0fa807337a3c638aad78d9b50eaae632907291f5fffca08951bc0f27d929189a

max time kernel
78s
max time network
81s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
18/11/2023, 12:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DF.exe
Size

528KB
MD5

0580e3884493d1157a00e694a844a728
SHA1

85492026c18fa2e41ed2eab90e94a6a1979a972d
SHA256

0fa807337a3c638aad78d9b50eaae632907291f5fffca08951bc0f27d929189a
SHA512

cb23316a4228ca8a58f3ed94f69c27af7c197072cde11716fa8bba0799f68bf7c355526c70a3e8d04a5553040a9647eb4cf649be54508b956f90616bf0742ca8
SSDEEP

6144:2m7CZCyTCxUcy9qk0oQk3vFwQuyxMgYjYlEg3KwDe2heh3a1kWazQYoc164:Z7yRSyQSdBi+lDeQehTWajhP

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	Hnha.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	Hnha.exe

Executes dropped EXE 2 IoCs

pid	Process
2384	Hnha.exe
728	SCWCVFF.exe

Loads dropped DLL 1 IoCs

pid	Process
728	SCWCVFF.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	SCWCVFF.exe
File opened (read-only)	\??\P:	SCWCVFF.exe
File opened (read-only)	\??\R:	SCWCVFF.exe
File opened (read-only)	\??\V:	SCWCVFF.exe
File opened (read-only)	\??\B:	SCWCVFF.exe
File opened (read-only)	\??\H:	SCWCVFF.exe
File opened (read-only)	\??\I:	SCWCVFF.exe
File opened (read-only)	\??\K:	SCWCVFF.exe
File opened (read-only)	\??\Q:	SCWCVFF.exe
File opened (read-only)	\??\S:	SCWCVFF.exe
File opened (read-only)	\??\W:	SCWCVFF.exe
File opened (read-only)	\??\Z:	SCWCVFF.exe
File opened (read-only)	\??\E:	SCWCVFF.exe
File opened (read-only)	\??\J:	SCWCVFF.exe
File opened (read-only)	\??\M:	SCWCVFF.exe
File opened (read-only)	\??\N:	SCWCVFF.exe
File opened (read-only)	\??\X:	SCWCVFF.exe
File opened (read-only)	\??\Y:	SCWCVFF.exe
File opened (read-only)	\??\G:	SCWCVFF.exe
File opened (read-only)	\??\O:	SCWCVFF.exe
File opened (read-only)	\??\T:	SCWCVFF.exe
File opened (read-only)	\??\U:	SCWCVFF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 7c0031000000000072578e6011005075626c69630000660009000400efbe724a6fa872578e602e000000630500000000010000000000000000003c00000000001f0114015000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 780031000000000072578f6011004d7573696300640009000400efbe724a6fa872578f602e000000680500000000010000000000000000003a0000000000e628dd004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 540031000000000072578f6010006a6333574d4700003e0009000400efbe72578f6072578f602e000000caab0100000008000000000000000000000000000000e628dd006a006300330057004d004700000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 780031000000000054578b7c1100557365727300640009000400efbe724a0b5d54578b7c2e000000320500000000010000000000000000003a0000000000ddfbb60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4332	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	DF.exe
2792	DF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe
728	SCWCVFF.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4332	explorer.exe
4332	explorer.exe
728	SCWCVFF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 4688	2792	DF.exe	71
PID 2792 wrote to memory of 4688	2792	DF.exe	71
PID 4332 wrote to memory of 2384	4332	explorer.exe	74
PID 4332 wrote to memory of 2384	4332	explorer.exe	74
PID 4332 wrote to memory of 2384	4332	explorer.exe	74
PID 4332 wrote to memory of 728	4332	explorer.exe	79
PID 4332 wrote to memory of 728	4332	explorer.exe	79
PID 4332 wrote to memory of 728	4332	explorer.exe	79

C:\Users\Admin\AppData\Local\Temp\DF.exe
"C:\Users\Admin\AppData\Local\Temp\DF.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe C:\Users\Public\Music\jc3WMG
  2⤵
  PID:4688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Roaming\NK3N3\Hnha.exe
  "C:\Users\Admin\AppData\Roaming\NK3N3\Hnha.exe" -n C:\Users\Admin\AppData\Roaming\NK3N3\TP9.zip -d C:\Users\Admin\AppData\Roaming
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:2384
- C:\ProgramData\M2L5L5\SCWCVFF.exe
  "C:\ProgramData\M2L5L5\SCWCVFF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\M2L5L5\360sb.mdb

