71522ed071747c701f3da62a2204507feee18f26f6c4ef2c021d2457e3bacde7

Analysis

max time kernel
143s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90228aeddedaea0e7d47a0476d651d94.exe
Size

763KB
MD5

90228aeddedaea0e7d47a0476d651d94
SHA1

6e417276fca052b4386f8dca08f726ae68f4cab7
SHA256

71522ed071747c701f3da62a2204507feee18f26f6c4ef2c021d2457e3bacde7
SHA512

0eb8fd07fbe45b492f63dcee64aff01428e957e2b72e994c5fd5a925fbc3ebde71c8eecf896cedab37a54330040a57f09d713c779b59d0f5075d70e59f9de5bb
SSDEEP

12288:gpxWIHQo30veQ7EH1oWths0sHXe2GN6/sra7VRbBSUOHQo30veOF7BbQe:qY7RGQI2Wths00epN6/17VRb0wRGOF7D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	wfrgtjyi2007.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB7A5781-C39F-11EE-AD67-62DD1C0ECF51}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EB7A578C-C39F-11EE-AD67-62DD1C0ECF51}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EB7A5783-C39F-11EE-AD67-62DD1C0ECF51}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB7A5781-C39F-11EE-AD67-62DD1C0ECF51}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\guocyk882007.dll	wfrgtjyi2007.exe
File created	C:\Windows\wfrgtjyi2007.exe	90228aeddedaea0e7d47a0476d651d94.exe
File opened for modification	C:\Windows\wfrgtjyi2007.exe	90228aeddedaea0e7d47a0476d651d94.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B35149B0-A378-44B9-BCD8-D10E5B38B7C2}\3a-e3-07-66-6c-88	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807020000000400140038003a005e0302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	wfrgtjyi2007.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-e3-07-66-6c-88	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 8042d1aeac57da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807020000000400140038003500d001	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = a07cfeaeac57da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 8058f7aeac57da01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B35149B0-A378-44B9-BCD8-D10E5B38B7C2}\WpadDecision = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{884DB052-54A2-4E80-A923-3AF1509286AA}"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	wfrgtjyi2007.exe
Token: SeDebugPrivilege	2568	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2816	wfrgtjyi2007.exe
2816	wfrgtjyi2007.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2452	2816	wfrgtjyi2007.exe	29
PID 2816 wrote to memory of 2452	2816	wfrgtjyi2007.exe	29
PID 2816 wrote to memory of 2452	2816	wfrgtjyi2007.exe	29
PID 2816 wrote to memory of 2452	2816	wfrgtjyi2007.exe	29
PID 2452 wrote to memory of 2848	2452	IEXPLORE.EXE	30
PID 2452 wrote to memory of 2848	2452	IEXPLORE.EXE	30
PID 2452 wrote to memory of 2848	2452	IEXPLORE.EXE	30
PID 2452 wrote to memory of 2568	2452	IEXPLORE.EXE	31
PID 2452 wrote to memory of 2568	2452	IEXPLORE.EXE	31
PID 2452 wrote to memory of 2568	2452	IEXPLORE.EXE	31
PID 2452 wrote to memory of 2568	2452	IEXPLORE.EXE	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\90228aeddedaea0e7d47a0476d651d94.exe
"C:\Users\Admin\AppData\Local\Temp\90228aeddedaea0e7d47a0476d651d94.exe"
1⤵
- Drops file in Windows directory
PID:3068

C:\Windows\wfrgtjyi2007.exe
C:\Windows\wfrgtjyi2007.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2848
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
30935eb1c54c033a56cd5e4bcc3f6a5a

SHA1
564fde1e28616329505b0adeb2bb2bd785bafc07

SHA256
094164a8d5ae8dcf453e5a6f6f44bf46fb033de5315ba574634c804d1e9462eb

SHA512
a5ea5a5d8fbc83d798321a64ba64329862a5e740553f20d007da483401d301f7792739fce14e00a5a940ffff7a289be81febe61c85b3387b874673903d605a0a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdf68599e354876a6a9462da5a7aebe6

