blackmoon | fe7bcdcf12d34097b36cffe0ca7f56d29fb9079741d6926baf1cb76285bee367

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

373KB
MD5

ba9ba28edcd2e019634a2cd354291059
SHA1

57e197322f588f7696ff8953e377bc75728d1ce8
SHA256

fe7bcdcf12d34097b36cffe0ca7f56d29fb9079741d6926baf1cb76285bee367
SHA512

e1a0114abe0a043e60d1d1e43c0faf9f0f8f7d743c5dea878882bd33c693545e94ef127207b9515df15677255d3e03a80cb4df4039518b4b56a602fb469b3a1c
SSDEEP

6144:4mjmFJUEhqnuMotJTR364xjLRYPxSPqLFl/3vKC3WNlF7qMF934yApNhoSX:LjmFgmJk4BLRYpSyLFl//P31fzoS

Score

10^/10

blackmoon banker persistence trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2432-132-0x0000000000400000-0x0000000000534000-memory.dmp	family_blackmoon
behavioral2/memory/2432-133-0x0000000000400000-0x0000000000534000-memory.dmp	family_blackmoon
C:\Program Files\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
C:\Program Files\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
C:\Program Files (x86)\Windows Media Player\wmpIayer.exe	family_blackmoon
C:\Program Files (x86)\Windows Media Player\wmpIayer.exe	family_blackmoon
C:\Program Files\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
C:\Program Files (x86)\Windows Media Player\wmpIayer.exe	family_blackmoon
C:\Windows\expIorer.exe	family_blackmoon
\??\c:\windows\expIorer.exe	family_blackmoon

Drops file in Drivers directory 14 IoCs

Processes:

lmagingDevices.exelmagingDevices.exeexpIorer.exelmagingDevices.exewmpIayer.exelmagingDevices.exewmpIayer.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\ceKvWHPPk0.sys	lmagingDevices.exe
File created	C:\Windows\system32\Drivers\k1x5HDXI.sys	lmagingDevices.exe
File opened for modification	C:\Windows\system32\Drivers\ceKvWHPPk0.sys	lmagingDevices.exe
File created	C:\Windows\system32\Drivers\LLD_oId2.sys	expIorer.exe
File opened for modification	C:\Windows\system32\Drivers\nxSj__s9.sys	lmagingDevices.exe
File created	C:\Windows\system32\Drivers\nxSj__s9.sys	lmagingDevices.exe
File opened for modification	C:\Windows\system32\Drivers\TTaz7KKhLAX.sys	wmpIayer.exe
File created	C:\Windows\system32\Drivers\TTaz7KKhLAX.sys	wmpIayer.exe
File opened for modification	C:\Windows\system32\Drivers\k1x5HDXI.sys	lmagingDevices.exe
File opened for modification	C:\Windows\system32\Drivers\I_Qwczl7qt.sys	lmagingDevices.exe
File created	C:\Windows\system32\Drivers\I_Qwczl7qt.sys	lmagingDevices.exe
File created	C:\Windows\system32\Drivers\rvL3BnWSl6.sys	wmpIayer.exe
File opened for modification	C:\Windows\system32\Drivers\LLD_oId2.sys	expIorer.exe
File opened for modification	C:\Windows\system32\Drivers\rvL3BnWSl6.sys	wmpIayer.exe

Executes dropped EXE 7 IoCs

Processes:

lmagingDevices.exelmagingDevices.exewmpIayer.exelmagingDevices.exelmagingDevices.exewmpIayer.exeexpIorer.exe

pid process

2100 lmagingDevices.exe
4024 lmagingDevices.exe
4672 wmpIayer.exe
4272 lmagingDevices.exe
3524 lmagingDevices.exe
4916 wmpIayer.exe
5040 expIorer.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lmagingDevices.exelmagingDevices.exewmpIayer.exelmagingDevices.exelmagingDevices.exewmpIayer.exeexpIorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ceKvWHPPk0\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\ceKvWHPPk0.sys"	lmagingDevices.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nxSj__s9\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\nxSj__s9.sys"	lmagingDevices.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TTaz7KKhLAX\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\TTaz7KKhLAX.sys"	wmpIayer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\k1x5HDXI\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\k1x5HDXI.sys"	lmagingDevices.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\I_Qwczl7qt\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\I_Qwczl7qt.sys"	lmagingDevices.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rvL3BnWSl6\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\rvL3BnWSl6.sys"	wmpIayer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LLD_oId2\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\LLD_oId2.sys"	expIorer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2432-132-0x0000000000400000-0x0000000000534000-memory.dmp	upx
behavioral2/memory/2432-133-0x0000000000400000-0x0000000000534000-memory.dmp	upx

