chinese_generic_botnet | bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
Size

833KB
MD5

20c7c9a0d90fee734d3824255bf09e45
SHA1

72ff70ab0dd20cad1d36ae4b1fffb5cdfe4ad73e
SHA256

bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428
SHA512

09f43d460c452980be87136264d9d63613f6fd4d02db68a48ff5d3f8542f45215c4315239d5c6354b59620bfb38be1febdd04ad87f20af9cb9783007844850d3
SSDEEP

24576:OkXRu60c+p0/B3jOjp9AcGpwJaS5mgLclZIOJQ7C8:DXR770sMjbAcOw6gw/9c

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2100-10252-0x0000000000400000-0x000000000051D000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
1676	computer.exe
1016	._cache_computer.exe
1716	Synaptics.exe
2244	._cache_Synaptics.exe
1124	Terms.exe
2264	Uyuecug.exe
2068	Terms.exe
400	Server_se.exe
2160	Terms.exe

Loads dropped DLL 10 IoCs

pid	Process
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
1676	computer.exe
1676	computer.exe
1676	computer.exe
1676	computer.exe
1676	computer.exe
1716	Synaptics.exe
1716	Synaptics.exe
1716	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	._cache_Synaptics.exe
File opened (read-only)	\??\O:	._cache_Synaptics.exe
File opened (read-only)	\??\P:	._cache_Synaptics.exe
File opened (read-only)	\??\T:	._cache_Synaptics.exe
File opened (read-only)	\??\V:	._cache_Synaptics.exe
File opened (read-only)	\??\E:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\Y:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\G:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\M:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\P:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\Z:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\B:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\M:	._cache_Synaptics.exe
File opened (read-only)	\??\U:	._cache_Synaptics.exe
File opened (read-only)	\??\W:	._cache_Synaptics.exe
File opened (read-only)	\??\X:	._cache_Synaptics.exe
File opened (read-only)	\??\S:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\V:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\G:	._cache_Synaptics.exe
File opened (read-only)	\??\Z:	._cache_Synaptics.exe
File opened (read-only)	\??\J:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\L:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\T:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\X:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\J:	._cache_Synaptics.exe
File opened (read-only)	\??\Q:	._cache_Synaptics.exe
File opened (read-only)	\??\S:	._cache_Synaptics.exe
File opened (read-only)	\??\H:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\I:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\N:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\Q:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\B:	._cache_Synaptics.exe
File opened (read-only)	\??\E:	._cache_Synaptics.exe
File opened (read-only)	\??\R:	._cache_Synaptics.exe
File opened (read-only)	\??\K:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\U:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\H:	._cache_Synaptics.exe
File opened (read-only)	\??\I:	._cache_Synaptics.exe
File opened (read-only)	\??\L:	._cache_Synaptics.exe
File opened (read-only)	\??\N:	._cache_Synaptics.exe
File opened (read-only)	\??\Y:	._cache_Synaptics.exe
File opened (read-only)	\??\O:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\R:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened (read-only)	\??\W:	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

pid	Process
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Terms.exe	._cache_computer.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	._cache_computer.exe
File created	C:\Program Files (x86)\Uyuecug.exe	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
File opened for modification	C:\Program Files (x86)\Uyuecug.exe	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadDecision = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadNetworkName = "Network 3"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecisionTime = 70e1b7add6c8d901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\22-77-05-79-11-cd	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecisionTime = 30c72ab3d6c8d901	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecisionTime = 70e1b7add6c8d901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadDecision = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadDecision = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecision = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\22-77-05-79-11-cd	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\22-77-05-79-11-cd	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadNetworkName = "Network 3"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecisionReason = "1"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecision = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecisionTime = 30fd74bad6c8d901	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadDecisionTime = 70e1b7add6c8d901	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecisionTime = 30c72ab3d6c8d901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDecision = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadDecisionReason = "1"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-77-05-79-11-cd\WpadDetectedUrl	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadDecisionTime = 30c72ab3d6c8d901	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1877902F-FE73-45C9-AC4B-BFE784399D31}\WpadDecisionReason = "1"	Terms.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1720	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2244	._cache_Synaptics.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1136	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	30
PID 2100 wrote to memory of 1136	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	30
PID 2100 wrote to memory of 1136	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	30
PID 2100 wrote to memory of 1136	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	30
PID 2100 wrote to memory of 1676	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	34
PID 2100 wrote to memory of 1676	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	34
PID 2100 wrote to memory of 1676	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	34
PID 2100 wrote to memory of 1676	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	34
PID 1676 wrote to memory of 1016	1676	computer.exe	35
PID 1676 wrote to memory of 1016	1676	computer.exe	35
PID 1676 wrote to memory of 1016	1676	computer.exe	35
PID 1676 wrote to memory of 1016	1676	computer.exe	35
PID 1676 wrote to memory of 1716	1676	computer.exe	36
PID 1676 wrote to memory of 1716	1676	computer.exe	36
PID 1676 wrote to memory of 1716	1676	computer.exe	36
PID 1676 wrote to memory of 1716	1676	computer.exe	36
PID 1716 wrote to memory of 2244	1716	Synaptics.exe	37
PID 1716 wrote to memory of 2244	1716	Synaptics.exe	37
PID 1716 wrote to memory of 2244	1716	Synaptics.exe	37
PID 1716 wrote to memory of 2244	1716	Synaptics.exe	37
PID 1124 wrote to memory of 2068	1124	Terms.exe	43
PID 1124 wrote to memory of 2068	1124	Terms.exe	43
PID 1124 wrote to memory of 2068	1124	Terms.exe	43
PID 1124 wrote to memory of 2068	1124	Terms.exe	43
PID 2100 wrote to memory of 400	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	44
PID 2100 wrote to memory of 400	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	44
PID 2100 wrote to memory of 400	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	44
PID 2100 wrote to memory of 400	2100	bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe	44
PID 2068 wrote to memory of 2160	2068	Terms.exe	45
PID 2068 wrote to memory of 2160	2068	Terms.exe	45
PID 2068 wrote to memory of 2160	2068	Terms.exe	45
PID 2068 wrote to memory of 2160	2068	Terms.exe	45

