xworm | 8367b712426af8646d6350d302a0cd406413fa9a2f28d1bde1df0236282a15ef

Resubmissions

20/02/2024, 17:31

240220-v341kscc7s 10

20/02/2024, 16:50

240220-vcd2gacc66 10

Analysis

max time kernel
252s
max time network
256s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

76KB
MD5

d3953f8988cf3b75478a3c8d103d1e1e
SHA1

19a8d8f0c06902af448800faf29761a5dba7344c
SHA256

8367b712426af8646d6350d302a0cd406413fa9a2f28d1bde1df0236282a15ef
SHA512

cb4436f73f4c7762c4fcc07947f4144b0e8ec8923ff8609532271cdc231f665c36369dc29f013712c90dabb77b960fec4babfc1cff912394fa1de0e53e8aec11
SSDEEP

1536:0hy4PT1ivp6kJ4pHbkQBh7Q4iMnMg6jOjUKHq:W0Q1bD5iWcOjtq

Score

10^/10

xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

hydraforce-45677.portmap.io:45677

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/2952-101-0x000000001B460000-0x000000001B46E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2952-0-0x00000000005F0000-0x000000000060A000-memory.dmp	family_xworm
behavioral2/files/0x000f00000001e6d5-70.dat	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2952 created 668	2952	XClient.exe	1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
3780	XClient.exe
4120	XClient.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4120	sc.exe
2652	sc.exe
4796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3336	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings	taskmgr.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
32	powershell.exe
32	powershell.exe
4156	powershell.exe
4156	powershell.exe
5108	powershell.exe
5108	powershell.exe
3632	powershell.exe
3632	powershell.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
2952	XClient.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4192	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	XClient.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	2952	XClient.exe
Token: SeDebugPrivilege	3780	XClient.exe
Token: SeDebugPrivilege	4192	taskmgr.exe
Token: SeSystemProfilePrivilege	4192	taskmgr.exe
Token: SeCreateGlobalPrivilege	4192	taskmgr.exe
Token: SeDebugPrivilege	4120	XClient.exe
Token: 33	4192	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4192	taskmgr.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	384	whoami.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	3480	whoami.exe
Token: SeDebugPrivilege	3480	whoami.exe
Token: SeDebugPrivilege	3480	whoami.exe
Token: SeDebugPrivilege	3480	whoami.exe
Token: SeDebugPrivilege	3480	whoami.exe
Token: SeDebugPrivilege	3480	whoami.exe
Token: SeDebugPrivilege	3480	whoami.exe
Token: SeDebugPrivilege	3480	whoami.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2952	XClient.exe
212	vbc.exe
1876	vbc.exe
3844	vbc.exe
4964	vbc.exe
4744	vbc.exe
4488	vbc.exe
4692	vbc.exe
4328	vbc.exe
2940	vbc.exe
4076	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 32	2952	XClient.exe	93
PID 2952 wrote to memory of 32	2952	XClient.exe	93
PID 2952 wrote to memory of 4156	2952	XClient.exe	95
PID 2952 wrote to memory of 4156	2952	XClient.exe	95
PID 2952 wrote to memory of 5108	2952	XClient.exe	98
PID 2952 wrote to memory of 5108	2952	XClient.exe	98
PID 2952 wrote to memory of 3632	2952	XClient.exe	100
PID 2952 wrote to memory of 3632	2952	XClient.exe	100
