blackmoon | 360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe
Size

36KB
MD5

5f500bf425159642df0533f6cc76ad70
SHA1

5b0f9d99b7c10092fa3579eee44dd4ef30a2e18d
SHA256

360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01
SHA512

e11d34dca0d0d73a1cd40e91574cda0cb4a0f70c6b1032713b5e22560fec3cbb1c38bb9aa7ff6bb4f2762454dfa2bd18cf12add1d847ef14d255ac8a9703cf9e
SSDEEP

768:+mfjwQzmBOYMZeQEDNpPv0c3q7QZJxhJkn4l11uy:+mjzm8vzsEZaJxhS4Buy

Score

10^/10

blackmoon gh0strat banker evasion persistence privilege_escalation rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2672-18-0x0000000000400000-0x0000000000D0A000-memory.dmp	family_blackmoon
behavioral1/memory/2672-45-0x0000000000400000-0x0000000000D0A000-memory.dmp	family_blackmoon
behavioral1/memory/2672-46-0x0000000000400000-0x0000000000D0A000-memory.dmp	family_blackmoon
behavioral1/memory/2672-13547-0x0000000000400000-0x0000000000D0A000-memory.dmp	family_blackmoon
behavioral1/memory/2672-13591-0x0000000000400000-0x0000000000D0A000-memory.dmp	family_blackmoon
behavioral1/memory/2672-13592-0x0000000000400000-0x0000000000D0A000-memory.dmp	family_blackmoon
behavioral1/memory/4200-13609-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_blackmoon
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll	family_blackmoon
behavioral1/memory/4200-13612-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_blackmoon

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4200-13609-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_gh0strat
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll	family_gh0strat
behavioral1/memory/4200-13612-0x0000000000400000-0x0000000001BF5000-memory.dmp	family_gh0strat
behavioral1/memory/1288-13620-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1288-13618-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1288-13616-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/memory/1288-13623-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 12 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

6068 netsh.exe
12348 netsh.exe
12408 netsh.exe
12460 netsh.exe
12660 netsh.exe
12764 netsh.exe
12800 netsh.exe
4132 netsh.exe
12492 netsh.exe
12552 netsh.exe
12612 netsh.exe
12708 netsh.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
persistence

Terminal Services DLL
T1505.005

Processes:

Hooks.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll" Hooks.exe
Executes dropped EXE 7 IoCs

Processes:

MpMgSvc.exeEternalblue-2.2.0.exeEternalblue-2.2.0.exeHooks.exectfmoon.exeMeson.exetraffmonetizer.exe

pid process

2672 MpMgSvc.exe
9648 Eternalblue-2.2.0.exe
9160 Eternalblue-2.2.0.exe
4200 Hooks.exe
13416 ctfmoon.exe
13556 Meson.exe
13676 traffmonetizer.exe

pid	process
6068	netsh.exe
12348	netsh.exe
12408	netsh.exe
12460	netsh.exe
12660	netsh.exe
12764	netsh.exe
12800	netsh.exe
4132	netsh.exe
12492	netsh.exe
12552	netsh.exe
12612	netsh.exe
12708	netsh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GraphicsPerfSvcs\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\GraphicsPerfSvcs.dll"	Hooks.exe

pid	process
2672	MpMgSvc.exe
9648	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
4200	Hooks.exe
13416	ctfmoon.exe
13556	Meson.exe
13676	traffmonetizer.exe

Loads dropped DLL 31 IoCs

Processes:

