blackmoon | cede6ac238893e42da9d3df998429d991ff02cdcd018f7de4e7b379c3d5fdc6a

Analysis

max time kernel
123s
max time network
150s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fw.exe
Size

84KB
MD5

bc6da13176887a094ff712a2e2a58ba4
SHA1

e67aff93f62eaf757b3167d86936cb71d653c8cf
SHA256

cede6ac238893e42da9d3df998429d991ff02cdcd018f7de4e7b379c3d5fdc6a
SHA512

555a7898693be4d4c5b265a6ed14656515efafd1f03beeb248e6aafafe3638095d39d5eb60589f74b5ca46a2fd835f182ca54ed0e1ad600c53098b57f57ed016
SSDEEP

1536:qZye8psDhdvoYIflDvf+RBe50UE8Feu6JsuDTpU0WyTwJg:6vdvYlDvWRBeiUDTBwVU0H8O

Score

10^/10

blackmoon banker persistence spyware stealer trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-54-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral1/memory/2008-56-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral1/memory/2008-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon

Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

Processes:

svchosh.exectfmon.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\9Ze_vgTAEZV.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\1EJ9F1jGh.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\1EJ9F1jGh.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\9GegxEaN.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\H5EVTeOyeap.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\H5EVTeOyeap.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\9Ze_vgTAEZV.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\9GegxEaN.sys	svchosh.exe
File opened for modification	C:\Windows\system32\drivers\etc\	ctfmon.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchosh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\9Ze_vgTAEZV\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\9Ze_vgTAEZV.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\1EJ9F1jGh\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\1EJ9F1jGh.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\9GegxEaN\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\9GegxEaN.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\H5EVTeOyeap\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\H5EVTeOyeap.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eesjxS1x\ImagePath = "\\??\\C:\\ProgramData\\Microsoft\\Crypto\\eesjxS1x.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eJUb86aBudP\ImagePath = "\\??\\C:\\ProgramData\\Microsoft\\MF\\eJUb86aBudP.sys"	svchosh.exe

Executes dropped EXE 5 IoCs

Processes:

zlib.exesvchosh.exedrx.exexwizard.exectfmon.exe

pid process

1432 zlib.exe
540 svchosh.exe
1060 drx.exe
1576 xwizard.exe
2036 ctfmon.exe
Loads dropped DLL 10 IoCs

Processes:

cmd.exeqappsrv.exexwizard.exectfmon.exe

pid process

296 cmd.exe
296 cmd.exe
1704 qappsrv.exe
1576 xwizard.exe
2036 ctfmon.exe
2036 ctfmon.exe
2036 ctfmon.exe
2036 ctfmon.exe
2036 ctfmon.exe
2036 ctfmon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1432	zlib.exe
540	svchosh.exe
1060	drx.exe
1576	xwizard.exe
2036	ctfmon.exe

pid	process
296	cmd.exe
296	cmd.exe
1704	qappsrv.exe
1576	xwizard.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2008-54-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2008-56-0x0000000000400000-0x0000000000454000-memory.dmp	upx
C:\Windows\zlib.exe	upx
behavioral1/memory/2008-63-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1432-77-0x0000000000090000-0x00000000001DE000-memory.dmp	upx
\Windows\Temp\drxm\drx.exe	upx
C:\Windows\Temp\drxm\drx.exe	upx
behavioral1/memory/1060-94-0x000000013F430000-0x000000013F50B000-memory.dmp	upx
behavioral1/memory/1060-125-0x000000013F430000-0x000000013F50B000-memory.dmp	upx
C:\Windows\Temp\drxm\drx.exe	upx

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	183.60.83.19
Destination IP	223.5.5.5
Destination IP	183.60.83.19
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	183.60.83.19

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\system32\FMCYHv.sys	vmprotect
behavioral1/memory/2036-303-0x00000000085B0000-0x0000000008C2B000-memory.dmp	vmprotect
behavioral1/memory/2036-313-0x0000000009F70000-0x000000000A381000-memory.dmp	vmprotect
C:\Windows\system32\t5CbKlkwO.sys	vmprotect
C:\Windows\system32\L5VJJklF.sys	vmprotect
C:\Windows\system32\RlKcuULB.sys	vmprotect

