ammyyadmin | dac399cd370db99711be5b31c1b5935432b9cd11c5e9745e752a5a7b66ef9e67

Analysis

max time kernel
145s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Size

3.6MB
MD5

743a6891999db5d7179091aba5f98fdb
SHA1

eeca4b8f88fcae9db6f54304270699d459fb5722
SHA256

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f
SHA512

9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96
SSDEEP

98304:NX8jXTWmbAJDaFoKLxycZ2gzJXvXdfxs2g1ypKLC1z:NX8Dsm9ycUcv82Qy06

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

Processes:

resource	yara_rule
behavioral9/memory/1192-78-0x0000000000400000-0x0000000001115000-memory.dmp	family_ammyyadmin
behavioral9/memory/1192-81-0x0000000000400000-0x0000000001115000-memory.dmp	family_ammyyadmin
C:\ProgramData\Wlanspeed\outst.exe	family_ammyyadmin
\ProgramData\Wlanspeed\outst.exe	family_ammyyadmin
\ProgramData\Wlanspeed\outst.exe	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 3 IoCs

Processes:

TextEdit.exewlanspeed.exeoutst.exe

pid process

1036 TextEdit.exe
1192 wlanspeed.exe
1892 outst.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

612 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wlanspeed.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation wlanspeed.exe

pid	process
1036	TextEdit.exe
1192	wlanspeed.exe
1892	outst.exe

pid	process
612	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	wlanspeed.exe

Loads dropped DLL 8 IoCs

Processes:

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

pid	process
1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SinTech client = "C:\\Program Files (x86)\\SinTech\\TextEdit.exe"	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

wlanspeed.exe

pid process

1192 wlanspeed.exe
1192 wlanspeed.exe
1192 wlanspeed.exe
1192 wlanspeed.exe
1192 wlanspeed.exe
1192 wlanspeed.exe
1192 wlanspeed.exe

pid	process
1192	wlanspeed.exe
1192	wlanspeed.exe
1192	wlanspeed.exe
1192	wlanspeed.exe
1192	wlanspeed.exe
1192	wlanspeed.exe
1192	wlanspeed.exe

Drops file in Program Files directory 2 IoCs

Processes:

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

description	ioc	process
File created	C:\Program Files (x86)\SinTech\TextEdit.exe.config	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
File created	C:\Program Files (x86)\SinTech\TextEdit.exe	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1132 sc.exe
588 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1132	sc.exe
588	sc.exe

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\NoProtectedModeBanner = "1"	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEfe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8TourShownTime = 0c8ab1fc3237d401	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B8D36211-4324-11ED-9D78-7225AF48583A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000008f678e4046fd16d4561b9f72500e6555d54a03165bb5bbb76e4dfc415b3fc92a000000000e8000000002000020000000ab82dec3b46a833b10a9adae74931092f78b0162e1e1a62aee9aa29683b0a9cc200000004f6c379da09bd871d176b53d8403983e0e70d0d54c38c2febae96d6736284baa400000009921471834713584ecc8682808ceb389b0baa426b094585fe5da671691026435c363de91178fcacb44eb8887f1d62a34eb971bd42377908e2b79339bb02f9abe	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\main	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Check_Associations = "no"	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Recovery	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000dc2fd74f6186b37a8930a2edb6a999b1d2127e9d1c09281dbfc2090782b4ba38000000000e8000000002000020000000cf6f89b22751d639ada18600eab996dac7472c7df8e7ac65d1f6cec0ac22eaa490000000f4332be28442d5322a4832da5727ded24cd30f583e20e4b3fe2eae22fae88c898351a2abb18f98c83f2eed3f6f84b470be879dea0169ff59b52435a2e6600bb788240eff1e0be996f6e7f1d73ce852d08abbd6d5b3d0fb49cdb41c0c74afe8ff3e03667958a3cc243f44ebd8b0d262228aa16dcb553989f5edfe887a7dfce7a2fa8cce88a91cd7e03facdedf86ace0a54000000023e39d7f625b0be3987adf1246bf4ff2c04796ff4360159095a1a8765d5c3a868ddf88c93fc16b2bce2901df6cfbf1b8c3275866fb662de05aeed4f793929f7d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8RunOnceLastShown = "1"	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8TourShown = "1"	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4080639e31d7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8RunOnceLastShown_TIMESTAMP = 8afe20f63237d401	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371571031"	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