360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exeMpMgSvc.exeEternalblue-2.2.0.exeEternalblue-2.2.0.exesvchost.exe

pid	process
2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe
2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe
2672	MpMgSvc.exe
2672	MpMgSvc.exe
9648	Eternalblue-2.2.0.exe
9648	Eternalblue-2.2.0.exe
9648	Eternalblue-2.2.0.exe
9648	Eternalblue-2.2.0.exe
9648	Eternalblue-2.2.0.exe
9648	Eternalblue-2.2.0.exe
9648	Eternalblue-2.2.0.exe
9648	Eternalblue-2.2.0.exe
9648	Eternalblue-2.2.0.exe
2672	MpMgSvc.exe
9160	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
9160	Eternalblue-2.2.0.exe
2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe
2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Temp\MpMgSvc.exe	upx
behavioral1/memory/2672-18-0x0000000000400000-0x0000000000D0A000-memory.dmp	upx
behavioral1/memory/2672-45-0x0000000000400000-0x0000000000D0A000-memory.dmp	upx
behavioral1/memory/2672-46-0x0000000000400000-0x0000000000D0A000-memory.dmp	upx
behavioral1/memory/2672-13547-0x0000000000400000-0x0000000000D0A000-memory.dmp	upx
behavioral1/memory/2672-13591-0x0000000000400000-0x0000000000D0A000-memory.dmp	upx
behavioral1/memory/2672-13592-0x0000000000400000-0x0000000000D0A000-memory.dmp	upx
C:\Windows\Temp\Hooks.exe	upx
behavioral1/memory/4200-13609-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx
behavioral1/memory/4200-13612-0x0000000000400000-0x0000000001BF5000-memory.dmp	upx

Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 1.226.84.135
Destination IP 1.226.84.135
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2816 api6.my-ip.io

description	ioc
Destination IP	1.226.84.135
Destination IP	1.226.84.135

flow	ioc
2816	api6.my-ip.io

Drops file in System32 directory 6 IoCs

Processes:

svchost.exetraffmonetizer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\pid	traffmonetizer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	traffmonetizer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2068 set thread context of 1288 2068 svchost.exe svchost.exe

description	pid	process	target process
PID 2068 set thread context of 1288	2068	svchost.exe	svchost.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Globalization.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Encoding.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.AppContext.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\root_conf\default.toml	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.ReaderWriter.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Security.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Immutable.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Diagnostics.NETCore.Client.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.Reader.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.Unsafe.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.FileVersionInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.ThreadPool.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XPath.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Thread.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ComponentModel.EventBasedAsync.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.Compression.ZipFile.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Reflection.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.NameResolution.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Ping.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebHeaderCollection.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Json.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Diagnostics.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.TextWriterTraceListener.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Csp.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\netstandard.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.IsolatedStorage.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Http.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.Serialization.Formatters.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Data.Common.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Linq.Queryable.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Memory.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.NetworkInformation.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Resources.ResourceManager.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.InteropServices.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.InteropServices.RuntimeInformation.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XPath.XDocument.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Diagnostics.Tracing.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Dynamic.Runtime.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.FileSystem.DriveInfo.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.VisualC.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Overlapped.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Drawing.Primitives.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.UnmanagedMemoryStream.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WmiPrvSER.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.MemoryMappedFiles.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\Microsoft.Bcl.AsyncInterfaces.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Cryptography.Algorithms.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.ValueTuple.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Xml.XmlSerializer.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebSockets.Client.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.Compression.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.IO.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.Principal.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Security.SecureString.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Collections.Concurrent.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Net.WebSockets.dll	svchost.exe
File created	C:\Windows\Microsoft.NET\traffmonetizer\System.Numerics.Vectors.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2824 2832 WerFault.exe 360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe

pid	pid_target	process	target process
2824	2832	WerFault.exe	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Meson.exesvchost.exetraffmonetizer.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	Meson.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local"	traffmonetizer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	Meson.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\6a-4f-8d-4b-10-6b	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	Meson.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	Meson.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = 80a7b1ef70cbda01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	Meson.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exesvchost.exe

pid process

1508 powershell.exe
2068 svchost.exe
2068 svchost.exe
2068 svchost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1288 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exetraffmonetizer.exe

description pid process

Token: SeDebugPrivilege 1508 powershell.exe
Token: SeDebugPrivilege 13676 traffmonetizer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

traffmonetizer.exe

pid process

13676 traffmonetizer.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MpMgSvc.exeHooks.exe

pid process

2672 MpMgSvc.exe
2672 MpMgSvc.exe
4200 Hooks.exe

pid	process
1508	powershell.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe

