ea5c9b5d0f6dd7bddd595bd6bfda7d48fe13656bf4a72f5ecfbd38cdd80cd9fb

Analysis

max time kernel
148s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TEACHER.exe
Size

4.2MB
MD5

2e461836020fe8defb2e8c83efb2891c
SHA1

f935b340258da2ed05a53c7226ea38fbf5028999
SHA256

a844d8410fe6c329c8be5b74fadbf55bb2337660abab472e5fa067b3452ef5b3
SHA512

07450c02252e5c03a51d21847887c34e85c2d0d15331d5c38623e9e1827a078f17ad1f1daec2e8acce686328b9c4e5760f8b4a93b2cb2715133df8f02606a418
SSDEEP

49152:MaixCNNWzyGLYjvMWfHCpv0rscgKCjmZUYD5HT3zWAB4vQnQxxA0k:MQN6UjXK6wjjwmAUQQfDk

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1448	RunDll32.exe
7	1156	RunDll32.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\hcalway.sys	setup1209.exe
File opened for modification	C:\Windows\SysWOW64\drivers\abhcop.sys	setup1209.exe
File created	C:\Windows\SysWOW64\drivers\cdntran.sys	setup.exe
File created	C:\Windows\SysWOW64\drivers\cdnprot.sys	setup.exe

Executes dropped EXE 10 IoCs

pid	Process
1092	WIS98.exe
1332	CFSQdll.exe
1620	hztk0822.exe
1972	setup.exe
924	setup.exe
864	setup1209.exe
2044	cdnup.exe
1048	zsearch.exe
1448	ZsUp.exe
1728	TEACHER.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cdnprot\ImagePath = "system32\\drivers\\cdnprot.sys"	setup.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\»®´ÊËÑË÷.lnk	setup1209.exe

Loads dropped DLL 64 IoCs

pid	Process
1636	TEACHER.exe
1636	TEACHER.exe
1636	TEACHER.exe
1092	WIS98.exe
1092	WIS98.exe
1092	WIS98.exe
1092	WIS98.exe
1092	WIS98.exe
1332	CFSQdll.exe
1332	CFSQdll.exe
1332	CFSQdll.exe
1636	TEACHER.exe
1636	TEACHER.exe
1448	RunDll32.exe
1448	RunDll32.exe
1448	RunDll32.exe
1448	RunDll32.exe
1392	Rundll32.exe
1392	Rundll32.exe
1392	Rundll32.exe
1392	Rundll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1620	hztk0822.exe
1620	hztk0822.exe
1620	hztk0822.exe
1620	hztk0822.exe
1620	hztk0822.exe
1620	hztk0822.exe
1620	hztk0822.exe
1972	setup.exe
1972	setup.exe
1972	setup.exe
1972	setup.exe
924	setup.exe
924	setup.exe
924	setup.exe
1636	TEACHER.exe
924	setup.exe
924	setup.exe
924	setup.exe
864	setup1209.exe
864	setup1209.exe
864	setup1209.exe
924	setup.exe
924	setup.exe
924	setup.exe
924	setup.exe
924	setup.exe
924	setup.exe
924	setup.exe
924	setup.exe
604	regsvr32.exe
864	setup1209.exe
924	setup.exe
864	setup1209.exe
924	setup.exe
924	setup.exe
2044	cdnup.exe
2044	cdnup.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	WIS98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscfs = "RUNDLL32 C:\\Windows\\system32\\msibm\\cfsys.dll,cfs"	WIS98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CdnCtr = "C:\\Program Files\\CNNIC\\Cdn\\cdnup.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MoveSearch = "C:\\Program Files (x86)\\HuaCi\\huaci\\zsearch.exe"	setup1209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{16A770A0-0E87-4278-B748-2460D64A8386}	TEACHER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "BHelper"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{35980F6E-A137-4E50-953D-813BB8556899}	setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	zsearch.exe
File opened for modification	\??\PhysicalDrive0	setup1209.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cdn.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\msibm\cfscfg.7z	RunDll32.exe
File created	C:\Windows\SysWOW64\msibm\post.tpl	WIS98.exe
File opened for modification	C:\Windows\SysWOW64\msibm\intro.tpl	WIS98.exe
File created	C:\Windows\SysWOW64\ibmvdr_.dll	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\lowlvl.dll	WIS98.exe
File opened for modification	C:\Windows\SysWOW64\ibmvdr_.dll	WIS98.exe
File created	C:\Windows\SysWOW64\ibmuuid_.dll	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\post.htm	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\intro.htm	Rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msibm\CFSQdll.exe	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\CFSQdll.exe	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\linbak.dll	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\cfscfg.7z	RunDll32.exe
File created	C:\Windows\SysWOW64\cdnns.dll	setup.exe
File created	C:\Windows\SysWOW64\msibm\cfsys.dll	WIS98.exe
File opened for modification	C:\Windows\SysWOW64\ibmuuid_.dll	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\intro.tpl	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\cfs7zd.DLL	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\cfsupd.dll	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\Uninstall.exe	WIS98.exe
File opened for modification	C:\Windows\SysWOW64\msibm\post.tpl	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\cfsbho.dll	WIS98.exe

