ea5c9b5d0f6dd7bddd595bd6bfda7d48fe13656bf4a72f5ecfbd38cdd80cd9fb

Analysis

max time kernel
163s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TEACHER.exe
Size

4.2MB
MD5

2e461836020fe8defb2e8c83efb2891c
SHA1

f935b340258da2ed05a53c7226ea38fbf5028999
SHA256

a844d8410fe6c329c8be5b74fadbf55bb2337660abab472e5fa067b3452ef5b3
SHA512

07450c02252e5c03a51d21847887c34e85c2d0d15331d5c38623e9e1827a078f17ad1f1daec2e8acce686328b9c4e5760f8b4a93b2cb2715133df8f02606a418
SSDEEP

49152:MaixCNNWzyGLYjvMWfHCpv0rscgKCjmZUYD5HT3zWAB4vQnQxxA0k:MQN6UjXK6wjjwmAUQQfDk

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	4800	RunDll32.exe
16	1028	RunDll32.exe
17	1028	RunDll32.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\cdntran.sys	setup.exe
File created	C:\Windows\SysWOW64\drivers\cdnprot.sys	setup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\hcalway.sys	setup1209.exe
File opened for modification	C:\Windows\SysWOW64\drivers\abhcop.sys	setup1209.exe

Executes dropped EXE 10 IoCs

pid	Process
4584	WIS98.exe
3496	CFSQdll.exe
4808	hztk0822.exe
3656	setup.exe
1784	setup.exe
456	setup1209.exe
4404	cdnup.exe
3912	zsearch.exe
2328	ZsUp.exe
2712	TEACHER.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cdnprot\ImagePath = "system32\\drivers\\cdnprot.sys"	setup.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\»®´ÊËÑË÷.lnk	setup1209.exe

Loads dropped DLL 64 IoCs

pid	Process
4668	TEACHER.exe
4752	Rundll32.exe
1028	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
1028	RunDll32.exe
1028	RunDll32.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
4088	regsvr32.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
1784	setup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
1784	setup.exe
4800	RunDll32.exe
4800	RunDll32.exe
4596	grpconv.exe
4596	grpconv.exe
4596	grpconv.exe
4252	runonce.exe
4252	runonce.exe
4252	runonce.exe
1040	rundll32.exe
1040	rundll32.exe
1040	rundll32.exe
3912	zsearch.exe
3912	zsearch.exe
3912	zsearch.exe
3912	zsearch.exe
3912	zsearch.exe
3912	zsearch.exe
3912	zsearch.exe
2328	ZsUp.exe
456	setup1209.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	WIS98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscfs = "RUNDLL32 C:\\Windows\\system32\\msibm\\cfsys.dll,cfs"	WIS98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CdnCtr = "C:\\Program Files\\CNNIC\\Cdn\\cdnup.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MoveSearch = "C:\\Program Files (x86)\\HuaCi\\huaci\\zsearch.exe"	setup1209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "BHelper"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35980F6E-A137-4E50-953D-813BB8556899}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16A770A0-0E87-4278-B748-2460D64A8386}	TEACHER.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup1209.exe
File opened for modification	\??\PhysicalDrive0	zsearch.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msibm\cfscfg.7z	RunDll32.exe
File created	C:\Windows\SysWOW64\cdn.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\msibm\CFSQdll.exe	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\intro.tpl	WIS98.exe
File created	C:\Windows\SysWOW64\ibmvdr_.dll	WIS98.exe
File created	C:\Windows\SysWOW64\ibmuuid_.dll	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\post.htm	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\cfsbho.dll	WIS98.exe
File opened for modification	C:\Windows\SysWOW64\ibmvdr_.dll	WIS98.exe
File opened for modification	C:\Windows\SysWOW64\ibmuuid_.dll	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\Uninstall.exe	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\CFSQdll.exe	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\post.tpl	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\cfs7zd.DLL	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\cfsupd.dll	WIS98.exe
File opened for modification	C:\Windows\SysWOW64\msibm\intro.tpl	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\cfsys.dll	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\intro.htm	Rundll32.exe
File created	C:\Windows\SysWOW64\msuuid_.dll	RunDll32.exe
File created	C:\Windows\SysWOW64\msibm\cfscfg.7z	RunDll32.exe
File created	C:\Windows\SysWOW64\cdnns.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\msibm\post.tpl	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\linbak.dll	WIS98.exe
File created	C:\Windows\SysWOW64\msibm\lowlvl.dll	WIS98.exe
File opened for modification	C:\Windows\SysWOW64\msuuid_.dll	RunDll32.exe
File created	C:\Windows\SysWOW64\msvendr_.dll	RunDll32.exe

