amadey | ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328

Analysis

max time kernel
102s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-03-2023 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe
Size

274KB
MD5

47fa206319df2d224ffc4cd1569047ca
SHA1

d0a51ae101bf26fb4547ece1429f626c18280deb
SHA256

ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328
SHA512

540f6516768b35e00f6585511a63eec5c749ad6cb78162218d6d301a5a8ee7ea7a542d9612516a9e24c7086129fdda249b2e4a9a42064a74dfacf0459955560b
SSDEEP

3072:23dEWLjTzubqJ6YcSuQCGbZI15LUhAjPjX3IY26n8eEZJmR/40/8apNN4TJY:4XuqsYcX5LXrjX3IY58bDmd40//NN4T

Score

10^/10

amadey djvu pseudomanuscrypt redline smokeloader vidar 00d92484c9b27bc8482a2cc94cacc508 koreamon pub1 sprg backdoor discovery infostealer loader persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.typo
offline_id
Yao2o6f5vNghOpgVBhEIA8O96SC5vLcgITgaRMt1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-f8UEvx4T0A Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0672IsjO

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

vidar

Version

3.1

Botnet

00d92484c9b27bc8482a2cc94cacc508

https://steamcommunity.com/profiles/76561199472266392

https://t.me/tabootalks

http://135.181.26.183:80

Attributes

profile_id_v2
00d92484c9b27bc8482a2cc94cacc508
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Extracted

Family

redline

Botnet

koreamon

koreamonitoring.com:80

Attributes

auth_value
1a0e1a9f491ef3df873a03577dfa10aa

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 39 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3512-139-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3512-141-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1488-142-0x0000000004930000-0x0000000004A4B000-memory.dmp	family_djvu
behavioral1/memory/3512-143-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3512-148-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3108-156-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3108-157-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3108-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3512-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3108-182-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-207-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-210-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-211-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-213-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5060-222-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-223-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5060-224-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-220-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-227-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-228-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-230-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-232-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5060-231-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-246-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-241-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5060-235-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-263-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-257-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-265-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-266-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-288-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-304-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-308-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3368-310-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4872-311-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1520-338-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1520-351-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1520-418-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1520-1107-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects PseudoManuscrypt payload 25 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2664-486-0x0000019B45FB0000-0x0000019B46022000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2664-492-0x0000019B45A40000-0x0000019B45AB2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1412-588-0x000002B15AA40000-0x000002B15AAB2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2352-590-0x0000016A04D70000-0x0000016A04DE2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2352-593-0x0000016A04F70000-0x0000016A04FE2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2364-600-0x000001EF91140000-0x000001EF911B2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1140-610-0x000001717C100000-0x000001717C172000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1140-613-0x000001717C1F0000-0x000001717C262000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2364-605-0x000001EF91230000-0x000001EF912A2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1008-655-0x0000022484000000-0x0000022484072000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1008-658-0x0000022484180000-0x00000224841F2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1040-662-0x0000018F82FB0000-0x0000018F83022000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1040-665-0x0000018F82980000-0x0000018F829F2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1496-668-0x000002B682C40000-0x000002B682CB2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1496-673-0x000002B682F00000-0x000002B682F72000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1872-718-0x0000023C2B080000-0x0000023C2B0F2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1872-714-0x0000023C2AF70000-0x0000023C2AFE2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1256-721-0x000001F30A870000-0x000001F30A8E2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1256-724-0x000001F30AE40000-0x000001F30AEB2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1392-731-0x0000019938100000-0x0000019938172000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/1392-728-0x0000019937E90000-0x0000019937F02000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2644-771-0x000001ECFB630000-0x000001ECFB6A2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2644-797-0x000001ECFB970000-0x000001ECFB9E2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2652-804-0x00000187ABA40000-0x00000187ABAB2000-memory.dmp	family_pseudomanuscrypt
behavioral1/memory/2652-806-0x00000187AC010000-0x00000187AC082000-memory.dmp	family_pseudomanuscrypt

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3432	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	3432	rundll32.exe

PseudoManuscrypt
PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
loader pseudomanuscrypt
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1488-365-0x00000000071B0000-0x000000000720A000-memory.dmp	family_redline
behavioral1/memory/1488-370-0x0000000007710000-0x0000000007766000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

1924

pid	process
1924

Executes dropped EXE 34 IoCs

Processes:

FD8F.exeFFD2.exeFD8F.exe4E4.exe62D.exeFFD2.exeFD8F.exeFFD2.exe4375.exe4B56.exeFD8F.exeFFD2.exeivrgubr50C6.exe4375.exe4375.exe8F85.exeF7C6.exebuild2.exebuild2.exeschtasks.exebuild3.exePlayer3.exePlayer3.exejgzhang.exeD62.exejgzhang.exe4375.exess31.exess31.exebuild2.exebuild2.exejgzhang.exejgzhang.exe

pid	process
1488	FD8F.exe
328	FFD2.exe
3512	FD8F.exe
4396	4E4.exe
4588	62D.exe
3108	FFD2.exe
4904	FD8F.exe
4892	FFD2.exe
804	4375.exe
4928	4B56.exe
4872	FD8F.exe
3368	FFD2.exe
600	ivrgubr
3968	50C6.exe
5060	4375.exe
4684	4375.exe
2032	8F85.exe
2736	F7C6.exe
4348	build2.exe
192	build2.exe
2272	schtasks.exe
4200	build3.exe
1164	Player3.exe
1072	Player3.exe
60	jgzhang.exe
1488	D62.exe
4192	jgzhang.exe
1520	4375.exe
2504	ss31.exe
2276	ss31.exe
1444	build2.exe
4832	build2.exe
2240	jgzhang.exe
3928	jgzhang.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3756 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 34.142.181.181

pid	process
3756	icacls.exe

description	ioc
Destination IP	34.142.181.181

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FFD2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1b8ba3db-455a-461b-9134-df6dd059df66\\FFD2.exe\" --AutoStart"	FFD2.exe

Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 api.2ip.ua
37 api.2ip.ua
64 api.2ip.ua
105 ip-api.com
10 api.2ip.ua
11 api.2ip.ua
14 api.2ip.ua
34 api.2ip.ua

flow	ioc
35	api.2ip.ua
37	api.2ip.ua
64	api.2ip.ua
105	ip-api.com
10	api.2ip.ua
11	api.2ip.ua
14	api.2ip.ua
34	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

FD8F.exeFFD2.exeFD8F.exeFFD2.exe4375.exe4375.exebuild2.exebuild2.exe

description	pid	process	target process
PID 1488 set thread context of 3512	1488	FD8F.exe	FD8F.exe
PID 328 set thread context of 3108	328	FFD2.exe	FFD2.exe
PID 4904 set thread context of 4872	4904	FD8F.exe	FD8F.exe
PID 4892 set thread context of 3368	4892	FFD2.exe	FFD2.exe
PID 804 set thread context of 5060	804	4375.exe	4375.exe
PID 4684 set thread context of 1520	4684	4375.exe	4375.exe
PID 4348 set thread context of 1444	4348	build2.exe	build2.exe
PID 192 set thread context of 4832	192	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1480 4588 WerFault.exe 62D.exe
2164 3968 WerFault.exe 50C6.exe

pid	pid_target	process	target process
1480	4588	WerFault.exe	62D.exe
2164	3968	WerFault.exe	50C6.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe4E4.exe4B56.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4E4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4E4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4B56.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4B56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4E4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4B56.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1896 schtasks.exe
2272 schtasks.exe
4344 schtasks.exe

pid	process
1896	schtasks.exe
2272	schtasks.exe
4344	schtasks.exe

Modifies registry class 60 IoCs

Processes:

jgzhang.exejgzhang.exejgzhang.exejgzhang.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzhang.exe"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzhang.exe"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzhang.exe"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzhang.exe"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	jgzhang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzhang.exe"	jgzhang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	jgzhang.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 68 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	68	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe

pid	process
1060	ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe
1060	ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924
1924

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1924
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe4E4.exe4B56.exe

pid process

1060 ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe
4396 4E4.exe
4928 4B56.exe

pid	process
1924

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924
Token: SeShutdownPrivilege	1924
Token: SeCreatePagefilePrivilege	1924

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

jgzhang.exejgzhang.exejgzhang.exejgzhang.exe

pid process

60 jgzhang.exe
4192 jgzhang.exe
60 jgzhang.exe
4192 jgzhang.exe
2240 jgzhang.exe
3928 jgzhang.exe
2240 jgzhang.exe
3928 jgzhang.exe

pid	process
60	jgzhang.exe
4192	jgzhang.exe
60	jgzhang.exe
4192	jgzhang.exe
2240	jgzhang.exe
3928	jgzhang.exe
2240	jgzhang.exe
3928	jgzhang.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FD8F.exeFFD2.exeFFD2.exeFD8F.exeFD8F.exeFFD2.exe

description	pid	process	target process
PID 1924 wrote to memory of 1488	1924		FD8F.exe
PID 1924 wrote to memory of 1488	1924		FD8F.exe
PID 1924 wrote to memory of 1488	1924		FD8F.exe
PID 1924 wrote to memory of 328	1924		FFD2.exe
PID 1924 wrote to memory of 328	1924		FFD2.exe
PID 1924 wrote to memory of 328	1924		FFD2.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1488 wrote to memory of 3512	1488	FD8F.exe	FD8F.exe
PID 1924 wrote to memory of 4396	1924		4E4.exe
PID 1924 wrote to memory of 4396	1924		4E4.exe
PID 1924 wrote to memory of 4396	1924		4E4.exe
PID 1924 wrote to memory of 4588	1924		62D.exe
PID 1924 wrote to memory of 4588	1924		62D.exe
PID 1924 wrote to memory of 4588	1924		62D.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 328 wrote to memory of 3108	328	FFD2.exe	FFD2.exe
PID 3108 wrote to memory of 3756	3108	FFD2.exe	icacls.exe
PID 3108 wrote to memory of 3756	3108	FFD2.exe	icacls.exe
PID 3108 wrote to memory of 3756	3108	FFD2.exe	icacls.exe
PID 3108 wrote to memory of 4892	3108	FFD2.exe	FFD2.exe
PID 3108 wrote to memory of 4892	3108	FFD2.exe	FFD2.exe
PID 3108 wrote to memory of 4892	3108	FFD2.exe	FFD2.exe
PID 3512 wrote to memory of 4904	3512	FD8F.exe	FD8F.exe
PID 3512 wrote to memory of 4904	3512	FD8F.exe	FD8F.exe
PID 3512 wrote to memory of 4904	3512	FD8F.exe	FD8F.exe
PID 1924 wrote to memory of 804	1924		4375.exe
PID 1924 wrote to memory of 804	1924		4375.exe
PID 1924 wrote to memory of 804	1924		4375.exe
PID 1924 wrote to memory of 4928	1924		4B56.exe
PID 1924 wrote to memory of 4928	1924		4B56.exe
PID 1924 wrote to memory of 4928	1924		4B56.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4904 wrote to memory of 4872	4904	FD8F.exe	FD8F.exe
PID 4892 wrote to memory of 3368	4892	FFD2.exe	FFD2.exe
PID 4892 wrote to memory of 3368	4892	FFD2.exe	FFD2.exe
PID 4892 wrote to memory of 3368	4892	FFD2.exe	FFD2.exe
PID 4892 wrote to memory of 3368	4892	FFD2.exe	FFD2.exe
PID 4892 wrote to memory of 3368	4892	FFD2.exe	FFD2.exe
PID 4892 wrote to memory of 3368	4892	FFD2.exe	FFD2.exe
PID 4892 wrote to memory of 3368	4892	FFD2.exe	FFD2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe
"C:\Users\Admin\AppData\Local\Temp\ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1060

