blackmoon | 6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
Size

2.1MB
MD5

31dd29ec3ac91d92e2cbe3c1c9f58240
SHA1

afbfa2285bdab52a34226fdf86cde3ad13370303
SHA256

6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357b
SHA512

e908f4c20612b3f29f806c60a7f3a76c8e5b6138a18df30feefcb146e9e76dcea2dc653f0d7bb53c356cb16db1ee9842e6964fa27cbbd122b5bbe9922e0efee4
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 9 IoCs

resource	yara_rule
behavioral1/memory/2372-4-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/2492-11-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/264-22-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/2196-42-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/2196-43-0x0000000000B60000-0x0000000000BEC000-memory.dmp	family_blackmoon
behavioral1/memory/264-44-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/264-68-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/264-154-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/2196-160-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

pid	Process
2492	dwuoia.exe
2196	dwuoia.exe
264	9211179932460464.exe
2308	uin77.exe
2696	f740976a.exe
2364	uin77.exe
2808	f1fb20e3.exe
1640	uin77.exe
2316	fbb5ba5c.exe
1400	uin77.exe
2672	fbfca6e3.exe
2220	uin77.exe
3040	f5b73f6c.exe
1856	uin77.exe
1512	f4fd1bf3.exe
1260	uin77.exe
1360	f444f68b.exe
2176	uin77.exe
2448	fefe8004.exe
952	uin77.exe
3016	f8b9297c.exe
2856	uin77.exe
2500	f8f00514.exe
2728	uin77.exe
2736	f2ba9e8d.exe
2628	uin77.exe
2588	fc652806.exe

