aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c

Analysis

max time kernel
300s
max time network
308s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Size

44.9MB
MD5

66a1e1458b9790758f8b985ffb582383
SHA1

670d1185dad515b8b963717b249da3641f8c9b14
SHA256

06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787
SHA512

3d1a20ff2f5584e14e10cf2d4cd8aefeeec9335cf1308c5d91d1bcb576a8598247f006d2112833c2f5d36fce88b2cdef726c20f6ca95de31a0c13b822afd5ca1
SSDEEP

786432:tKatKpswghEMxrpw+en0PYisnDpCf4YiHfaVC4JL4DJvuk7RuPq0yUkmSH592gU2:tXs2r3gVnYiHAC41e5uuRuPK1H59G8px

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1460	FTvrst.exe
1700	spolsvt.exe
1788	audidog.exe
1500	Telegram.exe

Loads dropped DLL 23 IoCs

pid	Process
1032	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1460	FTvrst.exe
1460	FTvrst.exe
1460	FTvrst.exe
1460	FTvrst.exe
1472	MsiExec.exe
1472	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\FTvrst.exe"	FTvrst.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\U:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\P:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\H:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\O:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\Q:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\Z:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\M:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\Y:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\E:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\J:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\T:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\W:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 46 IoCs

pid	Process
1460	FTvrst.exe
1460	FTvrst.exe
1460	FTvrst.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe
1788	audidog.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 1700	1460	FTvrst.exe	39

