blackmoon | 7694440c4a9f36249dfa3e9e00472bf22b4665b17108ea1bd6a24a9d663d4533

Analysis

max time kernel
120s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7694440c4a9f36249dfa3e9e00472bf22b4665b17108ea1bd6a24a9d663d4533N.dll
Size

163KB
MD5

56dea4858f3c7afecd014f2b53026950
SHA1

d3ae2b89b7d2ca38beef7a729ae74aed1b0f2ede
SHA256

7694440c4a9f36249dfa3e9e00472bf22b4665b17108ea1bd6a24a9d663d4533
SHA512

bf69b52ed53bf99e37e84ef4d459a3d485f1277b4b2a58a8c8bb1008ad017e99bf0df5d4c8a7709a4fff639422f63b785a8de2e3bfd54bc848b411732d101519
SSDEEP

3072:x5VK0lTSG9xoC+CQpiU5MvUOGk//qmwYre9BN0N4w:E0T9xB+CU4Gk//vwYre9BmN

Score

10^/10

blackmoon gh0strat banker discovery evasion persistence privilege_escalation rat trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 11 IoCs

resource	yara_rule
behavioral2/memory/4956-54-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4956-13555-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4956-13557-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/files/0x0011000000023c9c-13559.dat	family_blackmoon
behavioral2/memory/4956-13566-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4956-13569-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4956-13570-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/files/0x0003000000000709-13588.dat	family_blackmoon
behavioral2/memory/7088-13590-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_blackmoon
behavioral2/memory/4956-13611-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4956-13737-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral2/memory/1124-0-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/1124-2-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/1124-4-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/1124-12-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/1124-13583-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/files/0x0003000000000709-13588.dat	family_gh0strat
behavioral2/memory/7088-13590-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_gh0strat
behavioral2/memory/4528-13593-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral2/memory/4528-13592-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral2/memory/4528-13595-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral2/memory/4528-13591-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 12 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4248	netsh.exe
5484	netsh.exe
5948	netsh.exe
4140	netsh.exe
5556	netsh.exe
2804	netsh.exe
6116	netsh.exe
5720	netsh.exe
1844	netsh.exe
4340	netsh.exe
5728	netsh.exe
7156	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll"	Hooks.exe

Executes dropped EXE 5 IoCs

pid	Process
4956	MpMgSvc.exe
3108	Wmicc.exe
7136	GetPassword.exe
7088	Hooks.exe
3124	ctfmoon.exe

Loads dropped DLL 1 IoCs

pid	Process
4128	svchost.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.226.84.135

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\64[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 372 set thread context of 1124	372	rundll32.exe	83
PID 372 set thread context of 3184	372	rundll32.exe	94
PID 4128 set thread context of 4528	4128	svchost.exe	195