C:\Users\Admin\AppData\Local\Temp\FD8F.exe
C:\Users\Admin\AppData\Local\Temp\FD8F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\FD8F.exe
  C:\Users\Admin\AppData\Local\Temp\FD8F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\FD8F.exe
    "C:\Users\Admin\AppData\Local\Temp\FD8F.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\FD8F.exe
      "C:\Users\Admin\AppData\Local\Temp\FD8F.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:4872
    - - C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build2.exe
        
        "C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4348
      - C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build2.exe
        
        "C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build2.exe"
        6⤵
        Executes dropped EXE
        
        PID:1444
    - - C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build3.exe
        
        "C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build3.exe"
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4344

C:\Users\Admin\AppData\Local\Temp\FFD2.exe
C:\Users\Admin\AppData\Local\Temp\FFD2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\AppData\Local\Temp\FFD2.exe
  C:\Users\Admin\AppData\Local\Temp\FFD2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\1b8ba3db-455a-461b-9134-df6dd059df66" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3756
- - C:\Users\Admin\AppData\Local\Temp\FFD2.exe
    "C:\Users\Admin\AppData\Local\Temp\FFD2.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\FFD2.exe
      "C:\Users\Admin\AppData\Local\Temp\FFD2.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:3368
    - - C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build2.exe
        
        "C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:192
      - C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build2.exe
        
        "C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build2.exe"
        6⤵
        Executes dropped EXE
        
        PID:4832
    - - C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build3.exe
        
        "C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:4200

C:\Users\Admin\AppData\Local\Temp\4E4.exe
C:\Users\Admin\AppData\Local\Temp\4E4.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4396

C:\Users\Admin\AppData\Local\Temp\62D.exe
C:\Users\Admin\AppData\Local\Temp\62D.exe
1⤵
- Executes dropped EXE
PID:4588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 476
  2⤵
  - Program crash
  PID:1480

C:\Users\Admin\AppData\Roaming\ivrgubr
C:\Users\Admin\AppData\Roaming\ivrgubr
1⤵
- Executes dropped EXE
PID:600

C:\Users\Admin\AppData\Local\Temp\4375.exe
C:\Users\Admin\AppData\Local\Temp\4375.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:804
- C:\Users\Admin\AppData\Local\Temp\4375.exe
  C:\Users\Admin\AppData\Local\Temp\4375.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\4375.exe
    "C:\Users\Admin\AppData\Local\Temp\4375.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\4375.exe
      "C:\Users\Admin\AppData\Local\Temp\4375.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:1520
    - - C:\Users\Admin\AppData\Local\4d0b5c90-5102-41ba-a2f7-1f088762b4d6\build2.exe
        
        "C:\Users\Admin\AppData\Local\4d0b5c90-5102-41ba-a2f7-1f088762b4d6\build2.exe"
        5⤵
        
        PID:32
      - C:\Users\Admin\AppData\Local\4d0b5c90-5102-41ba-a2f7-1f088762b4d6\build2.exe
        
        "C:\Users\Admin\AppData\Local\4d0b5c90-5102-41ba-a2f7-1f088762b4d6\build2.exe"
        6⤵
        
        PID:4912
    - - C:\Users\Admin\AppData\Local\4d0b5c90-5102-41ba-a2f7-1f088762b4d6\build3.exe
        
        "C:\Users\Admin\AppData\Local\4d0b5c90-5102-41ba-a2f7-1f088762b4d6\build3.exe"
        5⤵
        
        PID:1296
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1896

C:\Users\Admin\AppData\Local\Temp\4B56.exe
C:\Users\Admin\AppData\Local\Temp\4B56.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4928

C:\Users\Admin\AppData\Local\Temp\50C6.exe
C:\Users\Admin\AppData\Local\Temp\50C6.exe
1⤵
- Executes dropped EXE
PID:3968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 480
  2⤵
  - Program crash
  PID:2164