VMProtect packed file 15 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\Help\240594953.LBn	vmprotect
behavioral2/memory/2100-139-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
C:\Windows\Help\240612359.Zd1	vmprotect
behavioral2/memory/4024-145-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
C:\Windows\Help\240629421.nTL	vmprotect
behavioral2/memory/4672-151-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
behavioral2/memory/4672-152-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
C:\Windows\Help\240648593.7Z3	vmprotect
behavioral2/memory/4272-157-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
C:\Windows\Help\240665765.9R9	vmprotect
behavioral2/memory/3524-162-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
C:\Windows\Help\240683000.Zzl	vmprotect
behavioral2/memory/4916-167-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
C:\Windows\Help\240702515.1Z7	vmprotect
behavioral2/memory/5040-173-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect

Loads dropped DLL 14 IoCs

Processes:

lmagingDevices.exelmagingDevices.exewmpIayer.exelmagingDevices.exelmagingDevices.exewmpIayer.exeexpIorer.exe

pid	process
2100	lmagingDevices.exe
2100	lmagingDevices.exe
4024	lmagingDevices.exe
4024	lmagingDevices.exe
4672	wmpIayer.exe
4672	wmpIayer.exe
4272	lmagingDevices.exe
4272	lmagingDevices.exe
3524	lmagingDevices.exe
3524	lmagingDevices.exe
4916	wmpIayer.exe
4916	wmpIayer.exe
5040	expIorer.exe
5040	expIorer.exe

Drops file in Program Files directory 6 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\wmpIayer.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpIayer.exe	tmp.exe
File created	C:\Program Files\Windows Photo Viewer\lmagingDevices.exe	tmp.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\lmagingDevices.exe	tmp.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	tmp.exe

Drops file in Windows directory 28 IoCs

Processes:

tmp.exelmagingDevices.exewmpIayer.exeexpIorer.exelmagingDevices.exewmpIayer.exelmagingDevices.exelmagingDevices.exe

description	ioc	process
File created	C:\Windows\Help\240562375.zLn	tmp.exe
File created	C:\Windows\Help\240594953.LBn	lmagingDevices.exe
File created	C:\Windows\Help\240629531.3Ph	wmpIayer.exe
File created	C:\Windows\Help\240702625.rhV	expIorer.exe
File created	C:\Windows\Help\240647593.51v	lmagingDevices.exe
File created	C:\Windows\Help\240648593.7Z3	lmagingDevices.exe
File created	C:\Windows\Help\240683000.Zzl	wmpIayer.exe
File created	C:\Windows\Help\240629421.nTL	wmpIayer.exe
File created	C:\Windows\Help\240665875.z97	lmagingDevices.exe
File created	C:\Windows\Help\240612359.Zd1	lmagingDevices.exe
File created	C:\Windows\Help\240612468.1NT	lmagingDevices.exe
File created	\??\c:\windows\DLxj.bat	tmp.exe
File opened for modification	\??\c:\windows\expIorer.exe	tmp.exe
File created	C:\Windows\Help\240702515.1Z7	expIorer.exe
File created	C:\Windows\Help\240583875.r95	tmp.exe
File created	C:\Windows\Help\240648703.Bp9	lmagingDevices.exe
File created	C:\Windows\Help\240664765.n3l	lmagingDevices.exe
File created	C:\Windows\Help\240665765.9R9	lmagingDevices.exe
File created	C:\Windows\Help\240588875.z1J	tmp.exe
File created	C:\Windows\Help\240682000.h3X	wmpIayer.exe
File created	C:\Windows\Help\240683109.FxZ	wmpIayer.exe
File created	C:\Windows\Help\240628421.Zb1	wmpIayer.exe
File created	C:\Windows\Help\240595062.l7n	lmagingDevices.exe
File created	C:\Windows\Help\240611359.FV7	lmagingDevices.exe
File created	C:\Windows\Help\240589515.13B	tmp.exe
File created	C:\Windows\Help\240593937.1Dt	lmagingDevices.exe
File created	\??\c:\windows\expIorer.exe	tmp.exe
File created	C:\Windows\Help\240701515.5Th	expIorer.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

tmp.exe

pid	process
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe
2432	tmp.exe

Suspicious behavior: LoadsDriver 28 IoCs

Processes:

lmagingDevices.exelmagingDevices.exewmpIayer.exelmagingDevices.exelmagingDevices.exewmpIayer.exeexpIorer.exe

pid	process
2100	lmagingDevices.exe
2100	lmagingDevices.exe
2100	lmagingDevices.exe
2100	lmagingDevices.exe
4024	lmagingDevices.exe
4024	lmagingDevices.exe
4024	lmagingDevices.exe
4024	lmagingDevices.exe
4672	wmpIayer.exe
4672	wmpIayer.exe
4672	wmpIayer.exe
4672	wmpIayer.exe
4272	lmagingDevices.exe
4272	lmagingDevices.exe
4272	lmagingDevices.exe
4272	lmagingDevices.exe
3524	lmagingDevices.exe
3524	lmagingDevices.exe
3524	lmagingDevices.exe
3524	lmagingDevices.exe
4916	wmpIayer.exe
4916	wmpIayer.exe
4916	wmpIayer.exe
4916	wmpIayer.exe
5040	expIorer.exe
5040	expIorer.exe
5040	expIorer.exe
5040	expIorer.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

