Overview

overview

10

Static

static

10

fw.exe

windows7-x64

10

fw.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-06-2023 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fw.exe

  • Size

    84KB

  • MD5

    bc6da13176887a094ff712a2e2a58ba4

  • SHA1

    e67aff93f62eaf757b3167d86936cb71d653c8cf

  • SHA256

    cede6ac238893e42da9d3df998429d991ff02cdcd018f7de4e7b379c3d5fdc6a

  • SHA512

    555a7898693be4d4c5b265a6ed14656515efafd1f03beeb248e6aafafe3638095d39d5eb60589f74b5ca46a2fd835f182ca54ed0e1ad600c53098b57f57ed016

  • SSDEEP

    1536:qZye8psDhdvoYIflDvf+RBe50UE8Feu6JsuDTpU0WyTwJg:6vdvYlDvWRBeiUDTBwVU0H8O

Score
10/10
blackmoonbankerpersistencespywarestealertrojanupxvmprotect

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 5 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 9 IoCs
  • Sets service image path in registry 2 TTPs 4 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3300
    • C:\Users\Admin\AppData\Local\Temp\fw.exe
      "C:\Users\Admin\AppData\Local\Temp\fw.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\zlib.exe
        C:\Windows\\zlib.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3428
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\temp\drxm\xm.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5044
          • C:\Windows\Temp\drxm\svchosh.exe
            C:\Windows\Temp\drxm\\svchosh.exe
            5⤵
            • Drops file in Drivers directory
            • Sets service image path in registry
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: LoadsDriver
            • Suspicious use of AdjustPrivilegeToken
            PID:724
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 5 127.0.0.1
            5⤵
            • Runs ping.exe
            PID:648
          • C:\Windows\Temp\drxm\drx.exe
            C:\Windows\Temp\drxm\\drx.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3576
            • C:\Windows\system32\rdpsign.exe
              "C:\Windows\system32\rdpsign.exe"
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4036
              • C:\Users\Admin\AppData\Local\Temp\cleanmgr.exe
                C:\Users\Admin\AppData\Local\Temp\\cleanmgr.exe
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3700
                • C:\Users\Admin\AppData\Local\Temp\910f248\AtBroker.exe
                  "C:\Users\Admin\AppData\Local\Temp\\910f248\AtBroker.exe"
                  8⤵
                  • Drops file in Drivers directory
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • Checks SCSI registry key(s)
                  • Modifies system certificate store
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of WriteProcessMemory
                  PID:2040
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Windows\Temp\drxm\drx.exe"
              6⤵
                PID:2828
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1140

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
      Filesize

      1KB

      MD5

      65e4a0f8ed616478869d2550dfed4bb8

      SHA1

      fe7f46d0252ae1d561aaedfa760570dcf744526f

      SHA256

      05ceb8998a63d6ddd1836d0801bd297b2c0518383979c6c742e0f25f2e966396

      SHA512

      04f27b46d5c8a4fc1d5fdaa5d9a800221150ab4ab7ea4f78099486f796c3abea11980b3418a078870732b76c69534d9e57677bb87f6e2ffece2e885861e936ff

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
      Filesize

      1KB

      MD5

      e95124742d2342ad0617a74d39c450e3

      SHA1

      4b95f517ed0cfb627cf68a09be2b81007a2e42c2

      SHA256

      8a463d6cecc224a9c3533c658f9add7c7bd7ff3d2d3948e67a0860af856357b8

      SHA512

      4965dcc5a0ec5fa83c8ad312344790f9b11555ad4a36d7aa4535517750a82d539bab86774e33c120db2f6ef9ab68364367357fa0db90321dcec18e4fb8150714

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
      Filesize

      1KB

      MD5

      1140240e4a22f7372b4a830261578b5f

      SHA1

      38af2ae97d706dbe93902de445330d7e376caa5d

      SHA256

      d6b3004b72ddcf3e0084a651acc28a872e72943243c251e7c1cd0f488fbc6484

      SHA512

      8febd3afe973dcb5df8fa2a9efcef86884e865abc398371467d4dda2b2a87670fa3e50b1551524177d9f709b21c788c6c538fe0649f918cf270847439d5d2956