pid	process
1288	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	13676	traffmonetizer.exe

pid	process
13676	traffmonetizer.exe

pid	process
2672	MpMgSvc.exe
2672	MpMgSvc.exe
4200	Hooks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exeMpMgSvc.exeHooks.exesvchost.exe

description	pid	process	target process
PID 2832 wrote to memory of 2672	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	MpMgSvc.exe
PID 2832 wrote to memory of 2672	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	MpMgSvc.exe
PID 2832 wrote to memory of 2672	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	MpMgSvc.exe
PID 2832 wrote to memory of 2672	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	MpMgSvc.exe
PID 2672 wrote to memory of 9648	2672	MpMgSvc.exe	Eternalblue-2.2.0.exe
PID 2672 wrote to memory of 9648	2672	MpMgSvc.exe	Eternalblue-2.2.0.exe
PID 2672 wrote to memory of 9648	2672	MpMgSvc.exe	Eternalblue-2.2.0.exe
PID 2672 wrote to memory of 9648	2672	MpMgSvc.exe	Eternalblue-2.2.0.exe
PID 2672 wrote to memory of 9160	2672	MpMgSvc.exe	Eternalblue-2.2.0.exe
PID 2672 wrote to memory of 9160	2672	MpMgSvc.exe	Eternalblue-2.2.0.exe
PID 2672 wrote to memory of 9160	2672	MpMgSvc.exe	Eternalblue-2.2.0.exe
PID 2672 wrote to memory of 9160	2672	MpMgSvc.exe	Eternalblue-2.2.0.exe
PID 2832 wrote to memory of 4200	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	Hooks.exe
PID 2832 wrote to memory of 4200	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	Hooks.exe
PID 2832 wrote to memory of 4200	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	Hooks.exe
PID 2832 wrote to memory of 4200	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	Hooks.exe
PID 2832 wrote to memory of 2824	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	WerFault.exe
PID 2832 wrote to memory of 2824	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	WerFault.exe
PID 2832 wrote to memory of 2824	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	WerFault.exe
PID 2832 wrote to memory of 2824	2832	360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe	WerFault.exe
PID 4200 wrote to memory of 1508	4200	Hooks.exe	powershell.exe
PID 4200 wrote to memory of 1508	4200	Hooks.exe	powershell.exe
PID 4200 wrote to memory of 1508	4200	Hooks.exe	powershell.exe
PID 4200 wrote to memory of 1508	4200	Hooks.exe	powershell.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 1288	2068	svchost.exe	svchost.exe
PID 2068 wrote to memory of 4132	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 4132	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 4132	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 4132	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 6068	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 6068	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 6068	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 6068	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12348	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12348	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12348	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12348	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12408	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12408	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12408	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12408	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12460	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12460	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12460	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12460	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12492	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12492	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12492	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12492	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12552	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12552	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12552	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12552	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12612	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12612	2068	svchost.exe	netsh.exe
PID 2068 wrote to memory of 12612	2068	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832

C:\WINDOWS\Temp\MpMgSvc.exe
"C:\WINDOWS\Temp\MpMgSvc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672

C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
Eternalblue-2.2.0.exe --TargetIp 10.127.1.35 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9648

C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
Eternalblue-2.2.0.exe --TargetIp 10.127.1.35 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9160

C:\WINDOWS\Temp\Hooks.exe
"C:\WINDOWS\Temp\Hooks.exe"
2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 564
2⤵
- Program crash
PID:2824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1288

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:4132

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6068

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:12348

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=Microsoft_Edge dir=in program=C:\Windows\Microsoft.NET\Meson.exe action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:12408

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=Microsoft_Edge dir=out program=C:\Windows\Microsoft.NET\Meson.exe action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:12460

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule name=Microsoft_Edge new enable=yes
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:12492

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:12552

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:12612

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:12660

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:12708

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:12764

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule name=Microsoft_Store new enable=yes
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:12800

C:\Windows\Microsoft.NET\ctfmoon.exe
C:\Windows\Microsoft.NET\ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos
2⤵
- Executes dropped EXE
PID:13416