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchosh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	svchosh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchosh.exe

Drops file in System32 directory 10 IoCs

Processes:

ctfmon.exe

description	ioc	process
File created	C:\Windows\system32\t5CbKlkwO.sys	ctfmon.exe
File created	C:\Windows\system32\xK5d4T.tmp	ctfmon.exe
File opened for modification	C:\Windows\System32\asyncreg.log	ctfmon.exe
File created	C:\Windows\system32\FMCYHv.sys	ctfmon.exe
File created	C:\Windows\system32\tZQ8ZT.tmp	ctfmon.exe
File opened for modification	C:\Windows\system32\FMCYHv.sys	ctfmon.exe
File created	C:\Windows\system32\pYSyL7.tmp	ctfmon.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	ctfmon.exe
File opened for modification	C:\Windows\System32\dnsrsvlr.log	ctfmon.exe
File created	C:\Windows\system32\L5VJJklF.sys	ctfmon.exe

Drops file in Windows directory 3 IoCs

Processes:

fw.exesvchosh.exectfmon.exe

description	ioc	process
File created	C:\Windows\zlib.exe	fw.exe
File opened for modification	C:\Windows\inf\ServiceModelService 3.0.0.0\aE300.tmp	svchosh.exe
File opened for modification	C:\Windows\win.ini	ctfmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.2345.com?90335-00624	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	Explorer.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ctfmon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\93DC5488064995370596DF5F04FAB7AD5A81B78D	ctfmon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\93DC5488064995370596DF5F04FAB7AD5A81B78D\Blob = 03000000010000001400000093dc5488064995370596df5f04fab7ad5a81b78d20000000010000000a020000308202063082016fa003020102020100300d06092a864886f70d01010b05003027310b300906035504061302434e3118301606035504030c0f4953524720526f6f74205831205633301e170d3233303633303132343734315a170d3234303632393132343734315a3027310b300906035504061302434e3118301606035504030c0f4953524720526f6f7420583120563330819f300d06092a864886f70d010101050003818d0030818902818100d90a2f844983fc7193798a5f8624d50197efca7632576e472297f1bfc17a993d4ac32f46c85edee00157211c1b350f756b838e2eda1dd55fb3c3e38e78c1021fa73337d8312e0c6a2eb4ce0957ab45de166c0a672ede0200089be3009efd0168d8160997e30f385c9b930b71d93b39d84243ff9d5ab29af5c32c4e217c7435ed0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414553287bdcffa990b8f6047c1e70fa2e90f8ec280300d06092a864886f70d01010b050003818100a32ce514482730a1319bd1bda2fcc0c7f5015daae3dab0e3b4b66bf6dc0d44c43126fe326cd82265d5a808f9b6970bdeeccba40f35ffa9016e84718db2a02cb120275b2dc6ee70da1f52e7ad27f0eed90af04b8e0a32bc1cd11435b4cbe941d77338eea0305e7c6e3c5fb1e04acf9e7c7ea18da55597890b8381c76e81bb026d	ctfmon.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1872 PING.EXE

pid	process
1872	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchosh.exedrx.exeqappsrv.exexwizard.exectfmon.exeExplorer.EXE

pid	process
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
1060	drx.exe
1060	drx.exe
1060	drx.exe
1060	drx.exe
1060	drx.exe
1060	drx.exe
1060	drx.exe
1704	qappsrv.exe
1704	qappsrv.exe
1704	qappsrv.exe
1704	qappsrv.exe
1704	qappsrv.exe
1576	xwizard.exe
1576	xwizard.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
1312	Explorer.EXE
2036	ctfmon.exe
1312	Explorer.EXE
1312	Explorer.EXE
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
1312	Explorer.EXE
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
1312	Explorer.EXE
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe
2036	ctfmon.exe

Suspicious behavior: LoadsDriver 18 IoCs

Processes:

svchosh.exe

pid	process
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
540	svchosh.exe
464
464
464
464
464
464

