efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d

Analysis

max time kernel
151s
max time network
197s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Size

860KB
MD5

dbde22b1a6fbc953fde0c33e0e3680b7
SHA1

3d5cfa8569991508e05465de85af8f0f97ab94dd
SHA256

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d
SHA512

08811f563aee45ac1959e5a159dfd2d7efd065edc6345906207c698ceb669a111944f5910631cca0bf66fbd7f9a8e13dcf2342fa67f637fa99cdfc72903bebb2
SSDEEP

12288:I60a5r6BgBAOI4cha7upZ/5XiX2qc91a6mJntVTN4:qBgBAOI4cs7uf/5SX2HaBJntlN4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exetiab.exetiab.exe

pid process

900 efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
304 tiab.exe
1360 tiab.exe

pid	process
900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
304	tiab.exe
1360	tiab.exe

Loads dropped DLL 3 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exeefd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

pid	process
1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tiab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	tiab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{06F6F782-F9F0-8F18-6283-158452E29C23} = "C:\\Users\\Admin\\AppData\\Roaming\\Wygo\\tiab.exe"	tiab.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exetiab.exe

description	pid	process	target process
PID 1956 set thread context of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 304 set thread context of 1360	304	tiab.exe	tiab.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\18212B7B-00000001.eml:OECustomProperty	WinMail.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exetiab.exetiab.exe

pid	process
1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
304	tiab.exe
304	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe
1360	tiab.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exetiab.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	1360	tiab.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe
Token: SeSecurityPrivilege	628	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1784 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1784 WinMail.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exetiab.exeWinMail.exe

pid process

1956 efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
304 tiab.exe
1784 WinMail.exe

pid	process
1784	WinMail.exe

pid	process
1784	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.execmd.exenet.exeefd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exetiab.execmd.exenet.exetiab.exe

description	pid	process	target process
PID 1956 wrote to memory of 1552	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 1956 wrote to memory of 1552	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 1956 wrote to memory of 1552	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 1956 wrote to memory of 1552	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1956 wrote to memory of 900	1956	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 1552 wrote to memory of 588	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 588	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 588	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 588	1552	cmd.exe	net.exe
PID 588 wrote to memory of 896	588	net.exe	net1.exe
PID 588 wrote to memory of 896	588	net.exe	net1.exe
PID 588 wrote to memory of 896	588	net.exe	net1.exe
PID 588 wrote to memory of 896	588	net.exe	net1.exe
PID 900 wrote to memory of 304	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	tiab.exe
PID 900 wrote to memory of 304	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	tiab.exe
PID 900 wrote to memory of 304	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	tiab.exe
PID 900 wrote to memory of 304	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	tiab.exe
PID 304 wrote to memory of 1544	304	tiab.exe	cmd.exe
PID 304 wrote to memory of 1544	304	tiab.exe	cmd.exe
PID 304 wrote to memory of 1544	304	tiab.exe	cmd.exe
PID 304 wrote to memory of 1544	304	tiab.exe	cmd.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 304 wrote to memory of 1360	304	tiab.exe	tiab.exe
PID 900 wrote to memory of 628	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 900 wrote to memory of 628	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 900 wrote to memory of 628	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 900 wrote to memory of 628	900	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 1544 wrote to memory of 608	1544	cmd.exe	net.exe
PID 1544 wrote to memory of 608	1544	cmd.exe	net.exe
PID 1544 wrote to memory of 608	1544	cmd.exe	net.exe
PID 1544 wrote to memory of 608	1544	cmd.exe	net.exe
PID 608 wrote to memory of 1396	608	net.exe	net1.exe
PID 608 wrote to memory of 1396	608	net.exe	net1.exe
PID 608 wrote to memory of 1396	608	net.exe	net1.exe
PID 608 wrote to memory of 1396	608	net.exe	net1.exe
PID 1360 wrote to memory of 1120	1360	tiab.exe	taskhost.exe
PID 1360 wrote to memory of 1120	1360	tiab.exe	taskhost.exe
PID 1360 wrote to memory of 1120	1360	tiab.exe	taskhost.exe
PID 1360 wrote to memory of 1120	1360	tiab.exe	taskhost.exe
PID 1360 wrote to memory of 1120	1360	tiab.exe	taskhost.exe
PID 1360 wrote to memory of 1176	1360	tiab.exe	Dwm.exe
PID 1360 wrote to memory of 1176	1360	tiab.exe	Dwm.exe
PID 1360 wrote to memory of 1176	1360	tiab.exe	Dwm.exe
PID 1360 wrote to memory of 1176	1360	tiab.exe	Dwm.exe
PID 1360 wrote to memory of 1176	1360	tiab.exe	Dwm.exe
PID 1360 wrote to memory of 1204	1360	tiab.exe	Explorer.EXE
PID 1360 wrote to memory of 1204	1360	tiab.exe	Explorer.EXE
PID 1360 wrote to memory of 1204	1360	tiab.exe	Explorer.EXE
PID 1360 wrote to memory of 1204	1360	tiab.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
"C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Roaming\Wygo\tiab.exe
"C:\Users\Admin\AppData\Roaming\Wygo\tiab.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
5⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
6⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Roaming\Wygo\tiab.exe
C:\Users\Admin\AppData\Roaming\Wygo\tiab.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp96529b14.bat"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
1⤵
PID:1396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1290884512-2057837501-1633975381-1894552875-684054217-1507950121-1917231423-1722851006"
1⤵
PID:1328