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\SearchM.dll.zgx	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdntdns.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprot.dat	setup.exe
File opened for modification	C:\Program Files (x86)\HuaCi\update\sysadInfo.ini	zsearch.exe
File created	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnunins.exe	setup.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\Mouse1.dll	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\sysupdate.ini.tmp	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\zsearch.exe.tmp	setup1209.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnglo.dll	setup.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\hcalway.sys	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\zsearch.exe	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdniehlp.dll	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnhint.dat	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\mUin.exe.tmp	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\mUin.exe	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\SearchM.dll.zgx	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\sysupdate.ini	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\imaol.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdntran.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\client.dll	setup.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\SearchM.dll	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\hcalway.inf.tmp	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\allverx.dat	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\hcalway.inf	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\hcalway.inf	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\Mouse1.dll.zgx	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\mUin.exe	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\zsup.exe.tmp	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\abhcop.sys.tmp	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnup.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnspie.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\setup.tmp	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\_uninstall	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\Mouse1.dll.zgx	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\Mouse1.dll.zgx.tmp	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnctr.exe	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\hcalway.sys	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\SearchM.dll.zgx.tmp	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\zsearch.exe	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\zsup.exe	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprev.dat	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\allverx.dat	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\imaoe.dll	setup.exe
File created	C:\Program Files (x86)\HuaCi\huaci\hcalway.sys.tmp	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\update\sysadInfo.ini	setup1209.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\abhcop.sys	setup1209.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnaux.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdndet.dll	setup.exe
File opened for modification	C:\Program Files (x86)\HuaCi\huaci\_uninstall	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\abhcop.sys	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\allverx.dat.tmp	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\sysupdate.ini	setup1209.exe
File created	C:\Program Files (x86)\HuaCi\huaci\zsup.exe	setup1209.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprh.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\HotIcon = "C:\\PROGRA~1\\CNNIC\\Cdn\\cdniehlp.dll,213"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\ValueName = "EnableMailAcc"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\Text = "Display Keyword in the Address Bar Droplist"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\ValueName = "EnableKw"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ButtonText = "Chinese Navigation"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\Text = "Enable Chinese Domain Name Mailing System"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\UncheckedValue = "0"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\DefaultValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\ValueName = "EnableIntRes"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\Type = "checkbox"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ButtonText = "ÖÐÎÄÉÏÍø"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\Text = "Automatically Update When New Version is Detected(Recommended)"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\Type = "group"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\ValueName = "EnableIdn"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\Text = "Mail"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\Text = "the Address Bar Information"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\UncheckedValue = "0"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\Text = "Enable Chinese Domain Name"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\ValueName = "AutoUpdate"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\CheckedValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\UncheckedValue = "0"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuStatusBar = "ÖÐÎÄÉÏÍøÉèÖÃ"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\Icon = "C:\\PROGRA~1\\CNNIC\\Cdn\\cdniehlp.dll,213"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ClsidExtension = "{35980F6E-A137-4E50-953D-813BB8556899}"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\DefaultValue = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\ValueName = "EnableAddrHint"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\ValueName = "EnableMail"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\Type = "checkbox"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\CheckedValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuText = "Chinese Navigation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\Bitmap = "C:\\WINNT\\system32\\inetcpl.cpl,4497"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\CheckedValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\CheckedValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\UncheckedValue = "0"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\UncheckedValue = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\ = "CNNIC_IDN"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\TypeLib\ = "{C24A5A5C-0874-4386-85C7-E669F90997A9}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\ = "MailParserSvr 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}\InprocServer32	TEACHER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\FLAGS\ = "0"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\HELPDIR	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\ = "SearchM 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}\Programmable	TEACHER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\AppID	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\HELPDIR	TEACHER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib\ = "{FD536575-73F7-42A3-9E9F-11688F1A006A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\Programmable	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser.1\CLSID\ = "{D449EB58-55AF-4695-B216-895D546AED89}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj.1\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj\CLSID\ = "{9A578C98-3C2F-4630-890B-FC04196EF420}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0\0\win32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\cdniehlp.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\VersionIndependentProgID\ = "MailParserSvr.InspectorHandler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CLSID\ = "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\ = "cdn 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\cdn.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj\ = "CndnIEHlprObj Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\InprocServer32\ThreadingModel = "both"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser\CLSID\ = "{D449EB58-55AF-4695-B216-895D546AED89}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj\CurVer\ = "Cdn.CdnObj.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj\CLSID\ = "{35980F6E-A137-4E50-953D-813BB8556899}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\VersionIndependentProgID\ = "SearchM.Search"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CurVer\ = "IEHelper.MyIEHelper.1"	TEACHER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\ = "CBHelper Object"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\msibm\\cfsbho.dll"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search\CurVer\ = "SearchM.Search.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CLSID\ = "{16A770A0-0E87-4278-B748-2460D64A8386}"	TEACHER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\ = "IMailParser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}\ProgID	TEACHER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4808	hztk0822.exe
4808	hztk0822.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe
4800	RunDll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	TEACHER.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	hztk0822.exe
Token: SeDebugPrivilege	4800	RunDll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2712	TEACHER.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2712	TEACHER.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
456	setup1209.exe
4404	cdnup.exe
4404	cdnup.exe
4404	cdnup.exe
3912	zsearch.exe
3912	zsearch.exe
2328	ZsUp.exe
3912	zsearch.exe
3912	zsearch.exe
2328	ZsUp.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4584	4668	TEACHER.exe	79
PID 4668 wrote to memory of 4584	4668	TEACHER.exe	79
PID 4668 wrote to memory of 4584	4668	TEACHER.exe	79
PID 4584 wrote to memory of 3496	4584	WIS98.exe	80
PID 4584 wrote to memory of 3496	4584	WIS98.exe	80
PID 4584 wrote to memory of 3496	4584	WIS98.exe	80
PID 4584 wrote to memory of 4752	4584	WIS98.exe	83
PID 4584 wrote to memory of 4752	4584	WIS98.exe	83
PID 4584 wrote to memory of 4752	4584	WIS98.exe	83
PID 4584 wrote to memory of 1028	4584	WIS98.exe	84
PID 4584 wrote to memory of 1028	4584	WIS98.exe	84
PID 4584 wrote to memory of 1028	4584	WIS98.exe	84
PID 4584 wrote to memory of 4800	4584	WIS98.exe	85
PID 4584 wrote to memory of 4800	4584	WIS98.exe	85
PID 4584 wrote to memory of 4800	4584	WIS98.exe	85
PID 4668 wrote to memory of 4808	4668	TEACHER.exe	86
PID 4668 wrote to memory of 4808	4668	TEACHER.exe	86
PID 4668 wrote to memory of 4808	4668	TEACHER.exe	86
PID 4800 wrote to memory of 2576	4800	RunDll32.exe	75
PID 4800 wrote to memory of 4752	4800	RunDll32.exe	83
PID 4800 wrote to memory of 780	4800	RunDll32.exe	8
PID 4800 wrote to memory of 2576	4800	RunDll32.exe	75
PID 4800 wrote to memory of 1028	4800	RunDll32.exe	84
PID 4808 wrote to memory of 3656	4808	hztk0822.exe	87
PID 4808 wrote to memory of 3656	4808	hztk0822.exe	87
PID 4808 wrote to memory of 3656	4808	hztk0822.exe	87
PID 3656 wrote to memory of 1784	3656	setup.exe	88
PID 3656 wrote to memory of 1784	3656	setup.exe	88
PID 3656 wrote to memory of 1784	3656	setup.exe	88
PID 4668 wrote to memory of 456	4668	TEACHER.exe	89
PID 4668 wrote to memory of 456	4668	TEACHER.exe	89
PID 4668 wrote to memory of 456	4668	TEACHER.exe	89
PID 456 wrote to memory of 4088	456	setup1209.exe	90
PID 456 wrote to memory of 4088	456	setup1209.exe	90
PID 456 wrote to memory of 4088	456	setup1209.exe	90
PID 456 wrote to memory of 1040	456	setup1209.exe	91
PID 456 wrote to memory of 1040	456	setup1209.exe	91
PID 456 wrote to memory of 1040	456	setup1209.exe	91
PID 4800 wrote to memory of 780	4800	RunDll32.exe	8
PID 4800 wrote to memory of 2576	4800	RunDll32.exe	75
PID 1040 wrote to memory of 4252	1040	rundll32.exe	92
PID 1040 wrote to memory of 4252	1040	rundll32.exe	92
PID 1040 wrote to memory of 4252	1040	rundll32.exe	92
PID 1784 wrote to memory of 4404	1784	setup.exe	93
PID 1784 wrote to memory of 4404	1784	setup.exe	93
PID 1784 wrote to memory of 4404	1784	setup.exe	93
PID 4252 wrote to memory of 4596	4252	runonce.exe	94
PID 4252 wrote to memory of 4596	4252	runonce.exe	94
PID 4252 wrote to memory of 4596	4252	runonce.exe	94
PID 456 wrote to memory of 3912	456	setup1209.exe	96
PID 456 wrote to memory of 3912	456	setup1209.exe	96
PID 456 wrote to memory of 3912	456	setup1209.exe	96
PID 3912 wrote to memory of 2328	3912	zsearch.exe	97
PID 3912 wrote to memory of 2328	3912	zsearch.exe	97
PID 3912 wrote to memory of 2328	3912	zsearch.exe	97
PID 4668 wrote to memory of 2712	4668	TEACHER.exe	98
PID 4668 wrote to memory of 2712	4668	TEACHER.exe	98
PID 4668 wrote to memory of 2712	4668	TEACHER.exe	98

