMarket\QMEmulatorService.exe
"C:\Program Files\TxGameAssistant\AppMarket\QMEmulatorService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:3932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x248
1⤵
PID:4424

C:\Program Files (x86)\fastpdf\fpprotect.exe
"C:\Program Files (x86)\fastpdf\fpprotect.exe"
1⤵
- Executes dropped EXE
PID:4788

C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
"C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe" -action:check_plugin_register
2⤵
PID:4840

C:\Users\Admin\AppData\Local\ShiningZip\SZipService.exe
C:\Users\Admin\AppData\Local\ShiningZip\SZipService.exe -3ba07688d9f4
1⤵
PID:2524

C:\Users\Admin\AppData\Local\ShiningZip\SZipUpdate.exe
C:\Users\Admin\AppData\Local\ShiningZip\SZipUpdate.exe -e61475c863c7=27 -c9c0eef9ccd6=LCTNNmioOeDFZUkCN2jtga55YuWOJdlhM6SIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Qq=S -2596b1ef9f0a=27
2⤵
PID:4892

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe -e61475c863c7=27 -c9c0eef9ccd6=LCTNEm2oNeDFFUiCN22tMa25ZuTOldjhZ6SIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Qq=S -2596b1ef9f0a=27
2⤵
PID:5008

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNgm1oYejFcU4CZ2Dthaj5ZujOZdmhN6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Qq=S -2596b1ef9f0a=27
3⤵
PID:764

\??\c:\windows\syswow64\svchost.exe
c:\windows\syswow64\svchost.exe -k szpsrvrgroup -s szpsrvr
1⤵
PID:4872

C:\Users\Admin\AppData\Local\LnockRarsly\LnockRarsly.exe
C:\Users\Admin\AppData\Local\LnockRarsly\LnockRarsly.exe
1⤵
PID:1124

C:\Program Files (x86)\k52zip\kzipservice.exe
"C:\Program Files (x86)\k52zip\kzipservice.exe"
1⤵
PID:1540

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k thorzip_updatesvc
1⤵
PID:2996

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k thorzip_updatesvc
1⤵
PID:4212

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNRmjoOeDFIU5CO2Dtdam5NuGOQd0hM6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2IqgS -2596b1ef9f0a=27
1⤵
PID:4972

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNEm2oNeDFFUiCN22tMa25ZuTOldjhZ6SIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Iq=S -2596b1ef9f0a=27
1⤵
PID:4960

C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe
"C:\Users\Admin\AppData\Local\ShiningZip\SZipMd5Tool.exe" -e61475c863c7=27 -c9c0eef9ccd6=LCTNgm1oYejFcU4CZ2Dthaj5ZujOZdmhN6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Iq=S -2596b1ef9f0a=27
2⤵
PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Bootkit

T1067

Change Default File Association

T1042

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IMedia\IMedia.exe
MD5
903c1b83b7b9106440dda28aa3698a6a

SHA1
625b83e7f3f784e024685b1b61846e633a40425d

SHA256
eba964b6534b490cd29bef1bdba67cfd748bbfdf32b8aa81fb68f2fda2d498b4

SHA512
d9fe1fbdd39d22d064661b698c0d896186637765a6e005788f7508f57e2ee38d488e5eccd56450be7d3ec95d5b955de9aa6ba03b41b542b2b118835be508c0c2

Download Submit
C:\Program Files (x86)\IMedia\IMedia.exe
MD5
903c1b83b7b9106440dda28aa3698a6a

SHA1
625b83e7f3f784e024685b1b61846e633a40425d

SHA256
eba964b6534b490cd29bef1bdba67cfd748bbfdf32b8aa81fb68f2fda2d498b4

SHA512
d9fe1fbdd39d22d064661b698c0d896186637765a6e005788f7508f57e2ee38d488e5eccd56450be7d3ec95d5b955de9aa6ba03b41b542b2b118835be508c0c2

Download Submit
C:\Program Files (x86)\IMedia\IMedia64.dll
MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
C:\Program Files (x86)\IMedia\IMediaB.exe
MD5
1c1a7e640e4c5bc026f4d4be3e027160

