blackmoon | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934cc

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
Size

1.8MB
MD5

10a99d00159dcd34d509a3f1014d20d0
SHA1

af060b8c9712beb1f9be5d326ea80751a0ff52d7
SHA256

a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934cc
SHA512

975e4814453c9f616618e41a424c27f378b9ebb94cc34afd2c27655c061eb2d6032f39796777da28655f7fd7fb560cedc862d4065a79488b754c2556c7a483e4
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/404-4-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/4888-12-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/2792-29-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/4948-31-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4948-45-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4948-75-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4948-99-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4948-107-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/2792-110-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

Processes:

aiyerc.exeaiyerc.exe9524767869157995.exeuin77.exeebe697a1.exeuin77.exee591202a.exeuin77.exeef5cbaa2.exeuin77.exee42ef748.exeuin77.exeeed981c1.exeuin77.exee9931b3a.exeuin77.exeed6648e0.exeuin77.exef820d269.exeuin77.exef2db7bd2.exeuin77.exef7ada988.exeuin77.exef16832f1.exeuin77.exef0af1e98.exe

pid	process
4888	aiyerc.exe
2792	aiyerc.exe
4948	9524767869157995.exe
1088	uin77.exe
3736	ebe697a1.exe
2704	uin77.exe
4672	e591202a.exe
4760	uin77.exe
3124	ef5cbaa2.exe
836	uin77.exe
1408	e42ef748.exe
3136	uin77.exe
1712	eed981c1.exe
3140	uin77.exe
1500	e9931b3a.exe
2700	uin77.exe
2088	ed6648e0.exe
2336	uin77.exe
2944	f820d269.exe
1940	uin77.exe
3260	f2db7bd2.exe
4908	uin77.exe
2696	f7ada988.exe
2520	uin77.exe
1188	f16832f1.exe
1292	uin77.exe
4764	f0af1e98.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
defense_evasion

Clear Persistence
T1070.009

Processes:

cmd.execmd.execmd.execmd.exe

pid process

2156 cmd.exe
2928 cmd.exe
4848 cmd.exe
1144 cmd.exe

pid	process
2156	cmd.exe
2928	cmd.exe
4848	cmd.exe
1144	cmd.exe

Drops file in System32 directory 4 IoCs

Processes:

aiyerc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	aiyerc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	aiyerc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	aiyerc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	aiyerc.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/404-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/404-4-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
C:\Windows\Fonts\zbgcual\aiyerc.exe	upx
behavioral2/memory/4888-12-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
C:\Windows\Temp\9524767869157995.exe	upx
behavioral2/memory/4948-15-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/2792-29-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/4948-31-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4948-45-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4948-75-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4948-99-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4948-107-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/2792-110-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

Processes:

aiyerc.exea03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe

description	ioc	process
File created	\??\c:\windows\fonts\emhiuc\masp.exe	aiyerc.exe
File created	\??\c:\windows\fonts\cxusbz\zscpvf.exe	aiyerc.exe
File created	\??\c:\windows\fonts\zbgcual\aiyerc.exe	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
File opened for modification	\??\c:\windows\fonts\zbgcual\aiyerc.exe	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3104 2792 WerFault.exe aiyerc.exe

pid	pid_target	process	target process
3104	2792	WerFault.exe	aiyerc.exe

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

uin77.execmd.exeuin77.exe9524767869157995.exeuin77.execmd.exeWMIC.exeuin77.exeuin77.exeWMIC.exeuin77.exeWMIC.exeWMIC.exeuin77.exeschtasks.exea03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.execmd.exeWMIC.exeuin77.exeschtasks.exeaiyerc.exeWMIC.execmd.exeschtasks.exeWMIC.exeuin77.execmd.exePING.EXEschtasks.exeWMIC.execmd.exeuin77.exeaiyerc.execmd.exeuin77.exeWMIC.exeWMIC.exeWMIC.execmd.exeuin77.exeWMIC.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9524767869157995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aiyerc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aiyerc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

5036 cmd.exe
2352 PING.EXE

pid	process
5036	cmd.exe
2352	PING.EXE

Modifies data under HKEY_USERS 8 IoCs

Processes:

aiyerc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	aiyerc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	aiyerc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	aiyerc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	aiyerc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	aiyerc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	aiyerc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	aiyerc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	aiyerc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2352 PING.EXE

pid	process
2352	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exeaiyerc.exeaiyerc.exeuin77.exeebe697a1.exeuin77.exee591202a.exeuin77.exeef5cbaa2.exe9524767869157995.exe