lmagingDevices.exelmagingDevices.exewmpIayer.exelmagingDevices.exelmagingDevices.exewmpIayer.exeexpIorer.exe

description	pid	process
Token: SeLoadDriverPrivilege	2100	lmagingDevices.exe
Token: SeDebugPrivilege	2100	lmagingDevices.exe
Token: SeLoadDriverPrivilege	2100	lmagingDevices.exe
Token: SeDebugPrivilege	2100	lmagingDevices.exe
Token: SeLoadDriverPrivilege	4024	lmagingDevices.exe
Token: SeDebugPrivilege	4024	lmagingDevices.exe
Token: SeLoadDriverPrivilege	4024	lmagingDevices.exe
Token: SeDebugPrivilege	4024	lmagingDevices.exe
Token: SeLoadDriverPrivilege	4672	wmpIayer.exe
Token: SeDebugPrivilege	4672	wmpIayer.exe
Token: SeLoadDriverPrivilege	4672	wmpIayer.exe
Token: SeDebugPrivilege	4672	wmpIayer.exe
Token: SeLoadDriverPrivilege	4272	lmagingDevices.exe
Token: SeDebugPrivilege	4272	lmagingDevices.exe
Token: SeLoadDriverPrivilege	4272	lmagingDevices.exe
Token: SeDebugPrivilege	4272	lmagingDevices.exe
Token: SeLoadDriverPrivilege	3524	lmagingDevices.exe
Token: SeDebugPrivilege	3524	lmagingDevices.exe
Token: SeLoadDriverPrivilege	3524	lmagingDevices.exe
Token: SeDebugPrivilege	3524	lmagingDevices.exe
Token: SeLoadDriverPrivilege	4916	wmpIayer.exe
Token: SeDebugPrivilege	4916	wmpIayer.exe
Token: SeLoadDriverPrivilege	4916	wmpIayer.exe
Token: SeDebugPrivilege	4916	wmpIayer.exe
Token: SeLoadDriverPrivilege	5040	expIorer.exe
Token: SeDebugPrivilege	5040	expIorer.exe
Token: SeLoadDriverPrivilege	5040	expIorer.exe
Token: SeDebugPrivilege	5040	expIorer.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 2432 wrote to memory of 2100	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 2100	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 2100	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4024	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4024	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4024	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4672	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4672	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4672	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4272	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 3524	2432	tmp.exe	lmagingDevices.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 4916	2432	tmp.exe	wmpIayer.exe
PID 2432 wrote to memory of 5040	2432	tmp.exe	expIorer.exe
PID 2432 wrote to memory of 5040	2432	tmp.exe	expIorer.exe
PID 2432 wrote to memory of 5040	2432	tmp.exe	expIorer.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432

C:\Program Files\Windows Photo Viewer\lmagingDevices.exe
"C:\Program Files\Windows Photo Viewer\lmagingDevices.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Program Files (x86)\Windows Media Player\wmpIayer.exe
"C:\Program Files (x86)\Windows Media Player\wmpIayer.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Program Files\Windows Photo Viewer\lmagingDevices.exe
"C:\Program Files\Windows Photo Viewer\lmagingDevices.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Program Files (x86)\Windows Media Player\wmpIayer.exe
"C:\Program Files (x86)\Windows Media Player\wmpIayer.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4916

\??\c:\windows\expIorer.exe
c:\windows\expIorer.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\wmpIayer.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files (x86)\Windows Media Player\wmpIayer.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files (x86)\Windows Media Player\wmpIayer.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Windows\Help\240593937.1Dt
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
C:\Windows\Help\240594953.LBn
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
C:\Windows\Help\240611359.FV7
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
C:\Windows\Help\240612359.Zd1
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
C:\Windows\Help\240628421.Zb1
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
C:\Windows\Help\240629421.nTL
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
C:\Windows\Help\240647593.51v
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
C:\Windows\Help\240648593.7Z3
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
C:\Windows\Help\240664765.n3l
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
C:\Windows\Help\240665765.9R9
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
C:\Windows\Help\240682000.h3X
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
C:\Windows\Help\240683000.Zzl
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
C:\Windows\Help\240701515.5Th
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
C:\Windows\Help\240702515.1Z7
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
C:\Windows\expIorer.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
\??\c:\windows\expIorer.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
memory/2100-139-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/2100-134-0x0000000000000000-mapping.dmp

Download
memory/2432-132-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2432-133-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3524-162-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/3524-158-0x0000000000000000-mapping.dmp

Download
memory/4024-145-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/4024-140-0x0000000000000000-mapping.dmp

Download
memory/4272-157-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/4272-153-0x0000000000000000-mapping.dmp

Download
memory/4672-152-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/4672-151-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/4672-146-0x0000000000000000-mapping.dmp

Download
memory/4916-163-0x0000000000000000-mapping.dmp

Download
memory/4916-167-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/5040-168-0x0000000000000000-mapping.dmp

Download
memory/5040-173-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download