Filesize
996KB

MD5
4b4097d2367f3d89fdfe6b48f538b2b5

SHA1
b18f954d000bb4d988e9118ba629e682c5b1735c

SHA256
30a0f3bfeb33ae38d45f60dda35f05ca9eda07ae02a6e10d82bd3d03e4df89bb

SHA512
d15581b3661b9b884c477d062fdc1d9d19ebb581d8a0f06201d016e1be576aa6f9b76f2886f90a60a5b3db3920d4cd5ca6f5dc3853775950be4452ff452abd42

Download Submit
C:\ProgramData\M2L5L5\AsuraBase.dll

Filesize
2.8MB

MD5
c553971cce0d318dea4945f1b3f7591e

SHA1
ec7767572e756fb56b3e2b63fe80bc11e9269f82

SHA256
7149082478379a8aa39a5e9532e581c7d300726948c0aea21442869cc5af66cc

SHA512
6e3e96e37d6b82b8e78350a9a4d8bc06986597741a3a2298a3dfb2a69c09f12a197b1eb1ab93c09e53b6f28892378e021fc3f4057e9ab7d4f0fefa071310168c

Download Submit
C:\ProgramData\M2L5L5\SCWCVFF.exe

Filesize
13.1MB

MD5
b9cc4082b3d835bdf60f54d187cfc81e

SHA1
c0354fc04bcd27dd79aa5019a99654b7600c8388

SHA256
4b4fc187a3503f68fbeb540865b21d77e98bc8e83a155c8d5e725fe24eaa1910

SHA512
932064375ed1dfab06193b413b9400cf0ad83b3e3feb307e0f7ea8c5d1003577dbd2cb30e51fc32860f995085062fc77365ad6976513788e71c28d10d11b6ce7

Download Submit
C:\ProgramData\M2L5L5\SCWCVFF.exe

Filesize
13.1MB

MD5
b9cc4082b3d835bdf60f54d187cfc81e

SHA1
c0354fc04bcd27dd79aa5019a99654b7600c8388

SHA256
4b4fc187a3503f68fbeb540865b21d77e98bc8e83a155c8d5e725fe24eaa1910

SHA512
932064375ed1dfab06193b413b9400cf0ad83b3e3feb307e0f7ea8c5d1003577dbd2cb30e51fc32860f995085062fc77365ad6976513788e71c28d10d11b6ce7

Download Submit
C:\ProgramData\M2L5L5\SCWCVFF.exe

Filesize
13.1MB

MD5
b9cc4082b3d835bdf60f54d187cfc81e

SHA1
c0354fc04bcd27dd79aa5019a99654b7600c8388

SHA256
4b4fc187a3503f68fbeb540865b21d77e98bc8e83a155c8d5e725fe24eaa1910

SHA512
932064375ed1dfab06193b413b9400cf0ad83b3e3feb307e0f7ea8c5d1003577dbd2cb30e51fc32860f995085062fc77365ad6976513788e71c28d10d11b6ce7

Download Submit
C:\Users\Admin\AppData\Roaming\NK3N3\Embarcaderophi.lnk

Filesize
797B

MD5
211793d060f6986757764be366b21b0a

SHA1
64d93737ffb38ce6574174673cffb612dca206c5

SHA256
a81f416bd9832ee2b7b088a27d267cab6962062639a34b53094fe47661619a45

SHA512
e608bacda5fb6ce1817dd88302e8bd53c875f53078165fc1571b6b1ea8b1e771787041cd8248c4d0c302b5eabbefb40d63fe5c3d978daeb1477625f8737b4ef0

Download Submit
C:\Users\Admin\AppData\Roaming\NK3N3\Hnha.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
C:\Users\Admin\AppData\Roaming\NK3N3\Hnha.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
C:\Users\Admin\AppData\Roaming\NK3N3\Hnha.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
C:\Users\Admin\AppData\Roaming\NK3N3\TP9.zip