pid	process
404	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
404	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
4888	aiyerc.exe
4888	aiyerc.exe
2792	aiyerc.exe
2792	aiyerc.exe
1088	uin77.exe
1088	uin77.exe
1088	uin77.exe
1088	uin77.exe
3736	ebe697a1.exe
3736	ebe697a1.exe
3736	ebe697a1.exe
3736	ebe697a1.exe
2704	uin77.exe
2704	uin77.exe
2704	uin77.exe
2704	uin77.exe
4672	e591202a.exe
4672	e591202a.exe
4672	e591202a.exe
4672	e591202a.exe
4760	uin77.exe
4760	uin77.exe
4760	uin77.exe
4760	uin77.exe
3124	ef5cbaa2.exe
3124	ef5cbaa2.exe
3124	ef5cbaa2.exe
3124	ef5cbaa2.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe
4948	9524767869157995.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe

pid process

404 a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exeaiyerc.exeaiyerc.exeuin77.exeWMIC.exeebe697a1.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	404	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
Token: SeDebugPrivilege	4888	aiyerc.exe
Token: SeDebugPrivilege	2792	aiyerc.exe
Token: SeDebugPrivilege	1088	uin77.exe
Token: SeAssignPrimaryTokenPrivilege	3520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3520	WMIC.exe
Token: SeSecurityPrivilege	3520	WMIC.exe
Token: SeTakeOwnershipPrivilege	3520	WMIC.exe
Token: SeLoadDriverPrivilege	3520	WMIC.exe
Token: SeSystemtimePrivilege	3520	WMIC.exe
Token: SeBackupPrivilege	3520	WMIC.exe
Token: SeRestorePrivilege	3520	WMIC.exe
Token: SeShutdownPrivilege	3520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3520	WMIC.exe
Token: SeUndockPrivilege	3520	WMIC.exe
Token: SeManageVolumePrivilege	3520	WMIC.exe
Token: SeDebugPrivilege	3736	ebe697a1.exe
Token: SeAssignPrimaryTokenPrivilege	3520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3520	WMIC.exe
Token: SeSecurityPrivilege	3520	WMIC.exe
Token: SeTakeOwnershipPrivilege	3520	WMIC.exe
Token: SeLoadDriverPrivilege	3520	WMIC.exe
Token: SeSystemtimePrivilege	3520	WMIC.exe
Token: SeBackupPrivilege	3520	WMIC.exe
Token: SeRestorePrivilege	3520	WMIC.exe
Token: SeShutdownPrivilege	3520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3520	WMIC.exe
Token: SeUndockPrivilege	3520	WMIC.exe
Token: SeManageVolumePrivilege	3520	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4992	WMIC.exe
Token: SeSecurityPrivilege	4992	WMIC.exe
Token: SeTakeOwnershipPrivilege	4992	WMIC.exe
Token: SeLoadDriverPrivilege	4992	WMIC.exe
Token: SeSystemtimePrivilege	4992	WMIC.exe
Token: SeBackupPrivilege	4992	WMIC.exe
Token: SeRestorePrivilege	4992	WMIC.exe
Token: SeShutdownPrivilege	4992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4992	WMIC.exe
Token: SeUndockPrivilege	4992	WMIC.exe
Token: SeManageVolumePrivilege	4992	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4992	WMIC.exe
Token: SeSecurityPrivilege	4992	WMIC.exe
Token: SeTakeOwnershipPrivilege	4992	WMIC.exe
Token: SeLoadDriverPrivilege	4992	WMIC.exe
Token: SeSystemtimePrivilege	4992	WMIC.exe
Token: SeBackupPrivilege	4992	WMIC.exe
Token: SeRestorePrivilege	4992	WMIC.exe
Token: SeShutdownPrivilege	4992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4992	WMIC.exe
Token: SeUndockPrivilege	4992	WMIC.exe
Token: SeManageVolumePrivilege	4992	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exeaiyerc.exeaiyerc.exe9524767869157995.exe

pid process

404 a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
4888 aiyerc.exe
2792 aiyerc.exe
4948 9524767869157995.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.execmd.exeaiyerc.exe9524767869157995.execmd.execmd.exeuin77.exeuin77.exeuin77.execmd.execmd.exeuin77.exe