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files\CNNIC\Cdn\cdntran.dat	setup.exe
File opened for modification	C:\Program Files (x86)\HuaCi\update\sysadInfo.ini	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\allverx.dat	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\hcalway.sys.tmp	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\Mouse1.dll.zgx.tmp	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\mUin.exe	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\abhcop.sys	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\sysupdate.ini	setup1209.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\hcalway.inf	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\hcalway.sys	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\mUin.exe	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\zsearch.exe.tmp	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaconv.dll	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\setup.tmp	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\_uninstall	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\Mouse1.dll.zgx	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\zsup.exe	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\hcalway.sys	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\mUin.exe.tmp	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnunins.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\client.dll	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaoe.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdntdns.dll	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\allverx.dat.tmp	setup1209.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdndet.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprev.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnctr.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnglo.dll	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\sysupdate.ini.tmp	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprh.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnup.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnhint.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaol.dll	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\SearchM.dll.zgx.tmp	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\zsearch.exe	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\Mouse1.dll.zgx	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\SearchM.dll.zgx	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\zsearch.exe	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprot.dat	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\abhcop.sys.tmp	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\sysupdate.ini	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\zsup.exe.tmp	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\_uninstall	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\abhcop.sys	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\hcalway.inf	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\zsup.exe	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnspie.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\hcalway.inf.tmp	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\Mouse1.dll	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\SearchM.dll	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnaux.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdniehlp.dll	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\allverx.dat	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\SearchM.dll.zgx	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\update\sysadInfo.ini	zsearch.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ButtonText = "ÖÐÎÄÉÏÍø"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuStatusBar = "Chinese Navigation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\Type = "checkbox"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\Type = "checkbox"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\Text = "Intelligent Resolution"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\ValueName = "EnableMailScript"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\ValueName = "EnableMailAcc"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\CheckedValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\Text = "Enable Internet Keyword"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ButtonText = "Chinese Navigation"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\ValueName = "EnableAddrHint"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\Text = "Automatically Update When New Version is Detected(Recommended)"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\Text = "Chinese Domain Name and Internet Keyword"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\Text = " Chinese-Language Internet Access"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\Bitmap = "C:\\WINNT\\system32\\inetcpl.cpl,4497"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\Type = "group"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\Text = "Display Keyword in the Address Bar Droplist"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\Text = "the Address Bar Information"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\Text = "Enable Chinese Domain Name"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuText = "Chinese Navigation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\HotIcon = "C:\\PROGRA~1\\CNNIC\\Cdn\\cdniehlp.dll,213"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\CheckedValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\ValueName = "EnableKwDisp"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\Type = "group"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\DefaultValue = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\Text = "Enable Chinese Domain Name Mailing System"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\Text = "Mail"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\ValueName = "EnableMail"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ClsidExtension = "{35980F6E-A137-4E50-953D-813BB8556899}"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\UncheckedValue = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\Text = "Enable Account Configuration Assistant"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\Type = "checkbox"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\ValueName = "EnableKw"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\CheckedValue = "1"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\InprocServer32\ = "C:\\Windows\\SysWow64\\cdn.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0\win32	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\ = "ICndnIEHlprObj"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search\CurVer\ = "SearchM.Search.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "CBHelper Object"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser\CurVer\ = "MailParserSvr.MailParser.1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}	TEACHER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{951A869A-1003-4897-948F-D55E570871DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\0\win32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\imaol.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0\0\win32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\cdniehlp.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper.1\CLSID\ = "{16A770A0-0E87-4278-B748-2460D64A8386}"	TEACHER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\FLAGS	TEACHER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CurVer	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ = "IBHelper"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\VersionIndependentProgID\ = "MailParserSvr.InspectorHandler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\InprocServer32\ = "C:\\PROGRA~2\\HuaCi\\huaci\\searchm.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\0	TEACHER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\msibm\\"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj.1\ = "CndnIEHlprObj Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\ProgID\ = "MailParserSvr.MailParser.1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search\CLSID\ = "{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{3C31D9A2-68F2-480B-A9A5-D579EF4E8729}\Info	TEACHER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32\ = "C:\\Windows\\SysWow64\\msibm\\cfsbho.dll"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib\ = "{FD536575-73F7-42A3-9E9F-11688F1A006A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\ = "CBHelper Object"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0\ = "CndnIEHelper 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser.1\ = "MailParser Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler.1\CLSID\ = "{461A86F7-A29D-460A-80D5-52979AA6C46D}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}\InprocServer32\ThreadingModel = "Apartment"	TEACHER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj.1	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0	TEACHER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\TypeLib	TEACHER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj\CLSID\ = "{9A578C98-3C2F-4630-890B-FC04196EF420}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL\AppID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\ = "cfsbho"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\TypeLib\ = "{B7DB519E-7131-47B1-A9F5-DA8D061C2611}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\HuaCi\\huaci\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\ = "IMyIEHelper"	TEACHER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{951A869A-1003-4897-948F-D55E570871DB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\CLSID\ = "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\ = "CNNIC_IDN"	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	hztk0822.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe
1156	RunDll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1728	TEACHER.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	hztk0822.exe
Token: SeDebugPrivilege	1156	RunDll32.exe
Token: SeRestorePrivilege	1332	rundll32.exe
Token: SeRestorePrivilege	1332	rundll32.exe
Token: SeRestorePrivilege	1332	rundll32.exe
Token: SeRestorePrivilege	1332	rundll32.exe
Token: SeRestorePrivilege	1332	rundll32.exe
Token: SeRestorePrivilege	1332	rundll32.exe
Token: SeRestorePrivilege	1332	rundll32.exe
Token: SeRestorePrivilege	924	setup.exe
Token: SeBackupPrivilege	924	setup.exe
Token: SeRestorePrivilege	2044	cdnup.exe
Token: SeBackupPrivilege	2044	cdnup.exe
