blackmoon | 44e9bc74393f799d862141e41c87f6e83a27d66108a93998ead04c0bd21d0916

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2025, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

9.4MB
MD5

46e8bd935752ea7e517e1e494b44ec94
SHA1

c58a29bde28c9270ec75878cdefdc8adb0578300
SHA256

44e9bc74393f799d862141e41c87f6e83a27d66108a93998ead04c0bd21d0916
SHA512

f3ee6cd2a85e703978384525552472aadb798ab16b4f2c9522fe94a474d411322dbc2b1f73d1422872b474d24f9747b240a771081d90f9f0419289df75686cde
SSDEEP

98304:os0vXTBJYa5mknGzZr+HaOKSVPFtmOZ9G1rxwFB5URUSKnaSOProSCa:o3XTYQmknGzwHaOtVPHd9swFBubKL

Score

10^/10

blackmoon mimikatz banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/5432-0-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon
behavioral1/memory/5432-4-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon
behavioral1/files/0x0008000000024073-6.dat	family_blackmoon
behavioral1/memory/4868-8-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/5432-0-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz
behavioral1/memory/5432-4-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz
behavioral1/files/0x0008000000024073-6.dat	mimikatz
behavioral1/memory/4868-8-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz

Executes dropped EXE 2 IoCs

pid	Process
4868	utlyyzl.exe
4952	utlyyzl.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	103	117.50.22.22	4488	nslookup.exe
Destination IP	163	117.50.11.11	4216	nslookup.exe
Destination IP	186	117.50.22.22	2656	nslookup.exe
Destination IP	189	208.67.222.222	1484	nslookup.exe
Destination IP	193	208.67.220.220	5224	nslookup.exe
Destination IP	188	208.67.222.222	1484	nslookup.exe
Destination IP	190	208.67.222.222	1484	nslookup.exe
Destination IP	207	117.50.22.22	760	nslookup.exe
Destination IP	210	208.67.222.222	1924	nslookup.exe
Destination IP	107	208.67.222.222	2924	nslookup.exe
Destination IP	133	208.67.222.222	3724	nslookup.exe
Destination IP	161	117.50.11.11	4216	nslookup.exe
Destination IP	169	208.67.222.222	4592	nslookup.exe
Destination IP	182	117.50.11.11	5668	nslookup.exe
Destination IP	205	117.50.11.11	4952	utlyyzl.exe
Destination IP	206	117.50.11.11	4952	utlyyzl.exe
Destination IP	208	117.50.22.22	4952	utlyyzl.exe
Destination IP	62	117.50.22.22	4216	nslookup.exe
Destination IP	80	208.67.220.220	5252	nslookup.exe
Destination IP	117	117.50.11.11	2752	nslookup.exe
Destination IP	135	208.67.220.220	5088	nslookup.exe
Destination IP	209	117.50.22.22	4952	utlyyzl.exe
Destination IP	215	208.67.220.220	4952	utlyyzl.exe
Destination IP	58	117.50.11.11	2720	nslookup.exe
Destination IP	100	117.50.11.11	2524	nslookup.exe
Destination IP	154	208.67.220.220	5720	nslookup.exe
Destination IP	150	208.67.222.222	3152	nslookup.exe
Destination IP	47	208.67.220.220	1968	nslookup.exe
Destination IP	211	208.67.222.222	4952	utlyyzl.exe
Destination IP	224	117.50.11.11	4884	nslookup.exe
Destination IP	59	117.50.11.11	2720	nslookup.exe
Destination IP	110	208.67.220.220	1536	nslookup.exe
Destination IP	131	208.67.222.222	3724	nslookup.exe
Destination IP	143	117.50.11.11	680	nslookup.exe
Destination IP	152	208.67.220.220	5720	nslookup.exe
Destination IP	166	117.50.22.22	2376	nslookup.exe
Destination IP	173	208.67.220.220	5304	nslookup.exe
Destination IP	204	117.50.11.11	4556	nslookup.exe
Destination IP	78	208.67.220.220	5252	nslookup.exe
Destination IP	126	117.50.22.22	5960	nslookup.exe
Destination IP	172	208.67.220.220	5304	nslookup.exe
Destination IP	192	208.67.220.220	5224	nslookup.exe
Destination IP	106	208.67.222.222	2924	nslookup.exe
Destination IP	108	208.67.220.220	1536	nslookup.exe
Destination IP	109	208.67.220.220	1536	nslookup.exe
Destination IP	132	208.67.222.222	3724	nslookup.exe
Destination IP	148	117.50.22.22	1560	nslookup.exe
Destination IP	151	208.67.222.222	3152	nslookup.exe
Destination IP	164	117.50.22.22	2376	nslookup.exe
Destination IP	191	208.67.220.220	5224	nslookup.exe
Destination IP	38	117.50.22.22	852	nslookup.exe
Destination IP	43	208.67.222.222	3136	nslookup.exe
Destination IP	187	117.50.22.22	2656	nslookup.exe
Destination IP	214	208.67.220.220	5300	nslookup.exe
Destination IP	32	117.50.11.11	3556	nslookup.exe
Destination IP	61	117.50.22.22	4216	nslookup.exe
Destination IP	134	208.67.220.220	5088	nslookup.exe
Destination IP	170	208.67.222.222	4592	nslookup.exe
Destination IP	174	208.67.220.220	5304	nslookup.exe
Destination IP	46	208.67.220.220	1968	nslookup.exe
Destination IP	79	208.67.220.220	5252	nslookup.exe
Destination IP	119	117.50.11.11	2752	nslookup.exe
Destination IP	153	208.67.220.220	5720	nslookup.exe
Destination IP	105	208.67.222.222	2924	nslookup.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	utlyyzl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	utlyyzl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	utlyyzl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	utlyyzl.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\batyllgl\utlyyzl.exe	2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\batyllgl\utlyyzl.exe	2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utlyyzl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1624	cmd.exe
3972	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000024073-6.dat	nsis_installer_2