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchosh.exedrx.exeqappsrv.exexwizard.exe

description	pid	process
Token: SeDebugPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	540	svchosh.exe
Token: SeLoadDriverPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	540	svchosh.exe
Token: SeLoadDriverPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	1060	drx.exe
Token: SeTcbPrivilege	1060	drx.exe
Token: SeLoadDriverPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	1060	drx.exe
Token: SeIncBasePriorityPrivilege	1060	drx.exe
Token: SeLoadDriverPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	540	svchosh.exe
Token: SeDebugPrivilege	1704	qappsrv.exe
Token: SeTcbPrivilege	1704	qappsrv.exe
Token: SeCreateTokenPrivilege	1704	qappsrv.exe
Token: SeAssignPrimaryTokenPrivilege	1704	qappsrv.exe
Token: SeLockMemoryPrivilege	1704	qappsrv.exe
Token: SeIncreaseQuotaPrivilege	1704	qappsrv.exe
Token: SeMachineAccountPrivilege	1704	qappsrv.exe
Token: SeTcbPrivilege	1704	qappsrv.exe
Token: SeSecurityPrivilege	1704	qappsrv.exe
Token: SeTakeOwnershipPrivilege	1704	qappsrv.exe
Token: SeLoadDriverPrivilege	1704	qappsrv.exe
Token: SeSystemProfilePrivilege	1704	qappsrv.exe
Token: SeSystemtimePrivilege	1704	qappsrv.exe
Token: SeProfSingleProcessPrivilege	1704	qappsrv.exe
Token: SeIncBasePriorityPrivilege	1704	qappsrv.exe
Token: SeCreatePagefilePrivilege	1704	qappsrv.exe
Token: SeCreatePermanentPrivilege	1704	qappsrv.exe
Token: SeBackupPrivilege	1704	qappsrv.exe
Token: SeRestorePrivilege	1704	qappsrv.exe
Token: SeShutdownPrivilege	1704	qappsrv.exe
Token: SeDebugPrivilege	1704	qappsrv.exe
Token: SeAuditPrivilege	1704	qappsrv.exe
Token: SeSystemEnvironmentPrivilege	1704	qappsrv.exe
Token: SeChangeNotifyPrivilege	1704	qappsrv.exe
Token: SeRemoteShutdownPrivilege	1704	qappsrv.exe
Token: SeUndockPrivilege	1704	qappsrv.exe
Token: SeSyncAgentPrivilege	1704	qappsrv.exe
Token: SeEnableDelegationPrivilege	1704	qappsrv.exe
Token: SeManageVolumePrivilege	1704	qappsrv.exe
Token: SeImpersonatePrivilege	1704	qappsrv.exe
Token: SeCreateGlobalPrivilege	1704	qappsrv.exe
Token: 31	1704	qappsrv.exe
Token: 32	1704	qappsrv.exe
Token: 33	1704	qappsrv.exe
Token: 34	1704	qappsrv.exe
Token: 35	1704	qappsrv.exe
Token: SeDebugPrivilege	1704	qappsrv.exe
Token: SeDebugPrivilege	1576	xwizard.exe
Token: SeTcbPrivilege	1576	xwizard.exe
Token: SeCreateTokenPrivilege	1576	xwizard.exe
Token: SeAssignPrimaryTokenPrivilege	1576	xwizard.exe
Token: SeLockMemoryPrivilege	1576	xwizard.exe
Token: SeIncreaseQuotaPrivilege	1576	xwizard.exe
Token: SeMachineAccountPrivilege	1576	xwizard.exe
Token: SeTcbPrivilege	1576	xwizard.exe
Token: SeSecurityPrivilege	1576	xwizard.exe
Token: SeTakeOwnershipPrivilege	1576	xwizard.exe
Token: SeLoadDriverPrivilege	1576	xwizard.exe
Token: SeSystemProfilePrivilege	1576	xwizard.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fw.exe

pid process

2008 fw.exe

pid	process
2008	fw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fw.exezlib.execmd.exedrx.exeqappsrv.exexwizard.exectfmon.exe