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
      Filesize

      508B

      MD5

      b7c42371e62eefa77c6d9e39539723a8

      SHA1

      ba255bbe9130bc56ba7538a923bf9619f245eff7

      SHA256

      eb46615839669d95ea6773a8fdaae9b05a7173c05ea60d6d5c72af3a608ab5e9

      SHA512

      9dec27d646de516e43dd739f145e5bcc00387e4c7374c2963f1e58d0b99a6bf7c284040858d8ef439ab2b279b9dfbc50312cca45d46ab161c44cb69deba1cec2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
      Filesize

      532B

      MD5

      b75d5e19121cbb3f840d213855b9c94c

      SHA1

      53b05f61d1d2cfd84d6dfd9c6a503cbe78e5c370

      SHA256

      6ecff2246279f976d93967579b69fcbafe2f253347cfc3cdd7c840fadb17de28

      SHA512

      91c603dd59b32473e6df2d4443dadd2b40cf91dbd2d805723c8619f7d447a44e4f457854ded7c3cc7eed5ee7e307abd9212287489b3c9487331c7317dbd515db

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
      Filesize

      506B

      MD5

      a769ab4390211f56815ea45e435f4208

      SHA1

      edb1ea234b4296abbd9d3ef3702af2e3f5caf347

      SHA256

      56e104ba7e8f19a42c2fe6c262bc8429e632eab90eda45a9b898323637401bc6

      SHA512

      433c3d3be9d68751247a398beab7572bad817ad96f48985f559440b054ceef401c65ea3df3e21e80fdc7449ef89a262f5a4ab1d849e1f33a3b70f778e1014bd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\910f248\AtBroker.exe
      Filesize

      90KB

      MD5

      30076e434a015bdf4c136e09351882cc

      SHA1

      584c958a35e23083a0861421357405afd26d9a0c

      SHA256

      ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

      SHA512

      675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cleanmgr.exe
      Filesize

      19KB

      MD5

      8f9739e266623499391cbac652a01036

      SHA1

      da16142d698dbbd243930e5058d7756f2204296d

      SHA256

      33f636f222a3af0bbbe429cc87b25b21b6c56182936c81c9453c4bdfb61a3c5e

      SHA512

      d5e562332b4bcd77c7c4c426491e37d3501388656e51f600fb6f007a59675d3ad5669487e730a38af705e94e2746f1bd9238190fe1c6152229096a5180aa3797

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cleanmgr.exe
      Filesize

      19KB

      MD5

      8f9739e266623499391cbac652a01036

      SHA1

      da16142d698dbbd243930e5058d7756f2204296d

      SHA256

      33f636f222a3af0bbbe429cc87b25b21b6c56182936c81c9453c4bdfb61a3c5e

      SHA512

      d5e562332b4bcd77c7c4c426491e37d3501388656e51f600fb6f007a59675d3ad5669487e730a38af705e94e2746f1bd9238190fe1c6152229096a5180aa3797

      Download Submit

    • C:\Windows\System32\JHilkFs.tmp
      Filesize

      9KB

      MD5

      3a91a82b0911a6905d13a7ad10f4f1b6

      SHA1

      de1184c978f1cf1177e0966ee245d5a07a21ea93

      SHA256

      da560330512e8b6724f6b3a68000ac0590ff7a3aa62475029702d9759782c561

      SHA512

      b3f965950bcf82e04b2f5248246ca5d7dc2b9bece6251ac5f7756b5c0fc7829bfeab31720a45c091a760c4a4fc0a963e33467e0c3b251444cad7e7c8df137a74