SHA1
e597a0bbb3509755ed4734d7bb690811ef83cee1

SHA256
e25c758f34ee0ddae57f999f4fb8aae8dba138554978a803c3abaff5f014e44b

SHA512
76fbf0dbe42521e0a2cdcc283073fecf47efec3350b88267900fac65a09ac30854f74c9837960594a6d0bebf73460e7c9fc090f2db99c3f4103d318f5eb6eedb

Download Submit
C:\Program Files (x86)\IMedia\IMediaB.exe
MD5
1c1a7e640e4c5bc026f4d4be3e027160

SHA1
e597a0bbb3509755ed4734d7bb690811ef83cee1

SHA256
e25c758f34ee0ddae57f999f4fb8aae8dba138554978a803c3abaff5f014e44b

SHA512
76fbf0dbe42521e0a2cdcc283073fecf47efec3350b88267900fac65a09ac30854f74c9837960594a6d0bebf73460e7c9fc090f2db99c3f4103d318f5eb6eedb

Download Submit
C:\Program Files (x86)\IMedia\IMediaDesk.exe
MD5
dde40d98050d34f343fe04d899c3be81

SHA1
05a3d59b179cf41ae25bc9d0d00db9ac3715a097

SHA256
449a1f593cb542a546a393d2d12eec23fc9b5a84462edb9c0ad1f4f943e1431f

SHA512
542b708eab706734eccbc581ee7636354d6aa1d3b202d709832d998c53cce543b591922638af0109a4afbbe1f01e2789690f7ba802f2ef724dde85bb1bf98fbe

Download Submit
C:\Program Files (x86)\IMedia\IMediaDesk.exe
MD5
dde40d98050d34f343fe04d899c3be81

SHA1
05a3d59b179cf41ae25bc9d0d00db9ac3715a097

SHA256
449a1f593cb542a546a393d2d12eec23fc9b5a84462edb9c0ad1f4f943e1431f

SHA512
542b708eab706734eccbc581ee7636354d6aa1d3b202d709832d998c53cce543b591922638af0109a4afbbe1f01e2789690f7ba802f2ef724dde85bb1bf98fbe

Download Submit
C:\Program Files (x86)\IMedia\IMediaT.exe
MD5
767d847e1d357c33940d4f714f90da96

SHA1
14172fd6e5e99c526478cda0b472689c900504b7

SHA256
815a4e28a3d3d8b797916b9c95fb83d5d3bfc1dbee4eee9ba35466d219b30c18

SHA512
5da6d3597865885e9c603f68cc7c1860b3df4fb80725592fcf702cc0c4be97cb6c44c698f267c3931c3e440af8dc7bcd9d7abc74a9e88d381c5cfb04af742c5d

Download Submit
C:\Program Files (x86)\IMedia\IMediaT.exe
MD5
767d847e1d357c33940d4f714f90da96

SHA1
14172fd6e5e99c526478cda0b472689c900504b7

SHA256
815a4e28a3d3d8b797916b9c95fb83d5d3bfc1dbee4eee9ba35466d219b30c18

SHA512
5da6d3597865885e9c603f68cc7c1860b3df4fb80725592fcf702cc0c4be97cb6c44c698f267c3931c3e440af8dc7bcd9d7abc74a9e88d381c5cfb04af742c5d

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Market.exe
MD5
18df1e63b5727813dfd905716b221725

SHA1
29921b658a623304e776ca88c4ba75fb8dbbc50e

SHA256
3374f218c91c86a65752bdc280fea9a15c762c19a614dcef89e469e98da051be

SHA512
cfdfaca33097c3c180b7b5812bdeefbe5af5a573c20acb97de96b1a41e57fecffaf39d327edcd73b75794574780d7402fd473da2973a4c62da1af9ccab5351c2

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Market.exe
MD5
18df1e63b5727813dfd905716b221725

SHA1
29921b658a623304e776ca88c4ba75fb8dbbc50e

SHA256
3374f218c91c86a65752bdc280fea9a15c762c19a614dcef89e469e98da051be

SHA512
cfdfaca33097c3c180b7b5812bdeefbe5af5a573c20acb97de96b1a41e57fecffaf39d327edcd73b75794574780d7402fd473da2973a4c62da1af9ccab5351c2

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\AECommonDll.dll
MD5
59faca178b523741d75a277ab626a4c9

