Overview

overview

10

Static

static

grs.exe

windows7_x64

10

grs.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    174s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    24-03-2022 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    grs.exe

  • Size

    3.2MB

  • MD5

    5692bc30e83b7a435a60f1d76794db03

  • SHA1

    b7b37a93db95321fb31c57645b4c61e1c5e4fc77

  • SHA256

    9631d8bd74d4a0384cae4396e9b0fa5f5898496028e24a274f3d571ce5c22b3a

  • SHA512

    12751643c5bb0938aff3535c86c4977e66c44920ced333a69922c4bc86286bad9df98de896d9c54d347a7465fe0373999bff65ac11f485d50e27ef469d847d0a

Score
10/10
smokeloadersocelarsbackdoorpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

socelars

C2

http://www.fddnice.pw/

http://www.sokoinfo.pw/

http://www.zzhlike.pw/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

C2

http://perseus007.xyz/upload/

http://lambos1.xyz/upload/

http://cipluks.com/upload/

http://ragnar77.com/upload/

http://aslauk.com/upload/

http://qunersoo.xyz/upload /

http://hostunes.info/upload/

http://leonisdas.xyz/upload/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Executes dropped EXE 10 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      PID:4672
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    1⤵
    • Drops file in System32 directory
    PID:1140
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    1⤵
      PID:1184
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
      1⤵
        PID:1324
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
        1⤵
          PID:1496
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
          1⤵
            PID:1604
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
            1⤵
              PID:2004
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
              1⤵
              • Enumerates connected drives
              PID:2648
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2676
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
              1⤵
                PID:2688
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                1⤵
                  PID:2500
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k netsvcs -p
                  1⤵
                    PID:1540
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                    1⤵
                      PID:4100
                    • C:\Users\Admin\AppData\Local\Temp\grs.exe
                      "C:\Users\Admin\AppData\Local\Temp\grs.exe"
                      1⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:916
                      • C:\Users\Admin\AppData\Local\Temp\agdsk.exe
                        "C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3204
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /c taskkill /f /im chrome.exe
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4944
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im chrome.exe
                            4⤵
                            • Kills process with taskkill
                            PID:1388
                      • C:\Users\Admin\AppData\Local\Temp\jg4_4jaa.exe
                        "C:\Users\Admin\AppData\Local\Temp\jg4_4jaa.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:856
                      • C:\Users\Admin\AppData\Local\Temp\wf-game.exe
                        "C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
                        2⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:4236
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" "C:\Program Files\patch.dll",patch
                          3⤵
                          • Loads dropped DLL
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3940
                      • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
                        "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4264
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3492
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff2dd146f8,0x7fff2dd14708,0x7fff2dd14718
                          3⤵
                            PID:544
                        • C:\Users\Admin\AppData\Local\Temp\ujqb.exe
                          "C:\Users\Admin\AppData\Local\Temp\ujqb.exe"
                          2⤵
                          • Executes dropped EXE
                          • Checks computer location settings
                          • Suspicious use of WriteProcessMemory
                          PID:3140
                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
                            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1176
                        • C:\Users\Admin\AppData\Local\Temp\pub2.exe
                          "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:2872
                        • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
                          "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
                          2⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Suspicious use of WriteProcessMemory
                          PID:5016
                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                            3⤵
                            • Executes dropped EXE
                            PID:2600
                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                            3⤵
                            • Executes dropped EXE
                            PID:3784

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Registry Run Keys / Startup Folder

                      1
                      T1060

                      Privilege Escalation

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Credentials in Files

                      1
                      T1081

                      Discovery

                      Query Registry

                      4
                      T1012

                      System Information Discovery

                      5
                      T1082

                      Peripheral Device Discovery

                      2
                      T1120

                      Lateral Movement

                      Collection

                      Data from Local System

                      1
                      T1005

                      Exfiltration

                      Command and Control

                      Web Service

                      1
                      T1102

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files\patch.dat
                        MD5

