blackmoon | 7694440c4a9f36249dfa3e9e00472bf22b4665b17108ea1bd6a24a9d663d4533

Analysis

max time kernel
111s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/11/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7694440c4a9f36249dfa3e9e00472bf22b4665b17108ea1bd6a24a9d663d4533N.dll
Size

163KB
MD5

56dea4858f3c7afecd014f2b53026950
SHA1

d3ae2b89b7d2ca38beef7a729ae74aed1b0f2ede
SHA256

7694440c4a9f36249dfa3e9e00472bf22b4665b17108ea1bd6a24a9d663d4533
SHA512

bf69b52ed53bf99e37e84ef4d459a3d485f1277b4b2a58a8c8bb1008ad017e99bf0df5d4c8a7709a4fff639422f63b785a8de2e3bfd54bc848b411732d101519
SSDEEP

3072:x5VK0lTSG9xoC+CQpiU5MvUOGk//qmwYre9BN0N4w:E0T9xB+CU4Gk//vwYre9BmN

Score

10^/10

blackmoon gh0strat banker discovery evasion rat trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

resource	yara_rule
behavioral1/memory/2784-28-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2784-57-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2784-8685-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2784-13527-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/files/0x0008000000018b54-13603.dat	family_blackmoon
behavioral1/memory/2784-13615-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2784-13618-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2784-13621-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral1/memory/2488-5-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2488-7-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2488-3-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2488-2-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2488-8-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2488-9-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2488-14-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2488-13634-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/1112-13651-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1112-13649-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1112-13647-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1112-13654-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3840	netsh.exe

Executes dropped EXE 5 IoCs

pid	Process
2784	MpMgSvc.exe
2596	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
384	Wmicc.exe
3768	GetPassword.exe

Loads dropped DLL 26 IoCs

pid	Process
2488	svchost.exe
2488	svchost.exe
2784	MpMgSvc.exe
2784	MpMgSvc.exe
2596	Eternalblue-2.2.0.exe
2596	Eternalblue-2.2.0.exe
2596	Eternalblue-2.2.0.exe
2596	Eternalblue-2.2.0.exe
2596	Eternalblue-2.2.0.exe
2596	Eternalblue-2.2.0.exe
2596	Eternalblue-2.2.0.exe
2596	Eternalblue-2.2.0.exe
2596	Eternalblue-2.2.0.exe
2784	MpMgSvc.exe
3588	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
3588	Eternalblue-2.2.0.exe
2784	MpMgSvc.exe
2784	MpMgSvc.exe
3468	cmd.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.226.84.135

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 2488	2496	rundll32.exe	30

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000018b50-19.dat	upx
behavioral1/memory/2488-27-0x0000000002F00000-0x0000000003825000-memory.dmp	upx
behavioral1/memory/2784-28-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2784-57-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2784-8685-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2784-13527-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2784-13615-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2784-13618-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2784-13621-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/files/0x000500000001a404-13627.dat	upx
behavioral1/files/0x000500000001a404-13635.dat	upx
behavioral1/memory/2524-13639-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx
behavioral1/memory/2524-13643-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpMgSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eternalblue-2.2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eternalblue-2.2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmicc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2784	MpMgSvc.exe
2784	MpMgSvc.exe
2784	MpMgSvc.exe
2784	MpMgSvc.exe
2784	MpMgSvc.exe
2784	MpMgSvc.exe
3768	GetPassword.exe
3768	GetPassword.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	GetPassword.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2784	MpMgSvc.exe
2784	MpMgSvc.exe
384	Wmicc.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2496 wrote to memory of 2488	2496	rundll32.exe	30
PID 2488 wrote to memory of 2784	2488	svchost.exe	32
PID 2488 wrote to memory of 2784	2488	svchost.exe	32
PID 2488 wrote to memory of 2784	2488	svchost.exe	32
PID 2488 wrote to memory of 2784	2488	svchost.exe	32
PID 2784 wrote to memory of 2596	2784	MpMgSvc.exe	33
PID 2784 wrote to memory of 2596	2784	MpMgSvc.exe	33
PID 2784 wrote to memory of 2596	2784	MpMgSvc.exe	33
PID 2784 wrote to memory of 2596	2784	MpMgSvc.exe	33
PID 2784 wrote to memory of 3588	2784	MpMgSvc.exe	35
PID 2784 wrote to memory of 3588	2784	MpMgSvc.exe	35
PID 2784 wrote to memory of 3588	2784	MpMgSvc.exe	35
PID 2784 wrote to memory of 3588	2784	MpMgSvc.exe	35
PID 2784 wrote to memory of 384	2784	MpMgSvc.exe	37
PID 2784 wrote to memory of 384	2784	MpMgSvc.exe	37
PID 2784 wrote to memory of 384	2784	MpMgSvc.exe	37
PID 2784 wrote to memory of 384	2784	MpMgSvc.exe	37
PID 384 wrote to memory of 3468	384	Wmicc.exe	38
PID 384 wrote to memory of 3468	384	Wmicc.exe	38
PID 384 wrote to memory of 3468	384	Wmicc.exe	38
PID 384 wrote to memory of 3468	384	Wmicc.exe	38
PID 3468 wrote to memory of 3768	3468	cmd.exe	40
PID 3468 wrote to memory of 3768	3468	cmd.exe	40
PID 3468 wrote to memory of 3768	3468	cmd.exe	40
PID 3468 wrote to memory of 3768	3468	cmd.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7694440c4a9f36249dfa3e9e00472bf22b4665b17108ea1bd6a24a9d663d4533N.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\WINDOWS\Temp\MpMgSvc.exe
    "C:\WINDOWS\Temp\MpMgSvc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
      Eternalblue-2.2.0.exe --TargetIp 10.127.0.115 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2596
  - - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
      Eternalblue-2.2.0.exe --TargetIp 10.127.0.115 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3588
  - - C:\Windows\Temp\Wmicc.exe
      "C:\Windows\Temp\Wmicc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\Temp\GetPassword.exe
        