C:\Users\Admin\AppData\Local\Temp\8F85.exe
C:\Users\Admin\AppData\Local\Temp\8F85.exe
1⤵
- Executes dropped EXE
PID:2032
- C:\Users\Admin\AppData\Local\Temp\jgzhang.exe
  "C:\Users\Admin\AppData\Local\Temp\jgzhang.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\jgzhang.exe
    "C:\Users\Admin\AppData\Local\Temp\jgzhang.exe" -h
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\ss31.exe
  "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\Player3.exe
  "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
  2⤵
  - Executes dropped EXE
  PID:1072

C:\Users\Admin\AppData\Local\Temp\F7C6.exe
C:\Users\Admin\AppData\Local\Temp\F7C6.exe
1⤵
- Executes dropped EXE
PID:2736
- C:\Users\Admin\AppData\Local\Temp\ss31.exe
  "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\jgzhang.exe
  "C:\Users\Admin\AppData\Local\Temp\jgzhang.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\jgzhang.exe
    "C:\Users\Admin\AppData\Local\Temp\jgzhang.exe" -h
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3928
- C:\Users\Admin\AppData\Local\Temp\Player3.exe
  "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
  2⤵
  - Executes dropped EXE
  PID:1164

C:\Users\Admin\AppData\Local\Temp\D62.exe
C:\Users\Admin\AppData\Local\Temp\D62.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:4780
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Executes dropped EXE
  - Creates scheduled task(s)
  PID:2272

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:3528
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:2708

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:324
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WspService
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\7A46.exe
C:\Users\Admin\AppData\Local\Temp\7A46.exe
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SystemID\PersonalID.txt

Filesize
42B

MD5
75cf87df08df8cd956d2bd32ee11ac0c

SHA1
b487d6fd2a9966f49c7ae4b68597300c650f9b48

SHA256
1a414e845909f4dc4a5786bcf84c30361d3489e2bd8d55fdb602231b219f2a17

SHA512
89fda2e000740d0052e3b23703c0eee151783dc9b630e053afec33eca58933a162a4e9f09cda1e37e4be4d4ba79514d8dc06adf659c286ff2d10950ad60395bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
ebf38835fd83d603ed2939112fe923d2

SHA1
27426896cf1aac5c41eff28eae202b44d92345f9

SHA256
1b703c5ef0e6349372108f3a7a2033a365e50a17e8d7cd278f93e4444f232b71

SHA512
7d4d060f679ba65f601e5e7d9bee51bec4bd801bb3440a5c1f856cfa643ccca152a670e38d1e458d419e5f41ee422d5f37029035e58c2e8e9ec9e0339c680a0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
e23d8cd61c2e75283867a91ce42aa1dc

SHA1
a86f54bb4f00cf0fcd3efc3951d54e168d25c7f4

SHA256
0a8b65baa91fb423458dd64e067a6009cd4ce9a93c65ac4b448025403ab0ea9c

SHA512
89483da80407e373d6d0f18b4ddd3976a5cd8e590b398de51e881623f54e4c146ec57def18c26c8f7ca5e7ed00b51b9a94d14ad38d2d716b416507b41144c5f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
e10bd555881b36519403ae3529586f6e

SHA1
ebdea3fb0ac439a6cab3ca34709295b9443fddbe

SHA256
e8eecd6e5de4108b25ffd57cfee9a68e2483a5344af633ab057664724070d9eb

SHA512
953ef677661ba68619ca384d839bbbb24bb8b01304303d45e1bf3593549e6b635cf83b0bd04b70dc579affaacc1e7239fc08f4294468fde885c3655dfbe57a51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
e10bd555881b36519403ae3529586f6e

SHA1
ebdea3fb0ac439a6cab3ca34709295b9443fddbe

SHA256
e8eecd6e5de4108b25ffd57cfee9a68e2483a5344af633ab057664724070d9eb

SHA512
953ef677661ba68619ca384d839bbbb24bb8b01304303d45e1bf3593549e6b635cf83b0bd04b70dc579affaacc1e7239fc08f4294468fde885c3655dfbe57a51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
e10bd555881b36519403ae3529586f6e

SHA1
ebdea3fb0ac439a6cab3ca34709295b9443fddbe

SHA256
e8eecd6e5de4108b25ffd57cfee9a68e2483a5344af633ab057664724070d9eb

SHA512
953ef677661ba68619ca384d839bbbb24bb8b01304303d45e1bf3593549e6b635cf83b0bd04b70dc579affaacc1e7239fc08f4294468fde885c3655dfbe57a51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
b1bdc3411fbca657b7995bf09dc0c1bd

SHA1
f832db7616b30aded459ffa97a2abd192b1267c2

SHA256
5514573da8f01a04a8fc7fbe29800bda891643fbc01cc3c27c225153fadd8969

SHA512
f3f2580d619da1672c366fba1304a0eb248085546aae3f400828cbab2eb65f413fd7be756799e8810c1ac7778e2d2369fdd228ce410a38c222653a5d75d49e9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
90ad5a38b301722cf1e5917e3c847b50

SHA1
0155b25fac1f558d65ae16fb4083ec477f478269

SHA256
3ba30c562fcf2c85ee7e1d81165344a8819146edab715ecb0006dde48b74a4ff

SHA512
0c8226547e709ae6fb4e3a5830f7e4030dcd4c37712d2d9668cd0ba3f8ce043f357d27c8a55f2d5c539ddc5e49dc4523aa9946bb01ce642d0c16cbfc499f808a

