blackmoon | 4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a.dll
Size

165KB
MD5

b4e9e9c30e8bcbd772c5514eae67eb4e
SHA1

e10cc914137ca1309ab8d6ae9aa1969f6b9fe997
SHA256

4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a
SHA512

6c1dd11263615fcf60f82e9251191eec30cc482854115baa5e126ed14b2efce8ff2c6fe58d77c41a016453a6fc94ea79a80fec1905aea35b3a0e9ec4863ad833
SSDEEP

3072:pDPoADAuj34+sqbSFEmjfv2JxhGtBxUYBN46:psAbj3yEmjfvIxhGtBy4N46

Score

10^/10

blackmoon gh0strat banker discovery evasion persistence privilege_escalation rat trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 11 IoCs

resource	yara_rule
behavioral2/memory/4932-50-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4932-13551-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4932-13553-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/files/0x0008000000023cdd-13555.dat	family_blackmoon
behavioral2/memory/4932-13562-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4932-13565-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4932-13566-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/files/0x0003000000000707-13584.dat	family_blackmoon
behavioral2/memory/8088-13592-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_blackmoon
behavioral2/memory/4932-13610-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral2/memory/4932-13741-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral2/memory/4192-0-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/4192-2-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/4192-3-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/4192-4-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/4192-8-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/memory/4192-13579-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral2/files/0x0003000000000707-13584.dat	family_gh0strat
behavioral2/memory/5392-13589-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral2/memory/5392-13588-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral2/memory/8088-13592-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_gh0strat
behavioral2/memory/5392-13587-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral2/memory/5392-13591-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 12 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6712	netsh.exe
5016	netsh.exe
7192	netsh.exe
2276	netsh.exe
6448	netsh.exe
6184	netsh.exe
6264	netsh.exe
5244	netsh.exe
5424	netsh.exe
7780	netsh.exe
3160	netsh.exe
2580	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll"	Hooks.exe

Executes dropped EXE 7 IoCs

pid	Process
4932	MpMgSvc.exe
7580	Wmicc.exe
7844	GetPassword.exe
8088	Hooks.exe
1832	ctfmoon.exe
6836	Meson.exe
4044	traffmonetizer.exe

Loads dropped DLL 1 IoCs

pid	Process
8152	svchost.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	110.11.158.238
Destination IP	1.226.84.135
Destination IP	124.160.26.219

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15897	api6.my-ip.io

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\64[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\storage.json	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 4192	2472	rundll32.exe	83
PID 2472 set thread context of 1072	2472	rundll32.exe	86
PID 8152 set thread context of 5392	8152	svchost.exe	103