C:\Windows\Microsoft.NET\Meson.exe
C:\Windows\Microsoft.NET\Meson.exe
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:13556

C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:13676

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\root_conf\default.toml
Filesize
390B

MD5
9e3d810a244768218af8fc0499bd5dd7

SHA1
660cb236baf95c83e0acd64e3f607fbeb199a1e0

SHA256
e864d44ec86eaa38112c3bfcfc21b078cc59e11f984c0441989e8606197357e2

SHA512
8f9ac0dede89a68202eb858cda086727ebbba3fdfb4fa43ce2d52cdd5e69c89f66a171fae371ca29b4d65dc04862cbcb71e58be48e8dcc520e1db3b27a093f2b

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\Base.dll
Filesize
106KB

MD5
c3935313bbf380cd8d3cb336a5e3c8e8

SHA1
c09f0b894ee5a6a59dea194e94b42fff29b53f38

SHA256
4d0409c6db0b0af97f5fc57ebe2248c1632aeb836a5ea1eeaad64f57a4eb662b

SHA512
6525f98811cb277fbae75e278fca7997c6a6993b3f3f163a3c98da85055305d7a61917981625f113c448b8a397d3c5a143db2c8b131e5e4395205e34dc7c48a2

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Buffers.dll
Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Memory.dll
Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Net.Http.dll
Filesize
193KB

MD5
665e355cbed5fe5f7bebc3cb23e68649

SHA1
1c2cefafba48ba7aaab746f660debd34f2f4b14c

SHA256
b5d20736f84f335ef4c918a5ba41c3a0d7189397c71b166ccc6c342427a94ece

SHA512
5300d39365e84a67010ae4c282d7e05172563119afb84dc1b0610217683c7d110803aef02945034a939262f6a7ecf629b52c0e93c1cd63d52ca7a3b3e607bb7d

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Numerics.Vectors.dll
Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Runtime.CompilerServices.Unsafe.dll
Filesize
16KB

MD5
9a341540899dcc5630886f2d921be78f

SHA1
bab44612721c3dc91ac3d9dfca7c961a3a511508

SHA256
3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5

SHA512
066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Encodings.Web.dll
Filesize
66KB

MD5
e8cdacfd2ef2f4b3d1a8e6d59b6e3027

SHA1
9a85d938d8430a73255a65ea002a7709c81a4cf3

SHA256
edf13ebf2d45152e26a16b947cd953aeb7a42602fa48e53fd7673934e5acea30

SHA512
ee1005270305b614236d68e427263b4b4528ad3842057670fad061867286815577ec7d3ed8176e6683d723f9f592abcbf28d24935ce8a34571ab7f1720e2ffc5

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Text.Json.dll
Filesize
347KB

MD5
38470ca21414a8827c24d8fe0438e84b

SHA1
1c394a150c5693c69f85403f201caa501594b7ab

SHA256
2c7435257690ac95dc03b45a236005124097f08519adf3134b1d1ece4190e64c

SHA512
079f7320cc2f3b97a5733725d3b13dff17b595465159daabca5a166d39777100e5a2d9af2a75989dfabdb2f29eac0710e16c3bb2660621344b7a63c5dbb87ef8

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.Threading.Tasks.Extensions.dll
Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\System.ValueTuple.dll
Filesize
77KB

MD5
8c9424e37a28db7d70e7d52f0df33cf8

SHA1
81cd1acb53d493c54c8d56f379d790a901a355ac

SHA256
e4774aead2793f440e0ced6c097048423d118e0b6ed238c6fe5b456acb07817f

SHA512
cb6364c136f9d07191cf89ea2d3b89e08db0cd5911bf835c32ae81e4d51e0789ddc92d47e80b7ff7e24985890ed29a00b0a391834b43cf11db303cd980d834f4

Download Submit
C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe.config
Filesize
18KB