Token: SeRestorePrivilege	864	setup1209.exe
Token: SeBackupPrivilege	864	setup1209.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1728	TEACHER.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1728	TEACHER.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
864	setup1209.exe
2044	cdnup.exe
2044	cdnup.exe
2044	cdnup.exe
1048	zsearch.exe
1048	zsearch.exe
1448	ZsUp.exe
1048	zsearch.exe
1048	zsearch.exe
1448	ZsUp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1092	1636	TEACHER.exe	27
PID 1636 wrote to memory of 1092	1636	TEACHER.exe	27
PID 1636 wrote to memory of 1092	1636	TEACHER.exe	27
PID 1636 wrote to memory of 1092	1636	TEACHER.exe	27
PID 1636 wrote to memory of 1092	1636	TEACHER.exe	27
PID 1636 wrote to memory of 1092	1636	TEACHER.exe	27
PID 1636 wrote to memory of 1092	1636	TEACHER.exe	27
PID 1092 wrote to memory of 1332	1092	WIS98.exe	28
PID 1092 wrote to memory of 1332	1092	WIS98.exe	28
PID 1092 wrote to memory of 1332	1092	WIS98.exe	28
PID 1092 wrote to memory of 1332	1092	WIS98.exe	28
PID 1092 wrote to memory of 1332	1092	WIS98.exe	28
PID 1092 wrote to memory of 1332	1092	WIS98.exe	28
PID 1092 wrote to memory of 1332	1092	WIS98.exe	28
PID 1092 wrote to memory of 1392	1092	WIS98.exe	29
PID 1092 wrote to memory of 1392	1092	WIS98.exe	29
PID 1092 wrote to memory of 1392	1092	WIS98.exe	29
PID 1092 wrote to memory of 1392	1092	WIS98.exe	29
PID 1092 wrote to memory of 1392	1092	WIS98.exe	29
PID 1092 wrote to memory of 1392	1092	WIS98.exe	29
PID 1092 wrote to memory of 1392	1092	WIS98.exe	29
PID 1092 wrote to memory of 1448	1092	WIS98.exe	30
PID 1092 wrote to memory of 1448	1092	WIS98.exe	30
PID 1092 wrote to memory of 1448	1092	WIS98.exe	30
PID 1092 wrote to memory of 1448	1092	WIS98.exe	30
PID 1092 wrote to memory of 1448	1092	WIS98.exe	30
PID 1092 wrote to memory of 1448	1092	WIS98.exe	30
PID 1092 wrote to memory of 1448	1092	WIS98.exe	30
PID 1092 wrote to memory of 1156	1092	WIS98.exe	31
PID 1092 wrote to memory of 1156	1092	WIS98.exe	31
PID 1092 wrote to memory of 1156	1092	WIS98.exe	31
PID 1092 wrote to memory of 1156	1092	WIS98.exe	31
PID 1092 wrote to memory of 1156	1092	WIS98.exe	31
PID 1092 wrote to memory of 1156	1092	WIS98.exe	31
PID 1092 wrote to memory of 1156	1092	WIS98.exe	31
PID 1636 wrote to memory of 1620	1636	TEACHER.exe	32
PID 1636 wrote to memory of 1620	1636	TEACHER.exe	32
PID 1636 wrote to memory of 1620	1636	TEACHER.exe	32
PID 1636 wrote to memory of 1620	1636	TEACHER.exe	32
PID 1156 wrote to memory of 1340	1156	RunDll32.exe	14
PID 1156 wrote to memory of 1448	1156	RunDll32.exe	30
PID 1156 wrote to memory of 576	1156	RunDll32.exe	25
PID 1156 wrote to memory of 1340	1156	RunDll32.exe	14
PID 1156 wrote to memory of 1448	1156	RunDll32.exe	30
PID 1156 wrote to memory of 576	1156	RunDll32.exe	25
PID 1156 wrote to memory of 1340	1156	RunDll32.exe	14
PID 1620 wrote to memory of 1972	1620	hztk0822.exe	33
PID 1620 wrote to memory of 1972	1620	hztk0822.exe	33
PID 1620 wrote to memory of 1972	1620	hztk0822.exe	33
PID 1620 wrote to memory of 1972	1620	hztk0822.exe	33
PID 1620 wrote to memory of 1972	1620	hztk0822.exe	33
PID 1620 wrote to memory of 1972	1620	hztk0822.exe	33
PID 1620 wrote to memory of 1972	1620	hztk0822.exe	33
PID 1972 wrote to memory of 924	1972	setup.exe	34
PID 1972 wrote to memory of 924	1972	setup.exe	34
PID 1972 wrote to memory of 924	1972	setup.exe	34
PID 1972 wrote to memory of 924	1972	setup.exe	34
PID 1972 wrote to memory of 924	1972	setup.exe	34
PID 1972 wrote to memory of 924	1972	setup.exe	34
PID 1972 wrote to memory of 924	1972	setup.exe	34
PID 1636 wrote to memory of 864	1636	TEACHER.exe	35
PID 1636 wrote to memory of 864	1636	TEACHER.exe	35
PID 1636 wrote to memory of 864	1636	TEACHER.exe	35
PID 1636 wrote to memory of 864	1636	TEACHER.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\TEACHER.exe
  "C:\Users\Admin\AppData\Local\Temp\TEACHER.exe"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\ProgramData\Application Data\Microsoft\IEHelper\WIS98.exe
    "C:\ProgramData\Application Data\Microsoft\IEHelper\WIS98.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\msibm\CFSQdll.exe
      C:\Windows\system32\msibm\CFSQdll.exe 20
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1332
  - - C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe C:\Windows\system32\msibm\cfsbho.dll,firstGenGuid
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      PID:1392
  - - C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe C:\Windows\system32\msibm\cfsbho.dll,regUser
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies registry class
      PID:1448
  - - C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe C:\Windows\system32\msibm\cfsys.DLL,cfs
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1156
- - C:\ProgramData\Application Data\Microsoft\IEHelper\hztk0822.exe
    "C:\ProgramData\Application Data\Microsoft\IEHelper\hztk0822.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\setup.exe 00020402
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\setup\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup\setup.exe" 00020402
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Sets service image path in registry
        Loads dropped DLL
        Adds Run key to start application
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
      - C:\Program Files\CNNIC\Cdn\cdnup.exe
        