SHA1
e36d9eba4487d924651b8f9988f37e3c18a41466

SHA256
05788e4ecf1b38de0620cc2f992667448fe5b5fba0c691c1e3fbe534c39a32c1

SHA512
072a32a10920d92cf56e3943f62ae6f79675480991416fa018e65b26a7c12bc5d9ff77daf7ba8ff434f8b0374df87c64544377ae91e7ea3250fa992f0ce3fc44

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\AowGame.xml
MD5
9cc2c97efb9dac1e97016d1140eab2f7

SHA1
e255eee738f1855ce77c1bcdc6f3cca26bad7d73

SHA256
6d2032da1e05606743add334794457ed0fba2776c0aa7455cb12c96249ae4a84

SHA512
491e52d6aac0c84c521be51863c61aa8f667ee3faa3fc64d7eeeebbf6928b92df6d4702a57a3a1a2e10bdd5321aac6208bd0a1a7ab263f41ab437f7d179350b2

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\Config.ini
MD5
ba50063cd1a85f562d5c6a92f28fc062

SHA1
41d01f5bc2c800424277dc39ddfb4a70bdbaf00e

SHA256
1d02987a9b23cb3c11ad6c8123446efcd8e43c0069a616ff09dfc80426a82861

SHA512
2fe0aa3e2b6dd171f25d792991328737a15905d290a3d32c4fbe6bc452976c6cd88e157b98a032f1348e53d26e4eeae9928d430e700849baa95e9c73207079b3

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\TInst.exe
MD5
3d826ed60697912da8607c5ada582fe6

SHA1
555a6ec7f20843580e2f3763788b899fecd483aa

SHA256
41ba3ca1aeb0661995ca422be34b8d67deb227e49d91eb2588eaaf6be775628d

SHA512
37ddcdf095b08f20381959e5295f6d28c001f6b20b2f0d8984362f6ca63dedadb7cb7730355a0f2048542c0728893a8d816b52157c5c6d7f2cc5a983cf1f7102

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\Tinst.exe
MD5
3d826ed60697912da8607c5ada582fe6

SHA1
555a6ec7f20843580e2f3763788b899fecd483aa

SHA256
41ba3ca1aeb0661995ca422be34b8d67deb227e49d91eb2588eaaf6be775628d

SHA512
37ddcdf095b08f20381959e5295f6d28c001f6b20b2f0d8984362f6ca63dedadb7cb7730355a0f2048542c0728893a8d816b52157c5c6d7f2cc5a983cf1f7102

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\aowgameex2.dat
MD5
a860fbdb56190eededbb9527abc20e32

SHA1
248c422cce200525f90679f49c1f9a22133a5de5

SHA256
a7f94e7cf4f162bdc89f7a191c3fd8a073a68f156ee43b13942267f62a4436e7

SHA512
776336b8a2d478ce685c346634526959ee11bff8c064f0177445af096641ad2657ccde5a0da571cda98c2a33c9d25c095bdfae4cc2ac7c47d7690216c1a6c1de

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-console-l1-1-0.dll
MD5
11e55839fcb3a53bdfed2a27fb7d5e80

SHA1
e585a1ed88696cd310c12f91ffa27f17f354b4f4

SHA256
f6bdc8ffd172b44f4d169707d9a457aeef619872661229b8629ee4f15eefff0d

SHA512
bec9419e35de03cc145b3c974833f73f1a5082d886de4739351b93bb4cc6c0234efd0e35ad845faba83fa600c4a7d5343eaae949a837d00d5528e6db79438ee4

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-datetime-l1-1-0.dll
MD5
9f3cf9f22836c32d988d7c7e0a977e1b

SHA1
1e7bbd6175bdb04826e60de07aa496493c9b3a3b

SHA256
7d588a5a958e32875d7bd346d1371e6ebfd9d5d2ede47755942badfc9c74e207

SHA512
16c98e6aec67ffe4558c6d3f881301490be5d8a714c1adc6735005613251adb8e1c2cb9b1c0d2504a9a99c61a06b0e30c944ca603fc00fbb18cd20ba1c9bd697

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-debug-l1-1-0.dll
MD5
64978e199a7239d2c911876447a7f05b