Loads dropped DLL 30 IoCs

pid	Process
1808	cmd.exe
1808	cmd.exe
2196	dwuoia.exe
2196	dwuoia.exe
264	9211179932460464.exe
2308	uin77.exe
264	9211179932460464.exe
2364	uin77.exe
264	9211179932460464.exe
1640	uin77.exe
264	9211179932460464.exe
1400	uin77.exe
264	9211179932460464.exe
2220	uin77.exe
264	9211179932460464.exe
1856	uin77.exe
264	9211179932460464.exe
1260	uin77.exe
264	9211179932460464.exe
2176	uin77.exe
264	9211179932460464.exe
952	uin77.exe
264	9211179932460464.exe
2856	uin77.exe
264	9211179932460464.exe
2728	uin77.exe
264	9211179932460464.exe
2628	uin77.exe
844	WerFault.exe
844	WerFault.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
2780	cmd.exe
1912	cmd.exe
1052	cmd.exe
2056	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	dwuoia.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-4-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2372-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/files/0x000800000001739a-5.dat	upx
behavioral1/memory/2492-11-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/264-22-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/files/0x0007000000017403-13.dat	upx
behavioral1/memory/2196-20-0x0000000000B60000-0x0000000000BEC000-memory.dmp	upx
behavioral1/memory/2196-42-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/264-44-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/264-68-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/264-154-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2196-160-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\elhufj\djlmfp.exe	dwuoia.exe
File created	\??\c:\windows\fonts\chzedr\frhiub.exe	dwuoia.exe
File created	\??\c:\windows\fonts\nvbceq\dwuoia.exe	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
File opened for modification	\??\c:\windows\fonts\nvbceq\dwuoia.exe	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
844	2196	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwuoia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9211179932460464.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2856	PING.EXE
1808	cmd.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	dwuoia.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dwuoia.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	dwuoia.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	dwuoia.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadNetworkName = "Network 3"	dwuoia.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dwuoia.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dwuoia.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	dwuoia.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3\WpadDecisionReason = "1"	dwuoia.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3\WpadDecisionTime = 306a1af26a52db01	dwuoia.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3\WpadDecision = "0"	dwuoia.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dwuoia.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dwuoia.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}	dwuoia.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadDecisionReason = "1"	dwuoia.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadDecisionTime = 306a1af26a52db01	dwuoia.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dwuoia.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	dwuoia.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dwuoia.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadDecision = "0"	dwuoia.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	dwuoia.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	dwuoia.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3	dwuoia.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\ea-46-17-3d-55-f3	dwuoia.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2856	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
2492	dwuoia.exe
2196	dwuoia.exe
2308	uin77.exe
2308	uin77.exe
2308	uin77.exe
2308	uin77.exe
2696	f740976a.exe
2696	f740976a.exe
2696	f740976a.exe
2696	f740976a.exe
2364	uin77.exe
2364	uin77.exe
2364	uin77.exe
2364	uin77.exe
2808	f1fb20e3.exe
2808	f1fb20e3.exe
2808	f1fb20e3.exe
2808	f1fb20e3.exe
1640	uin77.exe
1640	uin77.exe
1640	uin77.exe
1640	uin77.exe
2316	fbb5ba5c.exe
2316	fbb5ba5c.exe
2316	fbb5ba5c.exe
2316	fbb5ba5c.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
264	9211179932460464.exe
1400	uin77.exe
1400	uin77.exe
1400	uin77.exe
1400	uin77.exe
2672	fbfca6e3.exe
2672	fbfca6e3.exe
2672	fbfca6e3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2372	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
Token: SeDebugPrivilege	2492	dwuoia.exe
Token: SeDebugPrivilege	2196	dwuoia.exe
Token: SeDebugPrivilege	2308	uin77.exe
Token: SeDebugPrivilege	2696	f740976a.exe
Token: SeAssignPrimaryTokenPrivilege	2596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2576	WMIC.exe
Token: SeSecurityPrivilege	2576	WMIC.exe
Token: SeTakeOwnershipPrivilege	2576	WMIC.exe
Token: SeLoadDriverPrivilege	2576	WMIC.exe
Token: SeSystemtimePrivilege	2576	WMIC.exe
Token: SeBackupPrivilege	2576	WMIC.exe
Token: SeRestorePrivilege	2576	WMIC.exe
Token: SeShutdownPrivilege	2576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2576	WMIC.exe
Token: SeUndockPrivilege	2576	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2372	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
2492	dwuoia.exe
2196	dwuoia.exe
264	9211179932460464.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1808	2372	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe	30
PID 2372 wrote to memory of 1808	2372	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe	30
PID 2372 wrote to memory of 1808	2372	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe	30
PID 2372 wrote to memory of 1808	2372	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe	30
PID 1808 wrote to memory of 2856	1808	cmd.exe	32
PID 1808 wrote to memory of 2856	1808	cmd.exe	32
PID 1808 wrote to memory of 2856	1808	cmd.exe	32
PID 1808 wrote to memory of 2856	1808	cmd.exe	32
PID 1808 wrote to memory of 2492	1808	cmd.exe	34
PID 1808 wrote to memory of 2492	1808	cmd.exe	34
PID 1808 wrote to memory of 2492	1808	cmd.exe	34
PID 1808 wrote to memory of 2492	1808	cmd.exe	34
PID 2196 wrote to memory of 264	2196	dwuoia.exe	36
PID 2196 wrote to memory of 264	2196	dwuoia.exe	36
PID 2196 wrote to memory of 264	2196	dwuoia.exe	36
PID 2196 wrote to memory of 264	2196	dwuoia.exe	36
PID 264 wrote to memory of 2780	264	9211179932460464.exe	37
PID 264 wrote to memory of 2780	264	9211179932460464.exe	37
PID 264 wrote to memory of 2780	264	9211179932460464.exe	37
PID 264 wrote to memory of 2780	264	9211179932460464.exe	37
PID 264 wrote to memory of 2784	264	9211179932460464.exe	38
PID 264 wrote to memory of 2784	264	9211179932460464.exe	38
PID 264 wrote to memory of 2784	264	9211179932460464.exe	38
PID 264 wrote to memory of 2784	264	9211179932460464.exe	38
PID 2780 wrote to memory of 2956	2780	cmd.exe	41
PID 2780 wrote to memory of 2956	2780	cmd.exe	41
PID 2780 wrote to memory of 2956	2780	cmd.exe	41
PID 2780 wrote to memory of 2956	2780	cmd.exe	41
PID 264 wrote to memory of 2308	264	9211179932460464.exe	42
PID 264 wrote to memory of 2308	264	9211179932460464.exe	42
PID 264 wrote to memory of 2308	264	9211179932460464.exe	42
PID 264 wrote to memory of 2308	264	9211179932460464.exe	42
PID 2308 wrote to memory of 2696	2308	uin77.exe	43
PID 2308 wrote to memory of 2696	2308	uin77.exe	43
PID 2308 wrote to memory of 2696	2308	uin77.exe	43
PID 2308 wrote to memory of 2696	2308	uin77.exe	43
PID 2784 wrote to memory of 2596	2784	cmd.exe	44
PID 2784 wrote to memory of 2596	2784	cmd.exe	44
PID 2784 wrote to memory of 2596	2784	cmd.exe	44
PID 2784 wrote to memory of 2596	2784	cmd.exe	44
PID 2784 wrote to memory of 2620	2784	cmd.exe	45
PID 2784 wrote to memory of 2620	2784	cmd.exe	45
PID 2784 wrote to memory of 2620	2784	cmd.exe	45
PID 2784 wrote to memory of 2620	2784	cmd.exe	45
PID 2784 wrote to memory of 2576	2784	cmd.exe	46
PID 2784 wrote to memory of 2576	2784	cmd.exe	46
PID 2784 wrote to memory of 2576	2784	cmd.exe	46
PID 2784 wrote to memory of 2576	2784	cmd.exe	46
PID 264 wrote to memory of 2364	264	9211179932460464.exe	47
PID 264 wrote to memory of 2364	264	9211179932460464.exe	47
PID 264 wrote to memory of 2364	264	9211179932460464.exe	47
PID 264 wrote to memory of 2364	264	9211179932460464.exe	47
PID 2364 wrote to memory of 2808	2364	uin77.exe	48
PID 2364 wrote to memory of 2808	2364	uin77.exe	48
PID 2364 wrote to memory of 2808	2364	uin77.exe	48
PID 2364 wrote to memory of 2808	2364	uin77.exe	48
PID 264 wrote to memory of 1640	264	9211179932460464.exe	49
PID 264 wrote to memory of 1640	264	9211179932460464.exe	49
PID 264 wrote to memory of 1640	264	9211179932460464.exe	49
PID 264 wrote to memory of 1640	264	9211179932460464.exe	49
PID 1640 wrote to memory of 2316	1640	uin77.exe	50
PID 1640 wrote to memory of 2316	1640	uin77.exe	50
PID 1640 wrote to memory of 2316	1640	uin77.exe	50
PID 1640 wrote to memory of 2316	1640	uin77.exe	50

