chinese_generic_botnet | 9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
Size

2.4MB
MD5

67845f7a3fa8c3047a935537138aa904
SHA1

6f96ae0992998958151d67a7f88b77255c64ba81
SHA256

9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723
SHA512

e3fe14a7f714b4c7510a56a4a2f610bd2ccac425e53167f57570879278a19dfa106d4b6849a63148f9aa645939d26631c80d29b1627f0817c715e447dfbe3f87
SSDEEP

49152:tB/FdWJ4wklBDP1dGXrIDhmIeYZTozEvaoQ/Xn/Gj1qnrntX4AKhH/:PskDP1dOcd8Avdj1o7tCx

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2220-9785-0x0000000000400000-0x000000000052C000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2292	computer.exe
1292	._cache_computer.exe
1728	Synaptics.exe
2092	._cache_Synaptics.exe
2924	Umqygia.exe
2960	Terms.exe
1976	Terms.exe

Loads dropped DLL 11 IoCs

pid	Process
1856	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2292	computer.exe
2292	computer.exe
2292	computer.exe
2292	computer.exe
2292	computer.exe
1728	Synaptics.exe
1728	Synaptics.exe
1728	Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe"	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HD_ls.exe = "C:\\Windows\\system32\\HD_ls.exe"	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe

Enumerates connected drives 3 TTPs 45 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\P:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\T:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\Z:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\I:	._cache_computer.exe
File opened (read-only)	\??\K:	._cache_computer.exe
File opened (read-only)	\??\E:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\N:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\S:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\V:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\X:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\T:	._cache_computer.exe
File opened (read-only)	\??\J:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\L:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\R:	._cache_computer.exe
File opened (read-only)	\??\S:	._cache_computer.exe
File opened (read-only)	\??\F:	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\B:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\G:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\W:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\B:	._cache_computer.exe
File opened (read-only)	\??\U:	._cache_computer.exe
File opened (read-only)	\??\M:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\N:	._cache_computer.exe
File opened (read-only)	\??\O:	._cache_computer.exe
File opened (read-only)	\??\V:	._cache_computer.exe
File opened (read-only)	\??\W:	._cache_computer.exe
File opened (read-only)	\??\R:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\G:	._cache_computer.exe
File opened (read-only)	\??\J:	._cache_computer.exe
File opened (read-only)	\??\M:	._cache_computer.exe
File opened (read-only)	\??\H:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\K:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\O:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\Q:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\U:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\Y:	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened (read-only)	\??\H:	._cache_computer.exe
File opened (read-only)	\??\L:	._cache_computer.exe
File opened (read-only)	\??\P:	._cache_computer.exe
File opened (read-only)	\??\Q:	._cache_computer.exe
File opened (read-only)	\??\X:	._cache_computer.exe
File opened (read-only)	\??\E:	._cache_computer.exe
File opened (read-only)	\??\Y:	._cache_computer.exe
File opened (read-only)	\??\Z:	._cache_computer.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe
File created	C:\Windows\SysWOW64\HD_ls.exe	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Terms.exe	._cache_Synaptics.exe
File created	C:\Program Files (x86)\Terms.exe	._cache_computer.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	._cache_computer.exe
File created	C:\Program Files (x86)\Microsoft Dhbbnn\Umqygia.exe	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File opened for modification	C:\Program Files (x86)\Microsoft Dhbbnn\Umqygia.exe	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
File created	C:\Program Files (x86)\Terms.exe	._cache_Synaptics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\HD_.exe	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7\WpadDecisionReason = "1"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\WpadDecisionReason = "1"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7\WpadDecisionTime = 30315e0811c9d901	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7\WpadDetectedUrl	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\c2-ad-dc-e7-ee-f7	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\c2-ad-dc-e7-ee-f7	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7\WpadDecisionTime = b02ac51811c9d901	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\WpadDecision = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\WpadNetworkName = "Network 3"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7\WpadDecision = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\WpadNetworkName = "Network 3"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7\WpadDecisionTime = 30315e0811c9d901	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\WpadDecisionTime = b02ac51811c9d901	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\WpadDecisionTime = 30315e0811c9d901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7\WpadDecision = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2037560B-743B-4E68-9C52-2F40826523CA}\WpadDecision = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ad-dc-e7-ee-f7	Terms.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2004	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
1292	._cache_computer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1856	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
2004	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2220	1856	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	28
PID 1856 wrote to memory of 2220	1856	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	28
PID 1856 wrote to memory of 2220	1856	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	28
PID 1856 wrote to memory of 2220	1856	9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	28
PID 2220 wrote to memory of 1528	2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	31
PID 2220 wrote to memory of 1528	2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	31
PID 2220 wrote to memory of 1528	2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	31
PID 2220 wrote to memory of 1528	2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	31
PID 2220 wrote to memory of 2292	2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	34
PID 2220 wrote to memory of 2292	2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	34
PID 2220 wrote to memory of 2292	2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	34
PID 2220 wrote to memory of 2292	2220	HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe	34
PID 2292 wrote to memory of 1292	2292	computer.exe	35
PID 2292 wrote to memory of 1292	2292	computer.exe	35
PID 2292 wrote to memory of 1292	2292	computer.exe	35
PID 2292 wrote to memory of 1292	2292	computer.exe	35
PID 2292 wrote to memory of 1728	2292	computer.exe	36
PID 2292 wrote to memory of 1728	2292	computer.exe	36
PID 2292 wrote to memory of 1728	2292	computer.exe	36
PID 2292 wrote to memory of 1728	2292	computer.exe	36
PID 1728 wrote to memory of 2092	1728	Synaptics.exe	37
PID 1728 wrote to memory of 2092	1728	Synaptics.exe	37
PID 1728 wrote to memory of 2092	1728	Synaptics.exe	37
PID 1728 wrote to memory of 2092	1728	Synaptics.exe	37
PID 2960 wrote to memory of 1976	2960	Terms.exe	42
PID 2960 wrote to memory of 1976	2960	Terms.exe	42
PID 2960 wrote to memory of 1976	2960	Terms.exe	42
PID 2960 wrote to memory of 1976	2960	Terms.exe	42

