blackmoon | b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba

Analysis

max time kernel
74s
max time network
74s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
Size

2.8MB
MD5

872174dfea3ac9ff2a3c96ac1602d7ae
SHA1

61477e372556c428bb7c8ff544092b5a9a0b54fc
SHA256

b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba
SHA512

2c665ff14870f2453c54a7a531dca88a83038380a6e7b1494b95c7a9b31424b3d87526a8fa688fa422c20c1a166f8adbd5d730a493235e5274f9ecf3745f67c3
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Yo:fNKl6b8JYgyP8WTGIuhZvPqA

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

resource	yara_rule
behavioral1/memory/1048-5-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/2236-14-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/2920-44-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/2844-47-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/2844-70-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/2844-156-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/2920-162-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

pid	Process
2236	fdvzwa.exe
2920	fdvzwa.exe
2844	7709402874463446.exe
1680	uin77.exe
2744	83684c80.exe
680	uin77.exe
1424	8e23d6f9.exe
1964	uin77.exe
2016	88ee6f72.exe
3048	uin77.exe
2988	87245b09.exe
1568	uin77.exe
448	876b3691.exe
1896	uin77.exe
684	8126c01a.exe
296	uin77.exe
2064	816caba1.exe
2444	uin77.exe
568	8b27351a.exe
1452	uin77.exe
1888	85d2df93.exe
2104	uin77.exe
2696	8528ba2a.exe
2736	uin77.exe
2708	8fd344a3.exe
2692	uin77.exe
2868	899edd1c.exe

Loads dropped DLL 30 IoCs

pid	Process
2612	cmd.exe
2612	cmd.exe
2920	fdvzwa.exe
2920	fdvzwa.exe
2844	7709402874463446.exe
1680	uin77.exe
2844	7709402874463446.exe
680	uin77.exe
2844	7709402874463446.exe
1964	uin77.exe
2844	7709402874463446.exe
3048	uin77.exe
2844	7709402874463446.exe
1568	uin77.exe
2844	7709402874463446.exe
1896	uin77.exe
2844	7709402874463446.exe
296	uin77.exe
2844	7709402874463446.exe
2444	uin77.exe
2844	7709402874463446.exe
1452	uin77.exe
2844	7709402874463446.exe
2104	uin77.exe
2844	7709402874463446.exe
2736	uin77.exe
2844	7709402874463446.exe
2692	uin77.exe
1968	WerFault.exe
1968	WerFault.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1932	cmd.exe
304	cmd.exe
1776	cmd.exe
1048	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	fdvzwa.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1048-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1048-5-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/files/0x0008000000016de8-7.dat	upx
behavioral1/memory/2612-9-0x0000000002420000-0x0000000002506000-memory.dmp	upx
behavioral1/memory/2236-14-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/files/0x0009000000016d6f-15.dat	upx
behavioral1/memory/2844-24-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2920-17-0x0000000001200000-0x000000000128C000-memory.dmp	upx
behavioral1/memory/2920-44-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2920-45-0x0000000001200000-0x000000000128C000-memory.dmp	upx
behavioral1/memory/2844-47-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2844-70-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2844-156-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2920-162-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\zcamvfe\fdvzwa.exe	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
File opened for modification	\??\c:\windows\fonts\zcamvfe\fdvzwa.exe	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
File created	\??\c:\windows\fonts\epmxbc\gjsciae.exe	fdvzwa.exe
File created	\??\c:\windows\fonts\pdrinqf\adxnb.exe	fdvzwa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	2920	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7709402874463446.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdvzwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2612	cmd.exe
3008	PING.EXE