C:\Users\Admin\AppData\Local\Temp\6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
"C:\Users\Admin\AppData\Local\Temp\6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\nvbceq\dwuoia.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2856
- - \??\c:\windows\fonts\nvbceq\dwuoia.exe
    c:\windows\fonts\nvbceq\dwuoia.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2492

\??\c:\windows\fonts\nvbceq\dwuoia.exe
c:\windows\fonts\nvbceq\dwuoia.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\TEMP\9211179932460464.exe
  C:\Windows\TEMP\9211179932460464.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN zgdif /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN zgdif /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dfev" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="bcnz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dfev'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dfev" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2596
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="bcnz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2620
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dfev'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2576
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\TEMP\f740976a.exe
      "C:\Windows\TEMP\f740976a.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2696
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\TEMP\f1fb20e3.exe
      "C:\Windows\TEMP\f1fb20e3.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2808
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\TEMP\fbb5ba5c.exe
      "C:\Windows\TEMP\fbb5ba5c.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN zgdif /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1912
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN zgdif /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dfev" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="bcnz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dfev'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1236
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dfev" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="bcnz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1516
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dfev'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1400
  - - C:\Windows\TEMP\fbfca6e3.exe
      "C:\Windows\TEMP\fbfca6e3.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2672
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2220
  - - C:\Windows\TEMP\f5b73f6c.exe
      "C:\Windows\TEMP\f5b73f6c.exe"
      4⤵
      Executes dropped EXE
      PID:3040
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1856
  - - C:\Windows\TEMP\f4fd1bf3.exe
      "C:\Windows\TEMP\f4fd1bf3.exe"
      4⤵
      Executes dropped EXE
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN zgdif /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1052
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN zgdif /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dfev" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="bcnz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dfev'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dfev" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="bcnz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1704
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dfev'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2552
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1260
  - - C:\Windows\TEMP\f444f68b.exe
      "C:\Windows\TEMP\f444f68b.exe"
      4⤵
      Executes dropped EXE
      PID:1360
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2176
  - - C:\Windows\TEMP\fefe8004.exe
      "C:\Windows\TEMP\fefe8004.exe"
      4⤵
      Executes dropped EXE
      PID:2448
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:952
  - - C:\Windows\TEMP\f8b9297c.exe
      "C:\Windows\TEMP\f8b9297c.exe"
      4⤵
      Executes dropped EXE
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN axvu /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:2056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN axvu /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="prmqxa" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="rayu" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='prmqxa'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="prmqxa" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="rayu" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2084
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='prmqxa'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2856
  - - C:\Windows\TEMP\f8f00514.exe
      "C:\Windows\TEMP\f8f00514.exe"
      4⤵
      Executes dropped EXE
      PID:2500
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2728
  - - C:\Windows\TEMP\f2ba9e8d.exe
      "C:\Windows\TEMP\f2ba9e8d.exe"
      4⤵
      Executes dropped EXE
      PID:2736
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2628
  - - C:\Windows\TEMP\fc652806.exe
      "C:\Windows\TEMP\fc652806.exe"
      4⤵
      Executes dropped EXE
      PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 792
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\f444f68b.exe