Download Submit
C:\Users\Admin\AppData\Local\1b8ba3db-455a-461b-9134-df6dd059df66\FFD2.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\9892c69c-37fd-4ac1-8eaa-fcf91f49870a\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4375.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4375.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4375.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4375.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4375.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B56.exe

Filesize
275KB

MD5
a3977cfffdf7d761f023b079f9112fa2

SHA1
8571c879fbfc226e8317612d1bd2f5e1d5a41f0a

SHA256
b17247d929c31c0ffcd0606b6fc4cf462da2ab4fd858ffbdfdfad3479a7a145f

SHA512
0e358d09fdffb9a8c34fecb4a48f56e220b51b094f0a8fa58d5553097843c33b8d711e2cec6e803d20499f8a76ff32eec3cc22e84fe7660fd6bfde02ce255315

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B56.exe

Filesize
275KB

MD5
a3977cfffdf7d761f023b079f9112fa2

SHA1
8571c879fbfc226e8317612d1bd2f5e1d5a41f0a

SHA256
b17247d929c31c0ffcd0606b6fc4cf462da2ab4fd858ffbdfdfad3479a7a145f

SHA512
0e358d09fdffb9a8c34fecb4a48f56e220b51b094f0a8fa58d5553097843c33b8d711e2cec6e803d20499f8a76ff32eec3cc22e84fe7660fd6bfde02ce255315

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E4.exe

Filesize
274KB

MD5
81e9aca3a2f3dca9519588c844fe496a

SHA1
2dd6073a1c8fab1ebe918c9b6659df0a683052d5

SHA256
60c37a1d02538b021481edadabdf9b8610ad10dbaf587a1d1302b06ee4b862f8

SHA512
0ce1dd047ec0b911da0fd1f9c2d03c3c99a499ea4464df330ecc0b9b829df115beef680e6dc9c6f2baaf58ac7e416cca0a736744d5a13729ccab6bb4265862cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E4.exe

Filesize
274KB

MD5
81e9aca3a2f3dca9519588c844fe496a

SHA1
2dd6073a1c8fab1ebe918c9b6659df0a683052d5

SHA256
60c37a1d02538b021481edadabdf9b8610ad10dbaf587a1d1302b06ee4b862f8

SHA512
0ce1dd047ec0b911da0fd1f9c2d03c3c99a499ea4464df330ecc0b9b829df115beef680e6dc9c6f2baaf58ac7e416cca0a736744d5a13729ccab6bb4265862cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\50C6.exe

Filesize
275KB

MD5
a3977cfffdf7d761f023b079f9112fa2

SHA1
8571c879fbfc226e8317612d1bd2f5e1d5a41f0a

SHA256
b17247d929c31c0ffcd0606b6fc4cf462da2ab4fd858ffbdfdfad3479a7a145f

SHA512
0e358d09fdffb9a8c34fecb4a48f56e220b51b094f0a8fa58d5553097843c33b8d711e2cec6e803d20499f8a76ff32eec3cc22e84fe7660fd6bfde02ce255315

Download Submit
C:\Users\Admin\AppData\Local\Temp\50C6.exe

Filesize
275KB

MD5
a3977cfffdf7d761f023b079f9112fa2

SHA1
8571c879fbfc226e8317612d1bd2f5e1d5a41f0a

SHA256
b17247d929c31c0ffcd0606b6fc4cf462da2ab4fd858ffbdfdfad3479a7a145f

SHA512
0e358d09fdffb9a8c34fecb4a48f56e220b51b094f0a8fa58d5553097843c33b8d711e2cec6e803d20499f8a76ff32eec3cc22e84fe7660fd6bfde02ce255315

Download Submit
C:\Users\Admin\AppData\Local\Temp\62D.exe

Filesize
274KB

MD5
81e9aca3a2f3dca9519588c844fe496a

SHA1
2dd6073a1c8fab1ebe918c9b6659df0a683052d5

SHA256
60c37a1d02538b021481edadabdf9b8610ad10dbaf587a1d1302b06ee4b862f8

SHA512
0ce1dd047ec0b911da0fd1f9c2d03c3c99a499ea4464df330ecc0b9b829df115beef680e6dc9c6f2baaf58ac7e416cca0a736744d5a13729ccab6bb4265862cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\62D.exe

Filesize
274KB

MD5
81e9aca3a2f3dca9519588c844fe496a

SHA1
2dd6073a1c8fab1ebe918c9b6659df0a683052d5

SHA256
60c37a1d02538b021481edadabdf9b8610ad10dbaf587a1d1302b06ee4b862f8

SHA512
0ce1dd047ec0b911da0fd1f9c2d03c3c99a499ea4464df330ecc0b9b829df115beef680e6dc9c6f2baaf58ac7e416cca0a736744d5a13729ccab6bb4265862cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F85.exe

Filesize
1.1MB

MD5
ba218b60cb97c3532b8b9c796d954622

SHA1
ae18137fb0809f61797b7448bb139840d1f49e99

SHA256
8bee3d713fc207a8ca82e8eaf85396b55fcd29fe9214a83ce9399fa48ac4bd4b

SHA512
06b0ac48d4dad3253a817a7f6bc34437a748e3d885328986f652347c8cbc72f2fc5aebdc3e3781357887da74b77f2eb6b57a816d16d96e6b713e3c3aab1ba158