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c8b-17.dat	upx
behavioral2/memory/4956-27-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4956-54-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4956-13555-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4956-13557-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4956-13566-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4956-13569-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4956-13570-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/files/0x0008000000023cbe-13575.dat	upx
behavioral2/memory/7088-13586-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx
behavioral2/memory/7088-13590-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx
behavioral2/memory/4956-13611-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4956-13737-0x0000000000400000-0x0000000000D25000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.Calendars.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Sockets.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.AppContext.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Buffers.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.InteropServices.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Algorithms.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Win32.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Contracts.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\Meson.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Queryable.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Ping.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Claims.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encodings.Web.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Console.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Http.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TraceSource.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.Unsafe.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.ReaderWriter.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WmiPrvSER.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\netstandard.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Immutable.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Principal.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encoding.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Tracing.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.DriveInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Thread.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.Reader.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Overlapped.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.Watcher.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebHeaderCollection.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.StackTrace.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.NameResolution.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.ResourceManager.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.VisualC.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.InteropServices.RuntimeInformation.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlSerializer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\root_conf\default.toml	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.IsolatedStorage.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.Compression.ZipFile.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Csp.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ValueTuple.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Diagnostics.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TextWriterTraceListener.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Expressions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Formatters.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.ThreadPool.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Data.Common.dll	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Specialized.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Extensions.dll	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmicc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hooks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpMgSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4956	MpMgSvc.exe
4956	MpMgSvc.exe
4956	MpMgSvc.exe
4956	MpMgSvc.exe
4956	MpMgSvc.exe
4956	MpMgSvc.exe
7136	GetPassword.exe
7136	GetPassword.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
4128	svchost.exe
4128	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4528	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	7136	GetPassword.exe
Token: SeDebugPrivilege	3656	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4956	MpMgSvc.exe
4956	MpMgSvc.exe
3108	Wmicc.exe
7088	Hooks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1124	372	rundll32.exe	83
PID 372 wrote to memory of 1124	372	rundll32.exe	83
PID 372 wrote to memory of 1124	372	rundll32.exe	83
PID 372 wrote to memory of 1124	372	rundll32.exe	83
PID 372 wrote to memory of 1124	372	rundll32.exe	83
PID 372 wrote to memory of 1124	372	rundll32.exe	83
PID 372 wrote to memory of 1124	372	rundll32.exe	83
PID 372 wrote to memory of 1124	372	rundll32.exe	83
PID 372 wrote to memory of 732	372	rundll32.exe	91
PID 372 wrote to memory of 732	372	rundll32.exe	91
PID 372 wrote to memory of 732	372	rundll32.exe	91
PID 372 wrote to memory of 3184	372	rundll32.exe	94
PID 372 wrote to memory of 3184	372	rundll32.exe	94
PID 372 wrote to memory of 3184	372	rundll32.exe	94
PID 372 wrote to memory of 3184	372	rundll32.exe	94
PID 372 wrote to memory of 3184	372	rundll32.exe	94
PID 372 wrote to memory of 3184	372	rundll32.exe	94
PID 372 wrote to memory of 3184	372	rundll32.exe	94
PID 372 wrote to memory of 3184	372	rundll32.exe	94
PID 1124 wrote to memory of 4956	1124	svchost.exe	99
PID 1124 wrote to memory of 4956	1124	svchost.exe	99
PID 1124 wrote to memory of 4956	1124	svchost.exe	99
PID 4956 wrote to memory of 3108	4956	MpMgSvc.exe	105
PID 4956 wrote to memory of 3108	4956	MpMgSvc.exe	105
PID 4956 wrote to memory of 3108	4956	MpMgSvc.exe	105
PID 3108 wrote to memory of 7016	3108	Wmicc.exe	106
PID 3108 wrote to memory of 7016	3108	Wmicc.exe	106
PID 3108 wrote to memory of 7016	3108	Wmicc.exe	106
PID 7016 wrote to memory of 7136	7016	cmd.exe	108
PID 7016 wrote to memory of 7136	7016	cmd.exe	108
PID 1124 wrote to memory of 7088	1124	svchost.exe	191
PID 1124 wrote to memory of 7088	1124	svchost.exe	191
PID 1124 wrote to memory of 7088	1124	svchost.exe	191
PID 7088 wrote to memory of 3656	7088	Hooks.exe	193
PID 7088 wrote to memory of 3656	7088	Hooks.exe	193
PID 7088 wrote to memory of 3656	7088	Hooks.exe	193
PID 4128 wrote to memory of 4528	4128	svchost.exe	195
PID 4128 wrote to memory of 4528	4128	svchost.exe	195
PID 4128 wrote to memory of 4528	4128	svchost.exe	195
PID 4128 wrote to memory of 4528	4128	svchost.exe	195
PID 4128 wrote to memory of 4528	4128	svchost.exe	195
PID 4128 wrote to memory of 4528	4128	svchost.exe	195
PID 4128 wrote to memory of 4528	4128	svchost.exe	195
PID 4128 wrote to memory of 4528	4128	svchost.exe	195
PID 4128 wrote to memory of 7156	4128	svchost.exe	196
PID 4128 wrote to memory of 7156	4128	svchost.exe	196
PID 4128 wrote to memory of 7156	4128	svchost.exe	196
PID 4128 wrote to memory of 5556	4128	svchost.exe	199
PID 4128 wrote to memory of 5556	4128	svchost.exe	199
PID 4128 wrote to memory of 5556	4128	svchost.exe	199
PID 4128 wrote to memory of 2804	4128	svchost.exe	218
PID 4128 wrote to memory of 2804	4128	svchost.exe	218
PID 4128 wrote to memory of 2804	4128	svchost.exe	218
PID 4128 wrote to memory of 6116	4128	svchost.exe	203
PID 4128 wrote to memory of 6116	4128	svchost.exe	203
PID 4128 wrote to memory of 6116	4128	svchost.exe	203
PID 4128 wrote to memory of 4248	4128	svchost.exe	205
PID 4128 wrote to memory of 4248	4128	svchost.exe	205
PID 4128 wrote to memory of 4248	4128	svchost.exe	205
PID 4128 wrote to memory of 5720	4128	svchost.exe	207
PID 4128 wrote to memory of 5720	4128	svchost.exe	207
PID 4128 wrote to memory of 5720	4128	svchost.exe	207
PID 4128 wrote to memory of 5484	4128	svchost.exe	209
PID 4128 wrote to memory of 5484	4128	svchost.exe	209