description	pid	process	target process
PID 2008 wrote to memory of 1432	2008	fw.exe	zlib.exe
PID 2008 wrote to memory of 1432	2008	fw.exe	zlib.exe
PID 2008 wrote to memory of 1432	2008	fw.exe	zlib.exe
PID 2008 wrote to memory of 1432	2008	fw.exe	zlib.exe
PID 1432 wrote to memory of 296	1432	zlib.exe	cmd.exe
PID 1432 wrote to memory of 296	1432	zlib.exe	cmd.exe
PID 1432 wrote to memory of 296	1432	zlib.exe	cmd.exe
PID 1432 wrote to memory of 296	1432	zlib.exe	cmd.exe
PID 296 wrote to memory of 540	296	cmd.exe	svchosh.exe
PID 296 wrote to memory of 540	296	cmd.exe	svchosh.exe
PID 296 wrote to memory of 540	296	cmd.exe	svchosh.exe
PID 296 wrote to memory of 540	296	cmd.exe	svchosh.exe
PID 296 wrote to memory of 1872	296	cmd.exe	PING.EXE
PID 296 wrote to memory of 1872	296	cmd.exe	PING.EXE
PID 296 wrote to memory of 1872	296	cmd.exe	PING.EXE
PID 296 wrote to memory of 1872	296	cmd.exe	PING.EXE
PID 296 wrote to memory of 1060	296	cmd.exe	drx.exe
PID 296 wrote to memory of 1060	296	cmd.exe	drx.exe
PID 296 wrote to memory of 1060	296	cmd.exe	drx.exe
PID 296 wrote to memory of 1060	296	cmd.exe	drx.exe
PID 1060 wrote to memory of 1704	1060	drx.exe	qappsrv.exe
PID 1060 wrote to memory of 1704	1060	drx.exe	qappsrv.exe
PID 1060 wrote to memory of 1704	1060	drx.exe	qappsrv.exe
PID 1060 wrote to memory of 1704	1060	drx.exe	qappsrv.exe
PID 1060 wrote to memory of 1704	1060	drx.exe	qappsrv.exe
PID 1060 wrote to memory of 1704	1060	drx.exe	qappsrv.exe
PID 1060 wrote to memory of 1704	1060	drx.exe	qappsrv.exe
PID 1060 wrote to memory of 1704	1060	drx.exe	qappsrv.exe
PID 1060 wrote to memory of 1332	1060	drx.exe	cmd.exe
PID 1060 wrote to memory of 1332	1060	drx.exe	cmd.exe
PID 1060 wrote to memory of 1332	1060	drx.exe	cmd.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1704 wrote to memory of 1576	1704	qappsrv.exe	xwizard.exe
PID 1576 wrote to memory of 792	1576	xwizard.exe	svchost.exe
PID 1576 wrote to memory of 792	1576	xwizard.exe	svchost.exe
PID 1576 wrote to memory of 792	1576	xwizard.exe	svchost.exe
PID 1576 wrote to memory of 792	1576	xwizard.exe	svchost.exe
PID 1576 wrote to memory of 792	1576	xwizard.exe	svchost.exe
PID 1576 wrote to memory of 792	1576	xwizard.exe	svchost.exe
PID 1576 wrote to memory of 2036	1576	xwizard.exe	ctfmon.exe
PID 1576 wrote to memory of 2036	1576	xwizard.exe	ctfmon.exe
PID 1576 wrote to memory of 2036	1576	xwizard.exe	ctfmon.exe
PID 1576 wrote to memory of 792	1576	xwizard.exe	svchost.exe
PID 1576 wrote to memory of 2036	1576	xwizard.exe	ctfmon.exe
PID 1576 wrote to memory of 2036	1576	xwizard.exe	ctfmon.exe
PID 1576 wrote to memory of 2036	1576	xwizard.exe	ctfmon.exe
PID 1576 wrote to memory of 2036	1576	xwizard.exe	ctfmon.exe
PID 1576 wrote to memory of 2036	1576	xwizard.exe	ctfmon.exe
PID 2036 wrote to memory of 1576	2036	ctfmon.exe	xwizard.exe
PID 2036 wrote to memory of 1576	2036	ctfmon.exe	xwizard.exe
PID 2036 wrote to memory of 1576	2036	ctfmon.exe	xwizard.exe
PID 2036 wrote to memory of 1576	2036	ctfmon.exe	xwizard.exe
PID 2036 wrote to memory of 1576	2036	ctfmon.exe	xwizard.exe
PID 2036 wrote to memory of 1312	2036	ctfmon.exe	Explorer.EXE
PID 2036 wrote to memory of 1312	2036	ctfmon.exe	Explorer.EXE
PID 2036 wrote to memory of 1312	2036	ctfmon.exe	Explorer.EXE
PID 2036 wrote to memory of 1312	2036	ctfmon.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:1312
- C:\Users\Admin\AppData\Local\Temp\fw.exe
  "C:\Users\Admin\AppData\Local\Temp\fw.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\zlib.exe
    C:\Windows\\zlib.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\temp\drxm\xm.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:296
    - - C:\Windows\Temp\drxm\svchosh.exe
        
