f976368908d75ad474cb16762742852803ae91d1727197a80e9c55ec9e910b89

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhantomSolutions.exe
Size

4.2MB
MD5

09ba36b3539981f4f69de454cb97c0df
SHA1

53ec52c277921e020770e54450988df8189378de
SHA256

f976368908d75ad474cb16762742852803ae91d1727197a80e9c55ec9e910b89
SHA512

8f6a533a930e7b7285afc0ce87b57f147db6a73322263fd762b097f73a6d232237d907b8b0e3ebd57da568a618267d6f2d9cf33d00d1b729d86f20bba8be32e6
SSDEEP

98304:7d7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6K:o+y4ihkl/Wo/afHP

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
820	sc.exe
1480	sc.exe
2516	sc.exe
3024	sc.exe
2788	sc.exe
2936	sc.exe
2820	sc.exe
2544	sc.exe
2684	sc.exe
1792	sc.exe
1268	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1392	2372	WerFault.exe	27

Kills process with taskkill 40 IoCs

evasion

pid	Process
1644	taskkill.exe
2292	taskkill.exe
2068	taskkill.exe
3048	taskkill.exe
304	taskkill.exe
2892	taskkill.exe
1556	taskkill.exe
2604	taskkill.exe
2616	taskkill.exe
2960	taskkill.exe
828	taskkill.exe
1304	taskkill.exe
1892	taskkill.exe
1812	taskkill.exe
636	taskkill.exe
236	taskkill.exe
2592	taskkill.exe
1560	taskkill.exe
2776	taskkill.exe
2960	taskkill.exe
1080	taskkill.exe
2088	taskkill.exe
1952	taskkill.exe
1872	taskkill.exe
2336	taskkill.exe
1628	taskkill.exe
3020	taskkill.exe
2616	taskkill.exe
820	taskkill.exe
1548	taskkill.exe
2256	taskkill.exe
2664	taskkill.exe
2080	taskkill.exe
1356	taskkill.exe
628	taskkill.exe
1136	taskkill.exe
628	taskkill.exe
408	taskkill.exe
2892	taskkill.exe
320	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	PhantomSolutions.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	PhantomSolutions.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	PhantomSolutions.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PhantomSolutions.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PhantomSolutions.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PhantomSolutions.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe
Token: SeIncBasePriorityPrivilege	2372	PhantomSolutions.exe
Token: 33	2372	PhantomSolutions.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 316	2372	PhantomSolutions.exe	29
PID 2372 wrote to memory of 316	2372	PhantomSolutions.exe	29
PID 2372 wrote to memory of 316	2372	PhantomSolutions.exe	29
PID 2372 wrote to memory of 316	2372	PhantomSolutions.exe	29
PID 316 wrote to memory of 2256	316	cmd.exe	31
PID 316 wrote to memory of 2256	316	cmd.exe	31
PID 316 wrote to memory of 2256	316	cmd.exe	31
PID 316 wrote to memory of 2256	316	cmd.exe	31
PID 2372 wrote to memory of 2880	2372	PhantomSolutions.exe	33
PID 2372 wrote to memory of 2880	2372	PhantomSolutions.exe	33
PID 2372 wrote to memory of 2880	2372	PhantomSolutions.exe	33
PID 2372 wrote to memory of 2880	2372	PhantomSolutions.exe	33
PID 2880 wrote to memory of 3020	2880	cmd.exe	35
PID 2880 wrote to memory of 3020	2880	cmd.exe	35
PID 2880 wrote to memory of 3020	2880	cmd.exe	35
PID 2880 wrote to memory of 3020	2880	cmd.exe	35
PID 2372 wrote to memory of 1132	2372	PhantomSolutions.exe	36
PID 2372 wrote to memory of 1132	2372	PhantomSolutions.exe	36
PID 2372 wrote to memory of 1132	2372	PhantomSolutions.exe	36
PID 2372 wrote to memory of 1132	2372	PhantomSolutions.exe	36
PID 1132 wrote to memory of 1304	1132	cmd.exe	38
PID 1132 wrote to memory of 1304	1132	cmd.exe	38
PID 1132 wrote to memory of 1304	1132	cmd.exe	38
PID 1132 wrote to memory of 1304	1132	cmd.exe	38
PID 2372 wrote to memory of 2424	2372	PhantomSolutions.exe	39
PID 2372 wrote to memory of 2424	2372	PhantomSolutions.exe	39
PID 2372 wrote to memory of 2424	2372	PhantomSolutions.exe	39
PID 2372 wrote to memory of 2424	2372	PhantomSolutions.exe	39
