xworm | 4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

Analysis

max time kernel
1782s
max time network
1799s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

73KB
MD5

4bb4e54c4bbab869bb495cd8be9d1863
SHA1

3cc07ef3a842ffa9dc7a954e29ea2531d1488a24
SHA256

4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451
SHA512

c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd
SSDEEP

1536:qqnoMosrXT3g9y+b3j9OGmi776yyODJOI3/QIe+:q5Fs3Oy+bT9r75yWOIP8+

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

report-printed.gl.at.ply.gg:29872

Attributes

Install_directory
%Userprofile%
install_file
scvhost.exe

Signatures

Detect Xworm Payload 41 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2420-0-0x00000000000F0000-0x0000000000108000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-61.dat	family_xworm
behavioral1/files/0x000a0000000120ca-62.dat	family_xworm
behavioral1/memory/1696-63-0x0000000000050000-0x0000000000068000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-67.dat	family_xworm
behavioral1/memory/2480-68-0x0000000000160000-0x0000000000178000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-71.dat	family_xworm
behavioral1/memory/1412-72-0x00000000013A0000-0x00000000013B8000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-75.dat	family_xworm
behavioral1/memory/2384-76-0x0000000000230000-0x0000000000248000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-79.dat	family_xworm
behavioral1/memory/2612-80-0x0000000000130000-0x0000000000148000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-83.dat	family_xworm
behavioral1/memory/3024-84-0x00000000000D0000-0x00000000000E8000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-87.dat	family_xworm
behavioral1/memory/1708-88-0x0000000000DC0000-0x0000000000DD8000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-91.dat	family_xworm
behavioral1/memory/1876-92-0x0000000001310000-0x0000000001328000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-95.dat	family_xworm
behavioral1/files/0x000a0000000120ca-98.dat	family_xworm
behavioral1/memory/1688-99-0x0000000000300000-0x0000000000318000-memory.dmp	family_xworm
behavioral1/files/0x000a0000000120ca-102.dat	family_xworm
behavioral1/files/0x000a0000000120ca-106.dat	family_xworm
behavioral1/files/0x000a0000000120ca-110.dat	family_xworm
behavioral1/files/0x000a0000000120ca-113.dat	family_xworm
behavioral1/files/0x000a0000000120ca-116.dat	family_xworm
behavioral1/files/0x000a0000000120ca-120.dat	family_xworm
behavioral1/files/0x000a0000000120ca-124.dat	family_xworm
behavioral1/files/0x000a0000000120ca-128.dat	family_xworm
behavioral1/files/0x000a0000000120ca-132.dat	family_xworm
behavioral1/files/0x000a0000000120ca-136.dat	family_xworm
behavioral1/files/0x000a0000000120ca-139.dat	family_xworm
behavioral1/files/0x000a0000000120ca-143.dat	family_xworm
behavioral1/files/0x000a0000000120ca-146.dat	family_xworm
behavioral1/files/0x000a0000000120ca-149.dat	family_xworm
behavioral1/files/0x000a0000000120ca-152.dat	family_xworm
behavioral1/files/0x000a0000000120ca-156.dat	family_xworm
behavioral1/files/0x000a0000000120ca-159.dat	family_xworm
behavioral1/files/0x000a0000000120ca-163.dat	family_xworm
behavioral1/files/0x000a0000000120ca-166.dat	family_xworm
behavioral1/files/0x000a0000000120ca-169.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

test.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.lnk	test.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.lnk	test.exe

