blackmoon | 0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
Size

1.6MB
MD5

4ef4c51a8b2b7938a1bec2332853742d
SHA1

1d51e0c79cc6be7d8906dcbc0bedd124ec5fb290
SHA256

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f
SHA512

fbfe08121a3bc9a5a84649df0c344efb9ebe83438a0c026c2ce954af8546535954610b824d7b056059db66e1d132b8424c7d3cd6ed4266f6747918a5e34d8e47
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-4-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/4256-11-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/2428-29-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/4476-31-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4476-45-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4476-75-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4476-107-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/2428-110-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

Processes:

uwzayc.exeuwzayc.exe3627603097024079.exeuin77.exed1a86595.exeuin77.exedb630f1e.exeuin77.exed51e9887.exeuin77.exedae0c63d.exeuin77.exed4ab5fb5.exeuin77.exedf56e92e.exeuin77.exed33826d4.exeuin77.exedee3b05d.exeuin77.exed8ad49c6.exeuin77.exedc70777c.exeuin77.exed72a00e5.exeuin77.exed1e5aa6e.exe

pid	process
4256	uwzayc.exe
2428	uwzayc.exe
4476	3627603097024079.exe
3388	uin77.exe
4308	d1a86595.exe
3396	uin77.exe
1396	db630f1e.exe
2748	uin77.exe
1776	d51e9887.exe
4000	uin77.exe
3716	dae0c63d.exe
5048	uin77.exe
4920	d4ab5fb5.exe
4732	uin77.exe
4496	df56e92e.exe
3336	uin77.exe
4504	d33826d4.exe
4736	uin77.exe
4856	dee3b05d.exe
2952	uin77.exe
4768	d8ad49c6.exe
3564	uin77.exe
884	dc70777c.exe
1932	uin77.exe
1032	d72a00e5.exe
4348	uin77.exe
3272	d1e5aa6e.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
defense_evasion

Clear Persistence
T1070.009

Processes:

cmd.execmd.execmd.execmd.exe

pid process

3156 cmd.exe
2064 cmd.exe
2240 cmd.exe
3912 cmd.exe

pid	process
3156	cmd.exe
2064	cmd.exe
2240	cmd.exe
3912	cmd.exe

Drops file in System32 directory 4 IoCs

Processes:

uwzayc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	uwzayc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	uwzayc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	uwzayc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	uwzayc.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4732-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/4732-4-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
C:\Windows\Fonts\clbpevo\uwzayc.exe	upx
behavioral2/memory/4256-11-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
C:\Windows\Temp\3627603097024079.exe	upx
behavioral2/memory/4476-14-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/2428-29-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/4476-31-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4476-45-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4476-75-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4476-107-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/2428-110-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exeuwzayc.exe

description	ioc	process
File created	\??\c:\windows\fonts\clbpevo\uwzayc.exe	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
File opened for modification	\??\c:\windows\fonts\clbpevo\uwzayc.exe	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
File created	\??\c:\windows\fonts\rlbeuy\pcejmf.exe	uwzayc.exe
File created	\??\c:\windows\fonts\apwxvo\lmpxqa.exe	uwzayc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1736 2428 WerFault.exe uwzayc.exe

pid	pid_target	process	target process
1736	2428	WerFault.exe	uwzayc.exe

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PING.EXEuin77.exeWMIC.exeuin77.execmd.execmd.exeuin77.exeuin77.execmd.exeuin77.exeschtasks.exeWMIC.exeuwzayc.exeWMIC.exeuin77.execmd.exeWMIC.exeschtasks.exeWMIC.exeuwzayc.execmd.exeWMIC.exeuin77.exeWMIC.exeuin77.exe0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exeschtasks.execmd.exeWMIC.exeWMIC.execmd.exe3627603097024079.execmd.execmd.exeWMIC.exeWMIC.exeuin77.exeWMIC.exeuin77.exeuin77.exeschtasks.exeuin77.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uwzayc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uwzayc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3627603097024079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