SHA1
0048ce6724db08c64441ce6e573676bc8ae94bf9

SHA256
92b947f1d6236f86ed7e105cff19e23c13d1968861426511b775905e1d26b47a

SHA512
9c64211895473ffc7162b56b0b8e732dec54cf03ea9b9b36fe3cc3339c35fc71fc7173d4e146989db399cb1bcb063079378bb6f778f7d2591cd545550038397c

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-errorhandling-l1-1-0.dll
MD5
9d74d89f2679c0c5ddb35a1ef30bd182

SHA1
22eaed07a6e477a4001f9467b5462cf4cc15cc16

SHA256
e207ffc6fef144e5d393e79de75f8f20d223f1ac33a011eeb822d30fa2031046

SHA512
725626e961d32398ea5aa120ac0339deeb493fc02ee7ef4d8e586173fdbf768b5cbb1f16f093ae4ecfee87e661170f8f832777640a353df5d651af4a62a2d819

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-file-l1-1-0.dll
MD5
d826d27c73d9f2420fb39fbe0745c7f0

SHA1
6e68e239f1a58185c7dad0fcfaac9ecfd2e5726c

SHA256
c0e5d482bd93bf71a73c01d0c1ec0722ea3260eba1f4c87e797bae334b5e9870

SHA512
c49843eb10e4e54c66e0e194dbd29ceab9094bdfe745b6a858cb03e34d73a6326f54804e5e5505deacc87146cbdfba17a0f02e62e76c685bce0cd1ff41962ff4

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-file-l1-2-0.dll
MD5
ec4f2cb68dcf7e96516eb284003be8bb

SHA1
fb9237719b5e21b9db176e41bdf125e6e7c01b11

SHA256
3816bbb7dd76d8fc6a7b83a0ed2f61b23dd5fc0843d3308ee077cb725d5c9088

SHA512
6cbda80c476a9fcf46458cac45229c96dc9df251230531e25088e834cd954db9ff4561e744f76495f9c57a4068b7635c72c6f9ff838436c54142297ee310b236

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-file-l1-2-1.dll
MD5
a32230b9bfdb8813e94d095222aafa11

SHA1
04b9d7d2a3f92a0054af2547fb6176385cc9738b

SHA256
7068d2b8aea252294e6b5c3bf3630475d0a91e11877f11a04e8ed1f91196410f

SHA512
6484c7c7fe574d797c74c285353040dfa364b9a9425cbfa4a4c8bba698176656c78e228a33c9eeae39a97caf2ab192f1f02dba472824f8a5757db5f14c76e2b0

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-file-l2-1-0.dll
MD5
b9287eb7bcbfdcec2e8d4198fd266509

SHA1
1375b6ff6121ec140668881f4a0b02f0c517f6c7

SHA256
096409422ecd1894e4d6289fd2d1c7490bd83daff0c1e3d16c36c78bd477b895

SHA512
b86348d3f42d0ff465066a14c281088c73ec5e03efacdaabe27a410b054a8a81b438d7e5d030b0d95f53b07783911b8b8200581d4e0b6f1b3cc79f4aae1d67df

Download Submit
C:\Temp\TxGameDownload\Component\AppMarket\18df1e63b5727813dfd905716b221725\Setup\api-ms-win-core-handle-l1-1-0.dll
MD5
6a35a52d536e34ba060a19d06b1dac80

SHA1
0494a9cbf898e5babb6e697fc2de04a128d2fc35

SHA256
a369ef130749bf8cd9f67055179e6f537f200c060af47493d49473912a95021e

SHA512
a8aeb58bcf4b314212c2ab5a8fd3c2edeb97e680f774171d4a79390aa23bb62a414aef0ecd5286ffb68b7ed8f6e713ff1892d6d4cc2cbb67de916c6062e762d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Mtkantu\cfg.dat
MD5
6a2274e8df79a84c37dd063d0282ad5f

SHA1
8215feb80bce29fd1c901c6572e7dbbaaf7eebb6

SHA256
a96226b966a4c01f273d7ff86281c44e943d2ad75b2ad2fcde4e092f96d0fe1d

SHA512
399e13e4718cfb0f6f5a7f9df2a2ea99a5893d6169adda9a7afe83cfeff5d7500a58133bf6605884db5e7430f3e441d51f82f5ccea0057420f572f59f8b2fd17

