blackmoon | dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574

Analysis

max time kernel
231s
max time network
280s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe
Size

4.7MB
MD5

f6f300c7ae7da288edb40174a5fdcdc5
SHA1

74fcd8fe20b0946d478524aa913b8956b7cd5a53
SHA256

dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574
SHA512

d90773f887ce778364fd554909cb8008ed5d25f210b968cd28492b058dcbfd3074cafe4eb34c43fb7756c71e38371302b68651599226cb1d4dbabed31bfc1ae3
SSDEEP

98304:n/Un5TJ5yNivnBYXhXuYQiSDMd+DqSooc3Lcv7H:s5TJMSqXhXuYrd+DqSxcbcv7

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016c31-23.dat	family_blackmoon
behavioral1/files/0x0006000000016c31-26.dat	family_blackmoon
behavioral1/files/0x0006000000016c31-49.dat	family_blackmoon
behavioral1/files/0x0006000000016c31-48.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe

Executes dropped EXE 3 IoCs

pid	Process
2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
2408	Ê¢ÊÀÕ½Éñ.exe

Loads dropped DLL 7 IoCs

pid	Process
2660	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe
2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe
2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe
2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe
2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
Token: SeDebugPrivilege	1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
1136	Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
2408	Ê¢ÊÀÕ½Éñ.exe
2408	Ê¢ÊÀÕ½Éñ.exe
2408	Ê¢ÊÀÕ½Éñ.exe
2408	Ê¢ÊÀÕ½Éñ.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2840	2660	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe	30
PID 2660 wrote to memory of 2840	2660	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe	30
PID 2660 wrote to memory of 2840	2660	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe	30
PID 2660 wrote to memory of 2840	2660	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe	30
PID 2840 wrote to memory of 1136	2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe	33
PID 2840 wrote to memory of 1136	2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe	33
PID 2840 wrote to memory of 1136	2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe	33
PID 2840 wrote to memory of 1136	2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe	33
PID 2840 wrote to memory of 2408	2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe	34
PID 2840 wrote to memory of 2408	2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe	34
PID 2840 wrote to memory of 2408	2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe	34
PID 2840 wrote to memory of 2408	2840	dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe	34

C:\Users\Admin\AppData\Local\Temp\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe
"C:\Users\Admin\AppData\Local\Temp\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe
  C:\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
    C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1136
- - C:\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\Ê¢ÊÀÕ½Éñ.exe
    C:\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\Ê¢ÊÀÕ½Éñ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B70478C503EFF9D849F66D2FFA74BEB

Filesize
471B

MD5
0ba59a22d2085ba722a7d611f4ebdec8

SHA1
9198142cddcc38c9c68ae28185fde3f9c2778684

SHA256
282c96c1da6611bc41a4c612953d51a3cc3e09c1657be57ec87ca1b09f3b2cc2

SHA512
b6c93ef9336d948edd7ceefa73b311411d44f6b1308479cbc4967aa7650093a48652598d27641f53ce5bd8548187fa7a20129b7c4dce78161eaa9b6e403175ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
88851f540dd5a98d06f58b2c39cba489

SHA1
e52892b056bf400a120f983111c67efec329a091

SHA256
a846f57e060f72bb8060b2d2c9056ae05e697cd0e8b5f9489c222b59709a3c13

SHA512
5f0c7ff62b8998032f06cc7d59b59eaa2022c55d4c1560212f1c8a69273d48865c2202f8f6eea1a5134ca09e7d59567f0dd1f8c77205fd9aace2c6bd56e140fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B70478C503EFF9D849F66D2FFA74BEB

Filesize
404B

MD5
e9433fd8d18d85a69c0c4698fd220af8

SHA1
69c28a5764f170d98166c7400a9f1b39a76d6105

SHA256
241d05ce6e105a7ab852ed612ea7469ab2cb2b5c28047bbf5067a3e31d3226e8

SHA512
498fa2037b4202b2f31d0fa5ad834b466e86ff12bf526a3d3db609c4aa4d9ce170a8d2902cfa3cabacd1553bbb6cc034da505744545d55343b4f1b4644ed7ce3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ceb3030d609c03b0f92f915096fd5502