Filesize
1KB

MD5
1e3dfd5b5825b74e74de4f414b3bec40

SHA1
ad5f1dbef789e1cf54bca966a8491e7b6d51c779

SHA256
8c9d105697ad0bf6ccedb353bd388b26c7c8135123f61ed9a5cad204d87a2e2c

SHA512
8bd5c98f44ac25dd6168d5da26b4c46c544d95fb15f105b23556652af2e8f57ad404deebe2da0c3995d3ef19740576d77249d95cbb7ebe012a24748e666c878e

Download Submit
C:\Users\Public\5L4L4O

Filesize
14.3MB

MD5
c8d12d7ad5732cf61d1d4aa5690c6a4f

SHA1
acedbd4b1d01eb516fd23fa7cab680d4769e83b5

SHA256
56aaf38c2b881f4073f0ceb282802e6956b3adacefd48e10084e97a47ed4d35b

SHA512
9bae5f61dcec9523dfc9902a70dd67d4379aa1ea223ec786a988d50b71f1d1f44a76d7d73bfff7f9f56fd06e6f7d96c7106b688570381d2d42d8d9b854a29658

Download Submit
C:\Users\Public\Music\jc3WMG\7XQKAh.lnk

Filesize
1006B

MD5
9c6bc6d3daf48f283728e9abfedaa74e

SHA1
978dca918176f0e6cdd5fe5a2a94d9c0b90c3797

SHA256
fd52010b1360abe566412c66e7b6a54968b86104a6195bf3fa3d4c4668552129

SHA512
628ab18695b0a20ba2dfd8ed52e1b41ca5d326c89babce7adf43ffaccb3990ec63f583aeca95fe5783a64a14a5dcfb5ec217e0fdba4eeb2179c922bd5e088be0

Download Submit
C:\Users\Public\Music\jc3WMG\9TJDtm.lnk

Filesize
1006B

MD5
9c6bc6d3daf48f283728e9abfedaa74e

SHA1
978dca918176f0e6cdd5fe5a2a94d9c0b90c3797

SHA256
fd52010b1360abe566412c66e7b6a54968b86104a6195bf3fa3d4c4668552129

SHA512
628ab18695b0a20ba2dfd8ed52e1b41ca5d326c89babce7adf43ffaccb3990ec63f583aeca95fe5783a64a14a5dcfb5ec217e0fdba4eeb2179c922bd5e088be0

Download Submit
C:\Users\Public\Music\jc3WMG\Gwqg93.url

Filesize
67B

MD5
aa375b51fa2ee67732bc60af0654ad1c

SHA1
e4b3489b44f5c7cc0cb7c0a6026ddc56fd7dfd9b

SHA256
336168d1d00a0250e1f7ff8b96d05f1ecdf70649cca5b98b733dc5c61151a939

SHA512
a8d871d1a2e1bd778e611c8c29f01badc361c6a0955abc28f56253b2acf7198080ad5e4e1fc9bc9e60ad44b0071f339a51381689abd095133242e9642f2d57b4

Download Submit
C:\Users\Public\Music\jc3WMG\Jt90TN.lnk

Filesize
1006B

MD5
9c6bc6d3daf48f283728e9abfedaa74e

SHA1
978dca918176f0e6cdd5fe5a2a94d9c0b90c3797

SHA256
fd52010b1360abe566412c66e7b6a54968b86104a6195bf3fa3d4c4668552129

SHA512
628ab18695b0a20ba2dfd8ed52e1b41ca5d326c89babce7adf43ffaccb3990ec63f583aeca95fe5783a64a14a5dcfb5ec217e0fdba4eeb2179c922bd5e088be0

Download Submit
C:\Users\Public\Music\jc3WMG\Jztmc6.url

Filesize
67B

MD5
aa375b51fa2ee67732bc60af0654ad1c

SHA1
e4b3489b44f5c7cc0cb7c0a6026ddc56fd7dfd9b

SHA256
336168d1d00a0250e1f7ff8b96d05f1ecdf70649cca5b98b733dc5c61151a939

SHA512
a8d871d1a2e1bd778e611c8c29f01badc361c6a0955abc28f56253b2acf7198080ad5e4e1fc9bc9e60ad44b0071f339a51381689abd095133242e9642f2d57b4