Download Submit
C:\Users\Admin\AppData\Local\Mtkantu\update.exe
MD5
70c61db7fd0623b87799787dd79298ed

SHA1
8dcaf3b4a36dc3df4dcb17df3f1d3e87762a5bda

SHA256
11274d7d914519b9b3c0dbf4afbd26ef1ab76a47e716f46d65c5c4c2874bf621

SHA512
b3c526801d860694898f1ee7fb1e33037e653ae76086e46e396c3099e012fc83cc3510d6c881ac2d3588ed34ed40479530e07b0067887cd9b7f558010905941a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMedia-553.exe
MD5
78b3398cb13acd149db2a5c1c356fbc4

SHA1
f5746e719ff984ab9176250903a674e538665835

SHA256
53580dbf677b57a87a0850e0901a1efd6b64ef712938454462fad12ab2568ed3

SHA512
507c2b129563714a470ee08b9279d50e899e234ba3b2ef52d7874df42756e745ad9afa39c54d61f7aab97f7fb14f2e7570666208363dc6341c96778f2032a166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMedia-553.exe
MD5
78b3398cb13acd149db2a5c1c356fbc4

SHA1
f5746e719ff984ab9176250903a674e538665835

SHA256
53580dbf677b57a87a0850e0901a1efd6b64ef712938454462fad12ab2568ed3

SHA512
507c2b129563714a470ee08b9279d50e899e234ba3b2ef52d7874df42756e745ad9afa39c54d61f7aab97f7fb14f2e7570666208363dc6341c96778f2032a166

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\7z.dll
MD5
d6486f5ff18881f5161126dcc85cb6d4

SHA1
4e3d8456a9af18ca190063c425907bdeaf3d4a14

SHA256
0bab62532bf3ce4c7ecaf13c023f58c2246971e8ab888fd1a828c60a2109dbe0

SHA512
62f27de0b5944f0feaf72cd6852e28148ea540bdcc96b27d91c10b12dd618e3a152adea848d7d67c087191aa1a14e9db86038d9cb7a5f5b5b758ca994941d7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\DuiLib.dll
MD5
19b65fd4f0929b10808562a26f94b097

SHA1
9fd183755d1ef10b90dd13acb7dbcd1365385d52

SHA256
f611f99d5f73a9aba2552c0c13470af8bc99adb195c246bafee94199d963cb83

SHA512
1f36814054a68bfbb069bac4d0a9a5ed4f0d624f09761f42e668eabb3e81b582dbdb4a444beb8cd9d6d4d5cd3c29c5ef63b44cdf989e06dd272dde712cba878b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe
MD5
cfe78a8e6bae19a071ef95f788e97acf

SHA1
38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

SHA256
da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

SHA512
de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe
MD5
cfe78a8e6bae19a071ef95f788e97acf

SHA1
38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

SHA256
da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

SHA512
de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\pic.7z
MD5
bfc25051a4ad54bbd98f17192ef29f8f

SHA1
94e79c4b4e356256a009683b49574c9364661dac

SHA256
8847e549efab5f409d70129f793eb51b6a52577c1abd1746870d7d4b0a887391

SHA512
869951aac40b24cc4e0ced314ae05340915973036a91f34df0dfa5e86fa84361537574811a183a6e81f73e17c50969b94f22a3f9064ed504ba996a298779afb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
MD5
33094d00b807ee9759c38901455ada0c

SHA1
005ee3ca0a418e89c91f714a79b3330507c9d036

SHA256
ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

SHA512
81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
MD5
33094d00b807ee9759c38901455ada0c

SHA1
005ee3ca0a418e89c91f714a79b3330507c9d036

SHA256
ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

SHA512
81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\syzs03_1000219144.exe
MD5
978f6dedc60783400095644b456890e9

SHA1
6c4436ab56188ac5ba8786cd76f0de15996f6fe8

SHA256
f2d4cc7e40d526ad84229d06e4ffd05d68c22359e6c4b5695087a7d8b735aeab

SHA512
0ce5c41bae0988e8e82f5c1723a907e8de99c951ca93f990ea3bc02d14d3d8ce4616622a6323f7ae41fc29773368488729ee281bee1f95f9d1f0a31034df5e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\syzs03_1000219144.exe
MD5
978f6dedc60783400095644b456890e9