Executes dropped EXE 30 IoCs

Processes:

scvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exe

pid	Process
1696	scvhost.exe
2480	scvhost.exe
1412	scvhost.exe
2384	scvhost.exe
2612	scvhost.exe
3024	scvhost.exe
1708	scvhost.exe
1876	scvhost.exe
272	scvhost.exe
1688	scvhost.exe
1620	scvhost.exe
2984	scvhost.exe
2072	scvhost.exe
2624	scvhost.exe
2492	scvhost.exe
2692	scvhost.exe
2764	scvhost.exe
2812	scvhost.exe
284	scvhost.exe
616	scvhost.exe
940	scvhost.exe
1412	scvhost.exe
1772	scvhost.exe
1564	scvhost.exe
1812	scvhost.exe
2064	scvhost.exe
2612	scvhost.exe
1136	scvhost.exe
2924	scvhost.exe
3012	scvhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

test.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\scvhost.exe"	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exetest.exe

pid	Process
3060	powershell.exe
2224	powershell.exe
1064	powershell.exe
2448	powershell.exe
2420	test.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

test.exe

pid	Process
2420	test.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

test.exepowershell.exepowershell.exepowershell.exepowershell.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exe

description	pid	Process
Token: SeDebugPrivilege	2420	test.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2420	test.exe
Token: SeDebugPrivilege	1696	scvhost.exe
Token: SeDebugPrivilege	2480	scvhost.exe
Token: SeDebugPrivilege	1412	scvhost.exe
Token: SeDebugPrivilege	2384	scvhost.exe
Token: SeDebugPrivilege	2612	scvhost.exe
Token: SeDebugPrivilege	3024	scvhost.exe
Token: SeDebugPrivilege	1708	scvhost.exe
Token: SeDebugPrivilege	1876	scvhost.exe
Token: SeDebugPrivilege	272	scvhost.exe
Token: SeDebugPrivilege	1688	scvhost.exe
Token: SeDebugPrivilege	1620	scvhost.exe
Token: SeDebugPrivilege	2984	scvhost.exe
Token: SeDebugPrivilege	2072	scvhost.exe
Token: SeDebugPrivilege	2624	scvhost.exe
Token: SeDebugPrivilege	2492	scvhost.exe
Token: SeDebugPrivilege	2692	scvhost.exe
Token: SeDebugPrivilege	2764	scvhost.exe
Token: SeDebugPrivilege	2812	scvhost.exe
Token: SeDebugPrivilege	284	scvhost.exe
Token: SeDebugPrivilege	616	scvhost.exe
Token: SeDebugPrivilege	940	scvhost.exe
Token: SeDebugPrivilege	1412	scvhost.exe
Token: SeDebugPrivilege	1772	scvhost.exe
Token: SeDebugPrivilege	1564	scvhost.exe
Token: SeDebugPrivilege	1812	scvhost.exe
Token: SeDebugPrivilege	2064	scvhost.exe
Token: SeDebugPrivilege	2612	scvhost.exe
Token: SeDebugPrivilege	1136	scvhost.exe
Token: SeDebugPrivilege	2924	scvhost.exe
Token: SeDebugPrivilege	3012	scvhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

