blackmoon | b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe
Size

15.0MB
MD5

38c64fa7d7d7478732b04c42b71afa3a
SHA1

8534bed0e1694a090c7ff9b8f010bcff02bccd3e
SHA256

b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468
SHA512

7079d628c25edb62886eab75a8fe5fec096a584bbdabf68ffba810ea0b9913a9c2e6f2366acc9ccd8859a42cb4768febdc422d23043d4252f4b97d2475aadefb
SSDEEP

196608:iQwfQzHzARHblaR6cnawftA3YTcd1Oc5h2dxDbElK:AQTzuoRbBfQYT042YdBkK

Score

10^/10

blackmoon gh0strat banker defense_evasion discovery persistence privilege_escalation rat trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/2188-1-0x0000000000400000-0x0000000001300000-memory.dmp	family_blackmoon
behavioral1/files/0x000a000000012262-2.dat	family_blackmoon
behavioral1/memory/2188-137-0x0000000000400000-0x0000000001300000-memory.dmp	family_blackmoon

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/2188-1-0x0000000000400000-0x0000000001300000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000012262-2.dat	family_gh0strat
behavioral1/memory/1868-15-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1868-12-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1868-10-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1868-8-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/2188-137-0x0000000000400000-0x0000000001300000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Modifies Windows Firewall 2 TTPs 9 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2732	netsh.exe
2692	netsh.exe
2376	netsh.exe
2200	netsh.exe
2776	netsh.exe
2780	netsh.exe
2644	netsh.exe
2556	netsh.exe
2872	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll"	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe

Deletes itself 1 IoCs

pid	Process
1872	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
1736	ctfmoon.exe
2480	traffmonetizer.exe
2164	traffmonetizer.exe
1884	traffmonetizer.exe
1016	traffmonetizer.exe
236	traffmonetizer.exe

Loads dropped DLL 4 IoCs

pid	Process
656	svchost.exe
656	svchost.exe
656	svchost.exe
656	svchost.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	4	1.226.84.135	1868	svchost.exe
Destination IP	7	124.160.26.219	1868	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api6.my-ip.io

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	traffmonetizer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Update[1].txt	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 656 set thread context of 1868	656	svchost.exe	52