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.TxlWoh	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-custom.json	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.NxMXCc	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.HIPlXJ	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.KgahCI	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.emGpRD	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.oOiCno	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.TxlWoh	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_1	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.OsBEij	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.OsBEij	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.KgahCI	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_5	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.PqGjBQ	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.GiaiXR	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.NxssNW	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\opengl_crash_check	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.NxMXCc	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Updater.exe	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_1	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.soEPvA	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.oOiCno	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.SUDSjL	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.dIyGLU	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.ekqrct	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.wUeEYm	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_0	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_6	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.SUDSjL	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.jUaeoY	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.OQdWwc	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Telegram.exe	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\A7FDF864FBC10B77s	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_0	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_4	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.jUaeoY	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\log_start0.txt	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_4	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.PqGjBQ	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\spoiler\text	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_3	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_5	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\prefix	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.HIPlXJ	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_2	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\tupdate4008003	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\F8806DD0C461824Fs	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\usertag	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.emGpRD	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_6	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\modules\x86\d3d\d3dcompiler_47.dll	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\working	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\tdata\version	Telegram.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIADCD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6B6.tmp	msiexec.exe
File created	C:\Windows\DNomb\spolsvt.exe	msiexec.exe
File created	C:\Windows\DNomb\FTvrst.exe	msiexec.exe
File created	C:\WINDOWS\DNombaudidog.exe	audidog.exe
File created	C:\Windows\Installer\6cad42.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cad42.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3E7.tmp	msiexec.exe
File created	C:\Windows\DNomb\Mpec.mbt	msiexec.exe
File created	C:\Windows\DNomb\audidog.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD8A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6cad41.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cad41.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\ = "URL:Telegram Link"	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\URL Protocol	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\DefaultIcon	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open\command	Telegram.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1500	Telegram.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
360	msiexec.exe
360	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	360	msiexec.exe
Token: SeTakeOwnershipPrivilege	360	msiexec.exe
Token: SeSecurityPrivilege	360	msiexec.exe
Token: SeCreateTokenPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAssignPrimaryTokenPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLockMemoryPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncreaseQuotaPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeMachineAccountPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeTcbPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSecurityPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeTakeOwnershipPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLoadDriverPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemProfilePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemtimePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeProfSingleProcessPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncBasePriorityPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreatePagefilePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreatePermanentPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeBackupPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeRestorePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeShutdownPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeDebugPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAuditPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemEnvironmentPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeChangeNotifyPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeRemoteShutdownPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeUndockPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSyncAgentPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeEnableDelegationPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeManageVolumePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeImpersonatePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreateGlobalPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreateTokenPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAssignPrimaryTokenPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLockMemoryPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncreaseQuotaPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeMachineAccountPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeTcbPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSecurityPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeTakeOwnershipPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLoadDriverPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemProfilePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemtimePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeProfSingleProcessPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncBasePriorityPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreatePagefilePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreatePermanentPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeBackupPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeRestorePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeShutdownPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeDebugPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAuditPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemEnvironmentPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeChangeNotifyPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeRemoteShutdownPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeUndockPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSyncAgentPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeEnableDelegationPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeManageVolumePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeImpersonatePrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreateGlobalPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreateTokenPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAssignPrimaryTokenPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLockMemoryPrivilege	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
2012	msiexec.exe
2012	msiexec.exe
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe
1500	Telegram.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1460	FTvrst.exe
1460	FTvrst.exe
1788	audidog.exe
1788	audidog.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 1032	360	msiexec.exe	29
PID 360 wrote to memory of 1032	360	msiexec.exe	29
PID 360 wrote to memory of 1032	360	msiexec.exe	29
PID 360 wrote to memory of 1032	360	msiexec.exe	29
PID 360 wrote to memory of 1032	360	msiexec.exe	29
PID 360 wrote to memory of 1032	360	msiexec.exe	29
PID 360 wrote to memory of 1032	360	msiexec.exe	29
PID 1524 wrote to memory of 2012	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	30
PID 1524 wrote to memory of 2012	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	30
PID 1524 wrote to memory of 2012	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	30
PID 1524 wrote to memory of 2012	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	30
PID 1524 wrote to memory of 2012	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	30
PID 1524 wrote to memory of 2012	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	30
PID 1524 wrote to memory of 2012	1524	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	30
PID 360 wrote to memory of 1472	360	msiexec.exe	31
PID 360 wrote to memory of 1472	360	msiexec.exe	31
PID 360 wrote to memory of 1472	360	msiexec.exe	31
PID 360 wrote to memory of 1472	360	msiexec.exe	31
PID 360 wrote to memory of 1472	360	msiexec.exe	31
PID 360 wrote to memory of 1472	360	msiexec.exe	31
PID 360 wrote to memory of 1472	360	msiexec.exe	31
PID 1472 wrote to memory of 1536	1472	MsiExec.exe	32
PID 1472 wrote to memory of 1536	1472	MsiExec.exe	32
PID 1472 wrote to memory of 1536	1472	MsiExec.exe	32
PID 1472 wrote to memory of 1536	1472	MsiExec.exe	32
PID 1472 wrote to memory of 1536	1472	MsiExec.exe	32
PID 1472 wrote to memory of 1536	1472	MsiExec.exe	32
PID 1472 wrote to memory of 1536	1472	MsiExec.exe	32
PID 360 wrote to memory of 636	360	msiexec.exe	36
PID 360 wrote to memory of 636	360	msiexec.exe	36
PID 360 wrote to memory of 636	360	msiexec.exe	36
PID 360 wrote to memory of 636	360	msiexec.exe	36
PID 360 wrote to memory of 636	360	msiexec.exe	36
PID 360 wrote to memory of 636	360	msiexec.exe	36
PID 360 wrote to memory of 636	360	msiexec.exe	36
PID 1472 wrote to memory of 1460	1472	MsiExec.exe	38
PID 1472 wrote to memory of 1460	1472	MsiExec.exe	38
PID 1472 wrote to memory of 1460	1472	MsiExec.exe	38
PID 1472 wrote to memory of 1460	1472	MsiExec.exe	38
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1700	1460	FTvrst.exe	39
PID 1460 wrote to memory of 1788	1460	FTvrst.exe	40
PID 1460 wrote to memory of 1788	1460	FTvrst.exe	40
PID 1460 wrote to memory of 1788	1460	FTvrst.exe	40
PID 1460 wrote to memory of 1788	1460	FTvrst.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1688077399 "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 51D7AA03420024851281B65254BBDC71 C
  2⤵
  - Loads dropped DLL
  PID:1032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F1C099BAFCC4498191245C899F31E9CE C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
    "C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:1472
    3⤵
    PID:1536
- - C:\Users\Public\tg\FTvrst.exe
    "C:\Users\Public\tg\FTvrst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\WINDOWS\DNomb\spolsvt.exe
      C:\WINDOWS\DNomb\spolsvt.exe
      4⤵
      Executes dropped EXE
      PID:1700
  - - C:\WINDOWS\DNomb\audidog.exe
      C:\WINDOWS\DNomb\audidog.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FC5E5EF5B1C0A405D00E29A15F59DD02
  2⤵
  - Loads dropped DLL
  PID:636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1796

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000004AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:988

C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe
"C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6cad43.rbs

Filesize
4KB

MD5
5f0ac849a811141194f6828d362eaf13

SHA1
b8b750cc7b5e7b81a68b065f8f5c180c84533228

SHA256
a29db1fbae78abde4c9fb851b4a8c57c2b500f1ee7504f45d429a192b90e4c23

SHA512
f5d81894101899467c4df82fefc3b43ae45dcacfb874ffc92aa8f4a96b3642aed2ff36acbaefcc09075acae8d8059926805728378685bd9c08d09a462bcff9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab232D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2434.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI281B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2925.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2925.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2C22.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2F6E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI302A.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI30B7.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI44D4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4590.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4590.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48FB.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7C0E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID0B1.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\Telegram.exe