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	fdvzwa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C0C654B5-CAF4-4C8A-AE71-778CE3C51C45}\WpadDecisionReason = "1"	fdvzwa.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C0C654B5-CAF4-4C8A-AE71-778CE3C51C45}\WpadDecisionTime = b0022c7af056db01	fdvzwa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C0C654B5-CAF4-4C8A-AE71-778CE3C51C45}\WpadDecision = "0"	fdvzwa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-78-a2-9b-02-cf	fdvzwa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	fdvzwa.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fdvzwa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	fdvzwa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	fdvzwa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-78-a2-9b-02-cf\WpadDecisionReason = "1"	fdvzwa.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-78-a2-9b-02-cf\WpadDecisionTime = b0022c7af056db01	fdvzwa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-78-a2-9b-02-cf\WpadDecision = "0"	fdvzwa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	fdvzwa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	fdvzwa.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f010c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fdvzwa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C0C654B5-CAF4-4C8A-AE71-778CE3C51C45}\1e-78-a2-9b-02-cf	fdvzwa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	fdvzwa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C0C654B5-CAF4-4C8A-AE71-778CE3C51C45}	fdvzwa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C0C654B5-CAF4-4C8A-AE71-778CE3C51C45}\WpadNetworkName = "Network 3"	fdvzwa.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fdvzwa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	fdvzwa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	fdvzwa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	fdvzwa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	fdvzwa.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3008	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
2236	fdvzwa.exe
2920	fdvzwa.exe
1680	uin77.exe
1680	uin77.exe
1680	uin77.exe
1680	uin77.exe
2744	83684c80.exe
2744	83684c80.exe
2744	83684c80.exe
2744	83684c80.exe
680	uin77.exe
680	uin77.exe
680	uin77.exe
680	uin77.exe
1424	8e23d6f9.exe
1424	8e23d6f9.exe
1424	8e23d6f9.exe
1424	8e23d6f9.exe
1964	uin77.exe
1964	uin77.exe
1964	uin77.exe
1964	uin77.exe
2016	88ee6f72.exe
2016	88ee6f72.exe
2016	88ee6f72.exe
2016	88ee6f72.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
2844	7709402874463446.exe
3048	uin77.exe
3048	uin77.exe
3048	uin77.exe
3048	uin77.exe
2988	87245b09.exe
2988	87245b09.exe
2988	87245b09.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1048	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
Token: SeDebugPrivilege	2236	fdvzwa.exe
Token: SeDebugPrivilege	2920	fdvzwa.exe
Token: SeDebugPrivilege	1680	uin77.exe
Token: SeAssignPrimaryTokenPrivilege	2712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: SeDebugPrivilege	2744	83684c80.exe
Token: SeAssignPrimaryTokenPrivilege	2712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2752	WMIC.exe
Token: SeSecurityPrivilege	2752	WMIC.exe
Token: SeTakeOwnershipPrivilege	2752	WMIC.exe
Token: SeLoadDriverPrivilege	2752	WMIC.exe
Token: SeSystemtimePrivilege	2752	WMIC.exe
Token: SeBackupPrivilege	2752	WMIC.exe
Token: SeRestorePrivilege	2752	WMIC.exe
Token: SeShutdownPrivilege	2752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2752	WMIC.exe
Token: SeUndockPrivilege	2752	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1048	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
2236	fdvzwa.exe
2920	fdvzwa.exe
2844	7709402874463446.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2612	1048	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe	30
PID 1048 wrote to memory of 2612	1048	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe	30
PID 1048 wrote to memory of 2612	1048	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe	30
PID 1048 wrote to memory of 2612	1048	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe	30
PID 2612 wrote to memory of 3008	2612	cmd.exe	32
PID 2612 wrote to memory of 3008	2612	cmd.exe	32
PID 2612 wrote to memory of 3008	2612	cmd.exe	32
PID 2612 wrote to memory of 3008	2612	cmd.exe	32
PID 2612 wrote to memory of 2236	2612	cmd.exe	33
PID 2612 wrote to memory of 2236	2612	cmd.exe	33
PID 2612 wrote to memory of 2236	2612	cmd.exe	33
PID 2612 wrote to memory of 2236	2612	cmd.exe	33
PID 2920 wrote to memory of 2844	2920	fdvzwa.exe	35
PID 2920 wrote to memory of 2844	2920	fdvzwa.exe	35
PID 2920 wrote to memory of 2844	2920	fdvzwa.exe	35
PID 2920 wrote to memory of 2844	2920	fdvzwa.exe	35
PID 2844 wrote to memory of 1932	2844	7709402874463446.exe	36
PID 2844 wrote to memory of 1932	2844	7709402874463446.exe	36
PID 2844 wrote to memory of 1932	2844	7709402874463446.exe	36
PID 2844 wrote to memory of 1932	2844	7709402874463446.exe	36
PID 2844 wrote to memory of 3004	2844	7709402874463446.exe	37
PID 2844 wrote to memory of 3004	2844	7709402874463446.exe	37
PID 2844 wrote to memory of 3004	2844	7709402874463446.exe	37
PID 2844 wrote to memory of 3004	2844	7709402874463446.exe	37
PID 1932 wrote to memory of 2888	1932	cmd.exe	40
PID 1932 wrote to memory of 2888	1932	cmd.exe	40
PID 1932 wrote to memory of 2888	1932	cmd.exe	40
PID 1932 wrote to memory of 2888	1932	cmd.exe	40
PID 2844 wrote to memory of 1680	2844	7709402874463446.exe	42
PID 2844 wrote to memory of 1680	2844	7709402874463446.exe	42
PID 2844 wrote to memory of 1680	2844	7709402874463446.exe	42
PID 2844 wrote to memory of 1680	2844	7709402874463446.exe	42
PID 3004 wrote to memory of 2712	3004	cmd.exe	41
PID 3004 wrote to memory of 2712	3004	cmd.exe	41
PID 3004 wrote to memory of 2712	3004	cmd.exe	41
PID 3004 wrote to memory of 2712	3004	cmd.exe	41
PID 1680 wrote to memory of 2744	1680	uin77.exe	43
PID 1680 wrote to memory of 2744	1680	uin77.exe	43
PID 1680 wrote to memory of 2744	1680	uin77.exe	43
PID 1680 wrote to memory of 2744	1680	uin77.exe	43
PID 3004 wrote to memory of 2768	3004	cmd.exe	44
PID 3004 wrote to memory of 2768	3004	cmd.exe	44
PID 3004 wrote to memory of 2768	3004	cmd.exe	44
PID 3004 wrote to memory of 2768	3004	cmd.exe	44
PID 3004 wrote to memory of 2752	3004	cmd.exe	45
PID 3004 wrote to memory of 2752	3004	cmd.exe	45
PID 3004 wrote to memory of 2752	3004	cmd.exe	45
PID 3004 wrote to memory of 2752	3004	cmd.exe	45
PID 2844 wrote to memory of 680	2844	7709402874463446.exe	46
PID 2844 wrote to memory of 680	2844	7709402874463446.exe	46
PID 2844 wrote to memory of 680	2844	7709402874463446.exe	46
PID 2844 wrote to memory of 680	2844	7709402874463446.exe	46
PID 680 wrote to memory of 1424	680	uin77.exe	47
PID 680 wrote to memory of 1424	680	uin77.exe	47
PID 680 wrote to memory of 1424	680	uin77.exe	47
PID 680 wrote to memory of 1424	680	uin77.exe	47
PID 2844 wrote to memory of 1964	2844	7709402874463446.exe	49
PID 2844 wrote to memory of 1964	2844	7709402874463446.exe	49
PID 2844 wrote to memory of 1964	2844	7709402874463446.exe	49
PID 2844 wrote to memory of 1964	2844	7709402874463446.exe	49
PID 1964 wrote to memory of 2016	1964	uin77.exe	50
PID 1964 wrote to memory of 2016	1964	uin77.exe	50
PID 1964 wrote to memory of 2016	1964	uin77.exe	50
PID 1964 wrote to memory of 2016	1964	uin77.exe	50