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:780

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\TEACHER.exe
  "C:\Users\Admin\AppData\Local\Temp\TEACHER.exe"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\ProgramData\Application Data\Microsoft\IEHelper\WIS98.exe
    "C:\ProgramData\Application Data\Microsoft\IEHelper\WIS98.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\msibm\CFSQdll.exe
      C:\Windows\system32\msibm\CFSQdll.exe 20
      4⤵
      Executes dropped EXE
      PID:3496
  - - C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe C:\Windows\system32\msibm\cfsbho.dll,firstGenGuid
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      PID:4752
  - - C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe C:\Windows\system32\msibm\cfsbho.dll,regUser
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      PID:1028
  - - C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe C:\Windows\system32\msibm\cfsys.DLL,cfs
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4800
- - C:\ProgramData\Application Data\Microsoft\IEHelper\hztk0822.exe
    "C:\ProgramData\Application Data\Microsoft\IEHelper\hztk0822.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\setup.exe 00020402
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3656
    - - C:\Users\Admin\AppData\Local\Temp\setup\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup\setup.exe" 00020402
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Sets service image path in registry
        Loads dropped DLL
        Adds Run key to start application
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Program Files\CNNIC\Cdn\cdnup.exe
        
        "C:\Program Files\CNNIC\Cdn\cdnup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4404
- - C:\ProgramData\Application Data\Microsoft\IEHelper\setup1209.exe
    "C:\ProgramData\Application Data\Microsoft\IEHelper\setup1209.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\HuaCi\huaci\searchm.dll" -s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4088
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 .\hcalway.inf
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        Loads dropped DLL
        
        PID:4596
  - - C:\Program Files (x86)\HuaCi\huaci\zsearch.exe
      "C:\Program Files (x86)\HuaCi\huaci\zsearch.exe" aa
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Program Files (x86)\HuaCi\huaci\ZsUp.exe
        
        "C:\Program Files (x86)\HuaCi\huaci\ZsUp.exe" check
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2328
- - C:\ProgramData\Application Data\Microsoft\IEHelper\TEACHER.exe
    "C:\ProgramData\Application Data\Microsoft\IEHelper\TEACHER.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HuaCi\huaci\searchm.dll

Filesize
40KB

MD5
e087ca7bd81e37c81f825eb6418ab004

SHA1
cb97cdf077624ac84c0c091b85f0af5a219217c0

SHA256
6c5170a251cc9276c0568ad07aad23524efa8362f2b7a58cc0b0b76c92c11858

SHA512
f36b074cdd541394f96d2d8ebee29baa83b5913973d6b742f79e78f869ee87a197e41f3a2639692733e9413466144590b9a5488a97918421b9b63ff9fcd50530

Download Submit
C:\Program Files\CNNIC\Cdn\cdniehlp.dll

Filesize
112KB

MD5
6d684c72ae70bc2621408c7389a77d12

SHA1
f6a073aa45954be4037f24c4e27eecf7f03f4cf3

SHA256
a71ace180d93d9dfd8d9c3027c051a8e2d4cb39db26eb7243cc349e8760e489c

SHA512
e43efb5c2f228d8421321fc98a3b4db68208887f9ba04c81c7f41442015331c5c32594d54e3ee6fab781216051fa72ae7cddb3e3a3d594d5b7f211ba8e7938d1

Download Submit
C:\Program Files\CNNIC\Cdn\cdniehlp.dll

Filesize
112KB

MD5
6d684c72ae70bc2621408c7389a77d12

SHA1
f6a073aa45954be4037f24c4e27eecf7f03f4cf3

SHA256
a71ace180d93d9dfd8d9c3027c051a8e2d4cb39db26eb7243cc349e8760e489c

SHA512
e43efb5c2f228d8421321fc98a3b4db68208887f9ba04c81c7f41442015331c5c32594d54e3ee6fab781216051fa72ae7cddb3e3a3d594d5b7f211ba8e7938d1