PID 2952 wrote to memory of 3336	2952	XClient.exe	102
PID 2952 wrote to memory of 3336	2952	XClient.exe	102
PID 2952 wrote to memory of 4120	2952	XClient.exe	117
PID 2952 wrote to memory of 4120	2952	XClient.exe	117
PID 2952 wrote to memory of 2004	2952	XClient.exe	118
PID 2952 wrote to memory of 2004	2952	XClient.exe	118
PID 2952 wrote to memory of 384	2952	XClient.exe	120
PID 2952 wrote to memory of 384	2952	XClient.exe	120
PID 2952 wrote to memory of 2820	2952	XClient.exe	121
PID 2952 wrote to memory of 2820	2952	XClient.exe	121
PID 2952 wrote to memory of 444	2952	XClient.exe	122
PID 2952 wrote to memory of 444	2952	XClient.exe	122
PID 2952 wrote to memory of 1828	2952	XClient.exe	123
PID 2952 wrote to memory of 1828	2952	XClient.exe	123
PID 1828 wrote to memory of 2652	1828	powershell.exe	125
PID 1828 wrote to memory of 2652	1828	powershell.exe	125
PID 1828 wrote to memory of 5068	1828	powershell.exe	126
PID 1828 wrote to memory of 5068	1828	powershell.exe	126
PID 1828 wrote to memory of 3480	1828	powershell.exe	128
PID 1828 wrote to memory of 3480	1828	powershell.exe	128
PID 1828 wrote to memory of 4688	1828	powershell.exe	129
PID 1828 wrote to memory of 4688	1828	powershell.exe	129
PID 1828 wrote to memory of 4796	1828	powershell.exe	130
PID 1828 wrote to memory of 4796	1828	powershell.exe	130
PID 2952 wrote to memory of 212	2952	XClient.exe	131
PID 2952 wrote to memory of 212	2952	XClient.exe	131
PID 212 wrote to memory of 1312	212	vbc.exe	132
PID 212 wrote to memory of 1312	212	vbc.exe	132
PID 2952 wrote to memory of 1876	2952	XClient.exe	133
PID 2952 wrote to memory of 1876	2952	XClient.exe	133
PID 1876 wrote to memory of 2732	1876	vbc.exe	134
PID 1876 wrote to memory of 2732	1876	vbc.exe	134
PID 2952 wrote to memory of 3844	2952	XClient.exe	135
PID 2952 wrote to memory of 3844	2952	XClient.exe	135
PID 3844 wrote to memory of 1084	3844	vbc.exe	136
PID 3844 wrote to memory of 1084	3844	vbc.exe	136
PID 2952 wrote to memory of 4964	2952	XClient.exe	137
PID 2952 wrote to memory of 4964	2952	XClient.exe	137
PID 4964 wrote to memory of 2796	4964	vbc.exe	138
PID 4964 wrote to memory of 2796	4964	vbc.exe	138
PID 2952 wrote to memory of 4744	2952	XClient.exe	139
PID 2952 wrote to memory of 4744	2952	XClient.exe	139
PID 4744 wrote to memory of 1176	4744	vbc.exe	140
PID 4744 wrote to memory of 1176	4744	vbc.exe	140
PID 2952 wrote to memory of 4488	2952	XClient.exe	141
PID 2952 wrote to memory of 4488	2952	XClient.exe	141
PID 4488 wrote to memory of 2676	4488	vbc.exe	142
PID 4488 wrote to memory of 2676	4488	vbc.exe	142
PID 2952 wrote to memory of 4692	2952	XClient.exe	143
PID 2952 wrote to memory of 4692	2952	XClient.exe	143
PID 4692 wrote to memory of 5044	4692	vbc.exe	144
PID 4692 wrote to memory of 5044	4692	vbc.exe	144
PID 2952 wrote to memory of 4328	2952	XClient.exe	145
PID 2952 wrote to memory of 4328	2952	XClient.exe	145
PID 4328 wrote to memory of 4548	4328	vbc.exe	146
PID 4328 wrote to memory of 4548	4328	vbc.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:2652
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:5068
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:4688
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:4796