        C:\Windows\Temp\drxm\\svchosh.exe
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1872
    - - C:\Windows\Temp\drxm\drx.exe
        
        C:\Windows\Temp\drxm\\drx.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\system32\qappsrv.exe
        
        "C:\Windows\system32\qappsrv.exe"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\\xwizard.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\2r6bl\ctfmon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\2r6bl\ctfmon.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Windows\Temp\drxm\drx.exe"
        6⤵
        
        PID:1332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
65e4a0f8ed616478869d2550dfed4bb8

SHA1
fe7f46d0252ae1d561aaedfa760570dcf744526f

SHA256
05ceb8998a63d6ddd1836d0801bd297b2c0518383979c6c742e0f25f2e966396

SHA512
04f27b46d5c8a4fc1d5fdaa5d9a800221150ab4ab7ea4f78099486f796c3abea11980b3418a078870732b76c69534d9e57677bb87f6e2ffece2e885861e936ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
e95124742d2342ad0617a74d39c450e3

SHA1
4b95f517ed0cfb627cf68a09be2b81007a2e42c2

SHA256
8a463d6cecc224a9c3533c658f9add7c7bd7ff3d2d3948e67a0860af856357b8

SHA512
4965dcc5a0ec5fa83c8ad312344790f9b11555ad4a36d7aa4535517750a82d539bab86774e33c120db2f6ef9ab68364367357fa0db90321dcec18e4fb8150714

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
c98349fe791a74b14abbe18ed5bfde8c

SHA1
0c23c46076f8bcd0a4072a9c188a6c920b0c5d00

SHA256
bcdd1de2780cc93dab88df600819b9b7ea8aaeedb965bd54b0138d214af91609

SHA512
c0e8a91022678c3a092f69ecc1e6fbd5762bb5eeee1be688c9c63f6ca67cca2055b2cefb507d22e8b97b12a3ad6963bf7a7948716993c9d6ef412bb8d8f8d39a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
684f2ccf3255cdb01ecf3e81f41491d1

SHA1
97090c524d76548af2242942e7fc83a559ea5f0c

SHA256
e177a5dd365be9c6066ce6b2aaa41abd07b180d3d9faf3251a54120531cddd15

SHA512
708a043f87a4bb07e9525f3e2a6a45e8ea72b3caca992149c1585e196fd2eb5bd4f9f2fb23f9b52489f24d12133c75f915bbabb9fa299f482c57ba589b3a5a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
b5b3f72a3aa0359c8ba9336d200adc05

SHA1
ba69de044e5118205689e15d5c0fa8912b873ce9

SHA256
e3a6dbdcb162f7b647554363f48f09e4ba1373e5920eda6b7ee9ec394368809b

SHA512
2215f32a4a31c4bd9b3925850ffdcf320d163414e113d22bbe35e4f179079854215e4ff2d57cc0772e244e1b9e9a5f7f8438f101050411c149271f7e02aecec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb1baeb872e6c93d49f0b3071e9ed421

SHA1
22fa5ef42dfc6ed8c6c139e2088096e4a772a30c

SHA256
714a1e290e5087568c0054f0a066c1fd5b5dc03561ec3e283f36aa6bcfe03bff

SHA512
0c5b9e8c85c99f14a9b205207f0cdf38ca14c9e7895016fa973945707caf7d4a63d91b27f9aae6ee08530825d09cc744676cbbe91a1f4b37bee919b4fa8b0f8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
7122f683abb0cb4603b1adee1884306f