Download Submit
C:\Program Files\CNNIC\Cdn\imaol.dll

Filesize
92KB

MD5
915c0235920f915d7933058eee08858b

SHA1
9945a0d6c29c67fa46cd7359d5b155a914a404ae

SHA256
eda38c4311e2780d0df7d6db8bb9ac158eb8626aaca1aeb5fe44dc6d580502a6

SHA512
68c3db18c039cf17e3e3c9ec15b91419de9fa65321de842e937dcb3f8f9f0d46ad689ea90f6988b0cd63901dddcd9f76f7996b8294a2927b09867be05d781d80

Download Submit
C:\Program Files\CNNIC\Cdn\imaol.dll

Filesize
92KB

MD5
915c0235920f915d7933058eee08858b

SHA1
9945a0d6c29c67fa46cd7359d5b155a914a404ae

SHA256
eda38c4311e2780d0df7d6db8bb9ac158eb8626aaca1aeb5fe44dc6d580502a6

SHA512
68c3db18c039cf17e3e3c9ec15b91419de9fa65321de842e937dcb3f8f9f0d46ad689ea90f6988b0cd63901dddcd9f76f7996b8294a2927b09867be05d781d80

Download Submit
C:\ProgramData\Application Data\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
C:\ProgramData\Application Data\Microsoft\IEHelper\hztk0822.exe

Filesize
392KB

MD5
f762248da081aa92ac233ab6e798bc1d

SHA1
f9881782d01f9c46e63e3a70c8bc1f6b6f5cb59e

SHA256
7ec286c4f0befe7f8c72fa141fe20824df47bcf517830c0e762c7fed53a0a6b1

SHA512
e27be11f662971f4ac571af58c54c2318cc78a25b96b82d934fd75389bc4864de4d9ba6e9e5f3ea20442ddc2481f11a8dc533eb27333477598848d4dc4249290

Download Submit
C:\ProgramData\Application Data\Microsoft\IEHelper\setup1209.exe

Filesize
187KB

MD5
084a84d07284ec9c26c33123b68c6d87

SHA1
8c59867c6d19f7bdb48a26265f2e1ec24ca7aaed

SHA256
508fca44a3ceaeb6de685059b7608783fade7ff0d6fa61ec03a5db26eedfd075

SHA512
f934be5fca14d5beb4d8cbd506bccefd9bfb6cee82b452c1e7d91712a01b816f29f0e96d4c4392b820164857964686b8392e709e858e065986dbe9cfbafa0c53

Download Submit
C:\ProgramData\Microsoft\IEHelper\IEHelper_8888.dll

Filesize
80KB

MD5
89b797079f9f48b471c94a544229a765

SHA1
2f732aea98e89ca8fd97f86e8a42d97dcb8722f9

SHA256
87c8252112795c78d1b70859685356bb8774cfc89cf254833a35978611582b72

SHA512
5ee5864f5429b83411b1ff54f213c3efd857006edc5c70e05801ba3fe9ffceac58ec96ecc261c27fa2f629c70878242be5fbeff2df7ad486b390cb23df3cebfe

Download Submit
C:\ProgramData\Microsoft\IEHelper\WIS98.exe

Filesize
262KB

MD5
285120db5e9077cceaaf8e8543b5b769

SHA1
aff0507b22752bdf37cb362cdbb1128701814391

SHA256
71cf89fbd9d5f90dafd5b367c3ed228e64a2292da67777814c05bf5d4daefa45

SHA512
0c49f7223752d130c25b8ed2e609a649ebb35d127f3b77805bdd9b16cf1290392b90e6ef448031adf0caa139a9814b86ed5e06357388cda8ce7e941a5f2b307e

Download Submit
C:\ProgramData\Microsoft\IEHelper\hztk0822.exe

Filesize
392KB

MD5
f762248da081aa92ac233ab6e798bc1d

SHA1
f9881782d01f9c46e63e3a70c8bc1f6b6f5cb59e

SHA256
7ec286c4f0befe7f8c72fa141fe20824df47bcf517830c0e762c7fed53a0a6b1

SHA512
e27be11f662971f4ac571af58c54c2318cc78a25b96b82d934fd75389bc4864de4d9ba6e9e5f3ea20442ddc2481f11a8dc533eb27333477598848d4dc4249290

Download Submit
C:\ProgramData\Microsoft\IEHelper\setup1209.exe

Filesize
187KB

MD5
084a84d07284ec9c26c33123b68c6d87

SHA1
8c59867c6d19f7bdb48a26265f2e1ec24ca7aaed

SHA256
508fca44a3ceaeb6de685059b7608783fade7ff0d6fa61ec03a5db26eedfd075

SHA512
f934be5fca14d5beb4d8cbd506bccefd9bfb6cee82b452c1e7d91712a01b816f29f0e96d4c4392b820164857964686b8392e709e858e065986dbe9cfbafa0c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
1b9679acf2f19392430256398a5f1ce5

SHA1
3174921a4f3f191d326fc24ef0919071d1a4fdb6

SHA256
571a9f31535e97bd0dd6da46998246a64c75cbe5aae20ac16e5bec818c7fd8b7

SHA512
f8e4d3ff9e6d88e9889e880534d984fed84abade2307cffc1963e8629726deb87bed4ed44a94ce81f9162b152460b9ca1befcf9929745fd07697ae344c43e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
1b9679acf2f19392430256398a5f1ce5

SHA1
3174921a4f3f191d326fc24ef0919071d1a4fdb6

SHA256
571a9f31535e97bd0dd6da46998246a64c75cbe5aae20ac16e5bec818c7fd8b7

SHA512
f8e4d3ff9e6d88e9889e880534d984fed84abade2307cffc1963e8629726deb87bed4ed44a94ce81f9162b152460b9ca1befcf9929745fd07697ae344c43e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdn.dll