SHA1
98b7847bd0a67c5da12e4ca3f13630e03cf5e9e8

SHA256
e93dfaf78669b82033cb0694c3f026b1dd5e5b0652c265a55fe0c205b260a7fb

SHA512
7f56092276887ef97ab6b9b33702064152817802513169d072a4bef2ac072bdb98d735795205a32c4d067e4f9ecb961276cd3d715f82a53b4e3d7ae24d5da43a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51001d9c237d4235f88f87b5c767d330

SHA1
264346883812c07b3e58a356565b0af10661d8ba

SHA256
3c59dd9d45abf3f343159850af9e817fcdc9ae72b6d7953cd667ccc971c64607

SHA512
43450f86a85e82a7faa16015b5dd8ac2bbd6863cf8f63fd7e927e46f3537bfff45bddcfd0b1159a687619da8951253b489f5e4cc8c9a32f542eabd50af67f68f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4212f5ef41e0da7795b5831d2a7c6d25

SHA1
b6d54bdccfc706c436199dd797bb757f610d4082

SHA256
d338dc2f0f8b1f82a4c4e6c47bbf83967116a5e22e59860cb8b383a4770b0aa8

SHA512
cc2073819bef0f4d0ad1718265e6931b111447c86c8fb6193b248d8406bbec37d2cc6164cc7656fe98e4bc0eb5bb7bf3f8dcf7fd6b8bd861c9def408fefee6a8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15a09be1020556e9881d8ce360bbb043

SHA1
cc0968adf11b7c92d2489a8a84329caa284e6642

SHA256
2c56020d5661b6e472bffe773e3f6c7abfdd496c98f0dd4ca5ef7088fefb8527

SHA512
1e7f16b389370ae427f2decc4905cd80c843c1a929612eab44af5f91928fb3eff771a31e7e5409f75334f38edcd45333ac2b8b7a3d7bd272b1758c023db2c603

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b94cca457d487700d409a1f989a72af

SHA1
c6dbeae16b31828c0a0d95f279bf39dcc5dcabb1

SHA256
f2412273430e3ba3398298ee812e6e7c23f0484436634cb693946b552157f320

SHA512
f8b2d7f3d94702c4963ff34f859bb7e624c5538f20360a724705c69e74a43f4624f6c81f4c62a08ea10f6f3093e13362019425422a8f3647493223daafd9cc9d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e1dc341d612fb7d9d9f00756f307bca

SHA1
fdb244d3ed8253022ca2ce84a570521d8f1fd28c

SHA256
7d691c64c7ac531fc05df4e4dae42c2de71ed92c59e0fe34bc8f6dd11f287a6c

SHA512
f4105d919be71b5dd3fd5d52b730b5ada71be3c2d6891a31d5521a5fdc2f712bdb083d3a14acf0267d21c671a766d99c1711616b79a204b9dcb0962804871d4a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72e82667cb1bdc9b34e2fecc790f37de

SHA1
7e83f528c7705a468dda1eb3d8cc93c2ed288f7d

SHA256
22e1ad2adb284ac5c6a8cead51fa65ff162d26335bfbfefb74d92c77d23b6246

SHA512
35a44d1414f35f68d68884d346e2b9a29bb3aa560999e69b26c19b2e157ee5a3720c3b28a858f1c5177c4c4f6734af9e902f0c56e8025a12fb9667f8bae24600

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a2f85f309eabcb894ad4d4d8d53fd15

SHA1
149d58a374ea48879bce2a84090d28e8218ee0aa

SHA256
8e5d8287dd57de3d5d3091e7b71195a1dd36590bc73466a1709a6e16c14aa2e1

SHA512
dd5845fa3259a74d10ebd20d1f67245b1fbbd43f6fb5bb1800f17e56264325874d2b94eb3536d2cbfec2a13d0d8fbfe6257d4f169689ed7242a960646b57377e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9296dbb7cac29664b343641c3e226e40