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F85.exe

Filesize
1.1MB

MD5
ba218b60cb97c3532b8b9c796d954622

SHA1
ae18137fb0809f61797b7448bb139840d1f49e99

SHA256
8bee3d713fc207a8ca82e8eaf85396b55fcd29fe9214a83ce9399fa48ac4bd4b

SHA512
06b0ac48d4dad3253a817a7f6bc34437a748e3d885328986f652347c8cbc72f2fc5aebdc3e3781357887da74b77f2eb6b57a816d16d96e6b713e3c3aab1ba158

Download Submit
C:\Users\Admin\AppData\Local\Temp\D62.exe

Filesize
379KB

MD5
0efa6d00b4fc00055dac895f2b46dd74

SHA1
5a163ae8f860ec81f9946dc4627f471d6de04eeb

SHA256
0ef8ff550c5e33908630f7d3dce2b928881067ae5adb43c08fe51b1aaed527bb

SHA512
c2ba5ee7f406fbdf33a66d9f34646eb5e8b5d765e8fbd53c820b811fe3a5e97e97361e86d668304d47b729b40cbd2217fa114e1cf1a600393241f563f2cac916

Download Submit
C:\Users\Admin\AppData\Local\Temp\D62.exe

Filesize
379KB

MD5
0efa6d00b4fc00055dac895f2b46dd74

SHA1
5a163ae8f860ec81f9946dc4627f471d6de04eeb

SHA256
0ef8ff550c5e33908630f7d3dce2b928881067ae5adb43c08fe51b1aaed527bb

SHA512
c2ba5ee7f406fbdf33a66d9f34646eb5e8b5d765e8fbd53c820b811fe3a5e97e97361e86d668304d47b729b40cbd2217fa114e1cf1a600393241f563f2cac916

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7C6.exe

Filesize
1.1MB

MD5
ba218b60cb97c3532b8b9c796d954622

SHA1
ae18137fb0809f61797b7448bb139840d1f49e99

SHA256
8bee3d713fc207a8ca82e8eaf85396b55fcd29fe9214a83ce9399fa48ac4bd4b

SHA512
06b0ac48d4dad3253a817a7f6bc34437a748e3d885328986f652347c8cbc72f2fc5aebdc3e3781357887da74b77f2eb6b57a816d16d96e6b713e3c3aab1ba158

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7C6.exe

Filesize
1.1MB

MD5
ba218b60cb97c3532b8b9c796d954622

SHA1
ae18137fb0809f61797b7448bb139840d1f49e99

SHA256
8bee3d713fc207a8ca82e8eaf85396b55fcd29fe9214a83ce9399fa48ac4bd4b

SHA512
06b0ac48d4dad3253a817a7f6bc34437a748e3d885328986f652347c8cbc72f2fc5aebdc3e3781357887da74b77f2eb6b57a816d16d96e6b713e3c3aab1ba158

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8F.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8F.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8F.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8F.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8F.exe

Filesize
782KB

MD5
493e983c2930d7b44db8229ab7e32a7b

SHA1
a59a5bd850233d6efc7e1b5d0d383a5bc87b46bd

SHA256
944d33195c22491579d358fb4b316cff621881eae2391583ac1be478b6c264e5

SHA512
9a5b8017ac2e72a42dd7d40d90c2fd574a8b9dbd185a324a562e236b24a8f931ffc1f701c46ee853a587a46259be6b9d06b6f03febf124caac3bb21fd306309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFD2.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFD2.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFD2.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFD2.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFD2.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzhang.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzhang.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzhang.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzhang.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
579KB

MD5
ecf708ffb402f5956e63e73313d8c46f

SHA1
9333f29c771a162cdf3b00a07ea6a94623e33762

SHA256
57c011aeceb54ab58d9d2ea21a115ca66145c445e172492ace12cce697c0852e

SHA512
f89cccaddff10ebe4200dbd9becc56327277522e32b6b0425ef57e334e806d26888c6f07ea76dd7c152fc83b173a2975006e61f84b0a5348687d1e256bd00c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
579KB

MD5
ecf708ffb402f5956e63e73313d8c46f

SHA1
9333f29c771a162cdf3b00a07ea6a94623e33762

SHA256
57c011aeceb54ab58d9d2ea21a115ca66145c445e172492ace12cce697c0852e

SHA512
f89cccaddff10ebe4200dbd9becc56327277522e32b6b0425ef57e334e806d26888c6f07ea76dd7c152fc83b173a2975006e61f84b0a5348687d1e256bd00c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
579KB

MD5
ecf708ffb402f5956e63e73313d8c46f

SHA1
9333f29c771a162cdf3b00a07ea6a94623e33762

SHA256
57c011aeceb54ab58d9d2ea21a115ca66145c445e172492ace12cce697c0852e

SHA512
f89cccaddff10ebe4200dbd9becc56327277522e32b6b0425ef57e334e806d26888c6f07ea76dd7c152fc83b173a2975006e61f84b0a5348687d1e256bd00c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
579KB

MD5
ecf708ffb402f5956e63e73313d8c46f

SHA1
9333f29c771a162cdf3b00a07ea6a94623e33762

SHA256
57c011aeceb54ab58d9d2ea21a115ca66145c445e172492ace12cce697c0852e

SHA512
f89cccaddff10ebe4200dbd9becc56327277522e32b6b0425ef57e334e806d26888c6f07ea76dd7c152fc83b173a2975006e61f84b0a5348687d1e256bd00c91