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3336
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:4120
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:2004
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start TrustedInstaller
  2⤵
  PID:2820
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start lsass
  2⤵
  PID:444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jepifs52\jepifs52.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7CBC1B8C284AD38CE6F8A1ABA2686A.TMP"
    3⤵
    PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkjhapaf\hkjhapaf.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA01A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DCD953DC122420A8D448F49E2E660E0.TMP"
    3⤵
    PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k2ffpnx0\k2ffpnx0.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF9A4F0622A74B93BE6829E19B7732DD.TMP"
    3⤵
    PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5h5ohn4k\5h5ohn4k.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8CFD40144B044258B95BEDF9D1A8AAD.TMP"
    3⤵
    PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpli4ksi\qpli4ksi.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA569.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCD0DC9744824AD982AFE3E4615A93F0.TMP"
    3⤵
    PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzdrqhtn\xzdrqhtn.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA72E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3FA5F073E274E7780ADF3B79E3C7F37.TMP"
    3⤵
    PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kzbm5hxo\kzbm5hxo.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA895.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76785C97A2544EB5B5E5AFAE5CA62F.TMP"
    3⤵
    PID:5044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mq0qux5v\mq0qux5v.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBFECA18317E49DB86EBFE3BC5FB1F64.TMP"
    3⤵
    PID:4548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xmyrcxje\xmyrcxje.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2940
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8631DC0C281D452D9FFDDC273960629.TMP"
    3⤵
    PID:5112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tzr020r4\tzr020r4.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4076
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF06C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB7929CD28F64F1EBF67E5FFC95883E3.TMP"
    3⤵
    PID:3864

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4192

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2624

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5544648ec2b8ad99cb8f017c92cc4ca7

SHA1
c4ef1b16da76bfaada1fb8159dba4563a51a4579

SHA256
f712b8a8ac579dcc654927aec6190c0cdd63600d3dfb00b4376c013430b144de

SHA512
e858801c04fff897327ce4e6f09fb7b180b0578e40fc1868c749c742ca5ce1a4386433169b1a965923d359b8699ea311c2ce0f12ae72c122872f5c42f4572940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cd45d3053b83a6d98faa6d537067c146

SHA1
95551608cf71043c5bf0118047d2757eda2c58c1

SHA256
89b2b0fd08974cdf85a79adbead6ca157d49e0d38678d5f25f250f1fcb5f04ba

SHA512
23d5fa616f7f3efe05a06e8624faf490eacf7d9924b50be555ba390b2e93c4cbdd7341a20c2055300f1fb887b7a5cc500c1fea4d079f8fddd56e1ba93b566276

Download Submit
C:\Users\Admin\AppData\Local\Temp\5h5ohn4k\5h5ohn4k.cmdline

Filesize
313B

MD5
fca692bab267b8f75212721143c734e0

SHA1
a70128b55280d0f83585b282887485df1ef78ec1

SHA256
eea613e5da41222d7dde45a46cbc5c223e5c917d7c2a447360ec385327353fc4

SHA512
858034875b82320835fddec0e1ec10618f269e576a45c072d26672bdbc146a3d1cb8c870a60e08cf60bc59dfcdd2750df33e164ccc602c78b075b3e1382cc2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5h5ohn4k\5h5ohn4k.exe

Filesize
6KB

MD5
b2eb23fad692ac36983614cbba01d87b

SHA1
d687b2c82cdf7c0a70fa15a48e7257f1ea9371f1

SHA256
54222fd35d75326d39ced7f19d5e5932823929676717ccc3e81b288c19170eee

SHA512
52a16cecdf4295006dfffac86b2dd103067b10b9fa0720d5bc4ea46e6df9572d94f108229515e8faf11badaaefd5ae0afbeca2be011296b3c2a1a261fa6c5a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F00.tmp

Filesize
1KB

MD5
67fe907447b481f5bfbb17b65c599935

SHA1
a39aaf77a79d3f87ccf78ed11680c7112831fcb5

SHA256
be48c57bdf5b4fe2e84f4c5ce18e15388c7e7a7d7ae6bc2d748a3d9c7d818150

SHA512
4649383181862bd70ec3d12fc2e17ada75d705e4dd6ed64fa3586fb189d593dbf3a504c46a971be8fcc3abed0e01d2c771b49c513bb015f9ad1d65f3680a22c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA01A.tmp