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cc8-13.dat	upx
behavioral2/memory/4932-23-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4932-50-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4932-13551-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4932-13553-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4932-13562-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4932-13565-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4932-13566-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/files/0x0008000000023cfb-13571.dat	upx
behavioral2/memory/8088-13582-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx
behavioral2/memory/8088-13592-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx
behavioral2/memory/4932-13610-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral2/memory/4932-13741-0x0000000000400000-0x0000000000D25000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Data.Common.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.TypeConverter.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Http.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TextWriterTraceListener.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Metadata.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Queryable.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Xml.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encodings.Web.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Overlapped.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.StackTrace.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Drawing.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.DriveInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Claims.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Requests.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Principal.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Contracts.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Parallel.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Win32.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.ReaderWriter.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Sockets.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Bcl.AsyncInterfaces.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.MemoryMappedFiles.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebSockets.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.Reader.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlSerializer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Diagnostics.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.EventBasedAsync.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Debug.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Numerics.Vectors.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.Writer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Json.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.AppContext.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Buffers.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Formatters.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.Calendars.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.Pipes.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebSockets.Client.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Csp.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.SecureString.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TraceSource.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.ResourceManager.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Numerics.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Json.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Base.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe.config	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.VisualC.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.ThreadPool.dll	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meson.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpMgSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hooks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmicc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-492 = "India Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	Meson.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	Meson.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4932	MpMgSvc.exe
4932	MpMgSvc.exe
4932	MpMgSvc.exe
4932	MpMgSvc.exe
4932	MpMgSvc.exe
4932	MpMgSvc.exe
7844	GetPassword.exe
7844	GetPassword.exe
3292	powershell.exe
3292	powershell.exe
8152	svchost.exe
8152	svchost.exe
8152	svchost.exe
8152	svchost.exe
8152	svchost.exe
8152	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5392	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	7844	GetPassword.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	4044	traffmonetizer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4044	traffmonetizer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4932	MpMgSvc.exe
4932	MpMgSvc.exe
7580	Wmicc.exe
8088	Hooks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2472	4916	rundll32.exe	82
PID 4916 wrote to memory of 2472	4916	rundll32.exe	82
PID 4916 wrote to memory of 2472	4916	rundll32.exe	82
PID 2472 wrote to memory of 4192	2472	rundll32.exe	83
PID 2472 wrote to memory of 4192	2472	rundll32.exe	83
PID 2472 wrote to memory of 4192	2472	rundll32.exe	83
PID 2472 wrote to memory of 4192	2472	rundll32.exe	83
PID 2472 wrote to memory of 4192	2472	rundll32.exe	83
PID 2472 wrote to memory of 4192	2472	rundll32.exe	83
PID 2472 wrote to memory of 4192	2472	rundll32.exe	83
PID 2472 wrote to memory of 4192	2472	rundll32.exe	83
PID 2472 wrote to memory of 1072	2472	rundll32.exe	86
PID 2472 wrote to memory of 1072	2472	rundll32.exe	86
PID 2472 wrote to memory of 1072	2472	rundll32.exe	86
PID 2472 wrote to memory of 1072	2472	rundll32.exe	86
PID 2472 wrote to memory of 1072	2472	rundll32.exe	86
PID 2472 wrote to memory of 1072	2472	rundll32.exe	86
PID 2472 wrote to memory of 1072	2472	rundll32.exe	86
PID 2472 wrote to memory of 1072	2472	rundll32.exe	86
PID 4192 wrote to memory of 4932	4192	svchost.exe	92
PID 4192 wrote to memory of 4932	4192	svchost.exe	92
PID 4192 wrote to memory of 4932	4192	svchost.exe	92
PID 4932 wrote to memory of 7580	4932	MpMgSvc.exe	95
PID 4932 wrote to memory of 7580	4932	MpMgSvc.exe	95
PID 4932 wrote to memory of 7580	4932	MpMgSvc.exe	95
PID 7580 wrote to memory of 7696	7580	Wmicc.exe	96
PID 7580 wrote to memory of 7696	7580	Wmicc.exe	96
PID 7580 wrote to memory of 7696	7580	Wmicc.exe	96
PID 7696 wrote to memory of 7844	7696	cmd.exe	98
PID 7696 wrote to memory of 7844	7696	cmd.exe	98
PID 4192 wrote to memory of 8088	4192	svchost.exe	99
PID 4192 wrote to memory of 8088	4192	svchost.exe	99
PID 4192 wrote to memory of 8088	4192	svchost.exe	99
PID 8088 wrote to memory of 3292	8088	Hooks.exe	101
PID 8088 wrote to memory of 3292	8088	Hooks.exe	101
PID 8088 wrote to memory of 3292	8088	Hooks.exe	101
PID 8152 wrote to memory of 5392	8152	svchost.exe	103
PID 8152 wrote to memory of 5392	8152	svchost.exe	103
PID 8152 wrote to memory of 5392	8152	svchost.exe	103
PID 8152 wrote to memory of 5392	8152	svchost.exe	103
PID 8152 wrote to memory of 5392	8152	svchost.exe	103
PID 8152 wrote to memory of 5392	8152	svchost.exe	103
PID 8152 wrote to memory of 5392	8152	svchost.exe	103
PID 8152 wrote to memory of 5392	8152	svchost.exe	103
PID 8152 wrote to memory of 5244	8152	svchost.exe	104
PID 8152 wrote to memory of 5244	8152	svchost.exe	104
PID 8152 wrote to memory of 5244	8152	svchost.exe	104
PID 8152 wrote to memory of 6712	8152	svchost.exe	106
PID 8152 wrote to memory of 6712	8152	svchost.exe	106
PID 8152 wrote to memory of 6712	8152	svchost.exe	106
PID 8152 wrote to memory of 5424	8152	svchost.exe	108
PID 8152 wrote to memory of 5424	8152	svchost.exe	108
PID 8152 wrote to memory of 5424	8152	svchost.exe	108
PID 8152 wrote to memory of 5016	8152	svchost.exe	110
PID 8152 wrote to memory of 5016	8152	svchost.exe	110
PID 8152 wrote to memory of 5016	8152	svchost.exe	110
PID 8152 wrote to memory of 7780	8152	svchost.exe	112
PID 8152 wrote to memory of 7780	8152	svchost.exe	112
PID 8152 wrote to memory of 7780	8152	svchost.exe	112
PID 8152 wrote to memory of 3160	8152	svchost.exe	114
PID 8152 wrote to memory of 3160	8152	svchost.exe	114
PID 8152 wrote to memory of 3160	8152	svchost.exe	114
PID 8152 wrote to memory of 7192	8152	svchost.exe	116
PID 8152 wrote to memory of 7192	8152	svchost.exe	116