1580 iexplore.exe
1580 iexplore.exe
1580 iexplore.exe
1580 iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

iexplore.exewlanspeed.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1580	iexplore.exe
1580	iexplore.exe
1192	wlanspeed.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1580	iexplore.exe
1580	iexplore.exe
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
1580	iexplore.exe
1580	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1580	iexplore.exe
1580	iexplore.exe
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.execmd.exeiexplore.exe

description	pid	process	target process
PID 1340 wrote to memory of 1036	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	TextEdit.exe
PID 1340 wrote to memory of 1036	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	TextEdit.exe
PID 1340 wrote to memory of 1036	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	TextEdit.exe
PID 1340 wrote to memory of 1036	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	TextEdit.exe
PID 1340 wrote to memory of 1988	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	cmd.exe
PID 1340 wrote to memory of 1988	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	cmd.exe
PID 1340 wrote to memory of 1988	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	cmd.exe
PID 1340 wrote to memory of 1988	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	cmd.exe
PID 1988 wrote to memory of 588	1988	cmd.exe	sc.exe
PID 1988 wrote to memory of 588	1988	cmd.exe	sc.exe
PID 1988 wrote to memory of 588	1988	cmd.exe	sc.exe
PID 1988 wrote to memory of 588	1988	cmd.exe	sc.exe
PID 1988 wrote to memory of 1132	1988	cmd.exe	sc.exe
PID 1988 wrote to memory of 1132	1988	cmd.exe	sc.exe
PID 1988 wrote to memory of 1132	1988	cmd.exe	sc.exe
PID 1988 wrote to memory of 1132	1988	cmd.exe	sc.exe
PID 1988 wrote to memory of 612	1988	cmd.exe	netsh.exe
PID 1988 wrote to memory of 612	1988	cmd.exe	netsh.exe
PID 1988 wrote to memory of 612	1988	cmd.exe	netsh.exe
PID 1988 wrote to memory of 612	1988	cmd.exe	netsh.exe
PID 1340 wrote to memory of 1192	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	wlanspeed.exe
PID 1340 wrote to memory of 1192	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	wlanspeed.exe
PID 1340 wrote to memory of 1192	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	wlanspeed.exe
PID 1340 wrote to memory of 1192	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	wlanspeed.exe
PID 1580 wrote to memory of 1944	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 1944	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 1944	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 1944	1580	iexplore.exe	IEXPLORE.EXE
PID 1340 wrote to memory of 1892	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	outst.exe
PID 1340 wrote to memory of 1892	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	outst.exe
PID 1340 wrote to memory of 1892	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	outst.exe
PID 1340 wrote to memory of 1892	1340	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	outst.exe
PID 1580 wrote to memory of 1776	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 1776	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 1776	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 1776	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 2996	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 2996	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 2996	1580	iexplore.exe	IEXPLORE.EXE
PID 1580 wrote to memory of 2996	1580	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\test\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
"C:\Users\Admin\AppData\Local\Temp\test\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer Automatic Crash Recovery
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1340

C:\Program Files (x86)\SinTech\TextEdit.exe
"C:\Program Files (x86)\SinTech\TextEdit.exe"
2⤵
- Executes dropped EXE
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\sc.exe
sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
3⤵
- Launches sc.exe
PID:588

C:\Windows\SysWOW64\sc.exe
sc description Wlanspeed "Wlanspeed service"
3⤵
- Launches sc.exe
PID:1132

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
3⤵
- Modifies Windows Firewall
PID:612

C:\ProgramData\Wlanspeed\wlanspeed.exe
"C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1192

C:\ProgramData\Wlanspeed\outst.exe
"C:\ProgramData\Wlanspeed\outst.exe" -outid
2⤵
- Executes dropped EXE
PID:1892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275468 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:799766 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SinTech\TextEdit.exe

Filesize
72KB

MD5
00a6b8a6d0ad367a46961177f058d7a1

SHA1
1278c7e9243e1949d1b5b560c8a04397011e95d2

SHA256
49db59a95c30aa978362ca589699775932816a3a34732e398986e88fe2b779cb

SHA512
3aa77567476668df800fdae6bb36b75394e64a60e8d467ac0d3cb91de1738dda45fb817d913fdb6902c8c48a313b3ae2b68bb1449993c99f718bea2ae45af4ec

Download Submit
C:\Program Files (x86)\SinTech\TextEdit.exe

Filesize
72KB

MD5
00a6b8a6d0ad367a46961177f058d7a1

SHA1
1278c7e9243e1949d1b5b560c8a04397011e95d2

SHA256
49db59a95c30aa978362ca589699775932816a3a34732e398986e88fe2b779cb

SHA512
3aa77567476668df800fdae6bb36b75394e64a60e8d467ac0d3cb91de1738dda45fb817d913fdb6902c8c48a313b3ae2b68bb1449993c99f718bea2ae45af4ec