C:\Users\Admin\AppData\Local\Temp\bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe
"C:\Users\Admin\AppData\Local\Temp\bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:1136
- C:\windowss64\computer.exe
  "C:\windowss64\computer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1016
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      PID:2244
- \??\c:\Server_se.exe
  c:\Server_se.exe
  2⤵
  - Executes dropped EXE
  PID:400

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Program Files (x86)\Terms.exe
  "C:\Program Files (x86)\Terms.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Program Files (x86)\Terms.exe
    "C:\Program Files (x86)\Terms.exe" Win7
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2160

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Program Files (x86)\Uyuecug.exe
"C:\Program Files (x86)\Uyuecug.exe"
1⤵
- Executes dropped EXE
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Uyuecug.exe

Filesize
833KB

MD5
20c7c9a0d90fee734d3824255bf09e45

SHA1
72ff70ab0dd20cad1d36ae4b1fffb5cdfe4ad73e

SHA256
bca805f28e54c951189578d379dbe94366d0e29fbc334e65786f547da4760428

SHA512
09f43d460c452980be87136264d9d63613f6fd4d02db68a48ff5d3f8542f45215c4315239d5c6354b59620bfb38be1febdd04ad87f20af9cb9783007844850d3

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\Server_se.exe

Filesize
862KB

MD5
8f246355b24f2547c03edc128aea377e

SHA1
352b5b12807c8573168838751547ea63f58a9b0a

SHA256
673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6

SHA512
36dfd95982af2892b2b7fd9ffdf44821e9ee22ed5d2f81c4f74815fa4f9d7ccf6e285a6fe52c93c3bbc4d40f5655e824665d828aa02e4d3e45175b2ba4a67792

Download Submit
C:\Server_se.exe

Filesize
862KB

MD5
8f246355b24f2547c03edc128aea377e

SHA1
352b5b12807c8573168838751547ea63f58a9b0a

SHA256
673c00df2f452a08ba8f04840697162a927cbd5b4fa995d9787cb636ad396af6

SHA512
36dfd95982af2892b2b7fd9ffdf44821e9ee22ed5d2f81c4f74815fa4f9d7ccf6e285a6fe52c93c3bbc4d40f5655e824665d828aa02e4d3e45175b2ba4a67792

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\VHDsBz3h.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
memory/400-9958-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1676-8763-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1716-8800-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1716-8849-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-8824-0x0000000073E1D000-0x0000000073E28000-memory.dmp

Filesize
44KB

Download
memory/1720-9666-0x0000000073E1D000-0x0000000073E28000-memory.dmp

Filesize
44KB

Download
memory/2100-898-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-896-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-2603-0x0000000002050000-0x00000000021D1000-memory.dmp

Filesize
1.5MB

Download
memory/2100-8741-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-8746-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2100-8748-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2100-924-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-926-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-918-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-920-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-922-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-912-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-914-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-916-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-910-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-908-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-906-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-902-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-904-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-900-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-54-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2100-2601-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2100-892-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-894-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-890-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-888-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-884-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-886-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-882-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-880-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-874-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-10252-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2100-876-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-878-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-872-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-865-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-866-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-9956-0x0000000003BD0000-0x0000000003CF5000-memory.dmp

Filesize
1.1MB

Download
memory/2100-870-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-868-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-55-0x00000000769D0000-0x0000000076A17000-memory.dmp

Filesize
284KB

Download
memory/2264-8851-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2264-10874-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download