        "C:\Program Files\CNNIC\Cdn\cdnup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2044
- - C:\ProgramData\Application Data\Microsoft\IEHelper\setup1209.exe
    "C:\ProgramData\Application Data\Microsoft\IEHelper\setup1209.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:864
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\HuaCi\huaci\searchm.dll" -s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:604
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 .\hcalway.inf
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:1332
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        
        PID:1100
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:1776
  - - C:\Program Files (x86)\HuaCi\huaci\zsearch.exe
      "C:\Program Files (x86)\HuaCi\huaci\zsearch.exe" aa
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1048
    - - C:\Program Files (x86)\HuaCi\huaci\ZsUp.exe
        
        "C:\Program Files (x86)\HuaCi\huaci\ZsUp.exe" check
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
- - C:\ProgramData\Application Data\Microsoft\IEHelper\TEACHER.exe
    "C:\ProgramData\Application Data\Microsoft\IEHelper\TEACHER.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x280
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
C:\ProgramData\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
C:\ProgramData\Microsoft\IEHelper\hztk0822.exe

Filesize
392KB

MD5
f762248da081aa92ac233ab6e798bc1d

SHA1
f9881782d01f9c46e63e3a70c8bc1f6b6f5cb59e

SHA256
7ec286c4f0befe7f8c72fa141fe20824df47bcf517830c0e762c7fed53a0a6b1

SHA512
e27be11f662971f4ac571af58c54c2318cc78a25b96b82d934fd75389bc4864de4d9ba6e9e5f3ea20442ddc2481f11a8dc533eb27333477598848d4dc4249290

Download Submit
C:\ProgramData\Microsoft\IEHelper\setup1209.exe

Filesize
187KB

MD5
084a84d07284ec9c26c33123b68c6d87

SHA1
8c59867c6d19f7bdb48a26265f2e1ec24ca7aaed

SHA256
508fca44a3ceaeb6de685059b7608783fade7ff0d6fa61ec03a5db26eedfd075

SHA512
f934be5fca14d5beb4d8cbd506bccefd9bfb6cee82b452c1e7d91712a01b816f29f0e96d4c4392b820164857964686b8392e709e858e065986dbe9cfbafa0c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
1b9679acf2f19392430256398a5f1ce5

SHA1
3174921a4f3f191d326fc24ef0919071d1a4fdb6

SHA256
571a9f31535e97bd0dd6da46998246a64c75cbe5aae20ac16e5bec818c7fd8b7

SHA512
f8e4d3ff9e6d88e9889e880534d984fed84abade2307cffc1963e8629726deb87bed4ed44a94ce81f9162b152460b9ca1befcf9929745fd07697ae344c43e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
1b9679acf2f19392430256398a5f1ce5

SHA1
3174921a4f3f191d326fc24ef0919071d1a4fdb6

SHA256
571a9f31535e97bd0dd6da46998246a64c75cbe5aae20ac16e5bec818c7fd8b7

SHA512
f8e4d3ff9e6d88e9889e880534d984fed84abade2307cffc1963e8629726deb87bed4ed44a94ce81f9162b152460b9ca1befcf9929745fd07697ae344c43e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnins.dll

Filesize
72KB

MD5
ddd3eda4b579e482e23aa3c5132cc14b

SHA1
9b88c9ea2175283f48d4152b9ac24a63bf2c217d

SHA256
871888a6706c56fe3441dd4e2ad556348b31c9337e3984a24fe40ee14bdff60b

SHA512
7382f548de6239ff5ffa6a0689d6f77e7b13f8ef6b21960e9a4d7f4db0e577b7ea156d95db3cbcd400ec1f68ce8666e4c53009e731ff250fa2ae1efda6cc9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprh.dll