Filesize
1KB

MD5
1f8e1b2819a3dfb031a96e0e97a92351

SHA1
32ab4e94c51b1d75312fc50100020b89ebcd861a

SHA256
d5de5cf45931ea5fdec15641451f4f8fdf3dad1d8b47f42f2093d576c173d69d

SHA512
e98ed3554ef724d53643490646e698fb1783965f00241bbb93f50d8595d195b3df5acf43df3fabbdc9f004ed0dd95f77ea441d9850a16ea643cdea1127f42030

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1B0.tmp

Filesize
1KB

MD5
e9b6448d0469999884ec1f44d032b940

SHA1
c1c5ee56ecd0998c82804d5d2b4390bb06c40043

SHA256
b331a88e576815e44e8b8751c2c263eee78bd4087ddb1edb50d7ba0f286971e9

SHA512
df00215dcde365b170884f75eb07b566a01240196b699d1efff1c017c8566c39fb9e89f67d8565a56f19701bf08ad8569645401c7f878bbb625624d12f872175

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3E2.tmp

Filesize
1KB

MD5
6de7397754c7825398687a233f54ce9f

SHA1
0588a1c4362f72b5ce8b2d593e3aba23305c16ea

SHA256
4bc07b0d39087137ba93dcb5a6f84026d14ef0038d7bf7d325ad0c00e821bbd2

SHA512
b8f83d9f5e44ac6b52100f878dbbc7a5b8f31f202369f7e46a64259e6bc985b8b820ac4bbbee7b1a36387147b09f8893b50c92d261d7a0054f7e711cc27a7fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA569.tmp

Filesize
1KB

MD5
df2ce325de6927fd0ad40e467eb803fb

SHA1
278c7a02d30b1defc5cf6f9923d6a6e58f3169e7

SHA256
8e8b104687240f4801e21457bfe2a3f68e226c6dada57021c5e32964b3099376

SHA512
8ca67e0a8235103852715d4ca946b0d4afa9b5cbf0c948f45afcf48eb4e659b929ad607651fccf3c9847b0e6f71ac4259f19b37cb28f7a2d2334161fce96b6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA72E.tmp

Filesize
1KB

MD5
5079883b7407e67570a6722eefb736c3

SHA1
fe64e7492ceed42218e727a561991eeee55565c0

SHA256
125ebfb0510f97e469980204f3bc2fe4f3a4ce4079ea01884b0a680dd3d2225a

SHA512
7d7bd2c1cc15f44344120dbeaff7a71ee21680e9789ec6acbed11b9470f737f9e5197da9ee10a8483f6ba9224ce23a63c592acb353056e12cc52aaf407aa004c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA895.tmp

Filesize
1KB

MD5
259946c6f409b3ed7cb4188d457f5170

SHA1
c1d1586f73f6cc33a04275378a83319b8e5d290b

SHA256
d39ed6693e9876c58f4e7bc90d5bf9b763fc768993ad7ad1c255f6ca97b53c2d

SHA512
4f2bc4a159bcdcb4ba63d905d4909621ab9a8c27aa4766d4b9877391e4c587f6e58331cd4f43b912a9495ebf9fe80d3310102b3ad8d1f793419ae08ee753c864

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA2C.tmp

Filesize
1KB

MD5
2011fa531085675dff635a967621fbab

SHA1
68d042bb77e03ae93d3aaa013482464230b2b029

SHA256
db0595f5a86acef6d0d992b54b4568742c6525ce635cae169ff9c6f6f65a3c22

SHA512
226bd393e736e75031ab9ae643de453a2c576cb3b85109f6cee9d34c092189d16812dfbea9d3d9d0f1e259b7014713dddd7321bf55693d5efa6f79575d809f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF43.tmp

Filesize
1KB

MD5
19ccee456c799ee6a23eb0442e0f25e7

SHA1
20c18942c2a402bcd4ee029a4e9e10d0461ea0aa

SHA256
9e4afe07179daf1189228962b9269a07bbc31aaf8d1d39f8168748957cf37da7

SHA512
e23bad55f576d0bc432507c50387e5adb438f209c772cb78d652e65cfcae95c33a8d6185075f771d3eceae2925d489bbf76471373292c61f2be931084a997f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF06C.tmp