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4492433d53cefa40630f1e69e4d9faec8a3c6e053d5238f4dbf15c80f6174b3a.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\WINDOWS\Temp\MpMgSvc.exe
      "C:\WINDOWS\Temp\MpMgSvc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\Temp\Wmicc.exe
        
        "C:\Windows\Temp\Wmicc.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:7580
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:7696
        
        C:\Windows\Temp\GetPassword.exe
        
        C:\Windows\Temp\GetPassword.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7844
  - - C:\WINDOWS\Temp\Hooks.exe
      "C:\WINDOWS\Temp\Hooks.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:8088
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:1072

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup -s GraphicsPerfSvcs
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8152
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5392
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5244
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:6712
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5424
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Edge dir=in program=C:\Windows\Microsoft.NET\Meson.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5016
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Edge dir=out program=C:\Windows\Microsoft.NET\Meson.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:7780
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Edge new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3160
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:7192
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:6448
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:6184
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:6264
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Store new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\Microsoft.NET\ctfmoon.exe
  C:\Windows\Microsoft.NET\ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Windows\Microsoft.NET\Meson.exe
  C:\Windows\Microsoft.NET\Meson.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:6836
- C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
  C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whbkqkoc.y5d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Microsoft.NET\Meson.exe

Filesize
8.9MB

MD5
87c8b215c031443d630da6c18088f89a

SHA1
7a17a9026ec093c4571c13c2fc128b27fbd66a11

SHA256
0caedcf61c3bfe2da33b30adf2f5f2c1530b6907f133f4289519a56cc5c1bae6

SHA512
48d5565f5da60371b79d2c380a63c7b416a220ae7f52656ba4ed9447cf55ab73a05c4165c61c2a95c4e586b2baf483b0b97dcff77c76cadfe039690ded35c43e

Download Submit
C:\Windows\Microsoft.NET\ctfmoon.exe

Filesize
9.1MB

MD5
1de26ef85f7218e1df4ed675fa2b05d4

SHA1
e5217fa3b50f625d84d5e5c4b66c031f7a2446ae

SHA256
fdd762192d351cea051c0170840f1d8d171f334f06313a17eba97cacb5f1e6e1

SHA512
ada80a9f97bec76899eccc40c646387a067a201663d4d0f4537af450ea7c92df877f017862634e32e9e2ba08ca6d41806dc03f0dfd7f811ca303b56b1ac17d92