Download Submit
C:\Program Files (x86)\SinTech\TextEdit.exe.config

Filesize
178B

MD5
7818adbecb0e6c84d976415f661a031c

SHA1
7cd6f603c2e5a187525fb08b2e3c941d2395ec7b

SHA256
6185dbac8db6eea6e1c1a01782b1deaf3ae26d1cecc7614f02ee47907e346766

SHA512
a37602e09b24bb517768028d0721458bf345750bcef0e139326941b10b1fe298d3b59f423b16429e9755456850a0035f555d5d1ce45dfb57ff336f65b2d89b1b

Download Submit
C:\ProgramData\Wlanspeed\outst.exe

Filesize
697KB

MD5
cfec1538a305af5ea524ce123aadb8d8

SHA1
651affabdf5920cfeb896da48f8adb8255f0d98a

SHA256
8c79aedd591d54c97a77cbb27a94bea74b2338ab4ba35695bd43d6a579b4be63

SHA512
36eacecb74687822e33d64fbf81a1ca08abc9ead4416df79f365a8b772f1d15c64a4fd7d589098f3766b07915837fbb4a46034a0a8b9984af5da8e228803842e

Download Submit
C:\ProgramData\Wlanspeed\session.log

Filesize
93B

MD5
855c73dddb0699a4f951047166515a2f

SHA1
088b471753e102f8b7e7e6fabd2c1bf43ea5f85c

SHA256
5cd5f45558bd06447e6ca4044d8085ad94f51413badc10c5b7526535a5006f83

SHA512
faae42653274b3cf159af2194820c5fd1623f04d703130a6e9b5e57ff384c241c28d278378c5cde74b6985e5987156ed2a699abc4ddbf765a716fa4ac6a35f9d

Download Submit
C:\ProgramData\Wlanspeed\wlanspeed.exe

Filesize
3.2MB

MD5
7e055ac00553ce6dd611f15399b19b14

SHA1
e36a515e369f085ef731212d10b6d98ea506cff9

SHA256
ccb3eb4def241106ba92b6f476e18b529b8cd8253f25cae7cf4cfa2bb293156e

SHA512
7003c6ccad23d6c55edd31bf2550a0b1d6510f1b6e3ee59af8cea3e6abbfa91447ec5972c5337c4758051176b31cb58142b3393203f12dbe66ac0f1be5be3068

Download Submit
C:\ProgramData\temp

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
786afa038c78782cfb5b346e6734e100

SHA1
ddc68735cd512cff7380de2345bb32fcc16a631e

SHA256
c9a382be5ae0b0018be86b038c0083a1ca34137e6b066986851ae567547f6a39

SHA512
44e8889c89523889722830406b10d44e9244f3254f8895a60a1745408cc6a6e614df284c038f736f80cccb4ea1a1291c8440be80bd2d11dfd72217f2c55ea861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9096A354A7A3E42F3F619F51DB75C6B9

Filesize
891B

MD5
6c397da40e5559b23fd641b11250de43

SHA1
5f3b8cf2f810b37d78b4ceec1919c37334b9c774

SHA256
513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6

SHA512
0f0369b90ef4930f59bd5c0091067200828bde84ea703c1029ec5603cf4bd1084f0e7e15f370dd5554a9e310d60bd01ba54492e2e6d6301e44609033ea9edbc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_871E11B76822F93FE2DBF907A5A1D9A8

Filesize
472B

MD5
53aa134dc3b33b709b6ccf39e549055f

SHA1
2e85a28ef73d7c403ad693fc8602e95fe3d803f3

SHA256
877de7cadd4fc848afaac488f89ed987929505b563a03eb79e4e9d8fa0b41a0e

SHA512
727594fbf4661ccd894a0b1d012bb44758827eb87c77b4e982ff46c170be3f6ba64a6d16ca1d8988dfd1701cca1d8d867191eab18a91eb48c24f1329f49b30da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_3FAEF9C2ED8948153EF5C4A9CFFD2F19

Filesize
471B

MD5
f45b075a7bb00fc53e70dc362e83a39a

SHA1
3d03fe1d85654c5583c74779a5d7847a6dad8fbd

SHA256
b4d1a5c0f3fde97f1cb09c499134a291c12bb3b72959759960c2a39a21fd1977

SHA512
5edffaa715334ee2ea1b43d652cafa36d9d83630295a825638d079cbb439a27ff681de94db0b0ad937492ff5a81718d29331e0e46529c3e9cef7ab32e27aae33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_7F226C0974B745C5C054D4151A363D5C