Filesize
95KB

MD5
91f0d00a0c598c304667ab2d8d03e060

SHA1
33ae82fbfa62ad35b42180c0a1bb9e5fb51f2e5a

SHA256
be115e5ec4e824fe31088f98742699b883ce8dcca406f043445e5173bf09e019

SHA512
802d5421a962b4df541a4d9bb098366866050abc0abbdea0da9e36b589a682622cd42b2c7c6a16fb0f473ddcc577a35b30eb9edc5014a50f53014aca9e0fddf5

Download Submit
C:\Windows\Temp\f740976a.exe

Filesize
95KB

MD5
6f331aaa1ecc93421fd388687ec77388

SHA1
7575d311605df949af04aec7f65421a6f3fb85de

SHA256
6eb958b4d772777a1f14cc0414ed199aa995a95b9ae3338041036e399303a754

SHA512
4125bea31e2fb167e9485d46fb2331564e2c7744c0c4db31e41d45c01ed47a5fcd0ee1c335af71c78e57286486813c8fc2546b68c88c630ce3a8df4fb06c2f8c

Download Submit
\Windows\Fonts\nvbceq\dwuoia.exe

Filesize
2.1MB

MD5
ca11b59a335ed2de832db2c4216036b4

SHA1
fc5c2fd2d74b3b4e98ff31f5af3e6cf4621b69f5

SHA256
b634bc537ecafcf847ef33dcd720ae260cc56ca072f91947b2e89f5b092dca5f

SHA512
ed607023f620396897fc457a9ef64b24039464b0972ab308c395ee381949fb0907ed8e4049d8c22bd7dacd9f3b11ac98c55f7863a0fb28e5aa0fbc0dd4a8c642

Download Submit
\Windows\Temp\9211179932460464.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
\Windows\Temp\uin77.exe

Filesize
173KB

MD5
6d29bb9b7d54f692771e5b0b132e42ec

SHA1
bbc1416ef3b836af9612c700fa2f64d658fed2b5

SHA256
32531da87b989bb2c7e9421db9fea0e8341f73f4bdc93ff64b30ae77e624ea21

SHA512
a8ebbc18b40aa6f3a0b89df5e481d33812b689175df68b241ba597d191276f3b00d4b5dc73abed281c9b56bb97cbfad268dc1eb73b407d91b3ec2094415f1209

Download Submit
\Windows\Temp\uin77.exe

Filesize
173KB

MD5
5be2182dfb5868535f6e2399d5e45b4f

SHA1
83de2740833388427de4af29bb9bc50ae6d0b4f5

SHA256
16c5a6d878f760c51ad58f45c7eeeb0c61d510736151ea12314031aa2fb4bccc

SHA512
1eec53bebe89bf1cdb56c2bb3234dfaa014a8a80c5447b94f849c0c29b2741c44daeac3277b96ebef2fe983a06a57fad16aa312ab4915f2a1db032e28b3b2be6

Download Submit
memory/264-44-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/264-154-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/264-22-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/264-68-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1808-8-0x00000000022F0000-0x00000000023D6000-memory.dmp

Filesize
920KB

Download
memory/2196-43-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/2196-42-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2196-20-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/2196-21-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/2196-160-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2372-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2372-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2492-11-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download