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7694440c4a9f36249dfa3e9e00472bf22b4665b17108ea1bd6a24a9d663d4533N.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\WINDOWS\Temp\MpMgSvc.exe
    "C:\WINDOWS\Temp\MpMgSvc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\Temp\Wmicc.exe
      "C:\Windows\Temp\Wmicc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:7016
      - C:\Windows\Temp\GetPassword.exe
        
        C:\Windows\Temp\GetPassword.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7136
- - C:\WINDOWS\Temp\Hooks.exe
    "C:\WINDOWS\Temp\Hooks.exe"
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:7088
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3656
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:732
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:3184

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup -s GraphicsPerfSvcs
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4528
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:7156
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5556
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Edge dir=in program=C:\Windows\Microsoft.NET\Meson.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:6116
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Edge dir=out program=C:\Windows\Microsoft.NET\Meson.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4248
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Edge new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5720
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5484
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5948
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4140
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1844
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4340
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2804
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Store new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5948
- C:\Windows\Microsoft.NET\ctfmoon.exe
  C:\Windows\Microsoft.NET\ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atcys0m1.ev5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Microsoft.NET\ctfmoon.exe

Filesize
9.1MB

MD5
1de26ef85f7218e1df4ed675fa2b05d4

SHA1
e5217fa3b50f625d84d5e5c4b66c031f7a2446ae

SHA256
fdd762192d351cea051c0170840f1d8d171f334f06313a17eba97cacb5f1e6e1

SHA512
ada80a9f97bec76899eccc40c646387a067a201663d4d0f4537af450ea7c92df877f017862634e32e9e2ba08ca6d41806dc03f0dfd7f811ca303b56b1ac17d92

Download Submit
C:\Windows\Temp\GetPassword.exe

Filesize
494KB

MD5
5b6a804db0c5733d331eb126048ca73b

SHA1
f18c5acae63457ad26565d663467fa5a7fbfbee4

SHA256
5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9

SHA512
ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26

Download Submit
C:\Windows\Temp\Hooks.exe

Filesize
11.7MB

MD5
1af2da7b95cdbbd5a18461e5d5fe910a

SHA1
8540958b02170962cb958da094e059be5ff43fb0

SHA256
1b08b6f863be2c62eb5b00457475630fddb245361f1a35e4396eada29e2da64a

SHA512
bc3ea6b76cc8079871c550af197d01c227526688881b10a5192a215d9dca8cd8401408d6a6835444cab862b20856b1ad88b1450a3f93dfa8cd2ecbdc5653459a

Download Submit
C:\Windows\Temp\MpMgSvc.exe

Filesize
3.2MB

MD5
3809c59565787ee7398fe9222d4bd669

SHA1
68842768c9ae9deb1d1d7ed2b27846c392b47103

SHA256
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SHA512
2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098

Download Submit
C:\Windows\Temp\PWD.txt

Filesize
16B

MD5
f4ee302afbce0b94cd33c6b3941d19e2

SHA1
75f98857186248ac2f9cbd0c3f07d1118b49ee10

SHA256
dfb23411a6872447e75541e6b3067026d10ebc8f76f427a5f69d795498e117f9

SHA512
ca202ca2caf8a1e9596f1187a82cd02a650aea316c9a6bf58c59a23b4922098fe3720301dbe3268514e977a5964dc746f38c862ce4cdc63573d0e69254ea0e77