        C:\Windows\Temp\GetPassword.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
- - C:\WINDOWS\Temp\Hooks.exe
    "C:\WINDOWS\Temp\Hooks.exe"
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"
      4⤵
      PID:3576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup
1⤵
PID:3596
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  PID:1112
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\Temp\trch-1.dll

Filesize
58KB

MD5
838ceb02081ac27de43da56bec20fc76

SHA1
972ab587cdb63c8263eb977f10977fd7d27ecf7b

SHA256
0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f

SHA512
bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22

Download Submit
C:\Windows\Temp\Eternalblue-2.2.0.exe

Filesize
126KB

MD5
8c80dd97c37525927c1e549cb59bcbf3

SHA1
4e80fa7d98c8e87facecdef0fc7de0d957d809e1

SHA256
85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

SHA512
50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e

Download Submit
C:\Windows\Temp\Eternalblue-2.2.0.xml

Filesize
7KB

MD5
497080fed2000e8b49ee2e97e54036b1

SHA1
4af3fae881a80355dd09df6e736203c30c4faac5

SHA256
756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380

SHA512
4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

Download Submit
C:\Windows\Temp\GetPassword.exe

Filesize
494KB

MD5
5b6a804db0c5733d331eb126048ca73b

SHA1
f18c5acae63457ad26565d663467fa5a7fbfbee4

SHA256
5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9

SHA512
ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26

Download Submit
C:\Windows\Temp\Hooks.exe

Filesize
11.7MB

MD5
1af2da7b95cdbbd5a18461e5d5fe910a

SHA1
8540958b02170962cb958da094e059be5ff43fb0

SHA256
1b08b6f863be2c62eb5b00457475630fddb245361f1a35e4396eada29e2da64a

SHA512
bc3ea6b76cc8079871c550af197d01c227526688881b10a5192a215d9dca8cd8401408d6a6835444cab862b20856b1ad88b1450a3f93dfa8cd2ecbdc5653459a

Download Submit
C:\Windows\Temp\Hooks.exe

Filesize
10.4MB

MD5
d2ce5f4d875b6130e56cd98a14c2d117

SHA1
e41d564ca0dda1f6acf2acf16ee21af82a4f48ee

SHA256
101d27a064f62f9c120d9668257a62d04101e4cd7244b4868a0cb77f17a6314a

SHA512
a2db46ac1601ec4fd84d361d611f89c846e1fdf9b0f52feccfd47292aec04ce0d207800b14e19be874bbbef0ba00b861215d86bd10add92cf958f8bb5a9aaa73

Download Submit
C:\Windows\Temp\MpMgSvc.exe

Filesize
3.2MB

MD5
3809c59565787ee7398fe9222d4bd669

SHA1
68842768c9ae9deb1d1d7ed2b27846c392b47103

SHA256
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SHA512
2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098

Download Submit
C:\Windows\Temp\PWD.txt

Filesize
29B

MD5
f6262ef1583c2ff55e4d5c88fdb93a9d

SHA1
b1b3f25f1296d2a27a9f13711e756ce1bd18524c

SHA256
e7df16b8cee14c69a079ecd3b7957ca3bf362fa7a0f89eee6c16ec6305ac9fbe

SHA512
dc8f97cf9d542623a6b651e493a065da2d24f93d285dc152b43719708c2231f83ded09d8064dae826200a6de13c650f70bbd94cc1c7943b9886bb0938b33b034