SHA1
a621b5f4880fed3759830b5ec79085771c6afd8d

SHA256
ae5c1bce6f5d9043b985c09e2901c4c6b8cb8166388b5f050606374a6ea0e747

SHA512
f2fe36f2ba84670de62e5aac0c20464b8f425cc1929aed157dd92801c64f35376353ee1b3de215fe03274f0228b35da2d0e1a698c8dca4081fbdc4a5afbcc8a0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92ce61a13f10d5a60cd5117e002cf716

SHA1
3a06774319606fe7a972772e3e792562438dfb8b

SHA256
215f6c9f0869701edf634ea3b6216d007d7f234ed63755b2ea9c6b3bcd8ee383

SHA512
f609c6409ace9d770bdb70e1c518c5190a55fa58be330e33140ed152592219519f161657abe0133929eb38c129bd16abf7d547b36de2818e8d9255fd53a9f590

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b506a7a20d620596c19618a040280ad

SHA1
d2f8abdc88896f2695c2c8cfe06ac8ab4a653c5b

SHA256
058e3e4c92348a7e0664ce4a92cda2c8b68eb9bc732d24bf480602f26023c6d7

SHA512
0e8082f60f4f90888a646472f674a157ae9321c358f8618b9f7b62009c4e80e9a3e3eac0a1fe8ba2b86e4f396c8a74dd3473d955eb40686f6b72175ec7a5e772

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6af8ef168563182f1a9c9be780db5f1c

SHA1
244f2b0aff6e477dcaddf5017c413698b0d9720f

SHA256
e65b16f9f730ed1623e9d48f57449968c21adabb77b2c1f380793d9eaee84485

SHA512
946bcd1f09936429ed3ec5ff4640fef57a06cb6d2ddd8da04c9bb129227cd003b33b9da92ec507ae4bbe41faac5efd824b076e10e3a71f90221b8e41e3fc974d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9f77000279c1ad3ab022e8d831f6e34

SHA1
66438491ff026f892fdde90f217d1079c21d0286

SHA256
ea08dc050c21c618fb2e95ee43c7c4be31d4a6479fa44de4c21d4330678c67db

SHA512
4641d848c4c05da4f188fb0ac2eb0199ff18b556fce00d40e58f9ccb3b6b3eb8cbd01b29eeccf6359673c25b9295f8c76774f5ccbaf05b7743f753aa3d7ce693

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b89a62d2523d66c22b77266f08b0018d

SHA1
ea8e1cc1de5e50c79f1a5520c57bfdda4835dbf3

SHA256
d467843c9e0ca824893743037df090beae0880fd8f0afb41bc5bb673a2354b64

SHA512
088da576ea09f0920da2abc297b11c223f3b02a543d702e45779563409c5e6609510713d22ec18d2b7de301988191249f1235df088dfd4eca790faf9e5775298

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2ff6bde00dda041bb01c3394749aea58

SHA1
f122632bd7a248d4dc542cb2b533808ba44146be

SHA256
7e51f6a784d1454ee1f30ff35b21eb3c090d97361e0a60297850bb98f4c3119f

SHA512
1a2053608e4edbd722a3b53258fc2d254937e3585b617d74a7713e9e0c04b22cd45c30d006be2a2ddc7457b47fe1a0549861a715aceb9fb19b3c106a4c26f5b0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d07c719e4eb776e966ce20318e0036b

SHA1
7af34ce6ce02c14d36db8fae4c30baba3453594c

SHA256
5c2b0c12f1e39df0aa06ed52c4294222fa511cbbcc8422cecb5fd541c75451fc

SHA512
3a817c1072f94c65f4d913fe017fe296a4b1653534845bad61b6b2535213db7a4f84479861adc0d14d520295028f93c5e3b4a0f890acd7138584137bb52fe321