Download Submit
C:\Users\Public\Music\jc3WMG\Jztmc6.url

Filesize
67B

MD5
aa375b51fa2ee67732bc60af0654ad1c

SHA1
e4b3489b44f5c7cc0cb7c0a6026ddc56fd7dfd9b

SHA256
336168d1d00a0250e1f7ff8b96d05f1ecdf70649cca5b98b733dc5c61151a939

SHA512
a8d871d1a2e1bd778e611c8c29f01badc361c6a0955abc28f56253b2acf7198080ad5e4e1fc9bc9e60ad44b0071f339a51381689abd095133242e9642f2d57b4

Download Submit
C:\Users\Public\Music\jc3WMG\MFwpj9.url

Filesize
67B

MD5
aa375b51fa2ee67732bc60af0654ad1c

SHA1
e4b3489b44f5c7cc0cb7c0a6026ddc56fd7dfd9b

SHA256
336168d1d00a0250e1f7ff8b96d05f1ecdf70649cca5b98b733dc5c61151a939

SHA512
a8d871d1a2e1bd778e611c8c29f01badc361c6a0955abc28f56253b2acf7198080ad5e4e1fc9bc9e60ad44b0071f339a51381689abd095133242e9642f2d57b4

Download Submit
C:\Users\Public\Music\jc3WMG\PICsmc.url

Filesize
67B

MD5
aa375b51fa2ee67732bc60af0654ad1c

SHA1
e4b3489b44f5c7cc0cb7c0a6026ddc56fd7dfd9b

SHA256
336168d1d00a0250e1f7ff8b96d05f1ecdf70649cca5b98b733dc5c61151a939

SHA512
a8d871d1a2e1bd778e611c8c29f01badc361c6a0955abc28f56253b2acf7198080ad5e4e1fc9bc9e60ad44b0071f339a51381689abd095133242e9642f2d57b4

Download Submit
C:\Users\Public\Music\jc3WMG\PvcWCw.lnk

Filesize
1006B

MD5
9c6bc6d3daf48f283728e9abfedaa74e

SHA1
978dca918176f0e6cdd5fe5a2a94d9c0b90c3797

SHA256
fd52010b1360abe566412c66e7b6a54968b86104a6195bf3fa3d4c4668552129

SHA512
628ab18695b0a20ba2dfd8ed52e1b41ca5d326c89babce7adf43ffaccb3990ec63f583aeca95fe5783a64a14a5dcfb5ec217e0fdba4eeb2179c922bd5e088be0

Download Submit
C:\Users\Public\Music\jc3WMG\Rxrka4.lnk

Filesize
1006B

MD5
9c6bc6d3daf48f283728e9abfedaa74e

SHA1
978dca918176f0e6cdd5fe5a2a94d9c0b90c3797

SHA256
fd52010b1360abe566412c66e7b6a54968b86104a6195bf3fa3d4c4668552129

SHA512
628ab18695b0a20ba2dfd8ed52e1b41ca5d326c89babce7adf43ffaccb3990ec63f583aeca95fe5783a64a14a5dcfb5ec217e0fdba4eeb2179c922bd5e088be0

Download Submit
C:\Users\Public\Music\jc3WMG\Rxrka4.lnk

Filesize
1006B

MD5
9c6bc6d3daf48f283728e9abfedaa74e

SHA1
978dca918176f0e6cdd5fe5a2a94d9c0b90c3797

SHA256
fd52010b1360abe566412c66e7b6a54968b86104a6195bf3fa3d4c4668552129

SHA512
628ab18695b0a20ba2dfd8ed52e1b41ca5d326c89babce7adf43ffaccb3990ec63f583aeca95fe5783a64a14a5dcfb5ec217e0fdba4eeb2179c922bd5e088be0

Download Submit
C:\Users\Public\Music\jc3WMG\VFvoiL.lnk

Filesize
1006B

MD5
629d0aa6ef5a4c21d69595be9d464a38

SHA1
9099d0b924d482706895b77f7415e496bebc439c

SHA256
0b9dea590d3a578eca099af0e04bc4e5065ca3cb76ec8be5b9cc75ba417c1e92

SHA512
246b482badf8b7b1c560863efbedc05bdce230db495574e35079856556aa9f4350e4f9613b275c3c983e26cb49e271730ec52609670a83781bc891a993c3deb2