Filesize
1KB

MD5
d7a3da16779e912c93b3fcccb3a7ec60

SHA1
0ca018be42e275026e26927bb750accf73b73377

SHA256
49b518d2d03db0e511dee611826b4dc707abb6125fda1f1461cbf04492cc1afe

SHA512
d6b2cdb847d60fe77c4c348de0e05ee95e0ff9a5ec8d7bb695c333bf92268b3ed4f543db2ba8106eaaeda4f79a9133bf1e5a5cb1752d3a8fdb0fcb4b22cfe04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrdgkrap.1fz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjhapaf\hkjhapaf.cmdline

Filesize
313B

MD5
959cfa13f393ade78711a2db29dca3c0

SHA1
70b3028be14fe64f103ef0b6ca2fa8ec49ad2df3

SHA256
decc21c3ebeebc255d09a37517323cfdcbae0caf2d93ae336d6eb163644ffb2a

SHA512
dc39a09d8156575f37ef99d4e50ee9b3e0cabd864517f4a756e6ede54409918e0633794c4dca830d945135e16893a33b61e248b60fa7ee3ae0182cdcaa0e30d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjhapaf\hkjhapaf.exe

Filesize
6KB

MD5
2cd6ed292d1135c41c0754f0c7d7c6b1

SHA1
3cd09ba88e3b4d86b00460298975b9feae6e6f7f

SHA256
420462d4706dbbb451f7c9e93a980e0e4227d611fd8ddafcb1611dd758b1f33e

SHA512
c028d54cd179a486564eb7a6388bab0edbe998ee4bb2a6bdeb9ac42dad2eb9a0cfb3b5d2d6566634d89a5dffcbf59d8e54e195f29b12558fa091bb968102922f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jepifs52\jepifs52.0.vb

Filesize
386B

MD5
156a4b3e570d9c7efc0f0094dbceb24e

SHA1
ccd7e470b9114884d6e958ab4d8b4c451f493c66

SHA256
7443a1bcd15924a389e5da2a0530b6703a35aed61e63cd1a1d7d0699d49a5a77

SHA512
90123975819cc2fc3030f94cc8bfce587e8c7efcca8c7ac8a1e99c5f3211c0a50fe16994836fb46fcb3a68b2157259a59f7a5928c19bba2fc3cb4059ecc8efa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jepifs52\jepifs52.cmdline

Filesize
313B

MD5
448b256936f35f442d26e87bf9f6b889

SHA1
359132b59efde97e59b7bde2e7edc02d6483b3f9

SHA256
6ff3b77a83ca3998a74bc48b5a5351598e64bae24828fd73f254be771708a439

SHA512
ef497b8ca0a4ef238fc9737ac4036d30e8e6ee48ab9be2b40972e7a7a7e3b3960a0f9ba37190484202f646a0f8ff439221bd4d9df75682ab81a926936cecd752

Download Submit
C:\Users\Admin\AppData\Local\Temp\jepifs52\jepifs52.exe

Filesize
6KB

MD5
b870f7c86b2e8f1af9d410f6cf63b714

SHA1
c427d5c84ff9a161299aa185eb7cf067a2b05581

SHA256
403904a40e03d5e54d44e39641f21d0bd06163ea08d236fe515f854e7b0fb3fe

SHA512
488115b6cccb9351e554eba86342f443ff031aedb551602c1732bf47f050be41a372f0c21c2eadd6d39f114b8774ac1f5fff4f9c2f356d46861e9aa534f8ba89

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2ffpnx0\k2ffpnx0.cmdline

Filesize
313B

MD5
efa39bdf1d83e6599e80ac930b00d600

SHA1
715384220660d826fc10d77044388c05c7a1f7a3

SHA256
f7bc90bfc6f37e443beb0ff92c50f4a4d3e42b6b26d6b4b38f44870f52e99fe3

SHA512
95eee3a7666d6638734a02cfa925896dcf4936622a391c857037323bdb12789e5217c9f5b0607972c1c4abb54a7ef9528fbee350471af880dc68ebf3505d505d