Download Submit
C:\Windows\Microsoft.NET\root_conf\default.toml

Filesize
390B

MD5
9e3d810a244768218af8fc0499bd5dd7

SHA1
660cb236baf95c83e0acd64e3f607fbeb199a1e0

SHA256
e864d44ec86eaa38112c3bfcfc21b078cc59e11f984c0441989e8606197357e2

SHA512
8f9ac0dede89a68202eb858cda086727ebbba3fdfb4fa43ce2d52cdd5e69c89f66a171fae371ca29b4d65dc04862cbcb71e58be48e8dcc520e1db3b27a093f2b

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Base.dll

Filesize
106KB

MD5
c3935313bbf380cd8d3cb336a5e3c8e8

SHA1
c09f0b894ee5a6a59dea194e94b42fff29b53f38

SHA256
4d0409c6db0b0af97f5fc57ebe2248c1632aeb836a5ea1eeaad64f57a4eb662b

SHA512
6525f98811cb277fbae75e278fca7997c6a6993b3f3f163a3c98da85055305d7a61917981625f113c448b8a397d3c5a143db2c8b131e5e4395205e34dc7c48a2

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
20KB

MD5
1ee251645b8a54a116d6d06c83a2bd85

SHA1
5dbf1534ffbff016cc45559eb5eff3dc4252a522

SHA256
075ce79e84041137c78885b3738c1b5a03547d0ae2a79916e844196a9d0ec1db

SHA512
9f67fd0566eac2da4253d08697daab427e4e85780615d940f086a88424dcbb0563abae7e4824088e64ef7024c1bb3bbf324f2d07bc7ba55f79e4af3c9ea88e97

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Memory.dll

Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Http.dll

Filesize
193KB

MD5
665e355cbed5fe5f7bebc3cb23e68649

SHA1
1c2cefafba48ba7aaab746f660debd34f2f4b14c

SHA256
b5d20736f84f335ef4c918a5ba41c3a0d7189397c71b166ccc6c342427a94ece

SHA512
5300d39365e84a67010ae4c282d7e05172563119afb84dc1b0610217683c7d110803aef02945034a939262f6a7ecf629b52c0e93c1cd63d52ca7a3b3e607bb7d

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.Unsafe.dll

Filesize
16KB

MD5
9a341540899dcc5630886f2d921be78f

SHA1
bab44612721c3dc91ac3d9dfca7c961a3a511508

SHA256
3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5

SHA512
066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encodings.Web.dll

Filesize
66KB

MD5
e8cdacfd2ef2f4b3d1a8e6d59b6e3027

SHA1
9a85d938d8430a73255a65ea002a7709c81a4cf3

SHA256
edf13ebf2d45152e26a16b947cd953aeb7a42602fa48e53fd7673934e5acea30

SHA512
ee1005270305b614236d68e427263b4b4528ad3842057670fad061867286815577ec7d3ed8176e6683d723f9f592abcbf28d24935ce8a34571ab7f1720e2ffc5

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Json.dll

Filesize
347KB

MD5
38470ca21414a8827c24d8fe0438e84b

SHA1
1c394a150c5693c69f85403f201caa501594b7ab

SHA256
2c7435257690ac95dc03b45a236005124097f08519adf3134b1d1ece4190e64c

SHA512
079f7320cc2f3b97a5733725d3b13dff17b595465159daabca5a166d39777100e5a2d9af2a75989dfabdb2f29eac0710e16c3bb2660621344b7a63c5dbb87ef8

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.ValueTuple.dll

Filesize
77KB

MD5
8c9424e37a28db7d70e7d52f0df33cf8

SHA1
81cd1acb53d493c54c8d56f379d790a901a355ac

SHA256
e4774aead2793f440e0ced6c097048423d118e0b6ed238c6fe5b456acb07817f

SHA512
cb6364c136f9d07191cf89ea2d3b89e08db0cd5911bf835c32ae81e4d51e0789ddc92d47e80b7ff7e24985890ed29a00b0a391834b43cf11db303cd980d834f4