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-1-0x0000000000400000-0x0000000001300000-memory.dmp	upx
behavioral1/memory/2188-137-0x0000000000400000-0x0000000001300000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Metadata.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Console.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Sockets.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.VisualC.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Json.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Data.Common.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Ping.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Bcl.AsyncInterfaces.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Memory.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encoding.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Handles.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebHeaderCollection.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.SecureString.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TraceSource.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Http.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Immutable.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.Calendars.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XPath.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Specialized.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TextWriterTraceListener.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Parallel.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.InteropServices.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.StackTrace.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Csp.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Concurrent.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Algorithms.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Base.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Security.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.RegularExpressions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Thread.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Buffers.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.NonGeneric.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe.config	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.UnmanagedMemoryStream.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encodings.Web.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.Unsafe.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Drawing.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebSockets.Client.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Numerics.Vectors.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Claims.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.Reader.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.Writer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.EventBasedAsync.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Tools.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.Watcher.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\ctfmoon.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.ResourceManager.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-24-85-1a-77-7a\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	traffmonetizer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	traffmonetizer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{26AB04F6-76D5-4F31-BB5A-206374F87812}\WpadNetworkName = "Network 3"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-24-85-1a-77-7a\WpadDecisionTime = 301a5380d381db01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	traffmonetizer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	traffmonetizer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	traffmonetizer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus\FontCachePath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local"	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{26AB04F6-76D5-4F31-BB5A-206374F87812}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-24-85-1a-77-7a\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	traffmonetizer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{26AB04F6-76D5-4F31-BB5A-206374F87812}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-24-85-1a-77-7a	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	traffmonetizer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{26AB04F6-76D5-4F31-BB5A-206374F87812}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{26AB04F6-76D5-4F31-BB5A-206374F87812}\WpadDecisionTime = 301a5380d381db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{26AB04F6-76D5-4F31-BB5A-206374F87812}\52-24-85-1a-77-7a	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	traffmonetizer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
656	svchost.exe
1872	powershell.exe
656	svchost.exe
2164	traffmonetizer.exe
2164	traffmonetizer.exe
2164	traffmonetizer.exe
2164	traffmonetizer.exe
1884	traffmonetizer.exe
1884	traffmonetizer.exe
1884	traffmonetizer.exe
1884	traffmonetizer.exe
1016	traffmonetizer.exe
1016	traffmonetizer.exe
1016	traffmonetizer.exe
1016	traffmonetizer.exe
236	traffmonetizer.exe
236	traffmonetizer.exe
236	traffmonetizer.exe
236	traffmonetizer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1868	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2480	traffmonetizer.exe
Token: SeDebugPrivilege	2164	traffmonetizer.exe
Token: SeDebugPrivilege	1884	traffmonetizer.exe
Token: SeDebugPrivilege	1016	traffmonetizer.exe
Token: SeDebugPrivilege	236	traffmonetizer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2480	traffmonetizer.exe
2164	traffmonetizer.exe
1884	traffmonetizer.exe
1016	traffmonetizer.exe
236	traffmonetizer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2556	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	31
PID 2188 wrote to memory of 2556	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	31
PID 2188 wrote to memory of 2556	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	31
PID 2188 wrote to memory of 2556	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	31
PID 2188 wrote to memory of 2200	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	33
PID 2188 wrote to memory of 2200	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	33
PID 2188 wrote to memory of 2200	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	33
PID 2188 wrote to memory of 2200	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	33
PID 2188 wrote to memory of 2872	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	35
PID 2188 wrote to memory of 2872	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	35
PID 2188 wrote to memory of 2872	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	35
PID 2188 wrote to memory of 2872	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	35
PID 2188 wrote to memory of 2776	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	37
PID 2188 wrote to memory of 2776	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	37
PID 2188 wrote to memory of 2776	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	37
PID 2188 wrote to memory of 2776	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	37
PID 2188 wrote to memory of 2780	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	39
PID 2188 wrote to memory of 2780	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	39
PID 2188 wrote to memory of 2780	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	39
PID 2188 wrote to memory of 2780	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	39
PID 2188 wrote to memory of 2644	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	41
PID 2188 wrote to memory of 2644	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	41
PID 2188 wrote to memory of 2644	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	41
PID 2188 wrote to memory of 2644	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	41
PID 2188 wrote to memory of 2732	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	43
PID 2188 wrote to memory of 2732	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	43
PID 2188 wrote to memory of 2732	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	43
PID 2188 wrote to memory of 2732	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	43
PID 2188 wrote to memory of 2692	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	45
PID 2188 wrote to memory of 2692	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	45
PID 2188 wrote to memory of 2692	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	45
PID 2188 wrote to memory of 2692	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	45
PID 2188 wrote to memory of 2376	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	47
PID 2188 wrote to memory of 2376	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	47
PID 2188 wrote to memory of 2376	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	47
PID 2188 wrote to memory of 2376	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	47
PID 2188 wrote to memory of 1872	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	50
PID 2188 wrote to memory of 1872	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	50
PID 2188 wrote to memory of 1872	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	50
PID 2188 wrote to memory of 1872	2188	b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe	50
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1868	656	svchost.exe	52
PID 656 wrote to memory of 1736	656	svchost.exe	53
PID 656 wrote to memory of 1736	656	svchost.exe	53
PID 656 wrote to memory of 1736	656	svchost.exe	53
PID 656 wrote to memory of 1736	656	svchost.exe	53
PID 656 wrote to memory of 2480	656	svchost.exe	55
PID 656 wrote to memory of 2480	656	svchost.exe	55
PID 656 wrote to memory of 2480	656	svchost.exe	55
PID 656 wrote to memory of 2480	656	svchost.exe	55
PID 2480 wrote to memory of 2164	2480	traffmonetizer.exe	56
PID 2480 wrote to memory of 2164	2480	traffmonetizer.exe	56
PID 2480 wrote to memory of 2164	2480	traffmonetizer.exe	56
PID 2480 wrote to memory of 3020	2480	traffmonetizer.exe	57
PID 2480 wrote to memory of 3020	2480	traffmonetizer.exe	57
PID 2480 wrote to memory of 3020	2480	traffmonetizer.exe	57
PID 2164 wrote to memory of 1884	2164	traffmonetizer.exe	58

C:\Users\Admin\AppData\Local\Temp\b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe
"C:\Users\Admin\AppData\Local\Temp\b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe"
1⤵
- Server Software Component: Terminal Services DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name=Microsoft_Store new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\Admin\AppData\Local\Temp\b4496c7be8a9258bf377204b491af1155054fff609ad9fc90966f39d9d7fd468.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Unexpected DNS network traffic destination
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1868
- C:\Windows\Microsoft.NET\ctfmoon.exe
  C:\Windows\Microsoft.NET\ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
  C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
    "C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
      "C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1884
    - - C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
        
        "C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1016
      - C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
        