SHA1
6c4436ab56188ac5ba8786cd76f0de15996f6fe8

SHA256
f2d4cc7e40d526ad84229d06e4ffd05d68c22359e6c4b5695087a7d8b735aeab

SHA512
0ce5c41bae0988e8e82f5c1723a907e8de99c951ca93f990ea3bc02d14d3d8ce4616622a6323f7ae41fc29773368488729ee281bee1f95f9d1f0a31034df5e3d

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\Config\SoftInfo.ini
MD5
cd738748e9ab1cf713c9e07e5fbe1dfc

SHA1
d069563efb4b34cd15e2586b6df218f7036e4095

SHA256
bff42cbb497bb24fafc4beb32942d000e6b32c361e5c85903fd199ff91d6c816

SHA512
f0f4f5833c284eda753b575037ec41deaf6dc22ea4517515152ef586bd1467c9d68bfb4fcc523cf305dbdecb79f5fdfe15e52a2812b847f0ef26b3780865fc3f

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\SoftInfoConfig.cfg
MD5
86303559a33932e1a9dbc9c95e0f2a6f

SHA1
7c8c7ef982f6ae627850b961db751c87c266fe53

SHA256
8886067d7f8bb36f1c065fa47423961b425b807f91b0248eaa869983b9841ba2

SHA512
c1e3709315185425536b55e698fc9908ecc6de1f7e0f1c4b18426b4b1b15fd6b9b1877f1f49463c0fc0d0cda5195c407224d8d116768177234d037c141b22990

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\SoftInfoConfig.cfg
MD5
86303559a33932e1a9dbc9c95e0f2a6f

SHA1
7c8c7ef982f6ae627850b961db751c87c266fe53

SHA256
8886067d7f8bb36f1c065fa47423961b425b807f91b0248eaa869983b9841ba2

SHA512
c1e3709315185425536b55e698fc9908ecc6de1f7e0f1c4b18426b4b1b15fd6b9b1877f1f49463c0fc0d0cda5195c407224d8d116768177234d037c141b22990

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\SoftInfoConfig.cfg
MD5
86303559a33932e1a9dbc9c95e0f2a6f

SHA1
7c8c7ef982f6ae627850b961db751c87c266fe53

SHA256
8886067d7f8bb36f1c065fa47423961b425b807f91b0248eaa869983b9841ba2

SHA512
c1e3709315185425536b55e698fc9908ecc6de1f7e0f1c4b18426b4b1b15fd6b9b1877f1f49463c0fc0d0cda5195c407224d8d116768177234d037c141b22990

Download Submit
C:\Users\Admin\AppData\Roaming\IMedia\SoftInfoConfig.cfg
MD5
86303559a33932e1a9dbc9c95e0f2a6f

SHA1
7c8c7ef982f6ae627850b961db751c87c266fe53

SHA256
8886067d7f8bb36f1c065fa47423961b425b807f91b0248eaa869983b9841ba2

SHA512
c1e3709315185425536b55e698fc9908ecc6de1f7e0f1c4b18426b4b1b15fd6b9b1877f1f49463c0fc0d0cda5195c407224d8d116768177234d037c141b22990

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll
MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll
MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll
MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Program Files (x86)\IMedia\IMedia64.dll
MD5
48f1abb480690cea0992905cdcbb131c

SHA1
744ee09ea4094622ebc7374ead52370939a10f39

SHA256
32835910ecf2df98d5973991ecf3676752d7dc67728f4adc1def50609c7b7c8b

SHA512
709b714bc2129709b613737c3c0f7ca72244f43f7a433ce64441d7f4a9a072a6eb85f4a9bddf9f7a7f5cc24c18eea677e8194938e75e40289a73b122a5e6ebe3

Download Submit
\Users\Admin\AppData\Local\Temp\Mtkantu\3.0.1\ImgCommon.dll
MD5
52317cfc906bb75c72a414b495990542