description	pid	process	target process
PID 404 wrote to memory of 5036	404	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe	cmd.exe
PID 404 wrote to memory of 5036	404	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe	cmd.exe
PID 404 wrote to memory of 5036	404	a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe	cmd.exe
PID 5036 wrote to memory of 2352	5036	cmd.exe	PING.EXE
PID 5036 wrote to memory of 2352	5036	cmd.exe	PING.EXE
PID 5036 wrote to memory of 2352	5036	cmd.exe	PING.EXE
PID 5036 wrote to memory of 4888	5036	cmd.exe	aiyerc.exe
PID 5036 wrote to memory of 4888	5036	cmd.exe	aiyerc.exe
PID 5036 wrote to memory of 4888	5036	cmd.exe	aiyerc.exe
PID 2792 wrote to memory of 4948	2792	aiyerc.exe	9524767869157995.exe
PID 2792 wrote to memory of 4948	2792	aiyerc.exe	9524767869157995.exe
PID 2792 wrote to memory of 4948	2792	aiyerc.exe	9524767869157995.exe
PID 4948 wrote to memory of 2156	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 2156	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 2156	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 2032	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 2032	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 2032	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 1088	4948	9524767869157995.exe	uin77.exe
PID 4948 wrote to memory of 1088	4948	9524767869157995.exe	uin77.exe
PID 4948 wrote to memory of 1088	4948	9524767869157995.exe	uin77.exe
PID 2156 wrote to memory of 2452	2156	cmd.exe	schtasks.exe
PID 2156 wrote to memory of 2452	2156	cmd.exe	schtasks.exe
PID 2156 wrote to memory of 2452	2156	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 3520	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 3520	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 3520	2032	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 3736	1088	uin77.exe	ebe697a1.exe
PID 1088 wrote to memory of 3736	1088	uin77.exe	ebe697a1.exe
PID 2032 wrote to memory of 4992	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 4992	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 4992	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 208	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 208	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 208	2032	cmd.exe	WMIC.exe
PID 4948 wrote to memory of 2704	4948	9524767869157995.exe	uin77.exe
PID 4948 wrote to memory of 2704	4948	9524767869157995.exe	uin77.exe
PID 4948 wrote to memory of 2704	4948	9524767869157995.exe	uin77.exe
PID 2704 wrote to memory of 4672	2704	uin77.exe	e591202a.exe
PID 2704 wrote to memory of 4672	2704	uin77.exe	e591202a.exe
PID 4948 wrote to memory of 4760	4948	9524767869157995.exe	uin77.exe
PID 4948 wrote to memory of 4760	4948	9524767869157995.exe	uin77.exe
PID 4948 wrote to memory of 4760	4948	9524767869157995.exe	uin77.exe
PID 4760 wrote to memory of 3124	4760	uin77.exe	ef5cbaa2.exe
PID 4760 wrote to memory of 3124	4760	uin77.exe	ef5cbaa2.exe
PID 4948 wrote to memory of 2928	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 2928	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 2928	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 3580	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 3580	4948	9524767869157995.exe	cmd.exe
PID 4948 wrote to memory of 3580	4948	9524767869157995.exe	cmd.exe
PID 2928 wrote to memory of 2400	2928	cmd.exe	schtasks.exe
PID 2928 wrote to memory of 2400	2928	cmd.exe	schtasks.exe
PID 2928 wrote to memory of 2400	2928	cmd.exe	schtasks.exe
PID 4948 wrote to memory of 836	4948	9524767869157995.exe	uin77.exe
PID 4948 wrote to memory of 836	4948	9524767869157995.exe	uin77.exe
PID 4948 wrote to memory of 836	4948	9524767869157995.exe	uin77.exe
PID 3580 wrote to memory of 4588	3580	cmd.exe	WMIC.exe
PID 3580 wrote to memory of 4588	3580	cmd.exe	WMIC.exe
PID 3580 wrote to memory of 4588	3580	cmd.exe	WMIC.exe
PID 836 wrote to memory of 1408	836	uin77.exe	e42ef748.exe
PID 836 wrote to memory of 1408	836	uin77.exe	e42ef748.exe
PID 3580 wrote to memory of 5012	3580	cmd.exe	WMIC.exe
PID 3580 wrote to memory of 5012	3580	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
"C:\Users\Admin\AppData\Local\Temp\a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\zbgcual\aiyerc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2352
- - \??\c:\windows\fonts\zbgcual\aiyerc.exe
    c:\windows\fonts\zbgcual\aiyerc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4888