Filesize
101.1MB

MD5
5a6de14a436de1c22e6f328fa40c4835

SHA1
454f68ad0a02cb29d3f11a0f4f187b6b384994d9

SHA256
663726ede77de2960f7b53c85b1eb19af394e1710d43ef7718ae832067d0a2ce

SHA512
1a4406b6b6fdccd9ec105932b790c0a0599dd0b74cd7c0afe17b3c655c595230cb753bfc2c1a6b7e1577ca5d825e5c3a2e827a9f8b3acf51bb41ffaddde3c552

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\Mpec.mbt

Filesize
93KB

MD5
e3c9c776015c5b25b99ae3913988548d

SHA1
8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9

SHA256
04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e

SHA512
4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\0469A94410170880s

Filesize
306KB

MD5
237b2bc4ba380664d0e69d95bfbdca62

SHA1
42fb204f0fb1b5a1e7d7152070accee988747198

SHA256
bfb3af061014f48924f4412402ee99f566725932e80f8a27c5bc429544b0dad6

SHA512
15bd8b90b1508e40e5e20b4630cf69f3ff597cb11768d78528a0db4a9ef3fd6f20aa1e93cf0b945bff3d6864d4182e1ac4cb33f0d3c83462d6db7c3d53bc2741

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\7B7D9BF38A42FD50s

Filesize
140B

MD5
4d28d8121c1365d8b66048804cf85431

SHA1
e19b061f138c52b1a67c123fd8cff8d2f6f3e7ce

SHA256
f620154eb8472755c58e631803e45e08279e5f70b381aa71bfc256a4f06fe6eb

SHA512
4ef49fb867af0894fa42537832bfd567a0fc6e1f9fbd6966cac6215b30d91617f43acfb3b20b62a6f43163162a0f2123dc8e2ad36f493b5c3b9202689c54a482

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\90AB52E6EF1558C8s

Filesize
220B

MD5
0aa0727f6230692e520295abca999a94

SHA1
2dca6accd906adf49bfd4cfa93b2d862a9c29651

SHA256
9676ed8e4497fab0d92b1e2c8c63dec8b9f309db8e379ffbbff919d3c6762e10

SHA512
8d0633ef21107c7e5ca4f4ba50ba762bf62956c5bcd3ccfc3ab9b7845bb2a5388b5bacd7c9ddff0b2c7d0b4ed761c15ebb437deb912cf4a573a1fab5e328093d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\A7FDF864FBC10B77s

Filesize
1KB

MD5
72339e5b4ca4743c2c1313c90fa38b27

SHA1
8123ac4d35080c0c397478845b2ab16944636bae

SHA256
6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4

SHA512
3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\D877F783D5D3EF8Cs

Filesize
1KB

MD5
e58b4c34a563191cfee1d6d617a78216

SHA1
83ff6975bacf2f4e5ff44dbf5f8de38f7dd7f437

SHA256
729c64f4ee746214839002d6e79bd82baebc2eba5e38e47307e65fcf25a83cf1

SHA512
3d875550e6f0f43cc1306f3eb2f83d2b5a06ddc211dcd03c31abc0cce0350481b19015adde62ed8632b8a902138c345e6f7c533be50a55343566903e8d593eeb

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\F8806DD0C461824Fs

Filesize
1KB

MD5
fb9a1cbbd1b3531943eecfefa15df5de

SHA1
0295ac1bdc3a668a5f488e6c98a34ad71a53c67b

SHA256
438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8

SHA512
abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\countries

Filesize
20KB

MD5
5d1f2b862acb26f8353cb1d178a2116f

SHA1
e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd

SHA256
3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e

SHA512
adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\key_datas

Filesize
388B

MD5
eb7e5e1d7636232186c42fe52b7611b6

SHA1
ae235dcf06db5931e082155da14936ed7c7db2fb

SHA256
66d374699b23bd425bb68f5480785ae70f0f87f2e5948d0bd51ce7838fdb706a

SHA512
813d9318d6937ba6a6def9bd676a26999cb97e0f0b744c0a99174d4fd6163414cff9f5195d420fdd7cdc86442cceb7a7130ad0fe2f93ab5d961381b90df859e5

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\prefix

Filesize
24B

MD5
3fb9de9c3edf4abc3a42deaf14dfa8d6

SHA1
d02d2382706bffb38831acfcce62e720a6d55733

SHA256
84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28

SHA512
7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\settingss

Filesize
2KB

MD5
d149ddf991c084294f019fc76161fb15

SHA1
d42777f18ed62c3f4c8ff5d326f63fccfe06d454

SHA256
9afef05acbb201afd6007584482f01c93628484d9d80858f8cb67ef9f0c18875

SHA512
f45c7fc6ba1e192b41fcb267572a81342eb2657f9025181b5be660095c19e7d39c50190fe62ee400d7d1cf8132fb757cbd90222f8ba6aad91d3458bd82de6da6