      Download Submit

    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
      Filesize

      2KB

      MD5

      8abf2d6067c6f3191a015f84aa9b6efe

      SHA1

      98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

      SHA256

      ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

      SHA512

      c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

      Download Submit

    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
      Filesize

      2KB

      MD5

      f313c5b4f95605026428425586317353

      SHA1

      06be66fa06e1cffc54459c38d3d258f46669d01a

      SHA256

      129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

      SHA512

      b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

      Download Submit

    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
      Filesize

      2KB

      MD5

      ceb7caa4e9c4b8d760dbf7e9e5ca44c5

      SHA1

      a3879621f9493414d497ea6d70fbf17e283d5c08

      SHA256

      98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

      SHA512

      1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

      Download Submit

    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
      Filesize

      2KB

      MD5

      7d612892b20e70250dbd00d0cdd4f09b

      SHA1

      63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

      SHA256

      727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

      SHA512

      f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

      Download Submit

    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
      Filesize

      2KB

      MD5

      1e8e2076314d54dd72e7ee09ff8a52ab

      SHA1

      5fd0a67671430f66237f483eef39ff599b892272

      SHA256

      55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

      SHA512

      5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

      Download Submit

    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
      Filesize

      2KB

      MD5

      0b990e24f1e839462c0ac35fef1d119e

      SHA1

      9e17905f8f68f9ce0a2024d57b537aa8b39c6708

      SHA256

      a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

      SHA512

      c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

      Download Submit

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      147KB

      MD5

      f3f1a87caf2dad7a5d51d05be419d720

      SHA1

      d087b075322ab5db081264ecebfa68e9c48ea799

      SHA256

      710fe82447ee6b75a9ad2fe3d381151fb64161701c9e1584e206655ced64549c

      SHA512

      11f1c023550fdb2f8b65a18ff2b84fa1e57a7019ec5b515e294804add3447dd85c83fa00d4285b98fc388feb2e4fa2c9235932d7ca5524d38a54565b232dd791

      Download Submit

    • C:\Windows\System32\oaBwSobz.sys
      Filesize

      887KB

      MD5

      bf6a2ed5922f4f6d2553b6c96ee79c28

      SHA1

      9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

      SHA256

      693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

      SHA512

      46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

      Download Submit

    • C:\Windows\System32\oaBwSobz.sys
      Filesize

      1.5MB

      MD5

      f4fdee6f598ff906de93ad1e280b47a4

      SHA1

      08fc2a8850ddf94af5d83d03e6caf192d392ccea

      SHA256

      45ab5459806544a9c567e49094d2bf6280081b8bddd96c0f9ef766a57f0fc33e

      SHA512

      cf79ce0a2eb05dd537017072907eb6d61783abb1616522ea8a7744f10e745e6640be90f6d2762c6602365c433a2e98c9c1091b584b5fa38cc22f9d5b179459a0