3288 cmd.exe
4360 PING.EXE

pid	process
3288	cmd.exe
4360	PING.EXE

Modifies data under HKEY_USERS 8 IoCs

Processes:

uwzayc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	uwzayc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	uwzayc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	uwzayc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	uwzayc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	uwzayc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	uwzayc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	uwzayc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	uwzayc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4360 PING.EXE

pid	process
4360	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exeuwzayc.exeuwzayc.exeuin77.exed1a86595.exeuin77.exedb630f1e.exeuin77.exed51e9887.exe3627603097024079.exe

pid	process
4732	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
4732	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
4256	uwzayc.exe
4256	uwzayc.exe
2428	uwzayc.exe
2428	uwzayc.exe
3388	uin77.exe
3388	uin77.exe
3388	uin77.exe
3388	uin77.exe
4308	d1a86595.exe
4308	d1a86595.exe
4308	d1a86595.exe
4308	d1a86595.exe
4308	d1a86595.exe
3396	uin77.exe
3396	uin77.exe
3396	uin77.exe
3396	uin77.exe
1396	db630f1e.exe
1396	db630f1e.exe
1396	db630f1e.exe
1396	db630f1e.exe
2748	uin77.exe
2748	uin77.exe
2748	uin77.exe
2748	uin77.exe
1776	d51e9887.exe
1776	d51e9887.exe
1776	d51e9887.exe
1776	d51e9887.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe
4476	3627603097024079.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe

pid process

4732 0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exeuwzayc.exeuwzayc.exeWMIC.exeuin77.exed1a86595.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4732	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
Token: SeDebugPrivilege	4256	uwzayc.exe
Token: SeDebugPrivilege	2428	uwzayc.exe
Token: SeAssignPrimaryTokenPrivilege	4148	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4148	WMIC.exe
Token: SeSecurityPrivilege	4148	WMIC.exe
Token: SeTakeOwnershipPrivilege	4148	WMIC.exe
Token: SeLoadDriverPrivilege	4148	WMIC.exe
Token: SeSystemtimePrivilege	4148	WMIC.exe
Token: SeBackupPrivilege	4148	WMIC.exe
Token: SeRestorePrivilege	4148	WMIC.exe
Token: SeShutdownPrivilege	4148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4148	WMIC.exe
Token: SeUndockPrivilege	4148	WMIC.exe
Token: SeManageVolumePrivilege	4148	WMIC.exe
Token: SeDebugPrivilege	3388	uin77.exe
Token: SeDebugPrivilege	4308	d1a86595.exe
Token: SeAssignPrimaryTokenPrivilege	4148	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4148	WMIC.exe
Token: SeSecurityPrivilege	4148	WMIC.exe
Token: SeTakeOwnershipPrivilege	4148	WMIC.exe
Token: SeLoadDriverPrivilege	4148	WMIC.exe
Token: SeSystemtimePrivilege	4148	WMIC.exe
Token: SeBackupPrivilege	4148	WMIC.exe
Token: SeRestorePrivilege	4148	WMIC.exe
Token: SeShutdownPrivilege	4148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4148	WMIC.exe
Token: SeUndockPrivilege	4148	WMIC.exe
Token: SeManageVolumePrivilege	4148	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2952	WMIC.exe
Token: SeSecurityPrivilege	2952	WMIC.exe
Token: SeTakeOwnershipPrivilege	2952	WMIC.exe
Token: SeLoadDriverPrivilege	2952	WMIC.exe
Token: SeSystemtimePrivilege	2952	WMIC.exe
Token: SeBackupPrivilege	2952	WMIC.exe
Token: SeRestorePrivilege	2952	WMIC.exe
Token: SeShutdownPrivilege	2952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2952	WMIC.exe
Token: SeUndockPrivilege	2952	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exeuwzayc.exeuwzayc.exe3627603097024079.exe

pid process

4732 0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
4256 uwzayc.exe
2428 uwzayc.exe
4476 3627603097024079.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.execmd.exeuwzayc.exe3627603097024079.execmd.execmd.exeuin77.exeuin77.exeuin77.execmd.execmd.exeuin77.exe