                        e0951976d9544f909a27f759bb3b7f85

                        SHA1

                        f85ab0b98b6b46d2c52a61ae57e6cc381049cd4a

                        SHA256

                        bb0c68cfd8555c4526f36a4a1aabff3ab9565cc1ca8535de1f99f6dcf60c6652

                        SHA512

                        023e61bd1ffab2e909e585a84f2c63fb4748ca118264ec6aac2335df1d286d84f2a97cc983a491af5834b07102951563d29613d2ecc71df1ca43c0e7554d9992

                        Download Submit
                      • C:\Program Files\patch.dll
                        MD5

                        75ca86f2b605a5924edeb57b180620e7

                        SHA1

                        df2fda930efd40c2ae7c59533e5097bd631c3b47

                        SHA256

                        00cb52b80d015d1b692158ce9ca867b99b1ac82d9538090a09881b9edaa0c417

                        SHA512

                        d68b04f03d719506c418daa65d601d55a9319b84d5c53d16430a484a24f78d1237d14168fbc5c94221bf18ed40302cff7a2f02b05f7a0c3b95e870356d2cd63c

                        Download Submit
                      • C:\Program Files\patch.dll
                        MD5

                        75ca86f2b605a5924edeb57b180620e7

                        SHA1

                        df2fda930efd40c2ae7c59533e5097bd631c3b47

                        SHA256

                        00cb52b80d015d1b692158ce9ca867b99b1ac82d9538090a09881b9edaa0c417

                        SHA512

                        d68b04f03d719506c418daa65d601d55a9319b84d5c53d16430a484a24f78d1237d14168fbc5c94221bf18ed40302cff7a2f02b05f7a0c3b95e870356d2cd63c

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
                        MD5

                        4f3387277ccbd6d1f21ac5c07fe4ca68

                        SHA1

                        e16506f662dc92023bf82def1d621497c8ab5890

                        SHA256

                        767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

                        SHA512

                        9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
                        MD5

                        95b8301688985fa56510fc92cfa6e1ca

                        SHA1

                        16d68a7f32b148f2d39197500b1b0c342d8561c1

                        SHA256

                        9a2fd341a2811c1ce5b3fa198c52a3e9f074c6338dff3be017fb53dcd9f0ca88

                        SHA512

                        f75c037492f2741ce639d4b5536843e3224a359495ae18e9b881496bf7b9e7d8cf68cd9c7083e41c2fba0227396c4f210b6fbea3265669323230506099341c45

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
                        MD5

                        95b8301688985fa56510fc92cfa6e1ca

                        SHA1

                        16d68a7f32b148f2d39197500b1b0c342d8561c1

                        SHA256

                        9a2fd341a2811c1ce5b3fa198c52a3e9f074c6338dff3be017fb53dcd9f0ca88

                        SHA512

                        f75c037492f2741ce639d4b5536843e3224a359495ae18e9b881496bf7b9e7d8cf68cd9c7083e41c2fba0227396c4f210b6fbea3265669323230506099341c45

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
                        MD5

                        954b39f45379c530b7f659d697c29ac7

                        SHA1

                        9fa7dcb754041cc878f6ca3a71581a04e3b23427

                        SHA256

                        301a510700f2ebccd25fc5cc6c579ead2196b957ed81aa3eda29c7bc40887c26

                        SHA512

                        aecda633e082d00a5d9989aad8e20e300372efdcdbe4f48991b7fb7f70079d7465f420c278167edf25656966c44ac03ab72c3f1aaa18962771bee63364e7a6d8

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
                        MD5

                        954b39f45379c530b7f659d697c29ac7

                        SHA1

                        9fa7dcb754041cc878f6ca3a71581a04e3b23427

                        SHA256

                        301a510700f2ebccd25fc5cc6c579ead2196b957ed81aa3eda29c7bc40887c26

                        SHA512

                        aecda633e082d00a5d9989aad8e20e300372efdcdbe4f48991b7fb7f70079d7465f420c278167edf25656966c44ac03ab72c3f1aaa18962771bee63364e7a6d8

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\agdsk.exe
                        MD5