SHA1
dcde2b96dbf1d45d4dd9dbe545dc1844fca3788b

SHA256
aab06f1cc97d0a3d88b43d2ed5bcc2fd510d38671f5f3c7d7cecd79e8b2aeaf6

SHA512
aee1225366d78befdc428bd92c6d6858bf6b9347847bb63c9b259cd55b1e6c8b5156ba6962865917ff99078fd6defdaf0ec08d66e18af027fd088862c49c2557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
404B

MD5
5ab6abed72ea03e72101170da777f4f9

SHA1
b765560e02459b159b9e2faa6e3b978a4b398790

SHA256
eb1296040c4d4323c6be0779a7d8630e3d91d0515ff92144b9b6475cc9ad6844

SHA512
7201ac2296edbefa0e79cb45e73438f0470f3b389a94fa8d692eac3c2f86f5c52409a236c4c6b17bad134e248d43a79613613f46942e2058b888798e732898be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bf176a6432b8755b2d804091471c380.ini

Filesize
1KB

MD5
e25fcae1549dc8831ef2521224ca57b9

SHA1
a82dca1434bc3be67fabc302ede55bacd8a9e5e9

SHA256
b456c01cef647a8e1d307e7a55497bea91c85f822353b1d26f94f81413245fb1

SHA512
d4ae4e47264c9af4239b0feb182c1dfe52eaf8626374888031e61e082dd367fc7bd1599dcb03d085d3939ea250e5dde25a042a1b3acc4680e003856ceb46a265

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bf176a6432b8755b2d804091471c380A.ini

Filesize
1KB

MD5
4d42d9e2fa04069575d219b00461c3f0

SHA1
0a69aa6523fa63ae6d3af032342033d4936e9a51

SHA256
517c3746aad43d6d877ae79166a082884109156077928f5984d3406716c749b9

SHA512
61e41bb84dd177df139d1546efb3c3b3b41db2d4ba1a1ab6634528469df99fc5669c00419093b4839a9c9560f247733b8b923634812c5b0e377965d754b9fdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA489.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bakdel.dat

Filesize
102B

MD5
20f7dddcfd6aae278f392dcbd45dcf35

SHA1
087e7dadec7aa5171e9f53dffeb94696a3a1c338

SHA256
01d88db3c10f1503e468ffe9373de5649ff928087f8792c3e63eeaab50a6beae

SHA512
2ee820d844106c63366a4369a9c4e7d6cba997ae857b598db021d821494d33b275e720579c34e93966929bf8df77233ba1bae8e8bf0efe75864d254780838978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ê¢ÊÀÕ½Éñ.exepack.tmp

Filesize
2KB

MD5
b5270111cd4c821d9a455e3052892490

SHA1
c1279233819734ad8c3ceead491dc3f724cd9fc9

SHA256
d8cf8b9e5e3993d0002f98e273b998c4326c40e3da102b096fe364bbf28eb5d2

SHA512
f6e0e1077c1f3284edbd8e6c80fabf1c1b2dc0d9bc11e8adcdee0e3e503fcf34b27776706c6e5be0877bc9c16d511b98bcc7e3c6a36f260e7dbf6e13d8bd472a

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\ExuiKrnln_Win32.lib

Filesize
1.6MB

MD5
031ad1ecd93701d39265771942ec716c

SHA1
cb3ef507bf0e848894fbb96a29bfc94a0c302152

SHA256
9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba

SHA512
374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Filesize
2.8MB

MD5
d6c90611ea0a1673c8e552c90cd859b4

SHA1
7f7d034ca3b8d1555c95e080794c902ca45afafe

SHA256
cf6627beae8cfed6866ca4078c6b61e54a29bee040ea922d148756f502bc89e3

SHA512
328671900e9e43eb996f6aca2bf07c1e757ba5cec10f3ca359fbf4d19a42fbcf0bbad873d6ab8820895c0d16340999d6a1c0d01272e6b74e6d07d470e008053c

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Filesize
2.8MB

MD5
d6c90611ea0a1673c8e552c90cd859b4

SHA1
7f7d034ca3b8d1555c95e080794c902ca45afafe

SHA256
cf6627beae8cfed6866ca4078c6b61e54a29bee040ea922d148756f502bc89e3

SHA512
328671900e9e43eb996f6aca2bf07c1e757ba5cec10f3ca359fbf4d19a42fbcf0bbad873d6ab8820895c0d16340999d6a1c0d01272e6b74e6d07d470e008053c