test.exe

pid	Process
2420	test.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

test.exetaskeng.exe

description	pid	Process	procid_target
PID 2420 wrote to memory of 3060	2420	test.exe	28
PID 2420 wrote to memory of 3060	2420	test.exe	28
PID 2420 wrote to memory of 3060	2420	test.exe	28
PID 2420 wrote to memory of 2224	2420	test.exe	31
PID 2420 wrote to memory of 2224	2420	test.exe	31
PID 2420 wrote to memory of 2224	2420	test.exe	31
PID 2420 wrote to memory of 1064	2420	test.exe	33
PID 2420 wrote to memory of 1064	2420	test.exe	33
PID 2420 wrote to memory of 1064	2420	test.exe	33
PID 2420 wrote to memory of 2448	2420	test.exe	35
PID 2420 wrote to memory of 2448	2420	test.exe	35
PID 2420 wrote to memory of 2448	2420	test.exe	35
PID 2420 wrote to memory of 2672	2420	test.exe	36
PID 2420 wrote to memory of 2672	2420	test.exe	36
PID 2420 wrote to memory of 2672	2420	test.exe	36
PID 1980 wrote to memory of 1696	1980	taskeng.exe	42
PID 1980 wrote to memory of 1696	1980	taskeng.exe	42
PID 1980 wrote to memory of 1696	1980	taskeng.exe	42
PID 1980 wrote to memory of 2480	1980	taskeng.exe	43
PID 1980 wrote to memory of 2480	1980	taskeng.exe	43
PID 1980 wrote to memory of 2480	1980	taskeng.exe	43
PID 1980 wrote to memory of 1412	1980	taskeng.exe	44
PID 1980 wrote to memory of 1412	1980	taskeng.exe	44
PID 1980 wrote to memory of 1412	1980	taskeng.exe	44
PID 1980 wrote to memory of 2384	1980	taskeng.exe	45
PID 1980 wrote to memory of 2384	1980	taskeng.exe	45
PID 1980 wrote to memory of 2384	1980	taskeng.exe	45
PID 1980 wrote to memory of 2612	1980	taskeng.exe	46
PID 1980 wrote to memory of 2612	1980	taskeng.exe	46
PID 1980 wrote to memory of 2612	1980	taskeng.exe	46
PID 1980 wrote to memory of 3024	1980	taskeng.exe	47
PID 1980 wrote to memory of 3024	1980	taskeng.exe	47
PID 1980 wrote to memory of 3024	1980	taskeng.exe	47
PID 1980 wrote to memory of 1708	1980	taskeng.exe	48
PID 1980 wrote to memory of 1708	1980	taskeng.exe	48
PID 1980 wrote to memory of 1708	1980	taskeng.exe	48
PID 1980 wrote to memory of 1876	1980	taskeng.exe	49
PID 1980 wrote to memory of 1876	1980	taskeng.exe	49
PID 1980 wrote to memory of 1876	1980	taskeng.exe	49
PID 1980 wrote to memory of 272	1980	taskeng.exe	50
PID 1980 wrote to memory of 272	1980	taskeng.exe	50
PID 1980 wrote to memory of 272	1980	taskeng.exe	50
PID 1980 wrote to memory of 1688	1980	taskeng.exe	51
PID 1980 wrote to memory of 1688	1980	taskeng.exe	51
PID 1980 wrote to memory of 1688	1980	taskeng.exe	51
PID 1980 wrote to memory of 1620	1980	taskeng.exe	52
PID 1980 wrote to memory of 1620	1980	taskeng.exe	52
PID 1980 wrote to memory of 1620	1980	taskeng.exe	52
PID 1980 wrote to memory of 2984	1980	taskeng.exe	54
PID 1980 wrote to memory of 2984	1980	taskeng.exe	54
PID 1980 wrote to memory of 2984	1980	taskeng.exe	54
PID 1980 wrote to memory of 2072	1980	taskeng.exe	55
PID 1980 wrote to memory of 2072	1980	taskeng.exe	55
PID 1980 wrote to memory of 2072	1980	taskeng.exe	55
PID 1980 wrote to memory of 2624	1980	taskeng.exe	56
PID 1980 wrote to memory of 2624	1980	taskeng.exe	56
PID 1980 wrote to memory of 2624	1980	taskeng.exe	56
PID 1980 wrote to memory of 2492	1980	taskeng.exe	57
PID 1980 wrote to memory of 2492	1980	taskeng.exe	57
PID 1980 wrote to memory of 2492	1980	taskeng.exe	57
PID 1980 wrote to memory of 2692	1980	taskeng.exe	58
PID 1980 wrote to memory of 2692	1980	taskeng.exe	58
PID 1980 wrote to memory of 2692	1980	taskeng.exe	58
PID 1980 wrote to memory of 2764	1980	taskeng.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\test.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'test.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\scvhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scvhost" /tr "C:\Users\Admin\scvhost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2672

C:\Windows\system32\taskeng.exe
taskeng.exe {C90D2B2B-518B-4871-A2AD-ABAF45232622} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:272
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Users\Admin\scvhost.exe
  C:\Users\Admin\scvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
399a000d9c868ac4fc701e0e44ac69f3

SHA1
ebc083e3af9241c5791cd7602f7428521d67347e

SHA256
6cdcc552812816ca4068ddca5a0d595851a2b278332dc404fec481edf1403843

SHA512
68ab5e6a9ddb30c984668ebd21df4e06d4f5f30abef5e8efcf4685383d2cae3f7d2dd6094c4e7944951f8e3f20800e8313ae590cb1721a5cb1b28ba1f8785b38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
399a000d9c868ac4fc701e0e44ac69f3