Filesize
32KB

MD5
d2829f213225e47ef57798652673b79d

SHA1
97998fa49efe17d383a91839ffebc3ca2dce67f0

SHA256
0ca6f98d230813f05019f5ecf67b8b460aea421b3a9020e3e4d3bdf1d8f01988

SHA512
405d5f18bec74f95ed0b2d319ac89e8e4d62ac7296f7d3d293882e3ce5f4d38836d871b0fa59791afade2fcd9fad24135a83dcbef8c1bf286c473cca9e88397f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnaux.dll

Filesize
36KB

MD5
a7a7b73184d80b802d8f324b29c7574b

SHA1
252f64ab7d06c781dc782e7dd51440a8d7d1427e

SHA256
a168517f1428b8926cf4c161b6c1cca1dd17b85b98766a15f2d582391283221a

SHA512
48e2d1c2b0e678feb73c32dcede5befa5ed8a86dc23ac3e1ff82d89edec4a668fa5e5145f0e47f2e511f17b8138d855f13013fe08ab03c60cd7ead15dadfd9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnctr.exe

Filesize
56KB

MD5
3cdcd6d87cb6fd238fd4ef3c20d51cd2

SHA1
8eb2c6e1b1b397fa0fec67eeb0e531870474bee9

SHA256
8b4ed9ae5cc04ed0bfa36ac0c7f4853e9b3d03078387fd33cb595b3a15ec4443

SHA512
7ff586ff8729b7359081737ecbf42bcd9d69f45756715d1f0c2fd8f902c37dde355583ecdf7362720f253d576508fb450ad73d64799ba5582a7b7f2a15867ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdndet.dll

Filesize
76KB

MD5
a24feed08d91dde5aaa97bab14808175

SHA1
e0fcae94a2cad1015e27e5e4466e076923a824f2

SHA256
fae04d0e4f5a0d4319f50a0163aab03c739e4e3bd48347f1bb6f54a0ebf93c26

SHA512
d0b143d3a7493f90319894df1559c307799a00ee4f967d5e85b1e49fed441d4ec98050bac524b57d74aeb68b80844a51be3ce842176ea7c557a0381848ee61ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdndisp.dat

Filesize
408B

MD5
c446ea5f7758e07542e47c5353a843bc

SHA1
ef4db3fc423e539f32ea4625538351f46c0149c7

SHA256
d834262537368b143c1e39801122c7045bfe1da14f708a935e44a46963deaaed

SHA512
133895206340747a779fc60cd8adea33fb7298468f908c30a2283c089d6387452ca7bc2ab140b73e0d5f8291edd198fe01dfa54913cde401c8e7a833396b908d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnglo.dll

Filesize
84KB

MD5
6fa516fc990b1e06e2d7e9ba328be19c

SHA1
eabcfccfd669408825b8851b397dddf2700f8380

SHA256
bc1552201f7cf45185c78540d2a894e6e23250c4187014fbd18b123e5429ded9

SHA512
aece891396c20bbe6608620c31550b2a8e08f1ebf4f9125545ad11464c35aa7338619a38bf33a0efe2ef4a657101d526819ec799fdeaa614a3b694ff2e672f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnhint.dat

Filesize
617B

MD5
9dfcd4bdb68132d89824172847db86e7

SHA1
ca3671ad08c33487b4b685f5c166934362ef877e

SHA256
608a870b870ac5beebdf9d9fa6f85d5abde08274c550ab968403b0409d65030a

SHA512
daa209322c78eacc9ba2773c3d2dd7f66bcef88d41bc818b426cf358d290282d4b1d1ea130fd9ee2f567915cf7aa68976a0216d0ea2d95d211b2001cd3e88d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdniehlp.dll

Filesize
112KB

MD5
6d684c72ae70bc2621408c7389a77d12

SHA1
f6a073aa45954be4037f24c4e27eecf7f03f4cf3

SHA256
a71ace180d93d9dfd8d9c3027c051a8e2d4cb39db26eb7243cc349e8760e489c

SHA512
e43efb5c2f228d8421321fc98a3b4db68208887f9ba04c81c7f41442015331c5c32594d54e3ee6fab781216051fa72ae7cddb3e3a3d594d5b7f211ba8e7938d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnins.dll

Filesize
72KB

MD5
ddd3eda4b579e482e23aa3c5132cc14b

SHA1
9b88c9ea2175283f48d4152b9ac24a63bf2c217d

SHA256
871888a6706c56fe3441dd4e2ad556348b31c9337e3984a24fe40ee14bdff60b

SHA512
7382f548de6239ff5ffa6a0689d6f77e7b13f8ef6b21960e9a4d7f4db0e577b7ea156d95db3cbcd400ec1f68ce8666e4c53009e731ff250fa2ae1efda6cc9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnins.dll

Filesize
72KB

MD5
ddd3eda4b579e482e23aa3c5132cc14b

SHA1
9b88c9ea2175283f48d4152b9ac24a63bf2c217d

SHA256
871888a6706c56fe3441dd4e2ad556348b31c9337e3984a24fe40ee14bdff60b

SHA512
7382f548de6239ff5ffa6a0689d6f77e7b13f8ef6b21960e9a4d7f4db0e577b7ea156d95db3cbcd400ec1f68ce8666e4c53009e731ff250fa2ae1efda6cc9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnns.dll

Filesize
22KB

MD5
b9ec30062a67883d1ffdcc498d17ed3b

SHA1
a74722a2196e77dfe8bf85deb5942269e0e9f4bf

SHA256
23493233c886b2e02e48c4b47177b814aaa988c0f0f3e4ec8f168242fec1e0bd

SHA512
a8f306b286f6d36abcb20b2571de3f8aba1eb075b2f2334bbc2c7e8f462c69448bd9a6297c1d3117ac8d0a023fd4a8bf344020a103a3ad5224b377b3e92ea889

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprh.dll

Filesize
40KB

MD5
6bf77aeea07670dcb9b7507573d93489

SHA1
331aa409fd345fdb76877928eda7f1ea97a8f358

SHA256
17b60d34722ff32014ce272f568b30774f1607f5230e24b88381ab99aed72d5a

SHA512
364109d674d8069cb476f52db7e059c746b475c8ebb6b0986cb07ad9b7df232edb1744cc37f8d048d7725aabb53274e0dd1682208846ebb817ac0990a1cc0ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprh.dll