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Filesize
860KB

MD5
dbde22b1a6fbc953fde0c33e0e3680b7

SHA1
3d5cfa8569991508e05465de85af8f0f97ab94dd

SHA256
efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d

SHA512
08811f563aee45ac1959e5a159dfd2d7efd065edc6345906207c698ceb669a111944f5910631cca0bf66fbd7f9a8e13dcf2342fa67f637fa99cdfc72903bebb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96529b14.bat
Filesize
307B

MD5
92c9b83f1e1749cf9223745bc1e4f205

SHA1
8fff90a43544c634c92f6aea769a1aecd8d98460

SHA256
4739f60539f7af0cdca5b76e28a2bae84dd13159b99635e01f1faa6a7e70ef4a

SHA512
2d7b234edcbbd6dd597429a1863b0ce69881dbf0ffc2416946ef37917863ce73f2a35183db5d261994e86bcab1c2a522b5dc172f82ceb5eb69c5a7bab9157906

Download Submit
C:\Users\Admin\AppData\Roaming\Copou\pyto.oka
Filesize
323B

MD5
1ae8732986dbac6097de01a194c32755

SHA1
e28b0a2d8e160be36c27e4b81a1412e0ec077832

SHA256
15a6bb3488a70038c153f477838bbad78b5effb48f086cdd5cc8e76a53c722ab

SHA512
a9a1adeddca46f595ee05b774aa9671176abbad5954c0357a7a66631a018e195a5042a0c960d8928f4ec49d0cf681d23dabc19d54fa13b06bbf4af8193f64597

Download Submit
C:\Users\Admin\AppData\Roaming\Wygo\tiab.exe
Filesize
860KB

MD5
5ceb06e5be5299ff1fab74c5e9833935

SHA1
ad5314e7679be1a7579fbc5eccc91ea7f3f0e88d

SHA256
d0ed1749e849cdb6587de7cbfc64a06183b15ff91479929c851d73e2a5913d2a

SHA512
0d9449dcec05483856b1187b704a4739ca39ea351910448e64861c17767ecff6f168ec8073269a4bd4a0536f88ef5b1f94ec750edb95588671674ff967e10956

Download Submit
C:\Users\Admin\AppData\Roaming\Wygo\tiab.exe
Filesize
860KB

MD5
5ceb06e5be5299ff1fab74c5e9833935

SHA1
ad5314e7679be1a7579fbc5eccc91ea7f3f0e88d

SHA256
d0ed1749e849cdb6587de7cbfc64a06183b15ff91479929c851d73e2a5913d2a

SHA512
0d9449dcec05483856b1187b704a4739ca39ea351910448e64861c17767ecff6f168ec8073269a4bd4a0536f88ef5b1f94ec750edb95588671674ff967e10956

Download Submit
C:\Users\Admin\AppData\Roaming\Wygo\tiab.exe
Filesize
860KB

MD5
5ceb06e5be5299ff1fab74c5e9833935

SHA1
ad5314e7679be1a7579fbc5eccc91ea7f3f0e88d

SHA256
d0ed1749e849cdb6587de7cbfc64a06183b15ff91479929c851d73e2a5913d2a

SHA512
0d9449dcec05483856b1187b704a4739ca39ea351910448e64861c17767ecff6f168ec8073269a4bd4a0536f88ef5b1f94ec750edb95588671674ff967e10956