SHA1
ebc083e3af9241c5791cd7602f7428521d67347e

SHA256
6cdcc552812816ca4068ddca5a0d595851a2b278332dc404fec481edf1403843

SHA512
68ab5e6a9ddb30c984668ebd21df4e06d4f5f30abef5e8efcf4685383d2cae3f7d2dd6094c4e7944951f8e3f20800e8313ae590cb1721a5cb1b28ba1f8785b38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
399a000d9c868ac4fc701e0e44ac69f3

SHA1
ebc083e3af9241c5791cd7602f7428521d67347e

SHA256
6cdcc552812816ca4068ddca5a0d595851a2b278332dc404fec481edf1403843

SHA512
68ab5e6a9ddb30c984668ebd21df4e06d4f5f30abef5e8efcf4685383d2cae3f7d2dd6094c4e7944951f8e3f20800e8313ae590cb1721a5cb1b28ba1f8785b38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LSIX9QP144S6Z7LWPRBW.temp

Filesize
7KB

MD5
399a000d9c868ac4fc701e0e44ac69f3

SHA1
ebc083e3af9241c5791cd7602f7428521d67347e

SHA256
6cdcc552812816ca4068ddca5a0d595851a2b278332dc404fec481edf1403843

SHA512
68ab5e6a9ddb30c984668ebd21df4e06d4f5f30abef5e8efcf4685383d2cae3f7d2dd6094c4e7944951f8e3f20800e8313ae590cb1721a5cb1b28ba1f8785b38

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
C:\Users\Admin\scvhost.exe

Filesize
73KB

MD5
4bb4e54c4bbab869bb495cd8be9d1863

SHA1
3cc07ef3a842ffa9dc7a954e29ea2531d1488a24

SHA256
4ed78e72909f121e0fe00e8bbf84262ae1f83894d97dd6e083e7a25cbba28451

SHA512
c21614dc3d06a26927f11c9bac613ef0faab8590029899ca7991f64f53b28c25fbc2a6b3ff9e1691ab62ed2c0800c29951a9adad7aebf6a18c39326308ffc0bd

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/272-96-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/272-97-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1064-36-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/1064-33-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download
memory/1064-34-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/1064-39-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download
memory/1064-35-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download
memory/1064-38-0x00000000026AB000-0x0000000002712000-memory.dmp

Filesize
412KB

Download
memory/1064-37-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/1412-72-0x00000000013A0000-0x00000000013B8000-memory.dmp

Filesize
96KB

Download
memory/1412-74-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1412-73-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-100-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-99-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download
memory/1696-64-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1696-65-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1696-63-0x0000000000050000-0x0000000000068000-memory.dmp

Filesize
96KB

Download
memory/1708-88-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download
memory/1708-90-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-89-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-94-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-93-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-92-0x0000000001310000-0x0000000001328000-memory.dmp

Filesize
96KB

Download
memory/2224-26-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2224-27-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/2224-19-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2224-21-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/2224-20-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2224-22-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2224-23-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/2224-24-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2224-25-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2384-77-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-76-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/2384-78-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-0-0x00000000000F0000-0x0000000000108000-memory.dmp

Filesize
96KB

Download
memory/2420-1-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-58-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2420-59-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2420-51-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-50-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2448-52-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2448-53-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-49-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2448-47-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2448-48-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-46-0x000007FEEE7F0000-0x000007FEEF18D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-68-0x0000000000160000-0x0000000000178000-memory.dmp

Filesize
96KB

Download
memory/2480-69-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2480-70-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-80-0x0000000000130000-0x0000000000148000-memory.dmp

Filesize
96KB

Download
memory/2612-82-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-81-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-84-0x00000000000D0000-0x00000000000E8000-memory.dmp

Filesize
96KB

Download
memory/3024-85-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-86-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-11-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/3060-12-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/3060-10-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-9-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/3060-8-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-6-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/3060-7-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/3060-13-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download