      Download Submit

    • C:\Windows\Temp\drxm\drx.exe
      Filesize

      222KB

      MD5

      fda6409e19a40a1b6dc73568199331f7

      SHA1

      a61f7250bd1f776c3dc63eaf12770690a399f25d

      SHA256

      b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

      SHA512

      e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

      Download Submit

    • C:\Windows\Temp\drxm\drx.exe
      Filesize

      222KB

      MD5

      fda6409e19a40a1b6dc73568199331f7

      SHA1

      a61f7250bd1f776c3dc63eaf12770690a399f25d

      SHA256

      b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

      SHA512

      e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

      Download Submit

    • C:\Windows\Temp\drxm\svchosh.exe
      Filesize

      766KB

      MD5

      a6dc95dbe25ef89c40c6943ab64d8b2d

      SHA1

      0d01f835a589191b6c28d264ee34a318df63012f

      SHA256

      8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

      SHA512

      e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

      Download Submit

    • C:\Windows\Temp\drxm\svchosh.exe
      Filesize

      766KB

      MD5

      a6dc95dbe25ef89c40c6943ab64d8b2d

      SHA1

      0d01f835a589191b6c28d264ee34a318df63012f

      SHA256

      8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

      SHA512

      e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

      Download Submit

    • C:\Windows\system32\4JugCWM.sys
      Filesize

      887KB

      MD5

      bf6a2ed5922f4f6d2553b6c96ee79c28

      SHA1

      9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

      SHA256

      693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

      SHA512

      46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

      Download Submit

    • C:\Windows\system32\a3KPJDKjN.sys
      Filesize

      887KB

      MD5

      bf6a2ed5922f4f6d2553b6c96ee79c28

      SHA1

      9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

      SHA256

      693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

      SHA512

      46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

      Download Submit

    • C:\Windows\system32\fmi82acQs.sys
      Filesize

      887KB

      MD5

      bf6a2ed5922f4f6d2553b6c96ee79c28

      SHA1

      9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

      SHA256

      693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

      SHA512

      46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

      Download Submit

    • C:\Windows\system32\npesQH.sys
      Filesize

      887KB

      MD5

      bf6a2ed5922f4f6d2553b6c96ee79c28

      SHA1

      9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

      SHA256

      693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

      SHA512

      46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

      Download Submit

    • C:\Windows\system32\oaBwSobz.sys
      Filesize

      887KB

      MD5

      bf6a2ed5922f4f6d2553b6c96ee79c28

      SHA1

      9ed49aa6dd64ed584b331c78c7a3864cfdd6799a

      SHA256

      693fa06e40368f80a355f39e605d655496cc67e293c30e452a534f93ff2a242e

      SHA512

      46bc6cc31cce51b1b3396d3455e4048c4f0e758cfc01fc69cae461b630b283f6eb539bbf6391f269eb5f016940aa33b16c0135d85bd708f05a20695f3803c0cb

      Download Submit

    • C:\Windows\temp\drxm\xm.bat
      Filesize

      203B

      MD5

      7ad87393edbfa2718bb172d84eb7ffc8

      SHA1

      59e87ca229b3fa0a4d023571d9b23e7652fe91a9

      SHA256

      638a70fc5c280af5821d6cc6a03877229a6458ed56df156c91fd0ec8f1a5965c

      SHA512

      ebed640fcf594e26fb175079160ee47c9dffb864f23903b588ee5d12910f3d35204ccd991ef46695a1a8da1531386d317256295eaeb2fe32fe5d86f843acbde6

      Download Submit

    • C:\Windows\zlib.exe
      Filesize

      1.1MB

      MD5

      2156499ed40b54d8602275a06fa527b9

      SHA1

      88bfaffeaf61e7c5dd2c5f9f60307adedbb6566f

      SHA256

      6933b2cb03952e5894ae9fcda474d628fd58b982167c6e70f1af468299c71223

      SHA512

      dc15fd515e411512072ceb033e9819865dc60908965a70b30ef435011f70e5c33e9485bc31e01bc30dd96cc8761d5eca6ae4de076d1b0f7ed8e328550c1ffae3

      Download Submit

    • C:\Windows\zlib.exe
      Filesize

      1.1MB

      MD5

      2156499ed40b54d8602275a06fa527b9

      SHA1

      88bfaffeaf61e7c5dd2c5f9f60307adedbb6566f

      SHA256

      6933b2cb03952e5894ae9fcda474d628fd58b982167c6e70f1af468299c71223

      SHA512

      dc15fd515e411512072ceb033e9819865dc60908965a70b30ef435011f70e5c33e9485bc31e01bc30dd96cc8761d5eca6ae4de076d1b0f7ed8e328550c1ffae3