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	utlyyzl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	utlyyzl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	utlyyzl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	utlyyzl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	utlyyzl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	utlyyzl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	utlyyzl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	utlyyzl.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3972	PING.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5432	2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5432	2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	4868	utlyyzl.exe
Token: SeDebugPrivilege	4952	utlyyzl.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5432	2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
4868	utlyyzl.exe
4952	utlyyzl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5432 wrote to memory of 1624	5432	2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	85
PID 5432 wrote to memory of 1624	5432	2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	85
PID 5432 wrote to memory of 1624	5432	2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	85
PID 1624 wrote to memory of 3972	1624	cmd.exe	87
PID 1624 wrote to memory of 3972	1624	cmd.exe	87
PID 1624 wrote to memory of 3972	1624	cmd.exe	87
PID 1624 wrote to memory of 4868	1624	cmd.exe	95
PID 1624 wrote to memory of 4868	1624	cmd.exe	95
PID 1624 wrote to memory of 4868	1624	cmd.exe	95
PID 4952 wrote to memory of 2352	4952	utlyyzl.exe	97
PID 4952 wrote to memory of 2352	4952	utlyyzl.exe	97
PID 4952 wrote to memory of 2352	4952	utlyyzl.exe	97
PID 2352 wrote to memory of 3732	2352	cmd.exe	99
PID 2352 wrote to memory of 3732	2352	cmd.exe	99
PID 2352 wrote to memory of 3732	2352	cmd.exe	99
PID 4952 wrote to memory of 5968	4952	utlyyzl.exe	100
PID 4952 wrote to memory of 5968	4952	utlyyzl.exe	100
PID 4952 wrote to memory of 5968	4952	utlyyzl.exe	100
PID 5968 wrote to memory of 5028	5968	cmd.exe	102
PID 5968 wrote to memory of 5028	5968	cmd.exe	102
PID 5968 wrote to memory of 5028	5968	cmd.exe	102
PID 4952 wrote to memory of 5068	4952	utlyyzl.exe	103
PID 4952 wrote to memory of 5068	4952	utlyyzl.exe	103
PID 4952 wrote to memory of 5068	4952	utlyyzl.exe	103
PID 5068 wrote to memory of 3556	5068	cmd.exe	105
PID 5068 wrote to memory of 3556	5068	cmd.exe	105
PID 5068 wrote to memory of 3556	5068	cmd.exe	105
PID 4952 wrote to memory of 3540	4952	utlyyzl.exe	108
PID 4952 wrote to memory of 3540	4952	utlyyzl.exe	108
PID 4952 wrote to memory of 3540	4952	utlyyzl.exe	108
PID 3540 wrote to memory of 852	3540	cmd.exe	110
PID 3540 wrote to memory of 852	3540	cmd.exe	110
PID 3540 wrote to memory of 852	3540	cmd.exe	110
PID 4952 wrote to memory of 3452	4952	utlyyzl.exe	112
PID 4952 wrote to memory of 3452	4952	utlyyzl.exe	112
PID 4952 wrote to memory of 3452	4952	utlyyzl.exe	112
PID 3452 wrote to memory of 3136	3452	cmd.exe	114
PID 3452 wrote to memory of 3136	3452	cmd.exe	114
PID 3452 wrote to memory of 3136	3452	cmd.exe	114
PID 4952 wrote to memory of 4416	4952	utlyyzl.exe	115
PID 4952 wrote to memory of 4416	4952	utlyyzl.exe	115
PID 4952 wrote to memory of 4416	4952	utlyyzl.exe	115
PID 4416 wrote to memory of 1968	4416	cmd.exe	117
PID 4416 wrote to memory of 1968	4416	cmd.exe	117
PID 4416 wrote to memory of 1968	4416	cmd.exe	117
PID 4952 wrote to memory of 4436	4952	utlyyzl.exe	118
PID 4952 wrote to memory of 4436	4952	utlyyzl.exe	118
PID 4952 wrote to memory of 4436	4952	utlyyzl.exe	118
PID 4436 wrote to memory of 4148	4436	cmd.exe	120
PID 4436 wrote to memory of 4148	4436	cmd.exe	120
PID 4436 wrote to memory of 4148	4436	cmd.exe	120
PID 4952 wrote to memory of 3572	4952	utlyyzl.exe	121
PID 4952 wrote to memory of 3572	4952	utlyyzl.exe	121
PID 4952 wrote to memory of 3572	4952	utlyyzl.exe	121
PID 3572 wrote to memory of 3708	3572	cmd.exe	123
PID 3572 wrote to memory of 3708	3572	cmd.exe	123
PID 3572 wrote to memory of 3708	3572	cmd.exe	123
PID 4952 wrote to memory of 1760	4952	utlyyzl.exe	124
PID 4952 wrote to memory of 1760	4952	utlyyzl.exe	124
PID 4952 wrote to memory of 1760	4952	utlyyzl.exe	124
PID 1760 wrote to memory of 2720	1760	cmd.exe	126
PID 1760 wrote to memory of 2720	1760	cmd.exe	126
PID 1760 wrote to memory of 2720	1760	cmd.exe	126
PID 4952 wrote to memory of 5152	4952	utlyyzl.exe	127