PID 2424 wrote to memory of 1628	2424	cmd.exe	41
PID 2424 wrote to memory of 1628	2424	cmd.exe	41
PID 2424 wrote to memory of 1628	2424	cmd.exe	41
PID 2424 wrote to memory of 1628	2424	cmd.exe	41
PID 2372 wrote to memory of 2580	2372	PhantomSolutions.exe	42
PID 2372 wrote to memory of 2580	2372	PhantomSolutions.exe	42
PID 2372 wrote to memory of 2580	2372	PhantomSolutions.exe	42
PID 2372 wrote to memory of 2580	2372	PhantomSolutions.exe	42
PID 2580 wrote to memory of 304	2580	cmd.exe	44
PID 2580 wrote to memory of 304	2580	cmd.exe	44
PID 2580 wrote to memory of 304	2580	cmd.exe	44
PID 2580 wrote to memory of 304	2580	cmd.exe	44
PID 2372 wrote to memory of 1836	2372	PhantomSolutions.exe	45
PID 2372 wrote to memory of 1836	2372	PhantomSolutions.exe	45
PID 2372 wrote to memory of 1836	2372	PhantomSolutions.exe	45
PID 2372 wrote to memory of 1836	2372	PhantomSolutions.exe	45
PID 1836 wrote to memory of 3048	1836	cmd.exe	47
PID 1836 wrote to memory of 3048	1836	cmd.exe	47
PID 1836 wrote to memory of 3048	1836	cmd.exe	47
PID 1836 wrote to memory of 3048	1836	cmd.exe	47
PID 2372 wrote to memory of 2608	2372	PhantomSolutions.exe	48
PID 2372 wrote to memory of 2608	2372	PhantomSolutions.exe	48
PID 2372 wrote to memory of 2608	2372	PhantomSolutions.exe	48
PID 2372 wrote to memory of 2608	2372	PhantomSolutions.exe	48
PID 2608 wrote to memory of 820	2608	cmd.exe	50
PID 2608 wrote to memory of 820	2608	cmd.exe	50
PID 2608 wrote to memory of 820	2608	cmd.exe	50
PID 2608 wrote to memory of 820	2608	cmd.exe	50
PID 2372 wrote to memory of 1284	2372	PhantomSolutions.exe	51
PID 2372 wrote to memory of 1284	2372	PhantomSolutions.exe	51
PID 2372 wrote to memory of 1284	2372	PhantomSolutions.exe	51
PID 2372 wrote to memory of 1284	2372	PhantomSolutions.exe	51
PID 1284 wrote to memory of 628	1284	cmd.exe	53
PID 1284 wrote to memory of 628	1284	cmd.exe	53
PID 1284 wrote to memory of 628	1284	cmd.exe	53
PID 1284 wrote to memory of 628	1284	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe
"C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:304
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:740
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop wireshark >nul 2>&1
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:492
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq die*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1
  2⤵
  PID:768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebugger.exe
    3⤵
    - Kills process with taskkill
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im FolderChangesView.exe
    3⤵
    - Kills process with taskkill
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\sc.exe
    sc stop HttpDebuggerSdk
    3⤵
    - Launches sc.exe
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop npf >nul 2>&1
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:2068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1616
  2⤵
  - Program crash
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7349065d221e74385374e4883862d9e0

SHA1
dbbaa297341f67f649e2d46271524aaeac21602a

SHA256
429738f82fd6755da283ab9f445a7043b03ec572198dd9641de3b0af4fc93a47

SHA512
71b68ba94f88e214862c5bf49c7ed9e4a9a315f8fc606af0525dc2323efec3c977cac0992dbc14a37b9f3c65044feb3fff9b51663fc6bbc1d67d7f53cc22a09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6B7.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar75A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2372-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000820000-0x0000000000C52000-memory.dmp

Filesize
4.2MB

Download
memory/2372-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-69-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download