Download Submit
C:\Windows\Temp\ip.txt

Filesize
720B

MD5
af35695f6c3ddbfb3575fed35405d14c

SHA1
0dca15d291f7009736bbf7a0b379db051e21178f

SHA256
10d019a79d65b5968b66d3f54d577de154cabc8e123505105c5a32db6343ed4b

SHA512
fd95d6e085c0d68c2ca65770eb07d8138a219bc7ec574a6d9b4836d6f5c79174c794cea55f79270a22e6690fb433065b327df56cab48f0b12ced8f168ef22d19

Download Submit
C:\Windows\Temp\ip.txt

Filesize
1KB

MD5
7bc5550d0ae71c9b2b1f34324cd8103c

SHA1
982d1eebcdfddfc209fcdda52eeec971048073c2

SHA256
c605dcbd300feaa1d871ca7335d6f4340cc7d2219fb43d2026f89bc7b6430ecf

SHA512
2dc1facc976bb04a80e4656352e51059e6d910a3790f27225ae151b05585531774f9e0ea0d2cca7394d8df32b40548da06bb0abb226ea14af037b015da1cc36b

Download Submit
C:\Windows\Temp\ip.txt

Filesize
180KB

MD5
76525d6f7276ee985b130452a3814cb5

SHA1
f71e2514500818979e784f51f38c9ddcf0dea30b

SHA256
47eb27321793f22338c1b447c6646e1f62695235cb7a1cdfa07683dd3d3d967b

SHA512
e2c823f7b06fb577f224401d9a946c4300ba0ae8151b5700711c5d1352b736d419c0f6f8781602321f2d7c2a8e5bc731095e6a59d2cbeeacb27952e223f18e29

Download Submit
C:\Windows\Temp\ip.txt

Filesize
1KB

MD5
3c9c4d6ea84883b57807ec2cf0011b70

SHA1
dda9dda4a7152b02a33a81b0fb89f39365e2f6cb

SHA256
552ba5ec4b2cff98b962e8581ffe67d71aef5ae6fadfd7be911ad0711a286d55

SHA512
8c045622f7ed84888814c61a90b439f8757624f876b6a3752419b23248ec7fbcd3b74d766b86b60b19eb6a7e3d24199c0d981bdd6fcce316edcc8e386804e3d8

Download Submit
C:\Windows\Temp\ip.txt

Filesize
2KB

MD5
a5356c5c4037308de7bbf77736bc5303

SHA1
62850665cd686c189a09cef78b19af6bdd088a06

SHA256
490f3f21d5527baff110974b57f3adcabfb487ff17c653dffb3c68345f0efdd0

SHA512
fcd588442387c926a9a51de75365b192e9d12d2618a62a0c2c5a581a5ec945107a851f124bf4c32a8b781fcc70227645bf5cb0b24a480d2023e77010f31b91a1

Download Submit
C:\Windows\Temp\ip.txt

Filesize
5KB

MD5
cef9f9ce654d3acd9c2b63447731cca6

SHA1
d1c49e1e180735d1d5ecae48dffba8980ecf2483

SHA256
0d9853995cf4f0e1e32667bb83ad001e4a9e78ba1f4c79f56b3a221fc2449b91

SHA512
1a7765229e5411cf2a2b4f60d29ef53bb1ed0fed9b3f67b1b60e05c77e6e1b07659bf2ecc7fc30cddfa69175ab55d0c83c257b640fe6f53f7169b9f33111fb6f

Download Submit
C:\Windows\Temp\ip.txt

Filesize
110B

MD5
e6f75eaafc8747e47cb793189e2444da

SHA1
d034a1224e3a0f3827ae47a02e620290a584756b

SHA256
f0f9345004675da05fb13bcfabced89b83136e65314c38858b5da4c8e04ac8ea

SHA512
39199bb1b3b2007cd6d995cefd2eb7fb87241d95168b8324a61546e48606f3d54657266347b74c4c9d9ae5d67652f107cafe74002e281d7ec5f74d702cef9aac

Download Submit
C:\Windows\Temp\ip.txt

Filesize
581B

MD5
7391b868f969b9f5db63f9e5631f1b2b

SHA1
0f82e50c87482684b6e9b2a347454153e52873f1

SHA256
80b132c6f8358a8f54b2c2943e11c02bc27ff70ade4822d28f97f2accec96a8a

SHA512
054348805c7e9d0e126f44751ccc36c077c5942e9cd948f58cc7ca9b08e5d7a42ca3240bfb83fb87430124cce4d52f83a8a2f681a60ad5432700d5baac89e48e