Filesize
40KB

MD5
6bf77aeea07670dcb9b7507573d93489

SHA1
331aa409fd345fdb76877928eda7f1ea97a8f358

SHA256
17b60d34722ff32014ce272f568b30774f1607f5230e24b88381ab99aed72d5a

SHA512
364109d674d8069cb476f52db7e059c746b475c8ebb6b0986cb07ad9b7df232edb1744cc37f8d048d7725aabb53274e0dd1682208846ebb817ac0990a1cc0ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
C:\Windows\SysWOW64\ibmuuid_.dll

Filesize
36B

MD5
4c0f8bc34b5d06cb9817e152e6401853

SHA1
16e8b00e5c79bbfe45e8b7ae6ce713336f78a7b4

SHA256
bce8f6263e4c4b3667cef16b4187af2c9f0911377be502a38667263de6c21ec1

SHA512
8c51b7c21ec8ec9c5367a776e1528188c91919ab1c9857305752f5b3b16bb039a7bb4483f4421ea65918aa5b5075c20017395181c0da2ea38ec5065c4ca82d40

Download Submit
C:\Windows\SysWOW64\ibmvdr_.dll

Filesize
7B

MD5
c72943c59f50021ffb99a65583161efe

SHA1
e8e1250a454f217a6cbdb3aa200eebbc32fa5467

SHA256
14345b479170b82b8da09e638b0c69ba5075d1fc73a6bf4c541dbeb6779bf2d8

SHA512
10644476caaae16bd90756d63302adda493f8b2503e5d63c4b4a0a1f65fd7cc165224a3ed186aea4b10e37dc8179962ee5a2958eea6fce8ce46d8305de649298

Download Submit
C:\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
C:\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
C:\Windows\SysWOW64\msibm\cfs7zd.DLL

Filesize
14KB

MD5
379f4f2560c2d11838676ffcabeee8dd

SHA1
b88999a424f7306eb2000955f5d8f1424160d1b2

SHA256
65aaaad675bda642ae296a89a6a4da29693ed094c5db200470f32637164820c3

SHA512
4861bb5ad9d1eacc6d92ec8554b81c25c5be3544d93c1200b7784cf2aaa2ea32247d13cfebdecfbc8bd637959643e5808922cf2b57685057f36cdaf3a196f22d

Download Submit
C:\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
C:\Windows\SysWOW64\msibm\cfsupd.dll

Filesize
72KB

MD5
87355014fd31dd1047b4086640f9c14a

SHA1
bde3383df2421d40c1f7ccbb909156dccc847d14

SHA256
5f8d5ad410b926f70edb694028802548d6d1d6c656a5daa1f0cda6613d14e2a3

SHA512
603ef15ea81be5cb39c7b3eeec2202e0100e9d111696cc3de640d18a7b69691d6069c6ab27d72f565a210cdbad11a2332d0c6b211c8d24560efd5674059c09b5

Download Submit
C:\Windows\SysWOW64\msibm\cfsys.DLL

Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
C:\Windows\SysWOW64\msibm\intro.tpl

Filesize
161B

MD5
e0782089e9f016369e89a4ec36474355

SHA1
a364f107081a899aea66ed73403dfc19041ea3f5

SHA256
c09efa49ecdb14dbd0dae118f3ba4ac30ecb4fe2db9e5bfe2874403733e99d46

SHA512
fff1a002e575ecf1f43573e2278f246ee72d007ac008f81717ecd0a9a003e969d2e91a28019e29912ed4741f1f3d9bed43adc14bfa48d80bd471df47825b9cfe

Download Submit
C:\Windows\SysWOW64\msibm\lowlvl.dll

Filesize
44KB

MD5
5ad7b028f0431453d05d5bedcdee3574

SHA1
c9f14c3530391461b74a4da359e1d0b7fdffad12

SHA256
d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f

SHA512
22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c

Download Submit
C:\Windows\SysWOW64\msibm\post.tpl

Filesize
160B

MD5
7ba5508ca1abca116183c1dcdbcf31d2

SHA1
c006df723e7ce851387345efe880c2fb7796d330

SHA256
0057b6b6acd17a102867a24e4927cdc487db31930c8769ad5271497757546e3e

SHA512
31dae4340d02815a0529cabe88fcad6a1e127776076d6172a1d7a76ed54cd0ecb86fec9aede5db9bf37278b47de857bc4c738d2fa30bfb635181492f8a8bd21b