MD5
e3f86e44d1997122912dd19c93b4cc51

SHA1
55a2abf767061a27d48fc5eda94ba8156add3e81

SHA256
8905f68562e02ca9c686f8bb6edde6643c94b2592240c6ed0d40ca380e69e62d

SHA512
314f97d7889d22d1086682c2abfcf0bcb753c2103a29127407392fa05dabb69f1528c7b8028aeac48e5fd7daf0fb1e4a367e6d83f7ca73bcea8e7c6e1d1b54d5

Download Submit
C:\Windows\Temp\Eternalblue-2.2.0.xml
Filesize
7KB

MD5
497080fed2000e8b49ee2e97e54036b1

SHA1
4af3fae881a80355dd09df6e736203c30c4faac5

SHA256
756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380

SHA512
4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

Download Submit
C:\Windows\Temp\Hooks.exe
Filesize
11.7MB

MD5
e5aa445a4f523de1b08d0efdd47c1fac

SHA1
62a5953f5092810669b1fdf1fd0e5918b4527174

SHA256
7ca01cb68c03434dd6a45bd79206370dc69b8787825c5d26ec75dcc4a3b14f81

SHA512
ba4ccc699827cf66630a0f543cdd35ee8538be5c2c441aa851b5ccd3d29c9500cdbcca917a556ff58c0c6ac2c9943954c1775abb81f9d7d7ddf09a9569308bdc

Download Submit
C:\Windows\Temp\MpMgSvc.exe
Filesize
3.2MB

MD5
2311a69113104a760d785a79f45bab74

SHA1
32e883771883ba44715180e92a20c80638c5c78f

SHA256
f2af31b74bfe1648b8c06ce5b3869e81ce8caafe4a265e007af4036af3448ae7

SHA512
aafbd53acb886e6ab7706400852e8b79766ae99f5899b45952dc21cc55d91f0dca2d86e25f2568dc2b497a73a9c7e70682f98d8901c8089ac5650e46e1dd87e1

Download Submit
C:\Windows\Temp\ip.txt
Filesize
3KB

MD5
9870f1e4457090b618b7e735a7389022

SHA1
4566add1f238f049f2db334e62fdd0459ff9dece

SHA256
8d5132ffd47c518e7e4c18f4395808c29e4653b59b1bcc41a910fac67904d5a5

SHA512
796aaacbe3891a7fbdbc49b21a2fc7bf1a0907b8d328e06ca340b569aba80ad3196f30ddc9d99acfcc83a3d5e7f1ea8e32c92dae8dfbfc415512e2f9554b3b5b

Download Submit
C:\Windows\Temp\ip.txt
Filesize
4KB

MD5
e41f8c813be4886b874fca9131b11504

SHA1
688ad7542537c534114676b2849dd3219cbcbe67

SHA256
af4a4f1bf3fcf9f2ebd327d20b87288aee5c26fb94210c377b86bb52474e0c19

SHA512
1d11de691e27a33f7d77adb252f74df14769464e5f969187f0e20c4ef5b43ecf73ae505973faf3f5b75a315e7580342e5a5d3c7ab58abcf318c08f4ed735f33e

Download Submit
C:\Windows\Temp\ip.txt
Filesize
463B

MD5
fd9c3671b3923524f49202d9f1fb6fdc

SHA1
199bab0a4e8d1aeb51da66d0fde30d35ccb802d1

SHA256
e7f3832483bfad588e03222e9c649edce3f958ab03a2b3a0b50b6419000c0100

SHA512
63a9d805fbd5ee9ceff5a1544d490148dfc7d1fab0cfbcdae1078b266630d67f970115ccd34232e93525a5ecd316a044a2c975f9d512a4648c1e524f478b71fa

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\traffmonetizer\settings.json
Filesize
98B

MD5
2e839b7ab87694f72220658502588c41

SHA1
b3996f638b1e00b4bdf5cadeab99d05492313f37

SHA256
376a0ca610d4de58de3887a8700d3e0f64fdc2123846a4f88876751847aef519

SHA512
050fe964fbdfd1a957ef3e8a1c1ce6ada6d5473be890ea318a9720a7c8e42e9fb8afcc723a03ed9deeb3f2ccbff0fe725eb0b831a24e9e4df39b7249da5688a1