C:\Users\Admin\AppData\Local\Temp\2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-21_46e8bd935752ea7e517e1e494b44ec94_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\batyllgl\utlyyzl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3972
- - C:\Windows\batyllgl\utlyyzl.exe
    C:\Windows\batyllgl\utlyyzl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4868

C:\Windows\batyllgl\utlyyzl.exe
C:\Windows\batyllgl\utlyyzl.exe
1⤵
- Executes dropped EXE
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
    3⤵
    PID:3732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5968
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
    3⤵
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
    3⤵
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1356
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5428
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4616
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
    3⤵
    PID:6128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
  2⤵
  PID:5948
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:528
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4580
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:372
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3100
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    PID:5960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
  2⤵
  PID:5944
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3556
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
  2⤵
  PID:5176
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:640
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
  2⤵
  PID:228
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6012
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3884
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1768
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 208.67.220.220
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    PID:5224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 8.8.8.8
  2⤵
  PID:5516
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 1.1.1.1
  2⤵
  PID:700
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 117.50.11.11
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 117.50.22.22
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 208.67.222.222
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 208.67.220.220
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    PID:5300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.in 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1300
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.in 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.in 1.1.1.1
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.in 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.in 117.50.11.11
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.in 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4884

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\batyllgl\utlyyzl.exe

Filesize
9.5MB

MD5
879799e7665877bdd8a99086e1088b09

SHA1
d2922723ae3095603546647b405735abba521b99

SHA256
089da08b5a761613f4bc4ad0a72b65c304038f7336a9a7960ec7757ecf2236a7

SHA512
6a462f8f8ce1fca5660038a236d5d9ca8cf762f11ae543e7f80b7ac63ad7a19b3302a3b2757669a8a51e87b4ad25815e560ab02e125c884a26b1c40fb5124e38

Download Submit
memory/4868-8-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/5432-0-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/5432-4-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download