SHA1
bafbfb81752101c2990babe02ec539b430c74236

SHA256
2b2c3123c1fcda0ef5a0ed49ab195e43e2478cf8450930621022b1b4970751a4

SHA512
64317814a115b1e617c4a4127ca906486aa46ff8f98392777dc128dc1ce15002534fccb7211b3b181e05d0a2909ea14fb04a8c268452c0f51d56f78779a6c80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2r6bl\ctfmon.exe

Filesize
9KB

MD5
42b6a94dd747df2b5f628a2752e62a98

SHA1
8ee03b706ea8c0142cd3140ac15f901d479a0b4d

SHA256
4a49eae1322e65ffa6c71f0bea52caec97d1f30de71fb068cd9fd8318c8287ab

SHA512
6175285fe74961156a8947462b77454af675f9ae4ed7a80129e291402dcfeaba99038864edaca8e75084fbcd811522d00210ee76b355aed9aa541390952d7e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5320.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic9678.tmp

Filesize
3KB

MD5
7119be648c798ec949869fecf3678fdf

SHA1
80432c6c8422751c3f42d1feabdbe6209d82bb83

SHA256
596583f8cd154569defe1b0c3307d2ff32b78185a8eb7a75ae15a5bb44bd5686

SHA512
8e8f139ccc4e584392c8e2d78027442512332f9e6273de6af917fa5632529dc6c04ecfbc16a6dafd943f5cd382e211a96f23d52bdef84f8c1aa0946a301cc23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
192KB

MD5
68e97252669acacf76a58954b5b4e2be

SHA1
f249b52cf6486da051342b0a1e37139c74887548

SHA256
5990c064067f5112a3388eb98cded7693cd8081a5300c150b5a62ac071b71c27

SHA512
5716c0b7341fabe80c41e39b695e9c1f8a41294938b61d2ae7110a91be5c24413bdeb99ff9d2c0a634763228b625647e2e48c573870b22e9c93e0cd7f32c82ed

Download Submit
C:\Windows\System32\pYSyL7.tmp

Filesize
9KB

MD5
3a91a82b0911a6905d13a7ad10f4f1b6

SHA1
de1184c978f1cf1177e0966ee245d5a07a21ea93

SHA256
da560330512e8b6724f6b3a68000ac0590ff7a3aa62475029702d9759782c561

SHA512
b3f965950bcf82e04b2f5248246ca5d7dc2b9bece6251ac5f7756b5c0fc7829bfeab31720a45c091a760c4a4fc0a963e33467e0c3b251444cad7e7c8df137a74

Download Submit
C:\Windows\Temp\drxm\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
C:\Windows\Temp\drxm\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
C:\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
C:\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
C:\Windows\Temp\drxm\xm.bat

Filesize
203B

MD5
7ad87393edbfa2718bb172d84eb7ffc8

SHA1
59e87ca229b3fa0a4d023571d9b23e7652fe91a9

SHA256
638a70fc5c280af5821d6cc6a03877229a6458ed56df156c91fd0ec8f1a5965c

SHA512
ebed640fcf594e26fb175079160ee47c9dffb864f23903b588ee5d12910f3d35204ccd991ef46695a1a8da1531386d317256295eaeb2fe32fe5d86f843acbde6

Download Submit
C:\Windows\system32\FMCYHv.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\system32\L5VJJklF.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\system32\RlKcuULB.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\system32\t5CbKlkwO.sys

Filesize
887KB

MD5
bf6a2ed5922f4f6d2553b6c96ee79c28

SHA1
9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

SHA256
693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

SHA512
46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

Download Submit
C:\Windows\temp\drxm\xm.bat

Filesize
203B

MD5
7ad87393edbfa2718bb172d84eb7ffc8

SHA1
59e87ca229b3fa0a4d023571d9b23e7652fe91a9

SHA256
638a70fc5c280af5821d6cc6a03877229a6458ed56df156c91fd0ec8f1a5965c

SHA512
ebed640fcf594e26fb175079160ee47c9dffb864f23903b588ee5d12910f3d35204ccd991ef46695a1a8da1531386d317256295eaeb2fe32fe5d86f843acbde6