\??\c:\windows\fonts\zbgcual\aiyerc.exe
c:\windows\fonts\zbgcual\aiyerc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\TEMP\9524767869157995.exe
  C:\Windows\TEMP\9524767869157995.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN uxiwd /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN uxiwd /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3520
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:208
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\TEMP\ebe697a1.exe
      "C:\Windows\TEMP\ebe697a1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3736
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\TEMP\e591202a.exe
      "C:\Windows\TEMP\e591202a.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4672
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\TEMP\ef5cbaa2.exe
      "C:\Windows\TEMP\ef5cbaa2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN uxiwd /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN uxiwd /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:5012
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:540
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\TEMP\e42ef748.exe
      "C:\Windows\TEMP\e42ef748.exe"
      4⤵
      Executes dropped EXE
      PID:1408
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3136
  - - C:\Windows\TEMP\eed981c1.exe
      "C:\Windows\TEMP\eed981c1.exe"
      4⤵
      Executes dropped EXE
      PID:1712
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3140
  - - C:\Windows\TEMP\e9931b3a.exe
      "C:\Windows\TEMP\e9931b3a.exe"
      4⤵
      Executes dropped EXE
      PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN uxiwd /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:4848
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN uxiwd /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3428
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:5020
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1584
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2700
  - - C:\Windows\TEMP\ed6648e0.exe
      "C:\Windows\TEMP\ed6648e0.exe"
      4⤵
      Executes dropped EXE
      PID:2088
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2336
  - - C:\Windows\TEMP\f820d269.exe
      "C:\Windows\TEMP\f820d269.exe"
      4⤵
      Executes dropped EXE
      PID:2944
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1940
  - - C:\Windows\TEMP\f2db7bd2.exe
      "C:\Windows\TEMP\f2db7bd2.exe"
      4⤵
      Executes dropped EXE
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN mcfga /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1144
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN mcfga /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuh" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="gifxc" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuh'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuh" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2096
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="gifxc" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4664
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuh'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1172
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4908
  - - C:\Windows\TEMP\f7ada988.exe
      "C:\Windows\TEMP\f7ada988.exe"
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2520
  - - C:\Windows\TEMP\f16832f1.exe
      "C:\Windows\TEMP\f16832f1.exe"
      4⤵
      Executes dropped EXE
      PID:1188
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1292
  - - C:\Windows\TEMP\f0af1e98.exe
      "C:\Windows\TEMP\f0af1e98.exe"
      4⤵
      Executes dropped EXE
      PID:4764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1320
  2⤵
  - Program crash
  PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2792 -ip 2792
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\zbgcual\aiyerc.exe

Filesize
1.9MB

MD5
9ea4edda1065338bb156dcd194ca88c4

SHA1
c1b6332e599598f17d526dfec1f2856bcbe384b3

SHA256
6b53b110fb78cc9ca8fa926ad813093a85c4f8e0370cfe53d784b1f47728e4fd

SHA512
a9a2ec5da90d0e36329f6ddb35566649f73a930b527461a0196be71f537361f0859aa207f7eb6f54a75e212e9ff72af5e8ffa6469897f422c5555e0b7f3e43ae

Download Submit
C:\Windows\Temp\9524767869157995.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
C:\Windows\Temp\ebe697a1.exe

Filesize
95KB

MD5
3252c16698f0c40568b763883db23340

SHA1
9fcf4caa07eaacbad82cb1ab568edccb67e22a64

SHA256
9bbe7be11559f22d2b40de1852cc01099fb8f92c16250603fa9c91131fe7ed43

SHA512
f16daaabbde38ce9404450ab7583e04182ab66073f61c5a119b3727359600e316c809f12d6c699caca694de226a9f40e215b9a9b51b9a68d19e0b623085df433

Download Submit
C:\Windows\Temp\ed6648e0.exe

Filesize
95KB

MD5
ad408ec223eeba676b45db36d9f32f24

SHA1
5b0e4960ce304f2b76449935f3902938c8ceabaf

SHA256
c2553337ef365b6c0dd8b28912fd7d8f47171638e9b53006e7e333d40c867176

SHA512
f49edfc0549b4cbfda5bff6e80bbfa0af008aafe806e6d9b75ea25a425d8c4acb9d8a7fe81ba027d041f3410fc1dbaed8a1a05d9d4a7235050187a266fb0e338

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
55c07884fbcb97ef0be93aff9dc21a62

SHA1
0d32041d6f7f37e1e3934831b0de4297a3932132

SHA256
13bcabbc8ea661deb9fa5b7289ece6b9e59eb267abae2f68aa597c7489e3abae

SHA512
ae2400b0829dda3a08fe8a9d224921fc32b1caf9f6197d40a72b061940dda4c249c29f85e772adee4c00b290c93cb9598853b019af41007e524aa5b05d36cee4

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
42eb1bd3fe1c9944241edd49652a6345

SHA1
4907f7a130dc79f774ee4a3f9c42b99cf9479359

SHA256
6befde74b572da96ab1eeba04e4ce0d30789218e80c3c290478cb35b9d173e5f

SHA512
5d01da5738301c99a29ac25e46c472c3d5c25da68c54961aeec3f592c1f2f677a4764e832827ca1f3240ba99d500c2bde8206ecc77e0ddc7d0cca20cd254efb1

Download Submit
memory/404-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/404-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2792-110-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2792-29-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4888-12-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4948-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4948-31-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4948-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4948-99-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4948-107-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4948-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download