                        618c39d0b0b20b2b5449ab2eae8e00a2

                        SHA1

                        8cb2c1556062e3352b24e7c05f32c65138cb71ac

                        SHA256

                        e8ba721c624ea94595a594790089702d36e024966bf2110bdf374ee2a292e375

                        SHA512

                        197a6e6e591d665f2b32ff7e4dd2fea5a1fa81f873d9295ed45617869a4802c24d2eb8c213f30a05b8739c609435493f7d672c5ba8362e009086294b1067555d

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\agdsk.exe
                        MD5

                        618c39d0b0b20b2b5449ab2eae8e00a2

                        SHA1

                        8cb2c1556062e3352b24e7c05f32c65138cb71ac

                        SHA256

                        e8ba721c624ea94595a594790089702d36e024966bf2110bdf374ee2a292e375

                        SHA512

                        197a6e6e591d665f2b32ff7e4dd2fea5a1fa81f873d9295ed45617869a4802c24d2eb8c213f30a05b8739c609435493f7d672c5ba8362e009086294b1067555d

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        MD5

                        b7161c0845a64ff6d7345b67ff97f3b0

                        SHA1

                        d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

                        SHA256

                        fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

                        SHA512

                        98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        MD5

                        fd2e12553bb97e250952173b9f393bce

                        SHA1

                        321d63cc59f1f3380ab61fa108bee6b30c63166b

                        SHA256

                        c675f8aa68749c7522f70fedf89c34414679155a35b33e27f345e0b997b04f9a

                        SHA512

                        cef7da470bb93bba9fc02d02b4f817c1bb457d36714aceefb63457d3967879ea1f023c978b9df9e49410d08a0d00e229c1ac2c84eff60d9a3749cc6db9245766

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        MD5

                        7fee8223d6e4f82d6cd115a28f0b6d58

                        SHA1

                        1b89c25f25253df23426bd9ff6c9208f1202f58b

                        SHA256

                        a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

                        SHA512

                        3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        MD5

                        7fee8223d6e4f82d6cd115a28f0b6d58

                        SHA1

                        1b89c25f25253df23426bd9ff6c9208f1202f58b

                        SHA256

                        a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

                        SHA512

                        3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        MD5

                        a6279ec92ff948760ce53bba817d6a77

                        SHA1

                        5345505e12f9e4c6d569a226d50e71b5a572dce2

                        SHA256

                        8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

                        SHA512

                        213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        MD5

                        a6279ec92ff948760ce53bba817d6a77

                        SHA1

                        5345505e12f9e4c6d569a226d50e71b5a572dce2

                        SHA256

                        8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

                        SHA512

                        213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\jg4_4jaa.exe
                        MD5

                        338921a2482dbb47a0ac6ba265179316

                        SHA1

                        8ec2d631aa5a52b7aa1c4c62b788e8dd35e20f49

                        SHA256

                        90c97549326a337f150c97dc59b7cad89176773cd71851423c2f8ae80472f518

                        SHA512

                        42b5fc41392b14365250ee832cedd86be590128d9fdf459d1fc8727f818910c86439e63de1b492fd16d695bc915c4a74187191b6be2f59de7470d521984e8f77

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\jg4_4jaa.exe
                        MD5

                        338921a2482dbb47a0ac6ba265179316

                        SHA1

                        8ec2d631aa5a52b7aa1c4c62b788e8dd35e20f49

                        SHA256

                        90c97549326a337f150c97dc59b7cad89176773cd71851423c2f8ae80472f518

                        SHA512

                        42b5fc41392b14365250ee832cedd86be590128d9fdf459d1fc8727f818910c86439e63de1b492fd16d695bc915c4a74187191b6be2f59de7470d521984e8f77

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\pub2.exe
                        MD5

                        6de1d89a5d69b052ae3530531d515cbe

                        SHA1

                        7acbdfb192f867f9b6cd13bae14e1f10a392aee3

                        SHA256

                        324f039f77af286f88cfbde910884be2639ae4b1e3482d2bc7b715ca3473b673

                        SHA512

                        bd61de4aef4a3861cc04ab58342f3f32221534d07935a3941f9aa35efed47ba3870b9e8559ace9e8a454dc31f62e2f42de66ae284b691058bcd1c88e955f11ee