Download Submit
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll

Filesize
9.5MB

MD5
93961b2f88fed8655ea1ed008d6c15be

SHA1
5a55551af9867e077b48ccd5baebd2ef6f612f72

SHA256
127aa5d9f1b4e006939e02df75aef887f3c6ea82544ee739d3db7e8a321590c6

SHA512
1e6fbc4a691f4931c106d585bfde7ef448f68e348f26270b70ff529c6549e9e4bf164502d6a56b87f94c0afbe7fffe39b64a53501c2560423b71d92323abcbba

Download Submit
\Users\Admin\AppData\Roaming\GraphicsPerfSvcs.dll

Filesize
8.1MB

MD5
3ab5f580d1409d2a3c6a07bb19edf385

SHA1
ef1129ab5a7799b1c4ea995438f701615e02d1b7

SHA256
7645b760d8143e612b269b3cb1359bbef5ce30717d0899b2e4979d6705a2d563

SHA512
844a539254dd3954943b88e8002ba2fc6bd9f63070f8df1af6a6c13e02e38103caf1f147d20e05fdc3198481c1cd0f26680f034c5b4464f276766f209daf637a

Download Submit
\Windows\Temp\Wmicc.exe

Filesize
1.4MB

MD5
4935b75f2a23d38527cf3821c9d9dac3

SHA1
f17aa56215ab7b90da00f048fe30d39a2d671b5d

SHA256
dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8

SHA512
348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd

Download Submit
\Windows\Temp\coli-0.dll

Filesize
15KB

MD5
3c2fe2dbdf09cfa869344fdb53307cb2

SHA1
b67a8475e6076a24066b7cb6b36d307244bb741f

SHA256
0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887

SHA512
d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c

Download Submit
\Windows\Temp\exma-1.dll

Filesize
10KB

MD5
ba629216db6cf7c0c720054b0c9a13f3

SHA1
37bb800b2bb812d4430e2510f14b5b717099abaa

SHA256
15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9

SHA512
c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9

Download Submit
\Windows\Temp\libxml2.dll

Filesize
807KB

MD5
9a5cec05e9c158cbc51cdc972693363d

SHA1
ca4d1bb44c64a85871944f3913ca6ccddfa2dc04

SHA256
aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3

SHA512
8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94

Download Submit
\Windows\Temp\posh-0.dll

Filesize
11KB

MD5
2f0a52ce4f445c6e656ecebbcaceade5

SHA1
35493e06b0b2cdab2211c0fc02286f45d5e2606d

SHA256
cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb

SHA512
88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1

Download Submit
\Windows\Temp\tibe-2.dll

Filesize
232KB

MD5
f0881d5a7f75389deba3eff3f4df09ac

SHA1
8404f2776fa8f7f8eaffb7a1859c19b0817b147a

SHA256
ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362

SHA512
f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e

Download Submit
\Windows\Temp\trfo-2.dll

Filesize
29KB

MD5
3e89c56056e5525bf4d9e52b28fbbca7

SHA1
08f93ab25190a44c4e29bee5e8aacecc90dab80c

SHA256
b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa

SHA512
32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6

Download Submit
\Windows\Temp\tucl-1.dll

Filesize
9KB

MD5
83076104ae977d850d1e015704e5730a

SHA1
776e7079734bc4817e3af0049f42524404a55310

SHA256
cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12

SHA512
bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8

Download Submit
\Windows\Temp\ucl.dll

Filesize
57KB

MD5
6b7276e4aa7a1e50735d2f6923b40de4

SHA1
db8603ac6cac7eb3690f67af7b8d081aa9ce3075

SHA256
f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a

SHA512
58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa

Download Submit
memory/1112-13647-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1112-13645-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1112-13654-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1112-13646-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1112-13649-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1112-13651-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1112-13652-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-56-0x0000000002F00000-0x0000000003825000-memory.dmp

Filesize
9.1MB

Download
memory/2488-13636-0x0000000002F00000-0x00000000046F5000-memory.dmp

Filesize
24.0MB

Download
memory/2488-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-29-0x0000000002F00000-0x0000000003825000-memory.dmp

Filesize
9.1MB

Download
memory/2488-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-13634-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-13638-0x0000000002F00000-0x00000000046F5000-memory.dmp

Filesize
24.0MB

Download
memory/2488-27-0x0000000002F00000-0x0000000003825000-memory.dmp

Filesize
9.1MB

Download
memory/2524-13639-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/2524-13643-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/2596-8704-0x00000000000E0000-0x00000000000F1000-memory.dmp

Filesize
68KB

Download
memory/2784-28-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2784-13621-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2784-13618-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2784-13615-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2784-57-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2784-8685-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2784-13527-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/3588-13602-0x0000000000120000-0x0000000000131000-memory.dmp

Filesize
68KB

Download