      Download Submit

    • memory/1140-204-0x000002B628100000-0x000002B6284BF000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/2040-298-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-299-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-216-0x0000015B43220000-0x0000015B4323A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2040-218-0x0000015B43240000-0x0000015B43243000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2040-219-0x0000015B44B00000-0x0000015B44B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2040-215-0x0000015B44BC0000-0x0000015B44F1B000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2040-518-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-229-0x000001BD12380000-0x000001BD1239C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2040-230-0x000001BD12380000-0x000001BD1239C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2040-231-0x000001BD12380000-0x000001BD1239C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2040-517-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-236-0x0000015B44BC0000-0x0000015B44F1B000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2040-261-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-516-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2040-213-0x00007FF8BD0F0000-0x00007FF8BD100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-212-0x00007FF8BD0F0000-0x00007FF8BD100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-210-0x00007FF8BD0F0000-0x00007FF8BD100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-514-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-511-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-509-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2040-510-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-507-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2040-506-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2040-472-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-471-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-458-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2040-287-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-288-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-289-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-291-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-293-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-297-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-456-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-342-0x0000015B468D0000-0x0000015B46979000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2040-301-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-300-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-302-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-296-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-295-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-294-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-292-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2040-455-0x0000015B49420000-0x0000015B494D6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/2040-305-0x0000015B44BC0000-0x0000015B44F1B000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2040-307-0x0000015B43220000-0x0000015B4323A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2040-308-0x0000015B43220000-0x0000015B4323A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2040-309-0x0000015B43240000-0x0000015B43243000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2040-310-0x0000015B46200000-0x0000015B46326000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2040-306-0x0000015B43220000-0x0000015B4323A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2040-217-0x0000015B43220000-0x0000015B4323A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2040-407-0x0000015B48AD0000-0x0000015B48E03000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/2040-319-0x0000015B45BB0000-0x0000015B45C5F000-memory.dmp

      Filesize

      700KB

      Download

    • memory/2040-320-0x000001BD12380000-0x000001BD1239C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2040-321-0x000001BD12380000-0x000001BD1239C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2040-322-0x0000015B46CC0000-0x0000015B470D1000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2040-323-0x0000015B45BB0000-0x0000015B45C5F000-memory.dmp

      Filesize

      700KB

      Download

    • memory/2040-355-0x000001BD12380000-0x000001BD1239C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2040-353-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2040-352-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2040-351-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2040-345-0x0000015B48AD0000-0x0000015B48E03000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/2040-344-0x0000015B46980000-0x0000015B469CE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2040-337-0x000001BD12380000-0x000001BD1239C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2040-343-0x0000015B48230000-0x0000015B48325000-memory.dmp

      Filesize

      980KB

      Download

    • memory/2040-339-0x0000015B469E0000-0x0000015B46A90000-memory.dmp

      Filesize

      704KB

      Download

    • memory/2040-340-0x0000015B47AD0000-0x0000015B47B96000-memory.dmp

      Filesize

      792KB

      Download

    • memory/2040-341-0x0000015B47EB0000-0x0000015B480BF000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3300-315-0x0000000009830000-0x0000000009947000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3300-316-0x00000000032D0000-0x00000000032DD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3300-329-0x0000000003280000-0x0000000003281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-328-0x0000000003280000-0x0000000003281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-327-0x0000000003280000-0x0000000003281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-325-0x0000000003280000-0x0000000003281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-326-0x0000000003280000-0x0000000003281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-324-0x0000000003280000-0x0000000003281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-338-0x0000000003280000-0x0000000003281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-235-0x0000000007D90000-0x0000000007DE6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3428-151-0x0000000000E30000-0x0000000000F7E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3576-187-0x00007FF73F890000-0x00007FF73F96B000-memory.dmp

      Filesize

      876KB

      Download

    • memory/3576-175-0x00007FF87D120000-0x00007FF87D121000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3576-164-0x00007FF73F890000-0x00007FF73F96B000-memory.dmp

      Filesize

      876KB

      Download

    • memory/3700-303-0x000001BD102E0000-0x000001BD1069F000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3700-228-0x000001BD12380000-0x000001BD1239C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3700-192-0x000001BD10030000-0x000001BD10033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3700-195-0x000001BD10030000-0x000001BD10033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3700-202-0x000001BD102E0000-0x000001BD1069F000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3700-203-0x000001BD101A0000-0x000001BD101BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4036-186-0x00000146860F0000-0x00000146860F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4036-201-0x0000014687F20000-0x0000014687F3A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4036-200-0x0000014687B00000-0x0000014687EFC000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4036-214-0x0000014687B00000-0x0000014687EFC000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4036-199-0x0000014687F20000-0x0000014687F3A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4036-189-0x00000146860F0000-0x00000146860F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4972-133-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4972-142-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4972-138-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4972-136-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4972-134-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download