Filesize
472B

MD5
544d205b2f709e0bed39ebfc751d6187

SHA1
71559b505f318323405eeb5ff59499c63e806559

SHA256
692e14681ceb7536d5c09cf8700810a258b574e02e93c391e7551690111a5bc7

SHA512
c6c64d518f903331b12538d3168a68ab88f7eff0972efc9cc17fca7b24ae37c9e90f249924413598fc4bd182a515106b663c835a28b33339be4d1995eb7fdf45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_C89A7CE86B947A5BDDEC66331470004A

Filesize
471B

MD5
6abe76ca28fe176c44e7475b1d5c93fb

SHA1
a4a87a771c6f081e5dae3499c090551c6dd31acb

SHA256
451a8f3a3e654355467b434976022b84820c25b54f7b78472635c7dc3241423f

SHA512
5417d09ac430dc4098f42df3e0e35b8767ea73625e071b2d3cb48538a74c2ccfb1e29e89645a0bea6336eb0fe4ae9e3fe1e722fb17ed3afd807817f138901634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
e0bbd9ebabde018a4f0182af151607e9

SHA1
4e5eb0460db2ca9699736a6f5f180200e201e912

SHA256
745a64d2ef35132aa622aec07351a15cf05e008ea55b7d71f4fabb3f28b7a547

SHA512
16db4c8f235cd21c21f26ba42874460e749129231e0add367854030aeaedee1f300e6284ff921e9b137ba4c795174c3a9da2fada3b38ecceedee468663493415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9096A354A7A3E42F3F619F51DB75C6B9

Filesize
282B

MD5
bb40bf1ad36020e60046a9e8dbc01506

SHA1
49635dd010d281c4f8e9f1e387d046d384f74b7c

SHA256
c81b8c2cdfe7585d283f73d918931a042793f53d007d67a1480469e7eb94e1af

SHA512
afa5893dbe04efc6783925ba00cfdeb5192a5364e336a9ac5699fc44ab3b44a04b1f3d3bc6b0aed7d9c2fb796393e99d7edbbe1320aab550dced11e4aeaf10d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
719453d517676278cea075657c267aa6

SHA1
bb16f312fb09aab737db28765157fd08632902c0

SHA256
e146f7222d82ff432fef36eeef5e6934b13b0a410a49aee7db96b722ad53fd3e

SHA512
b2e623a3ab7d32e92e952cfd6bc2fbe555304e0ee1fbe1bd4b30419855bbb1ff48dc3244c5de41844095a3d146182d137493b924c85d83fecb411b03a8e02ef1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6a65f7536dd19b4b4da57f17d65ce77

SHA1
c9b8d28a9f46b0b90d70ee45637b07fdf0892456

SHA256
00359ce1acb99f59206a4be8193145aeaa14f0d096ea952ec619207e9bce82fb

SHA512
1f348f17e1129f9a5acfd7004ee41cc207585a845e76b00b46615b12d8f5478d43109fa667a4b49cdbada2d935a3702d3d5479e665a67666ae500cfc87fe8464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82f441ad14b8b7dd94b95d304089cd1d

SHA1
c3d04bad5db726e3f3c6b6a04fe527bc571f7eaa

SHA256
494d7046f05f2d9be2295d3f8ed39f1ab2eecbf980e74cb3e41bbe8bf7daec56

SHA512
8afe5674c2ac2e3fc5544b12a76dda9bd9d0ffdac16c04315ad05efdec2b3b6473f01b1342f91f0490b3e6e2d4e4711d88c6c14044b6076236f2280d44ed9b37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82f441ad14b8b7dd94b95d304089cd1d

SHA1
c3d04bad5db726e3f3c6b6a04fe527bc571f7eaa

SHA256
494d7046f05f2d9be2295d3f8ed39f1ab2eecbf980e74cb3e41bbe8bf7daec56

SHA512
8afe5674c2ac2e3fc5544b12a76dda9bd9d0ffdac16c04315ad05efdec2b3b6473f01b1342f91f0490b3e6e2d4e4711d88c6c14044b6076236f2280d44ed9b37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2e55d58a2007b23edb68c31eefd3d99

SHA1
825ba285d4fd74832dd6c0a0af2cee7006288146

SHA256
9d560f51dea9e70382fd32c8d01fee59f0c94ba831f5039edc284346655c9e40

SHA512
bfebbe1ba72c9baff2cc8807adf8761c1810e78e5acd0fc5cf4392ef92ab00e84b1482db6fd1183ba19669c2ea88abd987906b6355f3973619beca7a106b974e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d670dc0f21c517eef95c6ec87d52178f