Download Submit
C:\debug.txt
Filesize
6KB

MD5
1455c9400f4385817d7dc56bf2d48f3b

SHA1
1a6ce5e0b672f60f3dfb45eb010d19ff07921745

SHA256
bd4ac29924c93bf5ecfaa80d5ae1f687bd7193fb1116176d280442279fde4be1

SHA512
0e51c4e73e283114f71175a70881b3431bd0a23cbecece6b239d9c01a9ca78745ec54a9a6a577f66e813a1f8133431f9790dddd4a0bb9ecaed33b7c3faebc02e

Download Submit
C:\debug.txt
Filesize
7KB

MD5
69a63325440e94fab4a95534dc6e5b9d

SHA1
5d8076fa60dfe83d5eb0d6508f4de9a0d21ce717

SHA256
13bb252f0d06344ddc1a4be4ad76f19480dddc21ee3b5690e93a2231c695c3d8

SHA512
c727f5134d83ba9cc83ded8f5811ce967c247655a358cac354a59fe24e03ef3fbc0bb83eee355b1db9e78e989a8685e683dd4d43fbd935762f1ef1bf90e5e832

Download Submit
C:\debug.txt
Filesize
8KB

MD5
ae8365a62d66fb562dd0b62a327c104e

SHA1
10f15908744778d37b3e5cd3dd42ff2b28b0c33f

SHA256
67ba0ed31b33da248e0e17ce6b5cea545fe766d6d5fbacd14406430182680a84

SHA512
08d126fcfdfed0a1e751ca4d4dba3bac02a3af05bc34f67551553c50b1f4dc47130d87ea14dc3e23e6436eb31a79572de530ad7e22dba90c35093360e18373ac

Download Submit
C:\debug.txt
Filesize
8KB

MD5
166a3d3fdeb6ce42c3b708b58b14e039

SHA1
57d927dd04e86e472bb0c860e1a03186cae4c0db

SHA256
4497790003558736270f511adca165f8457badd4af69c169a9b0c46ab5d9a60a

SHA512
c8aad9aa6896b86388fd10b127b5a289ffc98047877dcdfb3d2ada88c520a7d0826cd6fba5f973c50fddae2a69b9c828ebe621a58a61bcda4002a5869f00deef

Download Submit
C:\debug.txt
Filesize
10KB

MD5
97348efcd7765d1d904c93cb6d722f42

SHA1
b8dc738f8128c6b0279ec0157b62a91130d2c66d

SHA256
95931c156d0819581572c524f7dff49bd0718268027343399ca4a2f11d32558e

SHA512
4e7a93fa0b40988768a94c6dc71e686411b34ac08ea6a226745e8d3d6bd4e597e4a4a61604460dbf256bfc07f71cc75c2b88a61328310d542176bea47fc40143

Download Submit
C:\debug.txt
Filesize
10KB

MD5
97348efcd7765d1d904c93cb6d722f42

SHA1
b8dc738f8128c6b0279ec0157b62a91130d2c66d

SHA256
95931c156d0819581572c524f7dff49bd0718268027343399ca4a2f11d32558e

SHA512
4e7a93fa0b40988768a94c6dc71e686411b34ac08ea6a226745e8d3d6bd4e597e4a4a61604460dbf256bfc07f71cc75c2b88a61328310d542176bea47fc40143

Download Submit
C:\debug.txt
Filesize
10KB

MD5
de2bda1f1f3b2a970fdcdc25f2372eb5

SHA1
18d844b3251acedb72cc000546669794b1f8f0df

SHA256
31034ed5c04e855a91b1291a9ab7643f2d35f9b9fce79f96ab6463d308f743fb

SHA512
bbd8260ca6bfaed3f57f067bf32911da16b4e1802cf430e940b3818cfc68c595c12c0ce15bea993195a856544b63e3f2bf5f6cd0e02d4ea6766ee6360637e3bd