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\pub2.exe
                        MD5

                        6de1d89a5d69b052ae3530531d515cbe

                        SHA1

                        7acbdfb192f867f9b6cd13bae14e1f10a392aee3

                        SHA256

                        324f039f77af286f88cfbde910884be2639ae4b1e3482d2bc7b715ca3473b673

                        SHA512

                        bd61de4aef4a3861cc04ab58342f3f32221534d07935a3941f9aa35efed47ba3870b9e8559ace9e8a454dc31f62e2f42de66ae284b691058bcd1c88e955f11ee

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
                        MD5

                        8cbde3982249e20a6f564eb414f06fe4

                        SHA1

                        6d040b6c0f9d10b07f0b63797aa7bfabf0703925

                        SHA256

                        4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

                        SHA512

                        d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
                        MD5

                        8cbde3982249e20a6f564eb414f06fe4

                        SHA1

                        6d040b6c0f9d10b07f0b63797aa7bfabf0703925

                        SHA256

                        4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

                        SHA512

                        d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\ujqb.exe
                        MD5

                        c07b463cb3a46eecd4f560c13e27f3cd

                        SHA1

                        5d4bcd0532f83be709449e451148200b78c293b0

                        SHA256

                        07eb775d151d4430d83d61862054f7618e63ba4515466e06147d487d0ea8e4f5

                        SHA512

                        439f9259e3d5b6866b5c5b7b31d81b98079e2d119c7a2ac152c32cb0b598b763b7b3fe072b3634b6e10630c3b306ed172725b45f4d233527edfd8ad7411f41ba

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\ujqb.exe
                        MD5

                        c07b463cb3a46eecd4f560c13e27f3cd

                        SHA1

                        5d4bcd0532f83be709449e451148200b78c293b0

                        SHA256

                        07eb775d151d4430d83d61862054f7618e63ba4515466e06147d487d0ea8e4f5

                        SHA512

                        439f9259e3d5b6866b5c5b7b31d81b98079e2d119c7a2ac152c32cb0b598b763b7b3fe072b3634b6e10630c3b306ed172725b45f4d233527edfd8ad7411f41ba

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\wf-game.exe
                        MD5

                        5530c8bf2fddf2afc18b2defc14d3a74

                        SHA1

                        872b5a3d72b20f64fbe5e5ed1998ea749d0ef648

                        SHA256

                        6e052a1f2392408efc528e25591b417c14cb1ff6e96faa6ff26b61f61ebfca3c

                        SHA512

                        a388aa78aecb876d42823c2a06f10f873182eacd18c31ae52323014f635e13fab16b07b0752462ad02fd9cdbba47c269bbcf4dacb89be39f0352bc02ee09ae0b

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\wf-game.exe
                        MD5

                        5530c8bf2fddf2afc18b2defc14d3a74

                        SHA1

                        872b5a3d72b20f64fbe5e5ed1998ea749d0ef648

                        SHA256

                        6e052a1f2392408efc528e25591b417c14cb1ff6e96faa6ff26b61f61ebfca3c

                        SHA512

                        a388aa78aecb876d42823c2a06f10f873182eacd18c31ae52323014f635e13fab16b07b0752462ad02fd9cdbba47c269bbcf4dacb89be39f0352bc02ee09ae0b

                        Download Submit
                      • memory/508-156-0x0000011572490000-0x00000115724D4000-memory.dmp
                        Filesize

                        272KB

                        Download
                      • memory/508-157-0x0000011572550000-0x00000115725B7000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/544-215-0x0000000000000000-mapping.dmp
                        Download
                      • memory/856-198-0x0000000003530000-0x0000000003540000-memory.dmp
                        Filesize

                        64KB

                        Download
                      • memory/856-137-0x0000000000000000-mapping.dmp
                        Download
                      • memory/856-219-0x00000000044E0000-0x00000000044E8000-memory.dmp
                        Filesize