Download Submit
C:\Windows\zlib.exe

Filesize
1.1MB

MD5
2156499ed40b54d8602275a06fa527b9

SHA1
88bfaffeaf61e7c5dd2c5f9f60307adedbb6566f

SHA256
6933b2cb03952e5894ae9fcda474d628fd58b982167c6e70f1af468299c71223

SHA512
dc15fd515e411512072ceb033e9819865dc60908965a70b30ef435011f70e5c33e9485bc31e01bc30dd96cc8761d5eca6ae4de076d1b0f7ed8e328550c1ffae3

Download Submit
\Users\Admin\AppData\Local\Temp\2r6bl\ctfmon.exe

Filesize
9KB

MD5
42b6a94dd747df2b5f628a2752e62a98

SHA1
8ee03b706ea8c0142cd3140ac15f901d479a0b4d

SHA256
4a49eae1322e65ffa6c71f0bea52caec97d1f30de71fb068cd9fd8318c8287ab

SHA512
6175285fe74961156a8947462b77454af675f9ae4ed7a80129e291402dcfeaba99038864edaca8e75084fbcd811522d00210ee76b355aed9aa541390952d7e2c

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
115KB

MD5
b9624604528aa545a3303ddc3ea3b9d7

SHA1
c4b95895b13bc83c96d945034de4c0460c764572

SHA256
278e8bd017ac178fce9a847e0f326ed104647ccd43635e7ec45065d76a8efa31

SHA512
e3421ab696db44d61fc62ac5ca94826f7f19f202c31dff0e3cc04ed4f18495fccfd4f748bf42beeaecb7a2abfabbbb065b6fade8db3856d3123b1ed7b93497d3

Download Submit
\Windows\Temp\drxm\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
memory/792-165-0x0000000002030000-0x00000000023EF000-memory.dmp

Filesize
3.7MB

Download
memory/1060-92-0x000007FE7E630000-0x000007FE7E631000-memory.dmp

Filesize
4KB

Download
memory/1060-125-0x000000013F430000-0x000000013F50B000-memory.dmp

Filesize
876KB

Download
memory/1060-90-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1060-91-0x000007FE7E620000-0x000007FE7E621000-memory.dmp

Filesize
4KB

Download
memory/1060-93-0x000007FE7E640000-0x000007FE7E641000-memory.dmp

Filesize
4KB

Download
memory/1060-94-0x000000013F430000-0x000000013F50B000-memory.dmp

Filesize
876KB

Download
memory/1312-345-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/1312-342-0x00000000060F0000-0x000000000613F000-memory.dmp

Filesize
316KB

Download
memory/1312-344-0x00000000041F0000-0x00000000041F3000-memory.dmp

Filesize
12KB

Download
memory/1312-265-0x0000000007970000-0x0000000007A87000-memory.dmp

Filesize
1.1MB

Download
memory/1312-322-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/1312-320-0x0000000007E40000-0x0000000007EC1000-memory.dmp

Filesize
516KB

Download
memory/1312-308-0x0000000003ED0000-0x0000000003F4C000-memory.dmp

Filesize
496KB

Download
memory/1312-222-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/1312-277-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download
memory/1312-208-0x0000000002A90000-0x0000000002AE0000-memory.dmp

Filesize
320KB

Download
memory/1312-273-0x0000000003DF0000-0x0000000003DF3000-memory.dmp

Filesize
12KB

Download
memory/1312-219-0x0000000003D80000-0x0000000003DD6000-memory.dmp

Filesize
344KB

Download
memory/1432-77-0x0000000000090000-0x00000000001DE000-memory.dmp

Filesize
1.3MB

Download
memory/1576-146-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1576-193-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/1576-164-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1576-148-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1576-163-0x0000000002910000-0x0000000002CCF000-memory.dmp

Filesize
3.7MB

Download
memory/1576-140-0x0000000000510000-0x00000000008C9000-memory.dmp

Filesize
3.7MB

Download
memory/1576-137-0x0000000000150000-0x000000000050A000-memory.dmp

Filesize
3.7MB

Download
memory/1576-264-0x0000000002910000-0x0000000002CCF000-memory.dmp

Filesize
3.7MB

Download
memory/1576-202-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/1704-134-0x0000000002080000-0x000000000247C000-memory.dmp