Download Submit
C:\debug.txt
Filesize
10KB

MD5
de2bda1f1f3b2a970fdcdc25f2372eb5

SHA1
18d844b3251acedb72cc000546669794b1f8f0df

SHA256
31034ed5c04e855a91b1291a9ab7643f2d35f9b9fce79f96ab6463d308f743fb

SHA512
bbd8260ca6bfaed3f57f067bf32911da16b4e1802cf430e940b3818cfc68c595c12c0ce15bea993195a856544b63e3f2bf5f6cd0e02d4ea6766ee6360637e3bd

Download Submit
C:\debug.txt
Filesize
11KB

MD5
b0a38120fcdc5714bd15fc66ee1d7ffd

SHA1
9d39513e1cb39b816d58d38fcdb05945acad834e

SHA256
46b43f97bccbb22a69da99513cecf2a5d32ed71893af49b237514df45576e8be

SHA512
6a2e90feaff251451323cfd3b2d5c7a4fa87636a31211d1bbb4f7e22dd3e079fa169bf57c02120faec6da7ea6b631a71b3d37bc9811cbf04956e21ba2d877f75

Download Submit
C:\debug.txt
Filesize
11KB

MD5
69bea53ebca1f9df40ffcb44ca5f6b5e

SHA1
3fae1523aa110cf2ac61913b23353f0379db7cab

SHA256
108ba64ac74810dc8c3a2418c2f23a7f0c5301dec3976bae00f274f3008fbfb6

SHA512
3c43de08c06538e7bc5224eaf81056671b6d9481f8f91d304c6a7ad1e50486f1fcefbdf221ed6d2db2ae7f87ba6a27907ef7672e2432eb35c523fdd8eae15a5b

Download Submit
C:\debug.txt
Filesize
12KB

MD5
54400e290a3c49d3354e9f4255ecbc14

SHA1
f68777d416e96b63ef5b2303cdb7704e719f31fd

SHA256
49f1f6799691759a85a03cabdd89cb2ed32805c0e339b8daa29930953c35b8ef

SHA512
5e9a7793d64ad0616c746e5dab9cd40a6b06e4baef9a5b6d92b97495ea777f139fc26fdeec829bb4151d4d283cd55d61e05f44bad99c482e0c48aefb916547d9

Download Submit
C:\debug.txt
Filesize
14KB

MD5
15d299ee0d90fa879e5b1d2848aec442

SHA1
a732352b5ba838552b0088faf2c375f39e99308c

SHA256
af5b684d46c312daf50c730823b35fb0f42d4bbc56ccf8b2ecae68451326c547

SHA512
7184e1c2cc4e4ce1b64490e62dfacb30ad69c44d776a0aa6ada15f927189b0aa42d7397a3767f2d1985b6e4526dedb7131617f8c8fc1cf6cbc4b8d54a2f65cfd

Download Submit
C:\debug.txt
Filesize
14KB

MD5
f41af396fad5e8c9c607f4dc957d5e4d

SHA1
e31451e9b62bcf9f25089fd559ba250e6a2e9af1

SHA256
3ea1141359790fa4dfa88283466e1d49c9809162c3afd5b5cd4af1462aef2e15

SHA512
de6e35859c3616bba14417cc25853a34da752ba551a03fbef83df5e12e1a8abc2373b4333e08dee1b7076e4e7e3bf588b94485c58b27152ca5e53a822289eb1f

Download Submit
C:\debug.txt
Filesize
16KB

MD5
1afbc43d22b24b41721a66242c4545db

SHA1
ad869b99a69ea8a0b578160956a724887793e1c8

SHA256
c005a578e62596fec8bdc547fa8456a31607765960ea3ce0655c4196aa022d14

SHA512
457b9751d9f0e00acc3fe563e150a87d48af01b8b7b3bb420df75e7a683d236c20a49b9afba75d0690aa0db7e35e707751676e91e8d63752a6c24ab5961d5300

Download Submit
C:\debug.txt
Filesize
3KB

MD5
354a127c03a3aa64a752fb5fe446835b

SHA1
e1acb5df6c69355b2e279feef04648b4c70370f9

SHA256
58fe4deaefcb391569ae01dcc0a6a8330163ce24b51e3ff5c4299bd496bbbd60

SHA512
bcc5fbb5d51128c24cba0841d904ddc5f762469773c5058aba684224e9cb01fa5eb649437c371c039a0122e7700fc063bbc8b367278fad4e606e3eb55cff1067

Download Submit
\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Filesize
860KB