        "C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:236
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1016 -s 1704
        6⤵
        
        PID:804
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1884 -s 1680
        5⤵
        
        PID:1824
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2164 -s 1536
      4⤵
      PID:2364
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2480 -s 1732
    3⤵
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\ctfmoon.exe

Filesize
9.1MB

MD5
1de26ef85f7218e1df4ed675fa2b05d4

SHA1
e5217fa3b50f625d84d5e5c4b66c031f7a2446ae

SHA256
fdd762192d351cea051c0170840f1d8d171f334f06313a17eba97cacb5f1e6e1

SHA512
ada80a9f97bec76899eccc40c646387a067a201663d4d0f4537af450ea7c92df877f017862634e32e9e2ba08ca6d41806dc03f0dfd7f811ca303b56b1ac17d92

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Base.dll

Filesize
106KB

MD5
c3935313bbf380cd8d3cb336a5e3c8e8

SHA1
c09f0b894ee5a6a59dea194e94b42fff29b53f38

SHA256
4d0409c6db0b0af97f5fc57ebe2248c1632aeb836a5ea1eeaad64f57a4eb662b

SHA512
6525f98811cb277fbae75e278fca7997c6a6993b3f3f163a3c98da85055305d7a61917981625f113c448b8a397d3c5a143db2c8b131e5e4395205e34dc7c48a2

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
20KB

MD5
1ee251645b8a54a116d6d06c83a2bd85

SHA1
5dbf1534ffbff016cc45559eb5eff3dc4252a522

SHA256
075ce79e84041137c78885b3738c1b5a03547d0ae2a79916e844196a9d0ec1db

SHA512
9f67fd0566eac2da4253d08697daab427e4e85780615d940f086a88424dcbb0563abae7e4824088e64ef7024c1bb3bbf324f2d07bc7ba55f79e4af3c9ea88e97

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Diagnostics.Runtime.dll

Filesize
490KB

MD5
5dfb71a97b10d00dea71f443fdfd732f

SHA1
c7d9b0f37bf40a4677e243a4d16454f3475853a2

SHA256
d9ecb8cd1ac822a14e65f7c7f5f3fcb262fa23fb7c721a59321bdb467bcbad14

SHA512
8e84b1d442e11a5b6c16efe0cd44bc0f27bfd141a7b812ce2e32b3cc0697d8f9b2155bb60ee48934b4a907c2abd181bdcafa5d7bf4ac4dec91120733428d6eba

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Immutable.dll

Filesize
184KB

MD5
c598080fa777d6e63dfd0370e97ec8f3

SHA1
9d1236dcfb3caa07278a6d4ec751798d67d73cc2

SHA256
646d3b52a4898078f46534727bdb06ff23b72523441458b9f49ecc315bf3ef5c

SHA512
8a5b4afb4363732008c97d53f13ee430401e4a17677af37123da035f15f9e9409a2aeb74ae238379291fd5de07c3cd4e3de2778da5edf83a42649fa5b281cb32

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Memory.dll

Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Http.dll

Filesize
193KB

MD5
665e355cbed5fe5f7bebc3cb23e68649

SHA1
1c2cefafba48ba7aaab746f660debd34f2f4b14c

SHA256
b5d20736f84f335ef4c918a5ba41c3a0d7189397c71b166ccc6c342427a94ece

SHA512
5300d39365e84a67010ae4c282d7e05172563119afb84dc1b0610217683c7d110803aef02945034a939262f6a7ecf629b52c0e93c1cd63d52ca7a3b3e607bb7d

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Metadata.dll

Filesize
451KB

MD5
c4ea65bd802f1ccd3ea2ad1841fd85c2

SHA1
2364d6dd5dd3b566e06e6b1dc960533d2b3017b7

SHA256
46451e1168dd11d450aa9b6119f17cec9a70928a40ac3c752abf61ce809cba6f

SHA512
fc4c18ea6a6f38d8c4b4f2e02d3d077cc729b531ca08cf9602c65e22aadc0be770e441660cc980cbfed3b27bd783e65f793838532673e2845276390b4b22d730

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.Unsafe.dll

Filesize
16KB

MD5
9a341540899dcc5630886f2d921be78f

SHA1
bab44612721c3dc91ac3d9dfca7c961a3a511508

SHA256
3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5

SHA512
066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.InteropServices.RuntimeInformation.dll