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe

Filesize
680KB

MD5
2884fdeaa62f29861ce2645dde0040f6

SHA1
01a775a431f6e4da49f5c5da2dab74cc4d770021

SHA256
2923eacd0c99a2d385f7c989882b7cca83bff133ecf176fdb411f8d17e7ef265

SHA512
470ce2cf25d7ee66f4ceb197e218872ea1b865de7029fadb0d41f3324a213b94c668968f20e228e87a879c1f0c13c9827f3b8881820d02e780d567d791ad159f

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe.config

Filesize
18KB

MD5
e3f86e44d1997122912dd19c93b4cc51

SHA1
55a2abf767061a27d48fc5eda94ba8156add3e81

SHA256
8905f68562e02ca9c686f8bb6edde6643c94b2592240c6ed0d40ca380e69e62d

SHA512
314f97d7889d22d1086682c2abfcf0bcb753c2103a29127407392fa05dabb69f1528c7b8028aeac48e5fd7daf0fb1e4a367e6d83f7ca73bcea8e7c6e1d1b54d5

Download Submit
C:\Windows\Temp\GetPassword.exe

Filesize
494KB

MD5
5b6a804db0c5733d331eb126048ca73b

SHA1
f18c5acae63457ad26565d663467fa5a7fbfbee4

SHA256
5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9

SHA512
ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26

Download Submit
C:\Windows\Temp\Hooks.exe

Filesize
11.7MB

MD5
1af2da7b95cdbbd5a18461e5d5fe910a

SHA1
8540958b02170962cb958da094e059be5ff43fb0

SHA256
1b08b6f863be2c62eb5b00457475630fddb245361f1a35e4396eada29e2da64a

SHA512
bc3ea6b76cc8079871c550af197d01c227526688881b10a5192a215d9dca8cd8401408d6a6835444cab862b20856b1ad88b1450a3f93dfa8cd2ecbdc5653459a

Download Submit
C:\Windows\Temp\MpMgSvc.exe

Filesize
3.2MB

MD5
3809c59565787ee7398fe9222d4bd669

SHA1
68842768c9ae9deb1d1d7ed2b27846c392b47103

SHA256
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SHA512
2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098

Download Submit
C:\Windows\Temp\PWD.txt

Filesize
16B

MD5
f4ee302afbce0b94cd33c6b3941d19e2

SHA1
75f98857186248ac2f9cbd0c3f07d1118b49ee10

SHA256
dfb23411a6872447e75541e6b3067026d10ebc8f76f427a5f69d795498e117f9

SHA512
ca202ca2caf8a1e9596f1187a82cd02a650aea316c9a6bf58c59a23b4922098fe3720301dbe3268514e977a5964dc746f38c862ce4cdc63573d0e69254ea0e77

Download Submit
C:\Windows\Temp\Wmicc.exe

Filesize
1.4MB

MD5
4935b75f2a23d38527cf3821c9d9dac3

SHA1
f17aa56215ab7b90da00f048fe30d39a2d671b5d

SHA256
dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8

SHA512
348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd

Download Submit
C:\Windows\Temp\ip.txt

Filesize
180KB

MD5
9bf36f99e5e75318b31319fc59c54aea

SHA1
9f8e23cfd59c542261b2b486c271f0cbb1cd6979

SHA256
e29f09e6c06315a41bb82af1e45b2d161bf506077f79f508bcbbe1a70a2170ac

SHA512
7bd18cb6bad6a0b8acf203b662b12f87bbbf91315b27febc5ca09a1a84c830f1017615f70490f0268d8d2ae45349a4396b09d07bb3e11ce6a8e060887bae2698

Download Submit
C:\Windows\Temp\ip.txt

Filesize
8KB

MD5
dab6d4954d4bce6253788b83f767813a

SHA1
b1af324e777da180a415c36818584450dd8ee650

SHA256
a1f8a37ae77b8d45e88992b6e6104d226e0490558d2adfeb144e21949f9d32d3

SHA512
491827c6387168ad410d99ef7fe0a7dd35379bf7e2f538843330e64eec088815f5e67925e3a47122922f319afb9850001390bfe2cacad173a573f9432a2dc526