SHA1
e052b0035e1160ebbcce88e9abf0495f62c3c30e

SHA256
25dfbd39c31f948726eb34884dcde2e10e496eef76e1e22f7162bc44c3692912

SHA512
b1831efb471c2462918db2e512169abd4b2f2493ca8e0c58c0b3a561b6d61205b2d931727cbc201811e99cd5c15d6d512cf7c60ea56c7b8d723ca9752f4283fc

Download Submit
\Users\Admin\AppData\Local\Temp\Mtkantu\7z.dll
MD5
d6486f5ff18881f5161126dcc85cb6d4

SHA1
4e3d8456a9af18ca190063c425907bdeaf3d4a14

SHA256
0bab62532bf3ce4c7ecaf13c023f58c2246971e8ab888fd1a828c60a2109dbe0

SHA512
62f27de0b5944f0feaf72cd6852e28148ea540bdcc96b27d91c10b12dd618e3a152adea848d7d67c087191aa1a14e9db86038d9cb7a5f5b5b758ca994941d7d1

Download Submit
\Users\Admin\AppData\Local\Temp\Mtkantu\DuiLib.dll
MD5
19b65fd4f0929b10808562a26f94b097

SHA1
9fd183755d1ef10b90dd13acb7dbcd1365385d52

SHA256
f611f99d5f73a9aba2552c0c13470af8bc99adb195c246bafee94199d963cb83

SHA512
1f36814054a68bfbb069bac4d0a9a5ed4f0d624f09761f42e668eabb3e81b582dbdb4a444beb8cd9d6d4d5cd3c29c5ef63b44cdf989e06dd272dde712cba878b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\NSISdl.dll
MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\System.dll
MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\System.dll
MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E4C.tmp\System.dll
MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll
MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
memory/204-120-0x0000000000000000-mapping.dmp

Download
memory/296-198-0x0000000000000000-mapping.dmp

Download
memory/344-247-0x0000000000930000-0x000000000094A000-memory.dmp

Filesize
104KB

Download
memory/344-245-0x0000000000000000-mapping.dmp

Download
memory/344-248-0x0000000002070000-0x00000000020C7000-memory.dmp

Filesize
348KB

Download
memory/420-263-0x0000000000000000-mapping.dmp

Download
memory/764-279-0x0000000000000000-mapping.dmp

Download
memory/768-123-0x0000000000000000-mapping.dmp

Download
memory/820-145-0x0000000000000000-mapping.dmp

Download
memory/864-196-0x0000000000000000-mapping.dmp

Download
memory/868-238-0x0000000000000000-mapping.dmp

Download
memory/976-137-0x0000000000000000-mapping.dmp

Download
memory/1008-166-0x0000000000000000-mapping.dmp

Download
memory/1012-228-0x0000000000000000-mapping.dmp

Download
memory/1012-231-0x00000000005D0000-0x0000000000627000-memory.dmp

Filesize
348KB

Download
memory/1012-230-0x0000000000570000-0x000000000058A000-memory.dmp

Filesize
104KB

Download
memory/1124-285-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1124-286-0x00000000003D0000-0x0000000000CB1000-memory.dmp