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt

Filesize
562B

MD5
0a4f5a793a2d9b132c2ca0ddf9042823

SHA1
6bd8770ea7bdcfa79707f3f8aab9ea0423ee819e

SHA256
18efbf3cb9f6d43ea3befea1ba44ab18f38f4ca3e6f0e428d483558252ddaf0d

SHA512
a4cbc2782d731ef827a19881820ac9c593fea25220e7beb33e1cdb83a8dacafcdd64ce3f28fd5b93e017275081fc72e5b802ec37eec2cd8151cb4f1bef20f30b

Download Submit
C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build2.exe

Filesize
299KB

MD5
6b343cd7dea3ae28d0819bc55a2f86fe

SHA1
cedd49849a5dd678d0a55da607e9b28a9680073c

SHA256
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49

SHA512
7c28ba260fe53879b6e8f69d65c4263d454d75033889162d000c421695e634aeb13f4d4c2b999934f8eb2e58d62913764f1590689925e120600155d8390d0a48

Download Submit
C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\d7f03748-1be9-43bb-a248-29fbf4de3d25\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\bjrgubr

Filesize
275KB

MD5
a3977cfffdf7d761f023b079f9112fa2

SHA1
8571c879fbfc226e8317612d1bd2f5e1d5a41f0a

SHA256
b17247d929c31c0ffcd0606b6fc4cf462da2ab4fd858ffbdfdfad3479a7a145f

SHA512
0e358d09fdffb9a8c34fecb4a48f56e220b51b094f0a8fa58d5553097843c33b8d711e2cec6e803d20499f8a76ff32eec3cc22e84fe7660fd6bfde02ce255315

Download Submit
C:\Users\Admin\AppData\Roaming\ivrgubr

Filesize
274KB

MD5
47fa206319df2d224ffc4cd1569047ca

SHA1
d0a51ae101bf26fb4547ece1429f626c18280deb

SHA256
ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328

SHA512
540f6516768b35e00f6585511a63eec5c749ad6cb78162218d6d301a5a8ee7ea7a542d9612516a9e24c7086129fdda249b2e4a9a42064a74dfacf0459955560b

Download Submit
C:\Users\Admin\AppData\Roaming\ivrgubr

Filesize
274KB

MD5
47fa206319df2d224ffc4cd1569047ca

SHA1
d0a51ae101bf26fb4547ece1429f626c18280deb

SHA256
ee98edec4c14dab2c27ddaec0fe5f0a7472d82b5fa99a8dd127deb5cdfa65328

SHA512
540f6516768b35e00f6585511a63eec5c749ad6cb78162218d6d301a5a8ee7ea7a542d9612516a9e24c7086129fdda249b2e4a9a42064a74dfacf0459955560b

Download Submit
C:\Users\Admin\AppData\Roaming\ucrgubr

Filesize
274KB

MD5
81e9aca3a2f3dca9519588c844fe496a

SHA1
2dd6073a1c8fab1ebe918c9b6659df0a683052d5

SHA256
60c37a1d02538b021481edadabdf9b8610ad10dbaf587a1d1302b06ee4b862f8

SHA512
0ce1dd047ec0b911da0fd1f9c2d03c3c99a499ea4464df330ecc0b9b829df115beef680e6dc9c6f2baaf58ac7e416cca0a736744d5a13729ccab6bb4265862cc

Download Submit
memory/1008-655-0x0000022484000000-0x0000022484072000-memory.dmp

Filesize
456KB

Download
memory/1008-658-0x0000022484180000-0x00000224841F2000-memory.dmp

Filesize
456KB

Download
memory/1040-665-0x0000018F82980000-0x0000018F829F2000-memory.dmp

Filesize
456KB

Download
memory/1040-662-0x0000018F82FB0000-0x0000018F83022000-memory.dmp

Filesize
456KB

Download
memory/1060-124-0x0000000000400000-0x0000000002B72000-memory.dmp

Filesize
39.4MB

Download
memory/1060-122-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1140-610-0x000001717C100000-0x000001717C172000-memory.dmp

Filesize
456KB

Download
memory/1140-613-0x000001717C1F0000-0x000001717C262000-memory.dmp

Filesize
456KB

Download
memory/1256-724-0x000001F30AE40000-0x000001F30AEB2000-memory.dmp

Filesize
456KB

Download
memory/1256-721-0x000001F30A870000-0x000001F30A8E2000-memory.dmp

Filesize
456KB

Download
memory/1392-728-0x0000019937E90000-0x0000019937F02000-memory.dmp

Filesize
456KB

Download
memory/1392-731-0x0000019938100000-0x0000019938172000-memory.dmp

Filesize
456KB

Download
memory/1412-588-0x000002B15AA40000-0x000002B15AAB2000-memory.dmp

Filesize
456KB

Download
memory/1412-979-0x000002B15AAC0000-0x000002B15AADB000-memory.dmp

Filesize
108KB

Download
memory/1412-980-0x000002B15D200000-0x000002B15D30B000-memory.dmp

Filesize
1.0MB

Download
memory/1412-982-0x000002B15AAE0000-0x000002B15AB00000-memory.dmp

Filesize
128KB

Download
memory/1412-984-0x000002B15C3C0000-0x000002B15C3DB000-memory.dmp

Filesize
108KB

Download
memory/1444-395-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1444-344-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1444-1175-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1444-348-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1488-429-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1488-431-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1488-427-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1488-422-0x00000000047D0000-0x0000000004832000-memory.dmp