Filesize
40KB

MD5
6bf77aeea07670dcb9b7507573d93489

SHA1
331aa409fd345fdb76877928eda7f1ea97a8f358

SHA256
17b60d34722ff32014ce272f568b30774f1607f5230e24b88381ab99aed72d5a

SHA512
364109d674d8069cb476f52db7e059c746b475c8ebb6b0986cb07ad9b7df232edb1744cc37f8d048d7725aabb53274e0dd1682208846ebb817ac0990a1cc0ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntdns.dll

Filesize
64KB

MD5
33000a1da78887ec0c3395956dc73625

SHA1
4e95eb95bc0a0748dacdd83ea0e00128580306f3

SHA256
fae2c6765a6643e4779900098d723bc08265092f47e07ab4ad808c8d27cfa5c8

SHA512
ea9d381775f1997e6261de44e1958f1f2f8329096f318326febc55c3946a1c115d8143627275ed2f775b58685973473daf97f683e91063448dfd2505b77337e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntran.sys

Filesize
12KB

MD5
c61fcc6e2c783ff55ba22ca296b4d11d

SHA1
3a7cbb7083fa35fcb338ce486899fa22798d50ab

SHA256
9c6a75ea1e8198efaac0d037e5b9fd41fa1e84a39dda80457dccad03a190b167

SHA512
dc95b8c0d993be32acae2a4b50f9009730685aec8cce0e0f02dc38a60c804deaee091a191e081da1a9be6ca4cfb73c210266611e49916765acf53fac9f2e763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnunins.exe

Filesize
68KB

MD5
182330b5766815c8727e9ceef6bacb72

SHA1
8b96d4c0ea04e1791bb1139fa0287be8e6993c7c

SHA256
bee606d848d460b632d3be66dba2b88ce45b16695bb6afc0905c283764973b5f

SHA512
bc3a57848871546bdf29509cf37b05f00c1f676bb068c24309d914d80e0da93ea0620d1523b75a4d7f17ffb147c7e96aa095f084e1851d5ec2590bf29ae72cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnup.exe

Filesize
68KB

MD5
617ede36c58e86027da051debdaf4c81

SHA1
b94ee8a31691ad9227138cdb14058e6c867b4a75

SHA256
d499ed2f18b0fe4c8407b54bc2d53e6d8f3d99e398c42bc33fc3525b10697b24

SHA512
1a02e337d92d5f4f694714bbde8c60181a15a73a5ee4544d98335911ada5dfd7300e39ed5972659ef6f17546145ad26d1b5c926541a368681d2b5abb1bca3a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnvers.dat

Filesize
1KB

MD5
323623a4fcd34062cf58e4160494304a

SHA1
8511717e6d51abdd10541422ce1f0d33cded424a

SHA256
3cf66a39c25ea39c03237a955d92690907d91a28c3d1e92a36dcaa12fbdc0f3c

SHA512
88c56766a74ff2f6fefdc36c59339f6d3a35f2cb173d13405f5d92da4f87259cf5cbd4c29894e55b38b186ffb9dcc9d9172bf59d93f05f64a92a4e552f192f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\client.dll

Filesize
40KB

MD5
310cc33829f149c0913ed5f79f213ec5

SHA1
1f22f940c5f0905b8ddbf452efadb23d5c942ccb

SHA256
1551ec21970495f40f423341bcdcbde5744560418e47c01c6cccdeb74f6e6946

SHA512
94325996d4f680ff0a3a0fbd41e289e559d1e9a3de8ae634ec1f4d64ec281ec5deb41a9e6d55e66e02a39fda3296c0f15c5b86b1e7ad16309335730c0c5a7a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\idnconv.dll

Filesize
228KB

MD5
53e69b76bc93941c0eda58d85f6e05f9

SHA1
13bb7ed0edfb943f7c981fdf9df8487878a151f4

SHA256
55d8110ebe08d94c63ce16558fd7e897cc7c6aedf1bb3f52b0d383b2d17dc576

SHA512
2acbe0f0ead481be94aedd9be57e88bdcfcd0011088c63c48f7aef438c3833b1246656ce73fbb0c705212504d1e4375725f730cd2110a32a094845dac53fb098

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaconv.dll

Filesize
36KB

MD5
925383c03b330f2416f6efbeaf0e61e9

SHA1
e17ad03b6e1fd3c5788f91e2a432bfc324a810d3

SHA256
862f5ea1d81c1bd4a5e8bbff75a7de1cbac7085bb5f2e822d90a7318783af924

SHA512
c2fb1396747525dfe80b91cd65e02dca62d5d48d7453725100fe86fc8975a0bc1d43a770ae303cb380d473ea343d6315ba5239ea0b8e667c59b4c56acb36b320

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaconv.dll

Filesize
36KB

MD5
925383c03b330f2416f6efbeaf0e61e9

SHA1
e17ad03b6e1fd3c5788f91e2a432bfc324a810d3

SHA256
862f5ea1d81c1bd4a5e8bbff75a7de1cbac7085bb5f2e822d90a7318783af924

SHA512
c2fb1396747525dfe80b91cd65e02dca62d5d48d7453725100fe86fc8975a0bc1d43a770ae303cb380d473ea343d6315ba5239ea0b8e667c59b4c56acb36b320

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaconv.dll

Filesize
36KB

MD5
925383c03b330f2416f6efbeaf0e61e9

SHA1
e17ad03b6e1fd3c5788f91e2a432bfc324a810d3

SHA256
862f5ea1d81c1bd4a5e8bbff75a7de1cbac7085bb5f2e822d90a7318783af924

SHA512
c2fb1396747525dfe80b91cd65e02dca62d5d48d7453725100fe86fc8975a0bc1d43a770ae303cb380d473ea343d6315ba5239ea0b8e667c59b4c56acb36b320