C:\Users\Admin\AppData\Local\Temp\b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
"C:\Users\Admin\AppData\Local\Temp\b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\zcamvfe\fdvzwa.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3008
- - \??\c:\windows\fonts\zcamvfe\fdvzwa.exe
    c:\windows\fonts\zcamvfe\fdvzwa.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2236

\??\c:\windows\fonts\zcamvfe\fdvzwa.exe
c:\windows\fonts\zcamvfe\fdvzwa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\TEMP\7709402874463446.exe
  C:\Windows\TEMP\7709402874463446.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN dlqai /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN dlqai /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dipyu" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="oce" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dipyu'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dipyu" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2712
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="oce" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dipyu'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2752
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\TEMP\83684c80.exe
      "C:\Windows\TEMP\83684c80.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2744
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\TEMP\8e23d6f9.exe
      "C:\Windows\TEMP\8e23d6f9.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1424
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\TEMP\88ee6f72.exe
      "C:\Windows\TEMP\88ee6f72.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN dlqai /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:304
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN dlqai /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dipyu" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="oce" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dipyu'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dipyu" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2020
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="oce" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dipyu'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3048
  - - C:\Windows\TEMP\87245b09.exe
      "C:\Windows\TEMP\87245b09.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2988
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1568
  - - C:\Windows\TEMP\876b3691.exe
      "C:\Windows\TEMP\876b3691.exe"
      4⤵
      Executes dropped EXE
      PID:448
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1896
  - - C:\Windows\TEMP\8126c01a.exe
      "C:\Windows\TEMP\8126c01a.exe"
      4⤵
      Executes dropped EXE
      PID:684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN dlqai /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1776
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN dlqai /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dipyu" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="oce" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dipyu'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="dipyu" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2516
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="oce" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2332
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='dipyu'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1536
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:296
  - - C:\Windows\TEMP\816caba1.exe
      "C:\Windows\TEMP\816caba1.exe"
      4⤵
      Executes dropped EXE
      PID:2064
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2444
  - - C:\Windows\TEMP\8b27351a.exe
      "C:\Windows\TEMP\8b27351a.exe"
      4⤵
      Executes dropped EXE
      PID:568
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1452
  - - C:\Windows\TEMP\85d2df93.exe
      "C:\Windows\TEMP\85d2df93.exe"
      4⤵
      Executes dropped EXE
      PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN eycb /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1048
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN eycb /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="vhci" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="upgex" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='vhci'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="vhci" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="upgex" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='vhci'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2104
  - - C:\Windows\TEMP\8528ba2a.exe
      "C:\Windows\TEMP\8528ba2a.exe"
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2736
  - - C:\Windows\TEMP\8fd344a3.exe
      "C:\Windows\TEMP\8fd344a3.exe"
      4⤵
      Executes dropped EXE
      PID:2708
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2692
  - - C:\Windows\TEMP\899edd1c.exe
      "C:\Windows\TEMP\899edd1c.exe"
      4⤵
      Executes dropped EXE
      PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 792
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\816caba1.exe