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2ffpnx0\k2ffpnx0.exe

Filesize
6KB

MD5
ed4cd9ae0dc400ceef85b2c0d76028ab

SHA1
461640c04f1358b13e44884bbef645ae0778c50a

SHA256
5de4573cec793f02169ac2bae4dc360fb1d7653356e0fd46a2b17beab2d48433

SHA512
af89bebcd4c4faf1e51145bb173b08820cdffc66bf5a1ae4457f4a04f3c79a1efdc5fe654a0d4dbee24111abf150d291e0823e5fd9a6b57221d7721a613610c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzbm5hxo\kzbm5hxo.cmdline

Filesize
313B

MD5
7047644a609e05f51e92719cf9dbe27f

SHA1
1fb6a61e89eb6484e40efa56f0d9f063eb24fff9

SHA256
b529b1bc6bafbf550af9f548508e98a2c879fce0f7fbb893c28fb07f4e267b65

SHA512
baf7aeb50b0fc978a7feefcacead4e5eaf01009e211dec1a7c1b9d492cd0ccde1da594041e16913e82831ae7873307d41496220596ff5ba60b17b728ef2eb2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzbm5hxo\kzbm5hxo.exe

Filesize
6KB

MD5
e98e40c6a0df8ca75e8cf1ee6251c331

SHA1
91cdf794fe83913c8403e0b5d014ada0e6a31671

SHA256
c1d9110fa73a4e0b1ef8a0910e5267f777d591a768a56210dbd354b5da73201c

SHA512
165806539d2cbaade9724be2d9d34208ae1b63d4a653b3dc2a5b5ce55f9f557e3c24d67b17a3425e44c28fdbad046ba74b4d985be6d3bc30bc573f75b1eff09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mq0qux5v\mq0qux5v.cmdline

Filesize
313B

MD5
6ff00347ae183dfaf7d2bb49c250a3ed

SHA1
2f9e34d4f5612e089f23512c11d76f1e8e470640

SHA256
e6a0592da7e0a0c0953e2291c4875210a750cd407284b6008ad364df23174495

SHA512
9bd3bfd4e31d333f20fe8f81d000b3feb1965ac906585c64ee06328ea4406cd08ba51d87d42260fbc4a046020c0fc4c48dee1c19a3ec2b266e73988267ff5641

Download Submit
C:\Users\Admin\AppData\Local\Temp\mq0qux5v\mq0qux5v.exe

Filesize
6KB

MD5
ce84874cd95745c35b8339b3e049b63b

SHA1
731dd340f153af9b08ef09d0bbe63feb7164c43b

SHA256
4bd83a34e163a7c5d69102ebafa6059c1c4df2a9c28dfe5f8616b56efc299301

SHA512
bbf0704ea7becebc85d71458ae68702adf8da25a2d023d78d04f3839b3af4500800ed75fbb489c30fd1113b5e7e09dbe575b7f34ca775221baf44e9977f301a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpli4ksi\qpli4ksi.cmdline

Filesize
313B

MD5
abbdeb7baae28901ed57f5d928d9b849

SHA1
a6da061a57d36c9ba7cc40efb3d26ecff6b59651

SHA256
44c7abda10885ce653889c6dcdbe544c44aa6619e8ec83f6486b0b6f15f71122

SHA512
08c6292b34c18ec1ea43794267659dc3b78fee4c946b952848874c9b9811c8d59bbee69de40b003ae3236aa3d46c34d3613c09ceaf9fe05dd8402a2809fa98b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpli4ksi\qpli4ksi.exe

Filesize
6KB

MD5
b6865091d290aaf65fbc188d7fb194db

SHA1
1faea0f02de6b94e2407fb478075cddb376e8909

SHA256
796321080b0a81d13c7f92c79003755775d9fa00826c5f5950bbd67d01814a96

SHA512
db4324d122f1b7099adadc9c2a5ece342cbd6346afaea08fe5d511eb7b8a36dac8456e1b5210059a58c60ab5fa22145d374d720c44fe1e57f7378aff23b226bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzr020r4\tzr020r4.cmdline