Filesize
392KB

Download
memory/1488-142-0x0000000004930000-0x0000000004A4B000-memory.dmp

Filesize
1.1MB

Download
memory/1488-368-0x0000000007210000-0x000000000770E000-memory.dmp

Filesize
5.0MB

Download
memory/1488-370-0x0000000007710000-0x0000000007766000-memory.dmp

Filesize
344KB

Download
memory/1488-365-0x00000000071B0000-0x000000000720A000-memory.dmp

Filesize
360KB

Download
memory/1496-673-0x000002B682F00000-0x000002B682F72000-memory.dmp

Filesize
456KB

Download
memory/1496-668-0x000002B682C40000-0x000002B682CB2000-memory.dmp

Filesize
456KB

Download
memory/1520-1107-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1520-338-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1520-418-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1520-351-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1872-714-0x0000023C2AF70000-0x0000023C2AFE2000-memory.dmp

Filesize
456KB

Download
memory/1872-718-0x0000023C2B080000-0x0000023C2B0F2000-memory.dmp

Filesize
456KB

Download
memory/1924-187-0x0000000001250000-0x0000000001266000-memory.dmp

Filesize
88KB

Download
memory/1924-264-0x0000000003010000-0x0000000003026000-memory.dmp

Filesize
88KB

Download
memory/1924-123-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

Filesize
88KB

Download
memory/2276-434-0x0000000003300000-0x0000000003434000-memory.dmp

Filesize
1.2MB

Download
memory/2300-474-0x0000000004AF0000-0x0000000004B4E000-memory.dmp

Filesize
376KB

Download
memory/2300-780-0x0000000004AF0000-0x0000000004B4E000-memory.dmp

Filesize
376KB

Download
memory/2300-471-0x0000000004BF0000-0x0000000004D00000-memory.dmp

Filesize
1.1MB

Download
memory/2352-593-0x0000016A04F70000-0x0000016A04FE2000-memory.dmp

Filesize
456KB

Download
memory/2352-590-0x0000016A04D70000-0x0000016A04DE2000-memory.dmp

Filesize
456KB

Download
memory/2364-605-0x000001EF91230000-0x000001EF912A2000-memory.dmp

Filesize
456KB

Download
memory/2364-600-0x000001EF91140000-0x000001EF911B2000-memory.dmp

Filesize
456KB

Download
memory/2504-426-0x0000000002DD0000-0x0000000002F04000-memory.dmp

Filesize
1.2MB

Download
memory/2504-424-0x0000000002C50000-0x0000000002DC3000-memory.dmp

Filesize
1.4MB

Download
memory/2644-797-0x000001ECFB970000-0x000001ECFB9E2000-memory.dmp

Filesize
456KB

Download
memory/2644-771-0x000001ECFB630000-0x000001ECFB6A2000-memory.dmp

Filesize
456KB

Download
memory/2652-804-0x00000187ABA40000-0x00000187ABAB2000-memory.dmp

Filesize
456KB

Download
memory/2652-806-0x00000187AC010000-0x00000187AC082000-memory.dmp

Filesize
456KB

Download
memory/2664-478-0x0000019B45030000-0x0000019B4507D000-memory.dmp

Filesize
308KB

Download
memory/2664-486-0x0000019B45FB0000-0x0000019B46022000-memory.dmp

Filesize
456KB

Download
memory/2664-492-0x0000019B45A40000-0x0000019B45AB2000-memory.dmp

Filesize
456KB

Download
memory/2708-782-0x0000000000F00000-0x0000000000F5E000-memory.dmp

Filesize
376KB

Download
memory/2708-467-0x0000000000F00000-0x0000000000F5E000-memory.dmp

Filesize
376KB

Download
memory/2708-464-0x0000000000DF0000-0x0000000000EFC000-memory.dmp

Filesize
1.0MB

Download
memory/2736-278-0x0000000000330000-0x0000000000458000-memory.dmp

Filesize
1.2MB

Download
memory/3108-182-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3108-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3108-156-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3108-157-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-213-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-263-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-223-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-266-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-308-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-246-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-210-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-310-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-230-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-304-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-232-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3512-139-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3512-148-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3512-143-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3512-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3512-141-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3968-309-0x0000000000400000-0x0000000002B72000-memory.dmp

Filesize
39.4MB

Download
memory/4348-352-0x0000000000630000-0x0000000000687000-memory.dmp

Filesize
348KB

Download
memory/4396-190-0x0000000000400000-0x0000000002B72000-memory.dmp

Filesize
39.4MB

Download
memory/4396-181-0x0000000002BD0000-0x0000000002BD9000-memory.dmp

Filesize
36KB

Download
memory/4588-197-0x0000000000400000-0x0000000002B72000-memory.dmp

Filesize
39.4MB

Download
memory/4832-1177-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4832-420-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4872-228-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-220-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-241-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-257-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-265-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-227-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-288-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-211-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-311-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4872-207-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4912-596-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4928-233-0x0000000002C60000-0x0000000002C69000-memory.dmp

Filesize
36KB

Download
memory/4928-274-0x0000000000400000-0x0000000002B72000-memory.dmp

Filesize
39.4MB

Download
memory/5060-231-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5060-235-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5060-224-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5060-222-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download