description	pid	process	target process
PID 4732 wrote to memory of 3288	4732	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe	cmd.exe
PID 4732 wrote to memory of 3288	4732	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe	cmd.exe
PID 4732 wrote to memory of 3288	4732	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe	cmd.exe
PID 3288 wrote to memory of 4360	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 4360	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 4360	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 4256	3288	cmd.exe	uwzayc.exe
PID 3288 wrote to memory of 4256	3288	cmd.exe	uwzayc.exe
PID 3288 wrote to memory of 4256	3288	cmd.exe	uwzayc.exe
PID 2428 wrote to memory of 4476	2428	uwzayc.exe	3627603097024079.exe
PID 2428 wrote to memory of 4476	2428	uwzayc.exe	3627603097024079.exe
PID 2428 wrote to memory of 4476	2428	uwzayc.exe	3627603097024079.exe
PID 4476 wrote to memory of 3156	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 3156	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 3156	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 3204	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 3204	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 3204	4476	3627603097024079.exe	cmd.exe
PID 3156 wrote to memory of 2140	3156	cmd.exe	schtasks.exe
PID 3156 wrote to memory of 2140	3156	cmd.exe	schtasks.exe
PID 3156 wrote to memory of 2140	3156	cmd.exe	schtasks.exe
PID 3204 wrote to memory of 4148	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 4148	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 4148	3204	cmd.exe	WMIC.exe
PID 4476 wrote to memory of 3388	4476	3627603097024079.exe	uin77.exe
PID 4476 wrote to memory of 3388	4476	3627603097024079.exe	uin77.exe
PID 4476 wrote to memory of 3388	4476	3627603097024079.exe	uin77.exe
PID 3388 wrote to memory of 4308	3388	uin77.exe	d1a86595.exe
PID 3388 wrote to memory of 4308	3388	uin77.exe	d1a86595.exe
PID 3204 wrote to memory of 1892	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 1892	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 1892	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 2952	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 2952	3204	cmd.exe	WMIC.exe
PID 3204 wrote to memory of 2952	3204	cmd.exe	WMIC.exe
PID 4476 wrote to memory of 3396	4476	3627603097024079.exe	uin77.exe
PID 4476 wrote to memory of 3396	4476	3627603097024079.exe	uin77.exe
PID 4476 wrote to memory of 3396	4476	3627603097024079.exe	uin77.exe
PID 3396 wrote to memory of 1396	3396	uin77.exe	db630f1e.exe
PID 3396 wrote to memory of 1396	3396	uin77.exe	db630f1e.exe
PID 4476 wrote to memory of 2748	4476	3627603097024079.exe	uin77.exe
PID 4476 wrote to memory of 2748	4476	3627603097024079.exe	uin77.exe
PID 4476 wrote to memory of 2748	4476	3627603097024079.exe	uin77.exe
PID 2748 wrote to memory of 1776	2748	uin77.exe	d51e9887.exe
PID 2748 wrote to memory of 1776	2748	uin77.exe	d51e9887.exe
PID 4476 wrote to memory of 2064	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 2064	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 2064	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 456	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 456	4476	3627603097024079.exe	cmd.exe
PID 4476 wrote to memory of 456	4476	3627603097024079.exe	cmd.exe
PID 2064 wrote to memory of 2508	2064	cmd.exe	schtasks.exe
PID 2064 wrote to memory of 2508	2064	cmd.exe	schtasks.exe
PID 2064 wrote to memory of 2508	2064	cmd.exe	schtasks.exe
PID 456 wrote to memory of 3796	456	cmd.exe	WMIC.exe
PID 456 wrote to memory of 3796	456	cmd.exe	WMIC.exe
PID 456 wrote to memory of 3796	456	cmd.exe	WMIC.exe
PID 4476 wrote to memory of 4000	4476	3627603097024079.exe	uin77.exe
PID 4476 wrote to memory of 4000	4476	3627603097024079.exe	uin77.exe
PID 4476 wrote to memory of 4000	4476	3627603097024079.exe	uin77.exe
PID 4000 wrote to memory of 3716	4000	uin77.exe	dae0c63d.exe
PID 4000 wrote to memory of 3716	4000	uin77.exe	dae0c63d.exe
PID 456 wrote to memory of 3124	456	cmd.exe	WMIC.exe
PID 456 wrote to memory of 3124	456	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
"C:\Users\Admin\AppData\Local\Temp\0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\clbpevo\uwzayc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4360
- - \??\c:\windows\fonts\clbpevo\uwzayc.exe
    c:\windows\fonts\clbpevo\uwzayc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4256