Filesize
4.0MB

Download
memory/1704-126-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1704-122-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1704-121-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1704-139-0x0000000002080000-0x000000000247C000-memory.dmp

Filesize
4.0MB

Download
memory/1704-118-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1704-179-0x0000000002080000-0x000000000247C000-memory.dmp

Filesize
4.0MB

Download
memory/1704-143-0x0000000002080000-0x000000000247C000-memory.dmp

Filesize
4.0MB

Download
memory/1704-117-0x0000000000290000-0x0000000000687000-memory.dmp

Filesize
4.0MB

Download
memory/2008-54-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-56-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2036-177-0x000007FEBE5F0000-0x000007FEBE600000-memory.dmp

Filesize
64KB

Download
memory/2036-178-0x0000000037520000-0x0000000037530000-memory.dmp

Filesize
64KB

Download
memory/2036-252-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2036-250-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2036-254-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2036-251-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2036-249-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2036-267-0x00000000026E0000-0x0000000002790000-memory.dmp

Filesize
704KB

Download
memory/2036-270-0x0000000002070000-0x00000000023CB000-memory.dmp

Filesize
3.4MB

Download
memory/2036-271-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/2036-272-0x0000000004210000-0x00000000042D6000-memory.dmp

Filesize
792KB

Download
memory/2036-248-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2036-275-0x0000000004860000-0x000000000490F000-memory.dmp

Filesize
700KB

Download
memory/2036-170-0x00000000001C0000-0x0000000000513000-memory.dmp

Filesize
3.3MB

Download
memory/2036-276-0x00000000078A0000-0x0000000007A21000-memory.dmp

Filesize
1.5MB

Download
memory/2036-303-0x00000000085B0000-0x0000000008C2B000-memory.dmp

Filesize
6.5MB

Download
memory/2036-306-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/2036-304-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/2036-307-0x0000000009190000-0x00000000094C3000-memory.dmp

Filesize
3.2MB

Download
memory/2036-223-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2036-313-0x0000000009F70000-0x000000000A381000-memory.dmp

Filesize
4.1MB

Download
memory/2036-309-0x0000000004480000-0x0000000004534000-memory.dmp

Filesize
720KB

Download
memory/2036-319-0x0000000005160000-0x0000000005255000-memory.dmp

Filesize
980KB

Download
memory/2036-253-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2036-182-0x000007FEBE5F0000-0x000007FEBE600000-memory.dmp

Filesize
64KB

Download
memory/2036-324-0x000000000A6D0000-0x000000000A7F6000-memory.dmp

Filesize
1.1MB

Download
memory/2036-328-0x000000000A800000-0x000000000AA30000-memory.dmp

Filesize
2.2MB

Download
memory/2036-335-0x00000000032D0000-0x000000000331E000-memory.dmp

Filesize
312KB

Download
memory/2036-339-0x0000000004070000-0x00000000040F7000-memory.dmp

Filesize
540KB

Download
memory/2036-184-0x0000000002070000-0x00000000023CB000-memory.dmp

Filesize
3.4MB

Download
memory/2036-186-0x0000000037520000-0x0000000037530000-memory.dmp

Filesize
64KB

Download
memory/2036-201-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2036-347-0x0000000009C00000-0x0000000009CA9000-memory.dmp

Filesize
676KB

Download
memory/2036-354-0x0000000004C20000-0x0000000004CAF000-memory.dmp

Filesize
572KB

Download
memory/2036-360-0x000000000C7D0000-0x000000000C8A2000-memory.dmp

Filesize
840KB

Download
memory/2036-369-0x0000000004190000-0x00000000041F9000-memory.dmp

Filesize
420KB

Download
memory/2036-376-0x000000000CBF0000-0x000000000CCEA000-memory.dmp

Filesize
1000KB

Download
memory/2036-203-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/2036-399-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/2036-400-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/2036-401-0x000000000B5A0000-0x000000000B7AF000-memory.dmp

Filesize
2.1MB

Download
memory/2036-204-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/2036-205-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/2036-210-0x0000000002070000-0x00000000023CB000-memory.dmp

Filesize
3.4MB

Download
memory/2036-220-0x0000000003D80000-0x0000000003DD6000-memory.dmp

Filesize
344KB

Download
memory/2036-224-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download