SHA1
57e93731ec4f327bdaba8ed093e4e085c2869c03

SHA256
c0b6762668e8571b4e7dbd85255475a66b67f5373acb95bcedcddc9726dbdaf9

SHA512
c7573c9e48d1f6956f427b4d91ba63a5beb473b8529cac34bff48b791d653bf6e94ad05e1a364e7cdcfa20da50a7de0d4ba9ff51809d3276db7d64218c982d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
482ad787d8c31caee88161b7dac668ab

SHA1
18471195aa60c28b8bff5ce6565360c5497b6d55

SHA256
989b6faa5ea975b882d004eecfcff9a82f01170ddbaaf55235769f2a5a551db7

SHA512
04ec3a0ef8fcfee5adcb11a738ed6c2041da492ba85653d04609bdfd6f8528590d8de0bb675c1ff25057c895782ff8aefd3843b752f552c93281294f89442e92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ed5d4572aef2caf492fcb3a792e3edd

SHA1
da983e9b39c6074cdcc05c36f62f2426d518ffe7

SHA256
ea88a9c5661c66f8ae83eae89388d79505136a89e833861bd810f83f25b64105

SHA512
6510fb39a7c63e6904f7b4c6106ca80402706c42623667864f76d3ab72c0865f7346893387432c6478bd5c0d692d7fa496b81285c8339be671797620cf37c60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ed5d4572aef2caf492fcb3a792e3edd

SHA1
da983e9b39c6074cdcc05c36f62f2426d518ffe7

SHA256
ea88a9c5661c66f8ae83eae89388d79505136a89e833861bd810f83f25b64105

SHA512
6510fb39a7c63e6904f7b4c6106ca80402706c42623667864f76d3ab72c0865f7346893387432c6478bd5c0d692d7fa496b81285c8339be671797620cf37c60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f9d35ba97dbf34b89637ee04c86e137

SHA1
cbda57d192f4ea088e7384192f51051c6f575924

SHA256
eb4f59f81f76e7447149deac7f2806ca796198e6b38f6c7c36e9c8ddd0f8b45a

SHA512
fe57514e9be2059372f68773aac30f06a1443c22a5390f1dcc63cf475a5ae9466862ecee07c6405e81f84b9946519e0df3001459bc96edb60de54ad6db09c470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d2008297caa61f0d84db1db2ea40df7

SHA1
749926a9ce54740479395b6da48c14fe13dddcf8

SHA256
9a7adccdda9e3a5f4b9f98f51154b6c4dea2b3da462e18ee5bede05b01423715

SHA512
0df4a22720b016abcf533b74c675592af26b572a23198ef268c875f51d2a884dd5033607d831c012c82319f72f598eefa0b0b7fe07c5db9ac43259574400f210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26a3a18c8f99f2a1d010db6ad07c4455

SHA1
58846dce984e620857e1591cfff0aeb262e99911

SHA256
182f93e29ec14d67a7dd7dcabd558d0714b8ea3404004e7a36f22e34e7aa8699

SHA512
434af50b44be19d92230f41d385cf8586981901d263693104c30885585a9cb7feb0cf66d5329c36e69f0e3cdd48e3fda32dcc9bb89ba5e728c15e77f00b3b95c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
f0488643f98ca2a66bb8fda4f34d6033

SHA1
ccd68f7137a0f3c12ed2f956fd3954f19388b0fc

SHA256
8c6a9a00454cbd9a34d4484f5fd8a61a991fb590842a2291cad54f7f0b1a3bf1

SHA512
66b841c4a6c34a3568b894430a80c5e2857a029be682320b707f7e5fa6a66e6a7fbb72706dd5ceaf19bd05d3e6bfac7ccdc25746f092a7ea9200a093900ba333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_871E11B76822F93FE2DBF907A5A1D9A8

Filesize
402B

MD5
f02750745b84a951444c63f912fb5a82

SHA1
908b6764f8cd0734b46e70a49b37e30cb6e4d524

SHA256
91e15e7b6ebae9197099b931a60575c663044ac1703c014f25855dfc324a88bf

SHA512
5a9ffb3f7159edd5ac4695f71d0cb96872ffe992fccf061aa6fced6f4db201920498323aabf5fb908461584750df309ac12ef2a2cbd8ece74ffbbf269db357c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_3FAEF9C2ED8948153EF5C4A9CFFD2F19

Filesize
410B

MD5
ceeb8b551b19185b9b758f52a30e9cc3

SHA1
1a4b430d400093c0e7afaede8c8c059b0de048bd

SHA256
9b7d6c1bcdd55ef9648c5fc7b1820d714630dfcb6871640558bb84307cebf732

SHA512
890e0b85aa16b1ef28882aa4eb84dba69055a5602e72fd7b98f6ff0a4509f56e0b8e198fe11bc4c20b436f1efef40e7a112f63951cd5cd4e1ab6a5131da5e583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_7F226C0974B745C5C054D4151A363D5C