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaoe.dll

Filesize
52KB

MD5
58be436dd3309680ee2818bdc1c20041

SHA1
d740fa64c3b67852b08ff0221911eb168a8189cc

SHA256
ef08403922e31c5bd2bd85500b7292dc60cd75786275625e2a51df96e992feeb

SHA512
1de0705bf2d3c28dd5115ab5d39653255611b4eead37bf63a8ae7508799259e6e52f409b9bfe77427aace559b56cb904c2dea2e9d72b9223a98344b97386e6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaol.dll

Filesize
92KB

MD5
915c0235920f915d7933058eee08858b

SHA1
9945a0d6c29c67fa46cd7359d5b155a914a404ae

SHA256
eda38c4311e2780d0df7d6db8bb9ac158eb8626aaca1aeb5fe44dc6d580502a6

SHA512
68c3db18c039cf17e3e3c9ec15b91419de9fa65321de842e937dcb3f8f9f0d46ad689ea90f6988b0cd63901dddcd9f76f7996b8294a2927b09867be05d781d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\src.dat

Filesize
108B

MD5
4ce7785ba04b74213f2b782b7f2dcd48

SHA1
f7702f5de74b3046170f317189f1a3cb4c2be365

SHA256
de26283e59923608864387cf1c6f0e98dd0417e5b6b2f82d5fdd845d8dea4485

SHA512
30056d1caa3e60e816881cb56f40b317b3b1df3190d2ae383a3a5a846b1fddc7b407b68c267824fe0601ac54f66aa74ff3862125efd01bbe92111723a6eb543f

Download Submit
C:\Windows\SysWOW64\cdn.dll

Filesize
32KB

MD5
d2829f213225e47ef57798652673b79d

SHA1
97998fa49efe17d383a91839ffebc3ca2dce67f0

SHA256
0ca6f98d230813f05019f5ecf67b8b460aea421b3a9020e3e4d3bdf1d8f01988

SHA512
405d5f18bec74f95ed0b2d319ac89e8e4d62ac7296f7d3d293882e3ce5f4d38836d871b0fa59791afade2fcd9fad24135a83dcbef8c1bf286c473cca9e88397f

Download Submit
C:\Windows\SysWOW64\cdn.dll

Filesize
32KB

MD5
d2829f213225e47ef57798652673b79d

SHA1
97998fa49efe17d383a91839ffebc3ca2dce67f0

SHA256
0ca6f98d230813f05019f5ecf67b8b460aea421b3a9020e3e4d3bdf1d8f01988

SHA512
405d5f18bec74f95ed0b2d319ac89e8e4d62ac7296f7d3d293882e3ce5f4d38836d871b0fa59791afade2fcd9fad24135a83dcbef8c1bf286c473cca9e88397f

Download Submit
C:\Windows\SysWOW64\ibmuuid_.dll

Filesize
36B

MD5
3e1f563519b387120e0a9228a2f1953d

SHA1
2180f6b4dcddb4aea59a09acdb8e7098181a1f0b

SHA256
45b21a14f23aea02029a4fe0bb956f56e67d2bee53383e8a7cc23a51a6002b21

SHA512
9c01f5928fdbcf35f96d8bcfe20569e16276632c22614411d440583ce1eee629558c6359e440cc93d7d3186eec2e79defd28bc3bbfda32a78f79a6ba5453a852

Download Submit
C:\Windows\SysWOW64\ibmvdr_.dll

Filesize
7B

MD5
c72943c59f50021ffb99a65583161efe

SHA1
e8e1250a454f217a6cbdb3aa200eebbc32fa5467

SHA256
14345b479170b82b8da09e638b0c69ba5075d1fc73a6bf4c541dbeb6779bf2d8

SHA512
10644476caaae16bd90756d63302adda493f8b2503e5d63c4b4a0a1f65fd7cc165224a3ed186aea4b10e37dc8179962ee5a2958eea6fce8ce46d8305de649298

Download Submit
C:\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
C:\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
C:\Windows\SysWOW64\msibm\cfs7zd.DLL

Filesize
14KB

MD5
379f4f2560c2d11838676ffcabeee8dd

SHA1
b88999a424f7306eb2000955f5d8f1424160d1b2

SHA256
65aaaad675bda642ae296a89a6a4da29693ed094c5db200470f32637164820c3

SHA512
4861bb5ad9d1eacc6d92ec8554b81c25c5be3544d93c1200b7784cf2aaa2ea32247d13cfebdecfbc8bd637959643e5808922cf2b57685057f36cdaf3a196f22d

Download Submit
C:\Windows\SysWOW64\msibm\cfs7zd.DLL

Filesize
14KB

MD5
379f4f2560c2d11838676ffcabeee8dd

SHA1
b88999a424f7306eb2000955f5d8f1424160d1b2

SHA256
65aaaad675bda642ae296a89a6a4da29693ed094c5db200470f32637164820c3

SHA512
4861bb5ad9d1eacc6d92ec8554b81c25c5be3544d93c1200b7784cf2aaa2ea32247d13cfebdecfbc8bd637959643e5808922cf2b57685057f36cdaf3a196f22d

Download Submit
C:\Windows\SysWOW64\msibm\cfs7zd.DLL

Filesize
14KB

MD5
379f4f2560c2d11838676ffcabeee8dd

SHA1
b88999a424f7306eb2000955f5d8f1424160d1b2

SHA256
65aaaad675bda642ae296a89a6a4da29693ed094c5db200470f32637164820c3

SHA512
4861bb5ad9d1eacc6d92ec8554b81c25c5be3544d93c1200b7784cf2aaa2ea32247d13cfebdecfbc8bd637959643e5808922cf2b57685057f36cdaf3a196f22d

Download Submit
C:\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
C:\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
C:\Windows\SysWOW64\msibm\cfsbho.dll

Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
C:\Windows\SysWOW64\msibm\cfsupd.dll

Filesize
72KB

MD5
87355014fd31dd1047b4086640f9c14a

SHA1
bde3383df2421d40c1f7ccbb909156dccc847d14

SHA256
5f8d5ad410b926f70edb694028802548d6d1d6c656a5daa1f0cda6613d14e2a3

SHA512
603ef15ea81be5cb39c7b3eeec2202e0100e9d111696cc3de640d18a7b69691d6069c6ab27d72f565a210cdbad11a2332d0c6b211c8d24560efd5674059c09b5