Download Submit
C:\Users\Public\Music\jc3WMG\VLFvpi.url

Filesize
67B

MD5
aa375b51fa2ee67732bc60af0654ad1c

SHA1
e4b3489b44f5c7cc0cb7c0a6026ddc56fd7dfd9b

SHA256
336168d1d00a0250e1f7ff8b96d05f1ecdf70649cca5b98b733dc5c61151a939

SHA512
a8d871d1a2e1bd778e611c8c29f01badc361c6a0955abc28f56253b2acf7198080ad5e4e1fc9bc9e60ad44b0071f339a51381689abd095133242e9642f2d57b4

Download Submit
C:\Users\Public\Music\jc3WMG\YOIBsl.url

Filesize
67B

MD5
aa375b51fa2ee67732bc60af0654ad1c

SHA1
e4b3489b44f5c7cc0cb7c0a6026ddc56fd7dfd9b

SHA256
336168d1d00a0250e1f7ff8b96d05f1ecdf70649cca5b98b733dc5c61151a939

SHA512
a8d871d1a2e1bd778e611c8c29f01badc361c6a0955abc28f56253b2acf7198080ad5e4e1fc9bc9e60ad44b0071f339a51381689abd095133242e9642f2d57b4

Download Submit
C:\Users\Public\Music\jc3WMG\rkb4YO.lnk

Filesize
1006B

MD5
9c6bc6d3daf48f283728e9abfedaa74e

SHA1
978dca918176f0e6cdd5fe5a2a94d9c0b90c3797

SHA256
fd52010b1360abe566412c66e7b6a54968b86104a6195bf3fa3d4c4668552129

SHA512
628ab18695b0a20ba2dfd8ed52e1b41ca5d326c89babce7adf43ffaccb3990ec63f583aeca95fe5783a64a14a5dcfb5ec217e0fdba4eeb2179c922bd5e088be0

Download Submit
C:\Users\Public\Music\jc3WMG\ztmd6W.url

Filesize
67B

MD5
aa375b51fa2ee67732bc60af0654ad1c

SHA1
e4b3489b44f5c7cc0cb7c0a6026ddc56fd7dfd9b

SHA256
336168d1d00a0250e1f7ff8b96d05f1ecdf70649cca5b98b733dc5c61151a939

SHA512
a8d871d1a2e1bd778e611c8c29f01badc361c6a0955abc28f56253b2acf7198080ad5e4e1fc9bc9e60ad44b0071f339a51381689abd095133242e9642f2d57b4

Download Submit
\ProgramData\M2L5L5\asurabase.dll

Filesize
2.8MB

MD5
c553971cce0d318dea4945f1b3f7591e

SHA1
ec7767572e756fb56b3e2b63fe80bc11e9269f82

SHA256
7149082478379a8aa39a5e9532e581c7d300726948c0aea21442869cc5af66cc

SHA512
6e3e96e37d6b82b8e78350a9a4d8bc06986597741a3a2298a3dfb2a69c09f12a197b1eb1ab93c09e53b6f28892378e021fc3f4057e9ab7d4f0fefa071310168c

Download Submit
memory/728-104-0x00000000052D0000-0x00000000052FD000-memory.dmp

Filesize
180KB

Download
memory/728-112-0x0000000000400000-0x0000000003618000-memory.dmp

Filesize
50.1MB

Download
memory/728-118-0x0000000005D50000-0x0000000005D85000-memory.dmp

Filesize
212KB

Download
memory/728-120-0x0000000005ED0000-0x0000000005F0C000-memory.dmp

Filesize
240KB

Download
memory/728-117-0x0000000005ED0000-0x0000000005F0C000-memory.dmp

Filesize
240KB

Download
memory/728-121-0x0000000005ED0000-0x0000000005F0C000-memory.dmp

Filesize
240KB

Download
memory/728-122-0x0000000005ED0000-0x0000000005F0C000-memory.dmp

Filesize
240KB

Download
memory/728-124-0x0000000005ED0000-0x0000000005F0C000-memory.dmp

Filesize
240KB

Download
memory/2384-82-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2792-0-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2792-15-0x00000000026D0000-0x0000000002716000-memory.dmp

Filesize
280KB

Download
memory/2792-6-0x0000000004CF0000-0x0000000004DB1000-memory.dmp

Filesize
772KB

Download