MD5
dbde22b1a6fbc953fde0c33e0e3680b7

SHA1
3d5cfa8569991508e05465de85af8f0f97ab94dd

SHA256
efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d

SHA512
08811f563aee45ac1959e5a159dfd2d7efd065edc6345906207c698ceb669a111944f5910631cca0bf66fbd7f9a8e13dcf2342fa67f637fa99cdfc72903bebb2

Download Submit
\Users\Admin\AppData\Roaming\Wygo\tiab.exe
Filesize
860KB

MD5
5ceb06e5be5299ff1fab74c5e9833935

SHA1
ad5314e7679be1a7579fbc5eccc91ea7f3f0e88d

SHA256
d0ed1749e849cdb6587de7cbfc64a06183b15ff91479929c851d73e2a5913d2a

SHA512
0d9449dcec05483856b1187b704a4739ca39ea351910448e64861c17767ecff6f168ec8073269a4bd4a0536f88ef5b1f94ec750edb95588671674ff967e10956

Download Submit
\Users\Admin\AppData\Roaming\Wygo\tiab.exe
Filesize
860KB

MD5
5ceb06e5be5299ff1fab74c5e9833935

SHA1
ad5314e7679be1a7579fbc5eccc91ea7f3f0e88d

SHA256
d0ed1749e849cdb6587de7cbfc64a06183b15ff91479929c851d73e2a5913d2a

SHA512
0d9449dcec05483856b1187b704a4739ca39ea351910448e64861c17767ecff6f168ec8073269a4bd4a0536f88ef5b1f94ec750edb95588671674ff967e10956

Download Submit
memory/304-75-0x0000000000000000-mapping.dmp

Download
memory/588-69-0x0000000000000000-mapping.dmp

Download
memory/608-92-0x0000000000000000-mapping.dmp

Download
memory/628-116-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/628-119-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/628-118-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/628-91-0x0000000000000000-mapping.dmp

Download
memory/628-137-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/628-117-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/628-122-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/896-70-0x0000000000000000-mapping.dmp

Download
memory/900-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-65-0x00000000004118DF-mapping.dmp

Download
memory/900-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-100-0x0000000001DC0000-0x0000000001DEF000-memory.dmp

Filesize
188KB

Download
memory/1120-99-0x0000000001DC0000-0x0000000001DEF000-memory.dmp

Filesize
188KB

Download
memory/1120-98-0x0000000001DC0000-0x0000000001DEF000-memory.dmp

Filesize
188KB

Download
memory/1120-101-0x0000000001DC0000-0x0000000001DEF000-memory.dmp

Filesize
188KB

Download
memory/1176-106-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/1176-107-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/1176-104-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/1176-105-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/1204-112-0x00000000025A0000-0x00000000025CF000-memory.dmp

Filesize
188KB

Download
memory/1204-113-0x00000000025A0000-0x00000000025CF000-memory.dmp

Filesize
188KB

Download
memory/1204-111-0x00000000025A0000-0x00000000025CF000-memory.dmp

Filesize
188KB

Download
memory/1204-110-0x00000000025A0000-0x00000000025CF000-memory.dmp

Filesize
188KB

Download
memory/1328-131-0x0000000001AE0000-0x0000000001B0F000-memory.dmp

Filesize
188KB

Download
memory/1328-128-0x0000000001AE0000-0x0000000001B0F000-memory.dmp

Filesize
188KB

Download
memory/1328-130-0x0000000001AE0000-0x0000000001B0F000-memory.dmp

Filesize
188KB

Download
memory/1328-129-0x0000000001AE0000-0x0000000001B0F000-memory.dmp

Filesize
188KB

Download
memory/1360-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-87-0x00000000004118DF-mapping.dmp

Download
memory/1396-95-0x0000000000000000-mapping.dmp

Download
memory/1544-79-0x0000000000000000-mapping.dmp

Download
memory/1552-56-0x0000000000000000-mapping.dmp

Download
memory/1784-145-0x000007FEFC631000-0x000007FEFC633000-memory.dmp

Filesize
8KB

Download
memory/1784-146-0x000007FEF6EB1000-0x000007FEF6EB3000-memory.dmp

Filesize
8KB

Download
memory/1784-147-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1784-153-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/1956-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x00000000002A0000-0x00000000002A4000-memory.dmp

Filesize
16KB

Download