Download Submit
C:\Windows\SysWOW64\msibm\cfsupd.dll

Filesize
72KB

MD5
87355014fd31dd1047b4086640f9c14a

SHA1
bde3383df2421d40c1f7ccbb909156dccc847d14

SHA256
5f8d5ad410b926f70edb694028802548d6d1d6c656a5daa1f0cda6613d14e2a3

SHA512
603ef15ea81be5cb39c7b3eeec2202e0100e9d111696cc3de640d18a7b69691d6069c6ab27d72f565a210cdbad11a2332d0c6b211c8d24560efd5674059c09b5

Download Submit
C:\Windows\SysWOW64\msibm\cfsupd.dll

Filesize
72KB

MD5
87355014fd31dd1047b4086640f9c14a

SHA1
bde3383df2421d40c1f7ccbb909156dccc847d14

SHA256
5f8d5ad410b926f70edb694028802548d6d1d6c656a5daa1f0cda6613d14e2a3

SHA512
603ef15ea81be5cb39c7b3eeec2202e0100e9d111696cc3de640d18a7b69691d6069c6ab27d72f565a210cdbad11a2332d0c6b211c8d24560efd5674059c09b5

Download Submit
C:\Windows\SysWOW64\msibm\cfsys.DLL

Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
C:\Windows\SysWOW64\msibm\cfsys.dll

Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
C:\Windows\SysWOW64\msibm\intro.tpl

Filesize
161B

MD5
e0782089e9f016369e89a4ec36474355

SHA1
a364f107081a899aea66ed73403dfc19041ea3f5

SHA256
c09efa49ecdb14dbd0dae118f3ba4ac30ecb4fe2db9e5bfe2874403733e99d46

SHA512
fff1a002e575ecf1f43573e2278f246ee72d007ac008f81717ecd0a9a003e969d2e91a28019e29912ed4741f1f3d9bed43adc14bfa48d80bd471df47825b9cfe

Download Submit
C:\Windows\SysWOW64\msibm\lowlvl.dll

Filesize
44KB

MD5
5ad7b028f0431453d05d5bedcdee3574

SHA1
c9f14c3530391461b74a4da359e1d0b7fdffad12

SHA256
d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f

SHA512
22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c

Download Submit
C:\Windows\SysWOW64\msibm\lowlvl.dll

Filesize
44KB

MD5
5ad7b028f0431453d05d5bedcdee3574

SHA1
c9f14c3530391461b74a4da359e1d0b7fdffad12

SHA256
d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f

SHA512
22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c

Download Submit
C:\Windows\SysWOW64\msibm\lowlvl.dll

Filesize
44KB

MD5
5ad7b028f0431453d05d5bedcdee3574

SHA1
c9f14c3530391461b74a4da359e1d0b7fdffad12

SHA256
d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f

SHA512
22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c

Download Submit
C:\Windows\SysWOW64\msibm\post.tpl

Filesize
160B

MD5
7ba5508ca1abca116183c1dcdbcf31d2

SHA1
c006df723e7ce851387345efe880c2fb7796d330

SHA256
0057b6b6acd17a102867a24e4927cdc487db31930c8769ad5271497757546e3e

SHA512
31dae4340d02815a0529cabe88fcad6a1e127776076d6172a1d7a76ed54cd0ecb86fec9aede5db9bf37278b47de857bc4c738d2fa30bfb635181492f8a8bd21b

Download Submit
memory/456-238-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/456-239-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/456-219-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1028-165-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download
memory/1040-230-0x0000000000C30000-0x0000000000C3D000-memory.dmp

Filesize
52KB

Download
memory/1784-204-0x0000000001ED0000-0x0000000001EE8000-memory.dmp

Filesize
96KB

Download
memory/1784-213-0x0000000002DA0000-0x0000000002F51000-memory.dmp

Filesize
1.7MB

Download
memory/1784-208-0x0000000000621000-0x0000000000625000-memory.dmp

Filesize
16KB

Download
memory/1784-190-0x00000000004E1000-0x00000000004E4000-memory.dmp

Filesize
12KB

Download
memory/1784-198-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/1784-217-0x0000000001F21000-0x0000000001F26000-memory.dmp

Filesize
20KB

Download
memory/1784-215-0x0000000001F20000-0x0000000001F2C000-memory.dmp

Filesize
48KB

Download
memory/1784-214-0x0000000001EF1000-0x0000000001EF5000-memory.dmp

Filesize
16KB

Download
memory/2712-237-0x0000000000CD0000-0x0000000000CE4000-memory.dmp

Filesize
80KB

Download
memory/3912-235-0x0000000002190000-0x00000000021A4000-memory.dmp

Filesize
80KB

Download
memory/3912-233-0x00000000006D0000-0x00000000006DD000-memory.dmp

Filesize
52KB

Download
memory/3912-232-0x00000000006B0000-0x00000000006C4000-memory.dmp

Filesize
80KB

Download
memory/4252-229-0x00000000026C0000-0x00000000026CD000-memory.dmp

Filesize
52KB

Download
memory/4404-222-0x00000000020A0000-0x00000000020B4000-memory.dmp

Filesize
80KB

Download
memory/4404-225-0x0000000002D30000-0x0000000002EE1000-memory.dmp

Filesize
1.7MB

Download
memory/4404-223-0x0000000002120000-0x000000000212D000-memory.dmp

Filesize
52KB

Download
memory/4404-224-0x0000000002130000-0x0000000002144000-memory.dmp

Filesize
80KB

Download
memory/4596-228-0x0000000000960000-0x000000000096D000-memory.dmp

Filesize
52KB

Download
memory/4800-160-0x0000000002321000-0x0000000002324000-memory.dmp

Filesize
12KB

Download
memory/4800-226-0x0000000002750000-0x0000000002764000-memory.dmp

Filesize
80KB

Download
memory/4800-153-0x0000000000AD1000-0x0000000000AD4000-memory.dmp

Filesize
12KB

Download