Filesize
27KB

MD5
05af54a1c6450b98ad0fb0e857b6a523

SHA1
15349e541122743a5d355946e48380ac1811b52f

SHA256
76432f414458e93b54ceb02fc348e652a84744108102f3a83792d8a804040eb8

SHA512
c763fe0e16079e431cfa13c63706b58637e3bb6e395f3c874f7ec8b1d5d5c16849d30a088e69e4ba798afaaf7066763daffff6a2880fb6c8ab838d9d721f000d

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encodings.Web.dll

Filesize
66KB

MD5
e8cdacfd2ef2f4b3d1a8e6d59b6e3027

SHA1
9a85d938d8430a73255a65ea002a7709c81a4cf3

SHA256
edf13ebf2d45152e26a16b947cd953aeb7a42602fa48e53fd7673934e5acea30

SHA512
ee1005270305b614236d68e427263b4b4528ad3842057670fad061867286815577ec7d3ed8176e6683d723f9f592abcbf28d24935ce8a34571ab7f1720e2ffc5

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Json.dll

Filesize
347KB

MD5
38470ca21414a8827c24d8fe0438e84b

SHA1
1c394a150c5693c69f85403f201caa501594b7ab

SHA256
2c7435257690ac95dc03b45a236005124097f08519adf3134b1d1ece4190e64c

SHA512
079f7320cc2f3b97a5733725d3b13dff17b595465159daabca5a166d39777100e5a2d9af2a75989dfabdb2f29eac0710e16c3bb2660621344b7a63c5dbb87ef8

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.ValueTuple.dll

Filesize
77KB

MD5
8c9424e37a28db7d70e7d52f0df33cf8

SHA1
81cd1acb53d493c54c8d56f379d790a901a355ac

SHA256
e4774aead2793f440e0ced6c097048423d118e0b6ed238c6fe5b456acb07817f

SHA512
cb6364c136f9d07191cf89ea2d3b89e08db0cd5911bf835c32ae81e4d51e0789ddc92d47e80b7ff7e24985890ed29a00b0a391834b43cf11db303cd980d834f4

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe

Filesize
680KB

MD5
2884fdeaa62f29861ce2645dde0040f6

SHA1
01a775a431f6e4da49f5c5da2dab74cc4d770021

SHA256
2923eacd0c99a2d385f7c989882b7cca83bff133ecf176fdb411f8d17e7ef265

SHA512
470ce2cf25d7ee66f4ceb197e218872ea1b865de7029fadb0d41f3324a213b94c668968f20e228e87a879c1f0c13c9827f3b8881820d02e780d567d791ad159f

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe.config

Filesize
18KB

MD5
e3f86e44d1997122912dd19c93b4cc51

SHA1
55a2abf767061a27d48fc5eda94ba8156add3e81

SHA256
8905f68562e02ca9c686f8bb6edde6643c94b2592240c6ed0d40ca380e69e62d

SHA512
314f97d7889d22d1086682c2abfcf0bcb753c2103a29127407392fa05dabb69f1528c7b8028aeac48e5fd7daf0fb1e4a367e6d83f7ca73bcea8e7c6e1d1b54d5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid

Filesize
4B

MD5
b06b5541a62ed438f956b662b4e1ec28

SHA1
6f751b16b8d2edbd6d389c5ba0ada75d78f184d6

SHA256
18167da210996cf3525e400870f7d4955d6b983a7b7d237586e242e59888ad86

SHA512
8925c60b4398efb55db246b74a2b7dfd83202b71597251efd62e5757f45d6d821959717f5a6b614589a5ff12c3a0b75db98ee04efb66bc93e31a6dff85206549

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid

Filesize
4B

MD5
c3e4035af2a1cde9f21e1ae1951ac80b

SHA1
9b94a608be732098889302c76ed74b6c025db3cc

SHA256
34df2d15ee336296547593d47aa1f39f653dcb7b76215dacccd0488e14f579e6

SHA512
440d6542c27c6415b65d796aac46e80b8b0f77dc6cdab654408ce62e86fc110fa24b049018d8ec2b99013b98fe49d0c0eb293bcbb0a18773554c7bb9c2f9ac8f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid

Filesize
4B

MD5
08fe2621d8e716b02ec0da35256a998d

SHA1
49ae64f7fd1d3f88bba01cfdf9cfbf9a68886037

SHA256
ef32cc5c2b7c62093d3ec4844b36a02b08bb83eee2efa6b6b5e85ad605790192

SHA512
63e8010a3549650629428bcc48fd8e385a10e6c8559603a7a4e47bc6ff0e05acc7b7ae6eb02c866c40ae7a5423c74326ba6e51612a8f79e0b7e6fccb974e10a9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid

Filesize
3B

MD5
01161aaa0b6d1345dd8fe4e481144d84

SHA1
5d23e965603269f7674c2fc33318f5d5af406f6f

SHA256
9a049b03f6fc40bfcf2f136320359257ed4af8513f71aa6fef47f17059bbae23

SHA512
b7c0f8fb08786d912bfac405345824108b21b5082e1614f537db65eacd97b6d90f50abc3f6f06081d91b8922b233ba5cedcf783ab4b824122b7432113654ddb4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json

Filesize
98B

MD5
2e839b7ab87694f72220658502588c41

SHA1
b3996f638b1e00b4bdf5cadeab99d05492313f37

SHA256
376a0ca610d4de58de3887a8700d3e0f64fdc2123846a4f88876751847aef519

SHA512
050fe964fbdfd1a957ef3e8a1c1ce6ada6d5473be890ea318a9720a7c8e42e9fb8afcc723a03ed9deeb3f2ccbff0fe725eb0b831a24e9e4df39b7249da5688a1

Download Submit
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll

Filesize
14.7MB

MD5
a83318068ed77eef71f9d28e4731c179

SHA1
347f97b17ccb4f22a4e201009b6145066b600e1d

SHA256
89cd66e51f490dba5a818525bab15810604b895cebb2a5bfb4fb670ca229f972

SHA512
e790bd6cde5fc3440560d5267f3a50f3ac04ccb123d3b52608579e76877477aa630d94683e84a6cf69ea6cfc862569cc923d216185f19a934797c81eea712fbe

Download Submit
memory/1868-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1868-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1884-201-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1884-199-0x0000000000280000-0x00000000002DA000-memory.dmp

Filesize
360KB

Download
memory/1884-202-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/1884-200-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/1884-203-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/2164-188-0x0000000000C80000-0x0000000000C9E000-memory.dmp

Filesize
120KB

Download
memory/2164-190-0x00000000010E0000-0x00000000010EA000-memory.dmp

Filesize
40KB

Download
memory/2164-189-0x0000000000F50000-0x0000000000F82000-memory.dmp

Filesize
200KB

Download
memory/2164-194-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2164-195-0x000000001BDF0000-0x000000001BE66000-memory.dmp

Filesize
472KB

Download
memory/2164-193-0x0000000019C50000-0x0000000019C82000-memory.dmp

Filesize
200KB

Download
memory/2164-192-0x000000001BBA0000-0x000000001BC1E000-memory.dmp

Filesize
504KB

Download
memory/2164-184-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2164-183-0x00000000005F0000-0x0000000000616000-memory.dmp

Filesize
152KB

Download
memory/2164-186-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2164-185-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download
memory/2164-187-0x0000000000C60000-0x0000000000C74000-memory.dmp

Filesize
80KB

Download
memory/2188-1-0x0000000000400000-0x0000000001300000-memory.dmp

Filesize
15.0MB

Download
memory/2188-137-0x0000000000400000-0x0000000001300000-memory.dmp

Filesize
15.0MB

Download
memory/2480-161-0x0000000019540000-0x000000001955E000-memory.dmp

Filesize
120KB

Download
memory/2480-176-0x0000000019990000-0x000000001999A000-memory.dmp

Filesize
40KB

Download
memory/2480-151-0x0000000001010000-0x0000000001036000-memory.dmp

Filesize
152KB

Download
memory/2480-172-0x000000001ACB0000-0x000000001AD2E000-memory.dmp

Filesize
504KB

Download
memory/2480-163-0x0000000019940000-0x0000000019972000-memory.dmp

Filesize
200KB

Download
memory/2480-165-0x00000000010E0000-0x00000000010EA000-memory.dmp

Filesize
40KB

Download
memory/2480-178-0x000000001B7D0000-0x000000001B846000-memory.dmp

Filesize
472KB

Download
memory/2480-174-0x000000001A1A0000-0x000000001A1D2000-memory.dmp

Filesize
200KB

Download
memory/2480-159-0x0000000019520000-0x0000000019534000-memory.dmp

Filesize
80KB

Download
memory/2480-157-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/2480-155-0x0000000001040000-0x0000000001056000-memory.dmp

Filesize
88KB

Download
memory/2480-153-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/2480-148-0x0000000000FB0000-0x000000000100A000-memory.dmp

Filesize
360KB

Download
memory/2480-145-0x0000000000460000-0x000000000047E000-memory.dmp

Filesize
120KB

Download
memory/2480-143-0x00000000010F0000-0x000000000119C000-memory.dmp

Filesize
688KB

Download
memory/2480-167-0x0000000019560000-0x000000001956A000-memory.dmp

Filesize
40KB

Download