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4ecd784ca2051f5ba033c2962c73224

SHA1
1ad16d38099776745cadaf15d28059d05a65effd

SHA256
f3fcbb33a3eae59ce5ff7141e710228656171b33f6be5088be52d0db3cee2193

SHA512
10198d95a5ea8fe11f8c86640c152e97ef4ae2fe2007a004431daffa24ecc446503125e31432eef59ece580e44a7f765f8159046827fcdca8ccbb7b8d7ecefe7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
252c521e2f12ef10cf620537128bb525

SHA1
96fcecb4249f3f23345a2c7254e7980d6f1ba072

SHA256
1087d027d8e377f57efc5f892d3189f6a43f4a929ba74fc3dbf890b4ea2441f4

SHA512
1f48c3bb937b058da5e6c3f2a2a051c99ee49dd8e7253beb738e3ec19cdfba8dead7eef5531aff3fa4556d4d8d5b6bc71e25300445651a5468671d97b087ef67

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab6B27.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar6B59.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar87C2.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Temp\www5A12.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www5A22.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\guocyk882007.dll

Filesize
491KB

MD5
bf323941244f580c21d249642ffd0740

SHA1
01fc9dba07c4804b26db52e60e3b9b2e8d27a42d

SHA256
646ee826bfbebef7fa8f4df36ae1d876a030ea9d1d5bcb0645c3ce54bde1f640

SHA512
ac0d73fb1f84d101ac99da6554d23996bf9800ae6fe43ae2395220b2bcf045eb3cdd6127a395f1bfa1d8467856f8eb06b0bf01b5a5630b3cb4001e12575319b9

Download Submit
C:\Windows\wfrgtjyi2007.exe

Filesize
763KB

MD5
90228aeddedaea0e7d47a0476d651d94

SHA1
6e417276fca052b4386f8dca08f726ae68f4cab7

SHA256
71522ed071747c701f3da62a2204507feee18f26f6c4ef2c021d2457e3bacde7

SHA512
0eb8fd07fbe45b492f63dcee64aff01428e957e2b72e994c5fd5a925fbc3ebde71c8eecf896cedab37a54330040a57f09d713c779b59d0f5075d70e59f9de5bb

Download Submit
memory/2816-723-0x0000000002CC0000-0x0000000002D96000-memory.dmp

Filesize
856KB

Download
memory/2816-725-0x0000000002E60000-0x0000000002EAB000-memory.dmp

Filesize
300KB

Download
memory/2816-722-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2816-28-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2816-157-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2816-29-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2816-30-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2816-184-0x0000000002E60000-0x0000000002EAB000-memory.dmp

Filesize
300KB

Download
memory/2816-25-0x00000000026C0000-0x00000000027C0000-memory.dmp

Filesize
1024KB

Download
memory/2816-200-0x0000000000300000-0x000000000034B000-memory.dmp

Filesize
300KB

Download
memory/2816-201-0x0000000003570000-0x0000000003573000-memory.dmp

Filesize
12KB

Download
memory/2816-22-0x0000000000300000-0x000000000034B000-memory.dmp

Filesize
300KB

Download
memory/2816-113-0x0000000002CC0000-0x0000000002D96000-memory.dmp

Filesize
856KB

Download
memory/2816-220-0x000000007702F000-0x0000000077030000-memory.dmp

Filesize
4KB

Download
memory/2816-21-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2816-27-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/3068-26-0x0000000000330000-0x000000000037B000-memory.dmp

Filesize
300KB

Download
memory/3068-11-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/3068-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3068-19-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3068-16-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3068-17-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3068-18-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/3068-12-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/3068-24-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3068-13-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/3068-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3068-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3068-3-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3068-5-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/3068-6-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3068-7-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3068-8-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download
memory/3068-9-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3068-10-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000000330000-0x000000000037B000-memory.dmp

Filesize
300KB

Download