Filesize
406B

MD5
9916573bd4aee6d7897699db7d6daab3

SHA1
31b8b753a49eb285069251a1885cc5ee9a995cae

SHA256
70a4ac2ace3a7da510acf10b0713f889145403004a3f9d5574b0664182b028f4

SHA512
42b9aabb8d897c2fa74ed789dc2626e8df063dbdf7ca9642b99a1787927de4a84348e6114b8e7cf0ed330d85774f4808232e9106b8e836cddfbee5b3ec0ad14c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8f1b999578e7172dbf69717831f10488

SHA1
4e21147ee91b690a2bae59920a03c4d5159ff9d0

SHA256
854fe48bc3700a32fb0abcd0b98ad08b23c9e077badd761be29573343cf7281c

SHA512
ffbde5b5009e0be4b51a9cbab8bc6c4aa9a6427c86c9451df8bf350fb4db5ec99b559f6eb7eb67e84e104d08724490a8c8a5004bd7d7b9d2cc579011be507a5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_C89A7CE86B947A5BDDEC66331470004A

Filesize
406B

MD5
370d4bf83dba90fe33f7393263c0ecac

SHA1
9a80995bc3cb78f9aa69b9766808ed49f3d3b2a5

SHA256
a460d9744d57afe25baaae3309202cec4b4d09c2f89d8070fe62cc4c9f2faf80

SHA512
303f24c9640057a71579a122953da1000b403801f7e27f99e2f3955a3066dba08b505e0a6173e7722eafc46dc12c1a81bf0792b48299b4064b5d03a45ddaa887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
8d889fcf3eef5553a633bddc7ed861fb

SHA1
a4cf4379d3c2b6ad95e1402249051a1f12d5b586

SHA256
a0aacd43209b2028bb3dec0409de163d6ba04ab648736b5097fc5113b81d32b2

SHA512
d39dfe1e7e4c540fe9811dda378f450c40690a41d9f8c04fb854c8e4c07f624242dfed3f2c119b6ab78170bf10f33892d8e743613a35e1b5f7a75ae110e82ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\gtm[1].js

Filesize
115KB

MD5
6b62fa4aeda8251cd4131057caf78456

SHA1
ca317f9feea84cf2efa397bc7ea8ee06e83e5b6a

SHA256
eeea2dc0a30809231d1e91fe922e01c35694f2c6819681ed4fa89bd01e2df3a9

SHA512
d304271da2559cd4ae0fca23c2911383a4522a3644cd18cd2d00019f5e945c2c664e867cc055fdee833e2ca0e4078640ec6024ec07c50385f14c0663489709f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\logo[1].htm

Filesize
258B

MD5
087db6fa7ba6e0a7246a9bbba6bd5222

SHA1
da6056925bd2b51fad922865edbbc8d081aff5a4

SHA256
87b21466ff0daf4de2e7a74dcc090dc8863fef291a6ab78283f0cea2b05a200d

SHA512
78544ed66f291ffeac39be832012401b748f529a550e134801e8a5b0bc0631820cd1385d28d6283185af4a88c2e1ed5966be6cb8a96421e61ea2c8779ed23bdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\analytics[1].js

Filesize
48KB

MD5
99ba52a15d2da967b023016d1af58cbd

SHA1
5c2246049c43834d17113877b4731bd4f9803d55

SHA256
9e25469f734732205f33dd80ff8ca12080406c18d2fa99a1f368103e51f7999f

SHA512
d274e02cc486783eec8887e6bad67b409afd22e6d73b9ed67af88c0aa7145863df9675347a78526a8eaee68b1880240f0d938e49a3abc640d170291195c0c56d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\jquery.min[1].js

Filesize
93KB

MD5
5790ead7ad3ba27397aedfa3d263b867

SHA1
8130544c215fe5d1ec081d83461bf4a711e74882

SHA256
2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

SHA512
781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\qr[1].htm

Filesize
256B

MD5
fd292ee0391a4e2d73c0d9b36554b5e9

SHA1
e2508d95761a010101dbaba8646309bb61445d70

SHA256
85d9951334de9f50325844926b6d19ca75cb4fc19c0bafe5a05d9486a3b0ddad

SHA512
f839af40a8316c079c0285bc0fca957d2af877c6eaf9e5dc071b6a9b54873fa1cd2db50e5179d36bfc38004c981efee9c269ba5b4883b911fe6ddd36ea2b7b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\style[1].css