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json

Filesize
98B

MD5
2e839b7ab87694f72220658502588c41

SHA1
b3996f638b1e00b4bdf5cadeab99d05492313f37

SHA256
376a0ca610d4de58de3887a8700d3e0f64fdc2123846a4f88876751847aef519

SHA512
050fe964fbdfd1a957ef3e8a1c1ce6ada6d5473be890ea318a9720a7c8e42e9fb8afcc723a03ed9deeb3f2ccbff0fe725eb0b831a24e9e4df39b7249da5688a1

Download Submit
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll

Filesize
23.7MB

MD5
effda8dc24b5465dd1424177160a5f1a

SHA1
9c3267d98ec841d4debda61d7c6aa158e6750996

SHA256
2bfbf9d0ed537106096a2dbfdb4bc1bbc1818c8d5befbad46fe872dfb2e5ee0b

SHA512
98e4155193e06baaec900d423eee3069809dbe5d26d401ce4508b79e4874b9014c3d6a8f36416074a369e17b089cd081820c01dc6cdd6743ece01e2ac182ac79

Download Submit
memory/3292-13612-0x0000000006520000-0x000000000653A000-memory.dmp

Filesize
104KB

Download
memory/3292-13729-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/3292-13594-0x0000000005240000-0x0000000005868000-memory.dmp

Filesize
6.2MB

Download
memory/3292-13595-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/3292-13597-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/3292-13596-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/3292-13593-0x0000000002700000-0x0000000002736000-memory.dmp

Filesize
216KB

Download
memory/3292-13607-0x0000000005A40000-0x0000000005D94000-memory.dmp

Filesize
3.3MB

Download
memory/3292-13608-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/3292-13609-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/3292-13731-0x0000000008380000-0x0000000008924000-memory.dmp

Filesize
5.6MB

Download
memory/3292-13730-0x0000000006600000-0x0000000006622000-memory.dmp

Filesize
136KB

Download
memory/3292-13611-0x0000000007750000-0x0000000007DCA000-memory.dmp

Filesize
6.5MB

Download
memory/4044-13766-0x000001F2DE800000-0x000001F2DE808000-memory.dmp

Filesize
32KB

Download
memory/4044-13764-0x000001F2DE860000-0x000001F2DE876000-memory.dmp

Filesize
88KB

Download
memory/4044-13776-0x000001F2F7EF0000-0x000001F2F7EFA000-memory.dmp

Filesize
40KB

Download
memory/4044-13774-0x000001F2F71C0000-0x000001F2F71CA000-memory.dmp

Filesize
40KB

Download
memory/4044-13772-0x000001F2F71F0000-0x000001F2F7222000-memory.dmp

Filesize
200KB

Download
memory/4044-13770-0x000001F2F7110000-0x000001F2F712E000-memory.dmp

Filesize
120KB

Download
memory/4044-13768-0x000001F2DE910000-0x000001F2DE924000-memory.dmp

Filesize
80KB

Download
memory/4044-13762-0x000001F2DE7F0000-0x000001F2DE7FA000-memory.dmp

Filesize
40KB

Download
memory/4044-13760-0x000001F2DE820000-0x000001F2DE846000-memory.dmp

Filesize
152KB

Download
memory/4044-13752-0x000001F2DDDA0000-0x000001F2DDE4C000-memory.dmp

Filesize
688KB

Download
memory/4044-13757-0x000001F2DE8B0000-0x000001F2DE90A000-memory.dmp

Filesize
360KB

Download
memory/4044-13754-0x000001F2DE790000-0x000001F2DE7AE000-memory.dmp

Filesize
120KB

Download
memory/4192-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4192-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4192-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4192-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4192-13579-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4192-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4932-13741-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4932-13553-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4932-13551-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4932-50-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4932-13565-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4932-13610-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4932-13562-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4932-23-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/4932-13566-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/5392-13589-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5392-13588-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5392-13587-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5392-13591-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/8088-13592-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/8088-13582-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download