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe

Filesize
4.7MB

MD5
f6f300c7ae7da288edb40174a5fdcdc5

SHA1
74fcd8fe20b0946d478524aa913b8956b7cd5a53

SHA256
dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574

SHA512
d90773f887ce778364fd554909cb8008ed5d25f210b968cd28492b058dcbfd3074cafe4eb34c43fb7756c71e38371302b68651599226cb1d4dbabed31bfc1ae3

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe

Filesize
4.7MB

MD5
f6f300c7ae7da288edb40174a5fdcdc5

SHA1
74fcd8fe20b0946d478524aa913b8956b7cd5a53

SHA256
dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574

SHA512
d90773f887ce778364fd554909cb8008ed5d25f210b968cd28492b058dcbfd3074cafe4eb34c43fb7756c71e38371302b68651599226cb1d4dbabed31bfc1ae3

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\Ê¢ÊÀÕ½Éñ.exe

Filesize
21.9MB

MD5
db5827a67c918903714789432e1fabc6

SHA1
c25db3d8fc23f29913a52351f3cca60de9a453de

SHA256
351574c92ebdb01d9857c579bbc01b8d3736bc908a61c9dbf31d6414b7e9e5e4

SHA512
8e4e10af10d4ccee6b24880232aef853742f961bba04ceac5417ca224b22893fd56533727b859f18d4d3829375e095d135b72f88c732405114ce60072ed6daea

Download Submit
C:\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\Ê¢ÊÀÕ½Éñ.exe

Filesize
21.9MB

MD5
db5827a67c918903714789432e1fabc6

SHA1
c25db3d8fc23f29913a52351f3cca60de9a453de

SHA256
351574c92ebdb01d9857c579bbc01b8d3736bc908a61c9dbf31d6414b7e9e5e4

SHA512
8e4e10af10d4ccee6b24880232aef853742f961bba04ceac5417ca224b22893fd56533727b859f18d4d3829375e095d135b72f88c732405114ce60072ed6daea

Download Submit
\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\ExuiKrnln_Win32.lib

Filesize
1.6MB

MD5
031ad1ecd93701d39265771942ec716c

SHA1
cb3ef507bf0e848894fbb96a29bfc94a0c302152

SHA256
9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba

SHA512
374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

Download Submit
\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Filesize
2.8MB

MD5
d6c90611ea0a1673c8e552c90cd859b4

SHA1
7f7d034ca3b8d1555c95e080794c902ca45afafe

SHA256
cf6627beae8cfed6866ca4078c6b61e54a29bee040ea922d148756f502bc89e3

SHA512
328671900e9e43eb996f6aca2bf07c1e757ba5cec10f3ca359fbf4d19a42fbcf0bbad873d6ab8820895c0d16340999d6a1c0d01272e6b74e6d07d470e008053c

Download Submit
\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Filesize
2.8MB

MD5
d6c90611ea0a1673c8e552c90cd859b4

SHA1
7f7d034ca3b8d1555c95e080794c902ca45afafe

SHA256
cf6627beae8cfed6866ca4078c6b61e54a29bee040ea922d148756f502bc89e3

SHA512
328671900e9e43eb996f6aca2bf07c1e757ba5cec10f3ca359fbf4d19a42fbcf0bbad873d6ab8820895c0d16340999d6a1c0d01272e6b74e6d07d470e008053c

Download Submit
\Users\Admin\AppData\Roaming\genwangame\cqzj_sevice\Õ½¼ÇÊÚÈ¨¹«Ê¾Óë·À³ÁÃÔÈÏÖ¤.exe

Filesize
2.8MB

MD5
d6c90611ea0a1673c8e552c90cd859b4

SHA1
7f7d034ca3b8d1555c95e080794c902ca45afafe

SHA256
cf6627beae8cfed6866ca4078c6b61e54a29bee040ea922d148756f502bc89e3

SHA512
328671900e9e43eb996f6aca2bf07c1e757ba5cec10f3ca359fbf4d19a42fbcf0bbad873d6ab8820895c0d16340999d6a1c0d01272e6b74e6d07d470e008053c