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-custom.json

Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-default.json

Filesize
2KB

MD5
a56b95951d30537236b8a4b5792abbe4

SHA1
ca418e143fa5bf6930cea986f2f02914ba2b34c8

SHA256
422a4c74d98877f87f5d3eb6f70a903782d00e362e9fca75f06a1f84be387808

SHA512
20f2fa66f02ff3da80ec67ff89a232bd6642051702a6ddd94fb382980b46502ca0bda8ba09793fae2f068b4dc18c80ab0186e6426af9760670e8a328ef3c1e95

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\usertag

Filesize
8B

MD5
87ccdff6d764416c75d4aa695f9be3e4

SHA1
d4c197cb78f5e5f62aef16af3840d3be0509020a

SHA256
e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec

SHA512
0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi

Filesize
1.7MB

MD5
f4adbf929ac90c4a9fff6142b5daa670

SHA1
9d0c56596957d04bb9582a2e0e556dbe7977e9c1

SHA256
e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a

SHA512
ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi

Filesize
1.7MB

MD5
f4adbf929ac90c4a9fff6142b5daa670

SHA1
9d0c56596957d04bb9582a2e0e556dbe7977e9c1

SHA256
e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a

SHA512
ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38

Download Submit
C:\Users\Public\tg\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Public\tg\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\WINDOWS\DNomb\Mpec.mbt

Filesize
93KB

MD5
e3c9c776015c5b25b99ae3913988548d

SHA1
8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9

SHA256
04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e

SHA512
4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10

Download Submit
C:\WINDOWS\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\WINDOWS\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\Installer\MSIADCD.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSIB0EA.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSIB3E7.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSIB6B6.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2434.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI281B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2925.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2C22.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2F6E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI302A.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI30B7.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI44D4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4590.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI48FB.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI7C0E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSID0B1.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Public\tg\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
\Users\Public\tg\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
\Windows\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
\Windows\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\Installer\MSIADCD.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Windows\Installer\MSIB0EA.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Windows\Installer\MSIB3E7.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Windows\Installer\MSIB6B6.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
memory/1460-635-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-673-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-627-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-628-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-629-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-630-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-631-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-632-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-633-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-634-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-624-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-636-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-637-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-640-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-638-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-639-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-641-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-642-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-643-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-644-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-645-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-646-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-647-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-649-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-648-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-651-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-652-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-650-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-653-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-654-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-655-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-656-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-657-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-658-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-659-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-660-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-662-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-661-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-663-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-666-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-664-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-665-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-667-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-669-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-668-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-670-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-672-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-626-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-671-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-674-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-675-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-676-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-678-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-677-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-679-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-212-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1460-6204-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1460-1491-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/1460-1493-0x0000000002640000-0x00000000027C1000-memory.dmp

Filesize
1.5MB

Download
memory/1460-4971-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/1460-4972-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-4973-0x0000000002930000-0x0000000002A31000-memory.dmp

Filesize
1.0MB

Download
memory/1460-4974-0x0000000002B70000-0x0000000002C11000-memory.dmp

Filesize
644KB

Download
memory/1460-623-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-625-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-622-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-621-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-620-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-617-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-619-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-618-0x0000000002A50000-0x0000000002B61000-memory.dmp

Filesize
1.1MB

Download
memory/1460-209-0x00000000757F0000-0x0000000075837000-memory.dmp

Filesize
284KB

Download
memory/1460-5184-0x0000000003360000-0x0000000003BC4000-memory.dmp

Filesize
8.4MB

Download
memory/1472-208-0x0000000002990000-0x00000000031F4000-memory.dmp

Filesize
8.4MB

Download
memory/1472-1489-0x0000000002990000-0x00000000031F4000-memory.dmp

Filesize
8.4MB

Download
memory/1472-1488-0x0000000002990000-0x00000000031F4000-memory.dmp

Filesize
8.4MB

Download
memory/1472-210-0x0000000002990000-0x00000000031F4000-memory.dmp

Filesize
8.4MB

Download
memory/1500-9178-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1500-9832-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1500-9831-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1500-8362-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1500-9800-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1500-8744-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1500-9176-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1524-61-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1788-9174-0x00000000002E0000-0x00000000003E0000-memory.dmp

Filesize
1024KB

Download
memory/1788-9791-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/1788-9797-0x0000000002650000-0x0000000002751000-memory.dmp

Filesize
1.0MB

Download
memory/1788-9798-0x0000000002AC0000-0x0000000002B61000-memory.dmp

Filesize
644KB

Download
memory/1788-8609-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/1788-6350-0x0000000002930000-0x0000000002AB1000-memory.dmp

Filesize
1.5MB

Download
memory/1788-6348-0x00000000002E0000-0x00000000003E0000-memory.dmp

Filesize
1024KB

Download
memory/1788-5188-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download