Download Submit
\ProgramData\Microsoft\IEHelper\IEHelper_8888.dll

Filesize
80KB

MD5
89b797079f9f48b471c94a544229a765

SHA1
2f732aea98e89ca8fd97f86e8a42d97dcb8722f9

SHA256
87c8252112795c78d1b70859685356bb8774cfc89cf254833a35978611582b72

SHA512
5ee5864f5429b83411b1ff54f213c3efd857006edc5c70e05801ba3fe9ffceac58ec96ecc261c27fa2f629c70878242be5fbeff2df7ad486b390cb23df3cebfe

Download Submit
\ProgramData\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
\ProgramData\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
\ProgramData\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
\ProgramData\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
\ProgramData\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
\ProgramData\Microsoft\IEHelper\hztk0822.exe

Filesize
392KB

MD5
f762248da081aa92ac233ab6e798bc1d

SHA1
f9881782d01f9c46e63e3a70c8bc1f6b6f5cb59e

SHA256
7ec286c4f0befe7f8c72fa141fe20824df47bcf517830c0e762c7fed53a0a6b1

SHA512
e27be11f662971f4ac571af58c54c2318cc78a25b96b82d934fd75389bc4864de4d9ba6e9e5f3ea20442ddc2481f11a8dc533eb27333477598848d4dc4249290

Download Submit
\ProgramData\Microsoft\IEHelper\hztk0822.exe

Filesize
392KB

MD5
f762248da081aa92ac233ab6e798bc1d

SHA1
f9881782d01f9c46e63e3a70c8bc1f6b6f5cb59e

SHA256
7ec286c4f0befe7f8c72fa141fe20824df47bcf517830c0e762c7fed53a0a6b1

SHA512
e27be11f662971f4ac571af58c54c2318cc78a25b96b82d934fd75389bc4864de4d9ba6e9e5f3ea20442ddc2481f11a8dc533eb27333477598848d4dc4249290

Download Submit
\ProgramData\Microsoft\IEHelper\setup1209.exe

Filesize
187KB

MD5
084a84d07284ec9c26c33123b68c6d87

SHA1
8c59867c6d19f7bdb48a26265f2e1ec24ca7aaed

SHA256
508fca44a3ceaeb6de685059b7608783fade7ff0d6fa61ec03a5db26eedfd075

SHA512
f934be5fca14d5beb4d8cbd506bccefd9bfb6cee82b452c1e7d91712a01b816f29f0e96d4c4392b820164857964686b8392e709e858e065986dbe9cfbafa0c53

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
1b9679acf2f19392430256398a5f1ce5

SHA1
3174921a4f3f191d326fc24ef0919071d1a4fdb6

SHA256
571a9f31535e97bd0dd6da46998246a64c75cbe5aae20ac16e5bec818c7fd8b7

SHA512
f8e4d3ff9e6d88e9889e880534d984fed84abade2307cffc1963e8629726deb87bed4ed44a94ce81f9162b152460b9ca1befcf9929745fd07697ae344c43e970

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
1b9679acf2f19392430256398a5f1ce5

SHA1
3174921a4f3f191d326fc24ef0919071d1a4fdb6

SHA256
571a9f31535e97bd0dd6da46998246a64c75cbe5aae20ac16e5bec818c7fd8b7

SHA512
f8e4d3ff9e6d88e9889e880534d984fed84abade2307cffc1963e8629726deb87bed4ed44a94ce81f9162b152460b9ca1befcf9929745fd07697ae344c43e970

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
1b9679acf2f19392430256398a5f1ce5

SHA1
3174921a4f3f191d326fc24ef0919071d1a4fdb6

SHA256
571a9f31535e97bd0dd6da46998246a64c75cbe5aae20ac16e5bec818c7fd8b7

SHA512
f8e4d3ff9e6d88e9889e880534d984fed84abade2307cffc1963e8629726deb87bed4ed44a94ce81f9162b152460b9ca1befcf9929745fd07697ae344c43e970

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
1b9679acf2f19392430256398a5f1ce5

SHA1
3174921a4f3f191d326fc24ef0919071d1a4fdb6

SHA256
571a9f31535e97bd0dd6da46998246a64c75cbe5aae20ac16e5bec818c7fd8b7

SHA512
f8e4d3ff9e6d88e9889e880534d984fed84abade2307cffc1963e8629726deb87bed4ed44a94ce81f9162b152460b9ca1befcf9929745fd07697ae344c43e970