C:\Users\Admin\AppData\Local\Temp\9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
"C:\Users\Admin\AppData\Local\Temp\9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
  C:\Users\Admin\AppData\Local\Temp\HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c md C:\windowss64
    3⤵
    PID:1528
- - C:\windowss64\computer.exe
    "C:\windowss64\computer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:1292
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2092

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Program Files (x86)\Microsoft Dhbbnn\Umqygia.exe
"C:\Program Files (x86)\Microsoft Dhbbnn\Umqygia.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files (x86)\Terms.exe
  "C:\Program Files (x86)\Terms.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Dhbbnn\Umqygia.exe

Filesize
889KB

MD5
e875a237d6a68cf4f0c6becaae181756

SHA1
170dde378e497e4743fa0980bfc0a7439b46c16d

SHA256
c89085680b0eea443bef95035d09f57e1bbe9a5090387dd08a5dc22b8fd73162

SHA512
c1ca9f876bf766ea6493282340313c22337872b375aae51c61cea02c06a317174e9f7a70c3822ada766460797ab57ed6dc98bec029bde5c6eafa1f57e1f42c2d

Download Submit
C:\Program Files (x86)\Microsoft Dhbbnn\Umqygia.exe

Filesize
889KB

MD5
e875a237d6a68cf4f0c6becaae181756

SHA1
170dde378e497e4743fa0980bfc0a7439b46c16d

SHA256
c89085680b0eea443bef95035d09f57e1bbe9a5090387dd08a5dc22b8fd73162

SHA512
c1ca9f876bf766ea6493282340313c22337872b375aae51c61cea02c06a317174e9f7a70c3822ada766460797ab57ed6dc98bec029bde5c6eafa1f57e1f42c2d

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fzSIYxc.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe

Filesize
889KB

MD5
e875a237d6a68cf4f0c6becaae181756

SHA1
170dde378e497e4743fa0980bfc0a7439b46c16d

SHA256
c89085680b0eea443bef95035d09f57e1bbe9a5090387dd08a5dc22b8fd73162

SHA512
c1ca9f876bf766ea6493282340313c22337872b375aae51c61cea02c06a317174e9f7a70c3822ada766460797ab57ed6dc98bec029bde5c6eafa1f57e1f42c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe

Filesize
889KB

MD5
e875a237d6a68cf4f0c6becaae181756

SHA1
170dde378e497e4743fa0980bfc0a7439b46c16d

SHA256
c89085680b0eea443bef95035d09f57e1bbe9a5090387dd08a5dc22b8fd73162

SHA512
c1ca9f876bf766ea6493282340313c22337872b375aae51c61cea02c06a317174e9f7a70c3822ada766460797ab57ed6dc98bec029bde5c6eafa1f57e1f42c2d

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
\Users\Admin\AppData\Local\Temp\HD_9268c2492e5b2f5cbc0780d7add2459790d5a4040d8927b830e0b3be54c85723.exe

Filesize
889KB

MD5
e875a237d6a68cf4f0c6becaae181756

SHA1
170dde378e497e4743fa0980bfc0a7439b46c16d

SHA256
c89085680b0eea443bef95035d09f57e1bbe9a5090387dd08a5dc22b8fd73162

SHA512
c1ca9f876bf766ea6493282340313c22337872b375aae51c61cea02c06a317174e9f7a70c3822ada766460797ab57ed6dc98bec029bde5c6eafa1f57e1f42c2d

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
memory/1728-8818-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1728-9933-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1856-54-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1856-65-0x00000000025C0000-0x00000000026EC000-memory.dmp

Filesize
1.2MB

Download
memory/2004-8832-0x00000000731ED000-0x00000000731F8000-memory.dmp

Filesize
44KB

Download
memory/2004-10067-0x00000000731ED000-0x00000000731F8000-memory.dmp

Filesize
44KB

Download
memory/2220-907-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-887-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-2617-0x0000000001F80000-0x0000000002101000-memory.dmp

Filesize
1.5MB

Download
memory/2220-4111-0x0000000001DE0000-0x0000000001EE0000-memory.dmp

Filesize
1024KB

Download
memory/2220-8757-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-937-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-8763-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2220-8765-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2220-935-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-933-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-931-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-929-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-67-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2220-927-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-925-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-923-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-921-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-919-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-917-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-915-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-913-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-911-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-909-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-905-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-903-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-901-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-899-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-897-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-895-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-893-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-891-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-68-0x00000000769D0000-0x0000000076A17000-memory.dmp

Filesize
284KB

Download
memory/2220-889-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-9785-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2220-2616-0x0000000001DE0000-0x0000000001EE0000-memory.dmp

Filesize
1024KB

Download
memory/2220-885-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-882-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-878-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2220-879-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/2292-8779-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2924-11417-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2924-11418-0x0000000002090000-0x0000000002211000-memory.dmp

Filesize
1.5MB

Download
memory/2924-13227-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2924-14654-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2924-8857-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download