Filesize
330B

MD5
0d8ec20c5a3758663b828801a3f0ab2c

SHA1
465f96c3d31bbdb9474a6290ed114aaf7d25293a

SHA256
2ea90d48b38e5ab9a4e9577f1a1133d3f6f8ee6d383fc19bf4d17279225ae62e

SHA512
4b5d4ee4b147a8c0b03c17712ab367d2e6660707819e0a1a9eff5b0dce06074a0a8835fe0c09dd744112d93d1984abf0537d56c8fd60ec3adacb0ff784145995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\uh[1].js

Filesize
30KB

MD5
b27fc62d9a9a1b1704443d72e873bff4

SHA1
3e0e33233405eb42728da14efd7fa6b39ad64e17

SHA256
afef63348ef4e06b6da27547978472e008f7d4667f7036d50a6872bfc4da6bab

SHA512
6ea082f120fa00c951757b162ad756c2d1a4f6b3bea4cbd077bb02154ab0f47f709850e6f2379f583d5a75f781fb1ff6da7e8b882bcdf3e1064f2b6057d2acca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\js[1].js

Filesize
214KB

MD5
9a0febbefcad7e80f6856c7938141cc1

SHA1
66fa5b59a5ce16af503be0a27a11c905fc06a25a

SHA256
405384798361f2b505ee08b5a3b22a729a3a13b9a084cb0727e40794bcb484fa

SHA512
1e5e9b0ff5f54f9c70034a3d6d8ab5cd3da5f175d43dc11edd4349d14b68a05c9f6962f83aec5471570df8307f34e3b5ace43a340b3f2ab73e6159eb72a2ae13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\js[2].js

Filesize
210KB

MD5
33bda6aac1d95c99c5cbdcea92a25d90

SHA1
e613dff6e581f509cb17a09389dc8c0da5fa8f61

SHA256
dfb67e6804546ac1415c2d6a60ed57190bb1bb2d2f9de8116b0918940bc781e8

SHA512
dc511852277fb39c058778cb3e98a5fa879aed13843c56636f652e31ab981da2f7f8c887e749218d99ec0392fa13b7efbb6d15b4ca3e09e31fb73229335d1abc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2UAMT2T4.txt

Filesize
558B

MD5
38808fb2035d8541cc2eb7379095bbc4

SHA1
9924096368efc5888c1c40f3e1b233180f5d13e4

SHA256
0ff6b8cfeccde84bb8dbf2c1742e848e6f32bec36e4f254116b68e2882c1933c

SHA512
4d22681f8c6d14d69e3458ff63ad956e5831e60ac6d29453888e4ff8a8305fed77e57e6e3e8ce6811a547de7f3cad61ec423b2ab3f0a5d1bc0092f15329c423b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6AFJURIX.txt

Filesize
607B

MD5
2cfc1bd4d093ac5bad8117907a51fb80

SHA1
32b607756c4f8f7635b314dfd218acc8e06e9f72

SHA256
d0816050894ebe931682dc59a9dc7066b2fad8756930ac0571cf84d4fc9daea9

SHA512
45c48c2a1e270f819e567a57c2c84376a5ed2cd893a8867b11e58bf1c56e2cc156ea6f71773d2123c4c90c5c7c530384c9da5210cac0200457c6f964ce27f279

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BMDN9UQ4.txt

Filesize
558B

MD5
6a5e75dff090a087b450a4222b604511

SHA1
13e7584cfeca8007b0a30b48b8e04f509581a440

SHA256
cc30f90b550633403faf035c41b38bde2520ea4a38482b6ff6c0c2b6efd1150b

SHA512
61d6dce9c53f0d7a3aa06edef96b58eca9414274a050cb236dcf4096a2fc117892a8ea21dda58b312299fea21724cdab1147be0d691690e970d30162ea40d10f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JZLG96ZE.txt

Filesize
558B

MD5
ba2bc788b8acbecb1805ea3b0ff5ba76

SHA1
98e2f1f379a3f871e6593406c7b424f2c5f80a18

SHA256
fad51687257a95872fe5f614b3a79b5ca66547cb8e66e64c4d410fcaff290d99

SHA512
da4deff9c0b0026f216ec77bf9791072c94cd284de17a06f3a17d7833e1a26a884117d04bcf287c94880f3d738560b1313972708f25ae8466bfd299cd940754c