Download Submit
C:\Windows\Temp\Wmicc.exe

Filesize
1.4MB

MD5
4935b75f2a23d38527cf3821c9d9dac3

SHA1
f17aa56215ab7b90da00f048fe30d39a2d671b5d

SHA256
dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8

SHA512
348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd

Download Submit
C:\Windows\Temp\ip.txt

Filesize
1013B

MD5
82f29d4cf7921dcd4a20f63b6b391705

SHA1
afca27669c0f4eabe82db00416ff4680a154adf4

SHA256
28b7dbe5031baa246ec4e0dd354c12ba60efbafaa985623819adbaa975608a53

SHA512
b14da6f92c8461fe30dde33e063fbf7dba2eb47802b0ee3c442f7e1e88fc6fbbf23479e4b983af7c68bcd4a8f066d3e3ea2b2454d032607edbe0cf5728577f2b

Download Submit
C:\Windows\Temp\ip.txt

Filesize
180KB

MD5
6f140fdca99fda3c8b9b2ebc63f8e152

SHA1
52a649792620d0a8c75586320711564c5851c527

SHA256
2285241b438cd4314958529c4abed06c75c8bd87f769af371e5b1042d63a5328

SHA512
0a57558ecc503da509b1ec1a0d5cd805c824c651ab6b552bccced84bfee8b6e627249e10450eef8614adc739cb476547ed0ecfd33284cb1248b208d1794d4861

Download Submit
C:\Windows\Temp\ip.txt

Filesize
2KB

MD5
ad26172a880ed9562ac0a045e442b9e8

SHA1
20af3fd15664a2720ed4f51f432d5c02aa4e18c1

SHA256
617d07bac6d796ff78e57f542a42afc4f6d4e302f1b091a4402aeb01ac6b4ea0

SHA512
f4d63b6269498e9a7322fced318552e03592d8550a0e23b08d649ced4eb7469b2dd0ee9f27126015bbc8999d121e66247667fd9c907808986c21048a390ad151

Download Submit
C:\Windows\Temp\ip.txt

Filesize
4KB

MD5
6081908fcc742c8b19d6e9924f50fc94

SHA1
d3ce3e17bdcef108388710f6adabc8133363c375

SHA256
3d8c5c32763e46cf2be89b2f2d039865d316f82d7504e23e9f435b94b79b72c4

SHA512
5838c1c052a8eb8ad304179ca461b7505d095c9cf6c1e0a25c6edc530afbd7ece50d3e2e4cdbf7f20b4c4bcb558618bf9c41ae71c0f9caadc26673828bd7b266

Download Submit
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll

Filesize
23.7MB

MD5
effda8dc24b5465dd1424177160a5f1a

SHA1
9c3267d98ec841d4debda61d7c6aa158e6750996

SHA256
2bfbf9d0ed537106096a2dbfdb4bc1bbc1818c8d5befbad46fe872dfb2e5ee0b

SHA512
98e4155193e06baaec900d423eee3069809dbe5d26d401ce4508b79e4874b9014c3d6a8f36416074a369e17b089cd081820c01dc6cdd6743ece01e2ac182ac79

Download Submit
memory/1124-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1124-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1124-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1124-13583-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1124-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3656-13613-0x0000000005D80000-0x0000000005DCC000-memory.dmp

Filesize
304KB

Download
memory/3656-13598-0x0000000004D90000-0x0000000004DB2000-memory.dmp

Filesize
136KB

Download
memory/3656-13615-0x0000000006230000-0x000000000624A000-memory.dmp

Filesize
104KB

Download
memory/3656-13734-0x0000000007FF0000-0x0000000008594000-memory.dmp

Filesize
5.6MB

Download
memory/3656-13732-0x0000000006DE0000-0x0000000006E76000-memory.dmp

Filesize
600KB

Download
memory/3656-13610-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/3656-13612-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/3656-13599-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/3656-13600-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/3656-13733-0x00000000062F0000-0x0000000006312000-memory.dmp

Filesize
136KB

Download
memory/3656-13614-0x00000000073C0000-0x0000000007A3A000-memory.dmp

Filesize
6.5MB

Download
memory/3656-13596-0x00000000024A0000-0x00000000024D6000-memory.dmp

Filesize
216KB

Download
memory/3656-13597-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/4528-13591-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4528-13595-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4528-13592-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4528-13593-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4956-13555-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4956-13611-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4956-13570-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4956-13569-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4956-13566-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4956-13557-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4956-54-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4956-13737-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4956-27-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/7088-13590-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/7088-13586-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download