Filesize
95KB

MD5
27c166feb44800f499c03663e8cfa902

SHA1
1b09987b1287f6836aabf6af60d86c16f4060d55

SHA256
92ef5cb8148e9fdfb46b5729336ed0f71431b2378aa1031a66e07a9d1f3437d5

SHA512
88c51f0580f980387f6f9fe0ef4a7e08c80f02c8b5fb7d7582ca920d41f738cd3a691a4e038bfc645aad93ce1e0152c188d13b70251f4ba73ab43c6d3c916fa6

Download Submit
C:\Windows\Temp\83684c80.exe

Filesize
95KB

MD5
0009762b28d326191a98c2b987d70521

SHA1
d889f6b05c3cb1dd1b4a0bff0c98decf1b76d0b6

SHA256
7f4f1cedfdbc7311ed34084a85097ff2a3641545cbffc23c2c02417917f4e166

SHA512
0ea64bb35c4c3e13b204148ddfacf8d30beb179acc70798ad072d8a5740df07d7f70c009f886a7b7d67a6af29297717fcc683b2cd2fdc3db39275feaba711a28

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
86ed969d5268a53a293fd463819f23cc

SHA1
f407e346d7b77304a13bd72ec0001c1ca0a38113

SHA256
87d003edaaad114b7ca40f9d92948d43ef9cd6adc22e2016041c3daf9c2c6656

SHA512
6d74b092d98c9b0ef961df7bc5a4b238258a1100a7a2beb34dff4974ba1aa0ce1ec02e498a4a3a8ed12a2ac169d6e4387ccdd6c92cade0966c3fd0f6ea8eec3a

Download Submit
\??\c:\windows\fonts\zcamvfe\fdvzwa.exe

Filesize
2.9MB

MD5
888f61cadc2a2f2598b09a02f0a32ce7

SHA1
67e1f471a178f26aa3420f9c4f86e2f222a5e2d1

SHA256
bcbffb66c698855e4bc89b0ad973f20c8822ae1f8a523e30ab2dc0a116ec1485

SHA512
b0682da439e7ae7da24fb1b548a60c6f0be6e497b7d275cf10de90a5e1fb0d55db2fb1c6cfc07fb9f8ee23a8803ec3a7463d830409bc1b4581d45247d5b71c54

Download Submit
\Windows\Temp\7709402874463446.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
\Windows\Temp\uin77.exe

Filesize
173KB

MD5
52ca0950a9c49b592c8caddf4d735747

SHA1
d9f6da64bf0e536443b3b3bbaa050003d52c2e72

SHA256
0445d3d7415ebe97d09b8a35cc3254041a52f53bf97924a9a2119d81be683c59

SHA512
79c962d6b14b9604a72cf72e3d76cc53a07a2e92ab9d9d5daef5676107de83c67fa6b3bd2543951c2a2c763ad801ff9db0f66ff10a3369e97a7b0e9d7459dd54

Download Submit
memory/1048-5-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1048-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2236-14-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2612-9-0x0000000002420000-0x0000000002506000-memory.dmp

Filesize
920KB

Download
memory/2844-70-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2844-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2844-156-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2844-47-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2920-44-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2920-48-0x0000000001200000-0x000000000128C000-memory.dmp

Filesize
560KB

Download
memory/2920-45-0x0000000001200000-0x000000000128C000-memory.dmp

Filesize
560KB

Download
memory/2920-17-0x0000000001200000-0x000000000128C000-memory.dmp

Filesize
560KB

Download
memory/2920-23-0x0000000001200000-0x000000000128C000-memory.dmp

Filesize
560KB

Download
memory/2920-162-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download