Filesize
8.9MB

Download
memory/1272-164-0x0000000000000000-mapping.dmp

Download
memory/1512-244-0x0000000000000000-mapping.dmp

Download
memory/1540-276-0x0000000036730000-0x0000000036740000-memory.dmp

Filesize
64KB

Download
memory/1584-202-0x0000000000000000-mapping.dmp

Download
memory/2028-174-0x0000000000000000-mapping.dmp

Download
memory/2112-169-0x0000000000000000-mapping.dmp

Download
memory/2112-179-0x0000000000000000-mapping.dmp

Download
memory/2148-242-0x0000000000000000-mapping.dmp

Download
memory/2148-246-0x0000000002C30000-0x0000000002D45000-memory.dmp

Filesize
1.1MB

Download
memory/2176-194-0x0000000000000000-mapping.dmp

Download
memory/2188-131-0x0000000000000000-mapping.dmp

Download
memory/2208-177-0x0000000003610000-0x0000000003899000-memory.dmp

Filesize
2.5MB

Download
memory/2208-142-0x0000000000000000-mapping.dmp

Download
memory/2224-159-0x0000000000000000-mapping.dmp

Download
memory/2304-234-0x0000000000000000-mapping.dmp

Download
memory/2456-236-0x0000000000000000-mapping.dmp

Download
memory/2476-269-0x0000000000000000-mapping.dmp

Download
memory/3028-148-0x0000000000000000-mapping.dmp

Download
memory/3228-204-0x0000000000000000-mapping.dmp

Download
memory/3240-197-0x0000000000000000-mapping.dmp

Download
memory/3252-203-0x0000000000000000-mapping.dmp

Download
memory/3452-199-0x0000000000000000-mapping.dmp

Download
memory/3588-153-0x0000000000000000-mapping.dmp

Download
memory/3620-152-0x0000000000000000-mapping.dmp

Download
memory/3624-277-0x0000000000000000-mapping.dmp

Download
memory/3720-201-0x0000000000000000-mapping.dmp

Download
memory/3732-266-0x0000000000000000-mapping.dmp

Download
memory/3988-195-0x0000000000000000-mapping.dmp

Download
memory/4044-200-0x0000000000000000-mapping.dmp

Download
memory/4104-249-0x0000000000000000-mapping.dmp

Download
memory/4132-297-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/4152-232-0x0000000000000000-mapping.dmp

Download
memory/4196-233-0x0000000000000000-mapping.dmp

Download
memory/4196-240-0x0000000002D00000-0x0000000002E15000-memory.dmp

Filesize
1.1MB

Download
memory/4300-275-0x0000000000000000-mapping.dmp

Download
memory/4348-205-0x0000000000000000-mapping.dmp

Download
memory/4356-237-0x0000000000000000-mapping.dmp

Download
memory/4360-301-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/4476-239-0x0000000000000000-mapping.dmp

Download
memory/4476-243-0x0000000000710000-0x0000000000767000-memory.dmp

Filesize
348KB

Download
memory/4500-209-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/4500-208-0x0000000000000000-mapping.dmp

Download
memory/4552-274-0x0000000000000000-mapping.dmp

Download
memory/4568-211-0x0000000010000000-0x00000000100E8000-memory.dmp

Filesize
928KB

Download
memory/4568-210-0x0000000000000000-mapping.dmp

Download
memory/4600-261-0x0000000000000000-mapping.dmp

Download
memory/4620-283-0x0000000000000000-mapping.dmp

Download
memory/4628-215-0x0000000000000000-mapping.dmp

Download
memory/4656-284-0x0000000000000000-mapping.dmp

Download
memory/4688-216-0x0000000000000000-mapping.dmp

Download
memory/4764-278-0x0000000000000000-mapping.dmp

Download
memory/4788-217-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4788-218-0x0000000000690000-0x00000000006AC000-memory.dmp

Filesize
112KB

Download
memory/4840-219-0x0000000000000000-mapping.dmp

Download
memory/4840-260-0x0000000000000000-mapping.dmp

Download
memory/4840-273-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4840-221-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/4840-220-0x0000000000590000-0x00000000005E7000-memory.dmp

Filesize
348KB

Download
memory/4864-302-0x0000000010000000-0x00000000100E0000-memory.dmp

Filesize
896KB

Download
memory/4892-251-0x0000000000000000-mapping.dmp

Download
memory/4904-223-0x0000000000000000-mapping.dmp

Download
memory/4912-250-0x0000000000000000-mapping.dmp

Download
memory/4912-267-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4912-255-0x00000000042A0000-0x00000000043B1000-memory.dmp

Filesize
1.1MB

Download
memory/4912-259-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4936-225-0x0000000000000000-mapping.dmp

Download
memory/4944-257-0x0000000003F80000-0x0000000004091000-memory.dmp

Filesize
1.1MB

Download
memory/4944-252-0x0000000000000000-mapping.dmp

Download
memory/4944-258-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/5000-226-0x0000000000000000-mapping.dmp

Download
memory/5000-235-0x0000000002101000-0x0000000002105000-memory.dmp

Filesize
16KB

Download
memory/5008-262-0x0000000010000000-0x0000000010158000-memory.dmp

Filesize
1.3MB

Download
memory/5008-253-0x0000000000000000-mapping.dmp

Download
memory/5084-227-0x0000000000000000-mapping.dmp

Download
memory/5084-229-0x0000000002CC0000-0x0000000002DD5000-memory.dmp

Filesize
1.1MB

Download