Download Submit
\??\c:\programdata\wlanspeed\wlanspeed.exe

Filesize
3.2MB

MD5
7e055ac00553ce6dd611f15399b19b14

SHA1
e36a515e369f085ef731212d10b6d98ea506cff9

SHA256
ccb3eb4def241106ba92b6f476e18b529b8cd8253f25cae7cf4cfa2bb293156e

SHA512
7003c6ccad23d6c55edd31bf2550a0b1d6510f1b6e3ee59af8cea3e6abbfa91447ec5972c5337c4758051176b31cb58142b3393203f12dbe66ac0f1be5be3068

Download Submit
\Program Files (x86)\SinTech\TextEdit.exe

Filesize
72KB

MD5
00a6b8a6d0ad367a46961177f058d7a1

SHA1
1278c7e9243e1949d1b5b560c8a04397011e95d2

SHA256
49db59a95c30aa978362ca589699775932816a3a34732e398986e88fe2b779cb

SHA512
3aa77567476668df800fdae6bb36b75394e64a60e8d467ac0d3cb91de1738dda45fb817d913fdb6902c8c48a313b3ae2b68bb1449993c99f718bea2ae45af4ec

Download Submit
\ProgramData\Wlanspeed\outst.exe

Filesize
697KB

MD5
cfec1538a305af5ea524ce123aadb8d8

SHA1
651affabdf5920cfeb896da48f8adb8255f0d98a

SHA256
8c79aedd591d54c97a77cbb27a94bea74b2338ab4ba35695bd43d6a579b4be63

SHA512
36eacecb74687822e33d64fbf81a1ca08abc9ead4416df79f365a8b772f1d15c64a4fd7d589098f3766b07915837fbb4a46034a0a8b9984af5da8e228803842e

Download Submit
\ProgramData\Wlanspeed\outst.exe

Filesize
697KB

MD5
cfec1538a305af5ea524ce123aadb8d8

SHA1
651affabdf5920cfeb896da48f8adb8255f0d98a

SHA256
8c79aedd591d54c97a77cbb27a94bea74b2338ab4ba35695bd43d6a579b4be63

SHA512
36eacecb74687822e33d64fbf81a1ca08abc9ead4416df79f365a8b772f1d15c64a4fd7d589098f3766b07915837fbb4a46034a0a8b9984af5da8e228803842e

Download Submit
\ProgramData\Wlanspeed\wlanspeed.exe

Filesize
3.2MB

MD5
7e055ac00553ce6dd611f15399b19b14

SHA1
e36a515e369f085ef731212d10b6d98ea506cff9

SHA256
ccb3eb4def241106ba92b6f476e18b529b8cd8253f25cae7cf4cfa2bb293156e

SHA512
7003c6ccad23d6c55edd31bf2550a0b1d6510f1b6e3ee59af8cea3e6abbfa91447ec5972c5337c4758051176b31cb58142b3393203f12dbe66ac0f1be5be3068

Download Submit
\ProgramData\Wlanspeed\wlanspeed.exe

Filesize
3.2MB

MD5
7e055ac00553ce6dd611f15399b19b14

SHA1
e36a515e369f085ef731212d10b6d98ea506cff9

SHA256
ccb3eb4def241106ba92b6f476e18b529b8cd8253f25cae7cf4cfa2bb293156e

SHA512
7003c6ccad23d6c55edd31bf2550a0b1d6510f1b6e3ee59af8cea3e6abbfa91447ec5972c5337c4758051176b31cb58142b3393203f12dbe66ac0f1be5be3068

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2B08.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2B08.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2B08.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
memory/588-62-0x0000000000000000-mapping.dmp

Download
memory/612-64-0x0000000000000000-mapping.dmp

Download
memory/1036-69-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/1036-67-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/1036-57-0x0000000000000000-mapping.dmp

Download
memory/1036-93-0x000000001CD70000-0x000000001D516000-memory.dmp

Filesize
7.6MB

Download
memory/1036-66-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1132-63-0x0000000000000000-mapping.dmp

Download
memory/1192-78-0x0000000000400000-0x0000000001115000-memory.dmp

Filesize
13.1MB

Download
memory/1192-72-0x0000000000000000-mapping.dmp

Download
memory/1192-79-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1192-81-0x0000000000400000-0x0000000001115000-memory.dmp

Filesize
13.1MB

Download
memory/1340-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1340-76-0x0000000002500000-0x0000000003215000-memory.dmp

Filesize
13.1MB

Download
memory/1340-77-0x0000000002500000-0x0000000003215000-memory.dmp

Filesize
13.1MB

Download
memory/1340-80-0x0000000002500000-0x0000000003215000-memory.dmp

Filesize
13.1MB

Download
memory/1892-84-0x0000000000000000-mapping.dmp

Download
memory/1988-61-0x0000000000000000-mapping.dmp

Download