Download Submit
\Users\Admin\AppData\Local\Temp\setup\cdnprh.dll

Filesize
40KB

MD5
6bf77aeea07670dcb9b7507573d93489

SHA1
331aa409fd345fdb76877928eda7f1ea97a8f358

SHA256
17b60d34722ff32014ce272f568b30774f1607f5230e24b88381ab99aed72d5a

SHA512
364109d674d8069cb476f52db7e059c746b475c8ebb6b0986cb07ad9b7df232edb1744cc37f8d048d7725aabb53274e0dd1682208846ebb817ac0990a1cc0ef7

Download Submit
\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
\Windows\SysWOW64\msibm\cfs7zd.DLL

Filesize
14KB

MD5
379f4f2560c2d11838676ffcabeee8dd

SHA1
b88999a424f7306eb2000955f5d8f1424160d1b2

SHA256
65aaaad675bda642ae296a89a6a4da29693ed094c5db200470f32637164820c3

SHA512
4861bb5ad9d1eacc6d92ec8554b81c25c5be3544d93c1200b7784cf2aaa2ea32247d13cfebdecfbc8bd637959643e5808922cf2b57685057f36cdaf3a196f22d

Download Submit
\Windows\SysWOW64\msibm\cfs7zd.DLL

Filesize
14KB

MD5
379f4f2560c2d11838676ffcabeee8dd

SHA1
b88999a424f7306eb2000955f5d8f1424160d1b2

SHA256
65aaaad675bda642ae296a89a6a4da29693ed094c5db200470f32637164820c3

SHA512
4861bb5ad9d1eacc6d92ec8554b81c25c5be3544d93c1200b7784cf2aaa2ea32247d13cfebdecfbc8bd637959643e5808922cf2b57685057f36cdaf3a196f22d

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
\Windows\SysWOW64\msibm\cfsys.dll

Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
\Windows\SysWOW64\msibm\cfsys.dll

Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
\Windows\SysWOW64\msibm\cfsys.dll

Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
\Windows\SysWOW64\msibm\cfsys.dll

Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
\Windows\SysWOW64\msibm\cfsys.dll

Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
\Windows\SysWOW64\msibm\lowlvl.dll

Filesize
44KB

MD5
5ad7b028f0431453d05d5bedcdee3574

SHA1
c9f14c3530391461b74a4da359e1d0b7fdffad12

SHA256
d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f

SHA512
22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c

Download Submit
\Windows\SysWOW64\msibm\lowlvl.dll

Filesize
44KB

MD5
5ad7b028f0431453d05d5bedcdee3574

SHA1
c9f14c3530391461b74a4da359e1d0b7fdffad12

SHA256
d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f

SHA512
22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c

Download Submit
\Windows\SysWOW64\msibm\lowlvl.dll

Filesize
44KB

MD5
5ad7b028f0431453d05d5bedcdee3574

SHA1
c9f14c3530391461b74a4da359e1d0b7fdffad12

SHA256
d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f

SHA512
22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c

Download Submit
memory/864-140-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/864-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/864-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/864-141-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/864-171-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/924-137-0x00000000002D0000-0x00000000002F0000-memory.dmp

Filesize
128KB

Download
memory/924-138-0x0000000000340000-0x0000000000358000-memory.dmp

Filesize
96KB

Download
memory/924-139-0x0000000002E40000-0x0000000002F50000-memory.dmp

Filesize
1.1MB

Download
memory/1048-162-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/1048-163-0x0000000000260000-0x000000000026D000-memory.dmp

Filesize
52KB

Download
memory/1048-166-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/1092-59-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1156-159-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/1332-158-0x0000000000390000-0x000000000039D000-memory.dmp

Filesize
52KB

Download
memory/1636-134-0x00000000002C0000-0x00000000002FB000-memory.dmp

Filesize
236KB

Download
memory/1728-169-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2044-157-0x0000000003460000-0x0000000003611000-memory.dmp

Filesize
1.7MB

Download
memory/2044-156-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/2044-155-0x00000000002F0000-0x00000000002FD000-memory.dmp

Filesize
52KB

Download
memory/2044-154-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download