                        32KB

                        Download
                      • memory/856-204-0x00000000036D0000-0x00000000036E0000-memory.dmp
                        Filesize

                        64KB

                        Download
                      • memory/856-218-0x00000000044C0000-0x00000000044C8000-memory.dmp
                        Filesize

                        32KB

                        Download
                      • memory/856-216-0x00000000041A0000-0x00000000041A8000-memory.dmp
                        Filesize

                        32KB

                        Download
                      • memory/856-217-0x0000000004240000-0x0000000004248000-memory.dmp
                        Filesize

                        32KB

                        Download
                      • memory/856-214-0x0000000004180000-0x0000000004188000-memory.dmp
                        Filesize

                        32KB

                        Download
                      • memory/1140-167-0x000002045D1B0000-0x000002045D217000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/1176-187-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1184-164-0x0000013F639A0000-0x0000013F639E4000-memory.dmp
                        Filesize

                        272KB

                        Download
                      • memory/1184-165-0x0000013F647B0000-0x0000013F64817000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/1324-171-0x0000020577E70000-0x0000020577ED7000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/1388-221-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1496-170-0x000001C04AB60000-0x000001C04ABC7000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/1540-160-0x0000022C6E150000-0x0000022C6E194000-memory.dmp
                        Filesize

                        272KB

                        Download
                      • memory/1540-161-0x0000022C6E470000-0x0000022C6E4D7000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/1604-168-0x000001E5E5B20000-0x000001E5E5B87000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/2004-169-0x000001E5A8190000-0x000001E5A81F7000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/2500-158-0x00000173E2770000-0x00000173E27B4000-memory.dmp
                        Filesize

                        272KB

                        Download
                      • memory/2500-159-0x00000173E2ED0000-0x00000173E2F37000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/2600-190-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2640-197-0x0000000002690000-0x00000000026A6000-memory.dmp
                        Filesize

                        88KB

                        Download
                      • memory/2648-163-0x00000285797B0000-0x0000028579817000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/2676-172-0x0000020DB1900000-0x0000020DB1967000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/2688-174-0x000001A0E3D20000-0x000001A0E3D87000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/2872-189-0x0000000000B90000-0x0000000000B99000-memory.dmp
                        Filesize

                        36KB

                        Download
                      • memory/2872-185-0x0000000000A48000-0x0000000000A51000-memory.dmp
                        Filesize

                        36KB

                        Download
                      • memory/2872-186-0x0000000000A48000-0x0000000000A51000-memory.dmp
                        Filesize

                        36KB

                        Download
                      • memory/2872-179-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2872-194-0x0000000000400000-0x0000000000A15000-memory.dmp
                        Filesize

                        6.1MB

                        Download
                      • memory/3140-176-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3204-134-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3492-175-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3784-210-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3940-155-0x0000000002C50000-0x0000000002CA6000-memory.dmp
                        Filesize

                        344KB

                        Download
                      • memory/3940-154-0x0000000002BC0000-0x0000000002BFA000-memory.dmp
                        Filesize

                        232KB

                        Download
                      • memory/3940-149-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4100-173-0x00000153C8990000-0x00000153C89F7000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/4236-140-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4264-147-0x00007FFF2CDF0000-0x00007FFF2D8B1000-memory.dmp
                        Filesize

                        10.8MB

                        Download
                      • memory/4264-143-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4264-146-0x0000000000690000-0x00000000006C6000-memory.dmp
                        Filesize

                        216KB

                        Download
                      • memory/4264-148-0x000000001C850000-0x000000001C852000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/4672-162-0x000002B841090000-0x000002B8410D4000-memory.dmp
                        Filesize

                        272KB

                        Download
                      • memory/4672-153-0x00007FF70A924E80-mapping.dmp
                        Download
                      • memory/4672-166-0x000002B841470000-0x000002B8414D7000-memory.dmp
                        Filesize

                        412KB

                        Download
                      • memory/4944-220-0x0000000000000000-mapping.dmp
                        Download
                      • memory/5016-182-0x0000000000000000-mapping.dmp
                        Download