Download Submit
\??\c:\users\admin\appdata\roaming\graphicsperfsvcs.dll
Filesize
23.7MB

MD5
070c358598e30c4300caef33ec7fdda3

SHA1
76b1d2b6cd781e1f0bb8cd601ea740d1602fc096

SHA256
2dc754845d02d1d9e3757f1b9d0023bede2893e80fdf75d016ebbc008c910ff9

SHA512
f8a690bea6ff7a77a844e15e5705698add1cf807fdb0b7f2443cf787b809f3dc94ee744cca4f3b2687c2f138547610db24bff096ddda99240ebca69b1bc8428a

Download Submit
\Windows\Microsoft.NET\Meson.exe
Filesize
8.9MB

MD5
87c8b215c031443d630da6c18088f89a

SHA1
7a17a9026ec093c4571c13c2fc128b27fbd66a11

SHA256
0caedcf61c3bfe2da33b30adf2f5f2c1530b6907f133f4289519a56cc5c1bae6

SHA512
48d5565f5da60371b79d2c380a63c7b416a220ae7f52656ba4ed9447cf55ab73a05c4165c61c2a95c4e586b2baf483b0b97dcff77c76cadfe039690ded35c43e

Download Submit
\Windows\Microsoft.NET\ctfmoon.exe
Filesize
9.1MB

MD5
1de26ef85f7218e1df4ed675fa2b05d4

SHA1
e5217fa3b50f625d84d5e5c4b66c031f7a2446ae

SHA256
fdd762192d351cea051c0170840f1d8d171f334f06313a17eba97cacb5f1e6e1

SHA512
ada80a9f97bec76899eccc40c646387a067a201663d4d0f4537af450ea7c92df877f017862634e32e9e2ba08ca6d41806dc03f0dfd7f811ca303b56b1ac17d92

Download Submit
\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe
Filesize
680KB

MD5
2884fdeaa62f29861ce2645dde0040f6

SHA1
01a775a431f6e4da49f5c5da2dab74cc4d770021

SHA256
2923eacd0c99a2d385f7c989882b7cca83bff133ecf176fdb411f8d17e7ef265

SHA512
470ce2cf25d7ee66f4ceb197e218872ea1b865de7029fadb0d41f3324a213b94c668968f20e228e87a879c1f0c13c9827f3b8881820d02e780d567d791ad159f