Download Submit
\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe

Filesize
4.7MB

MD5
f6f300c7ae7da288edb40174a5fdcdc5

SHA1
74fcd8fe20b0946d478524aa913b8956b7cd5a53

SHA256
dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574

SHA512
d90773f887ce778364fd554909cb8008ed5d25f210b968cd28492b058dcbfd3074cafe4eb34c43fb7756c71e38371302b68651599226cb1d4dbabed31bfc1ae3

Download Submit
\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ].exe

Filesize
4.7MB

MD5
f6f300c7ae7da288edb40174a5fdcdc5

SHA1
74fcd8fe20b0946d478524aa913b8956b7cd5a53

SHA256
dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574

SHA512
d90773f887ce778364fd554909cb8008ed5d25f210b968cd28492b058dcbfd3074cafe4eb34c43fb7756c71e38371302b68651599226cb1d4dbabed31bfc1ae3

Download Submit
\Users\Admin\AppData\Roaming\genwangame\dd18a1d8ca564d328028dba83639ba10ae2390dd9a8465e1482a44b3e42ba574[Êµ]\Ê¢ÊÀÕ½Éñ.exe

Filesize
21.9MB

MD5
db5827a67c918903714789432e1fabc6

SHA1
c25db3d8fc23f29913a52351f3cca60de9a453de

SHA256
351574c92ebdb01d9857c579bbc01b8d3736bc908a61c9dbf31d6414b7e9e5e4

SHA512
8e4e10af10d4ccee6b24880232aef853742f961bba04ceac5417ca224b22893fd56533727b859f18d4d3829375e095d135b72f88c732405114ce60072ed6daea

Download Submit
memory/1136-81-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1136-209-0x0000000000400000-0x0000000000BCC000-memory.dmp

Filesize
7.8MB

Download
memory/1136-78-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1136-429-0x0000000000400000-0x0000000000BCC000-memory.dmp

Filesize
7.8MB

Download
memory/1136-76-0x0000000000400000-0x0000000000BCC000-memory.dmp

Filesize
7.8MB

Download
memory/1136-95-0x0000000000400000-0x0000000000BCC000-memory.dmp

Filesize
7.8MB

Download
memory/1136-82-0x0000000000FA0000-0x0000000000FF9000-memory.dmp

Filesize
356KB

Download
memory/1136-425-0x0000000000400000-0x0000000000BCC000-memory.dmp

Filesize
7.8MB

Download
memory/2408-210-0x0000000000400000-0x0000000001DA9000-memory.dmp

Filesize
25.7MB

Download
memory/2408-93-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2408-103-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2408-94-0x0000000000400000-0x0000000001DA9000-memory.dmp

Filesize
25.7MB

Download
memory/2408-426-0x0000000000400000-0x0000000001DA9000-memory.dmp

Filesize
25.7MB

Download
memory/2408-99-0x0000000000400000-0x0000000001DA9000-memory.dmp

Filesize
25.7MB

Download
memory/2408-428-0x0000000000400000-0x0000000001DA9000-memory.dmp

Filesize
25.7MB

Download
memory/2408-208-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2660-29-0x0000000002810000-0x00000000029B1000-memory.dmp

Filesize
1.6MB

Download
memory/2660-27-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2660-0-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2660-1-0x0000000002810000-0x00000000029B1000-memory.dmp

Filesize
1.6MB

Download
memory/2840-106-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2840-28-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2840-107-0x0000000002730000-0x00000000028D1000-memory.dmp

Filesize
1.6MB

Download
memory/2840-64-0x0000000006490000-0x0000000006C5C000-memory.dmp

Filesize
7.8MB

Download
memory/2840-91-0x00000000061B0000-0x0000000007B59000-memory.dmp

Filesize
25.7MB

Download
memory/2840-75-0x0000000006670000-0x0000000006E3C000-memory.dmp

Filesize
7.8MB

Download
memory/2840-37-0x0000000002730000-0x00000000028D1000-memory.dmp

Filesize
1.6MB

Download
memory/2840-65-0x0000000006490000-0x0000000006C5C000-memory.dmp

Filesize
7.8MB

Download
memory/2840-30-0x0000000002730000-0x00000000028D1000-memory.dmp

Filesize
1.6MB

Download