\??\c:\windows\fonts\clbpevo\uwzayc.exe
c:\windows\fonts\clbpevo\uwzayc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\TEMP\3627603097024079.exe
  C:\Windows\TEMP\3627603097024079.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN incsx /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN incsx /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="zlcvp" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="euoa" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='zlcvp'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="zlcvp" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4148
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="euoa" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1892
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='zlcvp'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2952
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\TEMP\d1a86595.exe
      "C:\Windows\TEMP\d1a86595.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4308
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\TEMP\db630f1e.exe
      "C:\Windows\TEMP\db630f1e.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1396
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\TEMP\d51e9887.exe
      "C:\Windows\TEMP\d51e9887.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN incsx /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN incsx /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="zlcvp" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="euoa" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='zlcvp'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="zlcvp" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3796
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="euoa" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3124
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='zlcvp'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3348
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\TEMP\dae0c63d.exe
      "C:\Windows\TEMP\dae0c63d.exe"
      4⤵
      Executes dropped EXE
      PID:3716
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5048
  - - C:\Windows\TEMP\d4ab5fb5.exe
      "C:\Windows\TEMP\d4ab5fb5.exe"
      4⤵
      Executes dropped EXE
      PID:4920
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4732
  - - C:\Windows\TEMP\df56e92e.exe
      "C:\Windows\TEMP\df56e92e.exe"
      4⤵
      Executes dropped EXE
      PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN incsx /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:2240
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN incsx /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="zlcvp" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="euoa" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='zlcvp'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="zlcvp" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="euoa" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3572
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='zlcvp'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4208
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3336
  - - C:\Windows\TEMP\d33826d4.exe
      "C:\Windows\TEMP\d33826d4.exe"
      4⤵
      Executes dropped EXE
      PID:4504
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4736
  - - C:\Windows\TEMP\dee3b05d.exe
      "C:\Windows\TEMP\dee3b05d.exe"
      4⤵
      Executes dropped EXE
      PID:4856
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2952
  - - C:\Windows\TEMP\d8ad49c6.exe
      "C:\Windows\TEMP\d8ad49c6.exe"
      4⤵
      Executes dropped EXE
      PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN cwj /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:3912
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN cwj /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fijse" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="vaec" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fijse'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3668
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fijse" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="vaec" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:980
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fijse'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3564
  - - C:\Windows\TEMP\dc70777c.exe
      "C:\Windows\TEMP\dc70777c.exe"
      4⤵
      Executes dropped EXE
      PID:884
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1932
  - - C:\Windows\TEMP\d72a00e5.exe
      "C:\Windows\TEMP\d72a00e5.exe"
      4⤵
      Executes dropped EXE
      PID:1032
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4348
  - - C:\Windows\TEMP\d1e5aa6e.exe
      "C:\Windows\TEMP\d1e5aa6e.exe"
      4⤵
      Executes dropped EXE
      PID:3272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1332
  2⤵
  - Program crash
  PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2428 -ip 2428
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\clbpevo\uwzayc.exe

Filesize
1.7MB

MD5
870e8cf405df3a75318d6bb6280054fd

SHA1
10cbebe1da0b1141f2362176394da76f60e46983

SHA256
c6e56f85b2648ba1be5e4303fa87b67fbcaa84629e985607f28a2040f445a1fd

SHA512
a4f2ff25b5a9c0984e160540bf92916c9e485d9fc7bc097c30626c30dbd7851b0560f2c126f13fe072924967acf7534ee23c87c8eacc7f17ddae3b7b161a75aa

Download Submit
C:\Windows\TEMP\d33826d4.exe

Filesize
95KB

MD5
013c2ae02e6c9751f7a4b1f74fdcbc51

SHA1
857d7999752a6a905e6eb8236a251249d74c6eb8

SHA256
2bdcf0cc8613b42860cf077482282053c8c414b380f50a7f6586f32a8ea97ecd

SHA512
16a12e00e5cf8c08ac7971bf6055d2d6e40ca10c525677e9f4443fabeaa2747f06740c0cc95dd4a53c5d5e449da9fdac8cf0a386e27c7228ebe998893b00214f

Download Submit
C:\Windows\Temp\3627603097024079.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
C:\Windows\Temp\d1a86595.exe

Filesize
95KB

MD5
238f71dafa3d717eb9fd2f776625e677

SHA1
0a5760795c99dbcd0adc308bb20dbf6784471737

SHA256
c9d03453c40831bd958c1c24af0cd6c09a5483f0626682849eb3ff07ef914c4c

SHA512
c6a4c333f7396b468db80ce90a5a39ac97006f7f5deb11166297c26bac2f53c6a45d31ce76b67a4fc1b29e52005627fb180e852953ed51982e4e5acc09e41c2a

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
15725bab96cf4cf6e0c04ca124cd7d07

SHA1
b5cc79d12000c7b0107e4e9648077c4256cf80e5

SHA256
39777052a912d7ecc4953880ca787eed3f02052ec523652bff9bdcf11b444db8

SHA512
0d0b1f2d6ffe1cd8419e8c615160123891b2f9461219fa32cb9b9086d70fc6be8d4cd486f1f21471dfd3b810b1cd162ff39e220ca5b481aab81a4304cf0396f3

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
0d8f82d981e30c1ce8fa16b2487e391e

SHA1
2c53a1b214293c981c75f046d352a53bd62d99ea

SHA256
0cb25ec82aac04fd953132df3440b28e747031427ee5c427df4023f9ca6b47d4

SHA512
4fa7fc3a3aaa80cabe95f92ab368a429faf9ee11998c376740bea64793be1ebfbe6f4b4d55ffebdd3a6b08804a196f1023266884fa65a661020f336e3ca172c1

Download Submit
memory/2428-110-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2428-29-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4256-11-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4476-31-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4476-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4476-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4476-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4476-107-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4732-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4732-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download