Download Submit
\Windows\Temp\Eternalblue-2.2.0.exe
Filesize
126KB

MD5
8c80dd97c37525927c1e549cb59bcbf3

SHA1
4e80fa7d98c8e87facecdef0fc7de0d957d809e1

SHA256
85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

SHA512
50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e

Download Submit
\Windows\Temp\coli-0.dll
Filesize
15KB

MD5
3c2fe2dbdf09cfa869344fdb53307cb2

SHA1
b67a8475e6076a24066b7cb6b36d307244bb741f

SHA256
0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887

SHA512
d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c

Download Submit
\Windows\Temp\exma-1.dll
Filesize
10KB

MD5
ba629216db6cf7c0c720054b0c9a13f3

SHA1
37bb800b2bb812d4430e2510f14b5b717099abaa

SHA256
15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9

SHA512
c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9

Download Submit
\Windows\Temp\libxml2.dll
Filesize
807KB

MD5
9a5cec05e9c158cbc51cdc972693363d

SHA1
ca4d1bb44c64a85871944f3913ca6ccddfa2dc04

SHA256
aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3

SHA512
8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94

Download Submit
\Windows\Temp\posh-0.dll
Filesize
11KB

MD5
2f0a52ce4f445c6e656ecebbcaceade5

SHA1
35493e06b0b2cdab2211c0fc02286f45d5e2606d

SHA256
cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb

SHA512
88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1

Download Submit
\Windows\Temp\tibe-2.dll
Filesize
232KB

MD5
f0881d5a7f75389deba3eff3f4df09ac

SHA1
8404f2776fa8f7f8eaffb7a1859c19b0817b147a

SHA256
ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362

SHA512
f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e

Download Submit
\Windows\Temp\trch-1.dll
Filesize
58KB

MD5
838ceb02081ac27de43da56bec20fc76

SHA1
972ab587cdb63c8263eb977f10977fd7d27ecf7b

SHA256
0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f

SHA512
bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22

Download Submit
\Windows\Temp\trfo-2.dll
Filesize
29KB

MD5
3e89c56056e5525bf4d9e52b28fbbca7

SHA1
08f93ab25190a44c4e29bee5e8aacecc90dab80c

SHA256
b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa

SHA512
32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6

Download Submit
\Windows\Temp\tucl-1.dll
Filesize
9KB

MD5
83076104ae977d850d1e015704e5730a

SHA1
776e7079734bc4817e3af0049f42524404a55310

SHA256
cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12

SHA512
bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8

Download Submit
\Windows\Temp\ucl.dll
Filesize
57KB

MD5
6b7276e4aa7a1e50735d2f6923b40de4

SHA1
db8603ac6cac7eb3690f67af7b8d081aa9ce3075

SHA256
f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a

SHA512
58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa

Download Submit
memory/1288-13621-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1288-13620-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1288-13618-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1288-13616-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1288-13615-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1288-13623-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1288-13614-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2672-46-0x0000000000400000-0x0000000000D0A000-memory.dmp

Filesize
9.0MB

Download
memory/2672-18-0x0000000000400000-0x0000000000D0A000-memory.dmp

Filesize
9.0MB

Download
memory/2672-45-0x0000000000400000-0x0000000000D0A000-memory.dmp

Filesize
9.0MB

Download
memory/2672-13547-0x0000000000400000-0x0000000000D0A000-memory.dmp

Filesize
9.0MB

Download
memory/2672-13592-0x0000000000400000-0x0000000000D0A000-memory.dmp

Filesize
9.0MB

Download
memory/2672-13591-0x0000000000400000-0x0000000000D0A000-memory.dmp

Filesize
9.0MB

Download
memory/2832-13753-0x00000000036D0000-0x0000000004EC5000-memory.dmp

Filesize
24.0MB

Download
memory/2832-17-0x00000000036D0000-0x0000000003FDA000-memory.dmp

Filesize
9.0MB

Download
memory/2832-16-0x00000000036D0000-0x0000000003FDA000-memory.dmp

Filesize
9.0MB

Download
memory/2832-13754-0x00000000036D0000-0x0000000004EC5000-memory.dmp

Filesize
24.0MB

Download
memory/2832-13606-0x00000000036D0000-0x0000000004EC5000-memory.dmp

Filesize
24.0MB

Download
memory/2832-13608-0x00000000036D0000-0x0000000004EC5000-memory.dmp

Filesize
24.0MB

Download
memory/2832-10644-0x00000000036D0000-0x0000000003FDA000-memory.dmp

Filesize
9.0MB

Download
memory/4200-13612-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/4200-13609-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/9160-13589-0x0000000000130000-0x0000000000141000-memory.dmp

Filesize
68KB

Download
memory/9648-13573-0x00000000000E0000-0x00000000000F1000-memory.dmp

Filesize
68KB

Download
memory/13676-13777-0x00000000005C0000-0x00000000005E6000-memory.dmp

Filesize
152KB

Download
memory/13676-13781-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/13676-13783-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/13676-13779-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/13676-13785-0x00000000006A0000-0x00000000006B4000-memory.dmp

Filesize
80KB

Download
memory/13676-13774-0x0000000000620000-0x000000000067A000-memory.dmp

Filesize
360KB

Download
memory/13676-13787-0x00000000006C0000-0x00000000006DE000-memory.dmp

Filesize
120KB

Download
memory/13676-13771-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/13676-13789-0x0000000000C20000-0x0000000000C52000-memory.dmp

Filesize
200KB

Download
memory/13676-13769-0x0000000001280000-0x000000000132C000-memory.dmp

Filesize
688KB

Download
memory/13676-13791-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download