Filesize
313B

MD5
51ef6d62f8caa63c5a83368b6ee36470

SHA1
c8eba90620c49cd17f03d2df6402747938672752

SHA256
a2e780cf72cd6191bdb320253762ea3741b97cc995fe9421dc0ad412787de59e

SHA512
4f02afadc0b26da2306af4b996ac7948ba25bb82ddfabfa7f07bf82465874a97b492802af9840f05eecb9fa3bfa1845dc729a8445c44c2f1b28f3364b0f7839f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzr020r4\tzr020r4.exe

Filesize
6KB

MD5
e4f80c65c200489a67946eb9ae427e70

SHA1
ffad63ee53304b528be60e497fa81d3a71af302d

SHA256
ca573f1795a95ad9100a94d31baaa499a3c0d5829431eb579a70b126f8850c07

SHA512
52e83a1515d62dc9a6dc387db742243f41dd0b03af555e42cdd9351e8089c2ea730cdd8ff3b493cacc1e8e4a37ebecee2f2deaf70b6cb425913ab56298f1712a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3FA5F073E274E7780ADF3B79E3C7F37.TMP

Filesize
1KB

MD5
6e05b4b5c20362b830491d3731cb20f5

SHA1
4a4b18fde486c949ac7d1ac170d89904b9c06f67

SHA256
588fccc9247a1eba0e16c21ea072518a1fcf7ddaee5a00792a1c69c3c4596fc8

SHA512
ab702b79cb4cbb0df1b61152056370cd88a9b3515275695d0d7627d9d6c02e5ee7f6e86e27c1833061bc9da2c6ae57bb9180e53460881fd6159f26ca8fd54b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc76785C97A2544EB5B5E5AFAE5CA62F.TMP

Filesize
1KB

MD5
69d5a1edbddc535244ed154b81c98413

SHA1
372bb289a435cf3bf24b0df6dbbcbb67fc480b92

SHA256
233df5571e0a2a85df96ea60603cf7b64d3a798bd08854fd7e9b84196fd3f19a

SHA512
3ee5a9ca9b41d5903b52582ff2a071add6e45ab404e373ee32cb15698e30fa896d33d5d4dba30f74a3ffe1adc28dea40904b6f2a36da954ae3e5c194ce69f0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DCD953DC122420A8D448F49E2E660E0.TMP

Filesize
1KB

MD5
6b27db66be27e00e5ade2611528d9497

SHA1
9772311370242eef2a019da01f015b38463168f1

SHA256
26c904a58649f6bb693d888b33a8f5029cfe491c0193833bfd441108c0fb7cf5

SHA512
dd8b3876e1f2ea0905571d9015e07e8b09c62d954125e19139effe7635823c6daa945360cca417b4ab22415038e8039d8500ad187cc55e6ebef3af145a751236

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8631DC0C281D452D9FFDDC273960629.TMP

Filesize
1KB

MD5
73ec8529ba4bedfdaac4e307980beb6c

SHA1
71a073f3bc387c205c0d8af34e28358122b1ce4d

SHA256
e362fa67bc0cbbf47fc99633b4fab930594bbe6e79fd06fcbddd2411e1708ae3

SHA512
9818e331839cf8a8eca7a929b0ebd2f6aa16be832ef87df78a2c851ae743428a170413694cde5efc7db070255e913507a42b0563d6e983d99b2c51393ed8c8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBB7929CD28F64F1EBF67E5FFC95883E3.TMP

Filesize
1KB

MD5
6773dfc96cb64e83c3fb027361e31e29

SHA1
a6edaf18dbe4846afe973e00220a8019cd6d9046

SHA256
27e24a835590abf63c85c4169b5b38622f09757d33d69a4f2db7f1d8fb3a1b96

SHA512
0fe59d14356d2c2605bd3dbbdeef89ab5e1e61aba0a6868ba432c8015eaebaf2526be72d8ca39055a73209281e41ea5b91a2ac7510c00b2fcc2684729b445c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDCD0DC9744824AD982AFE3E4615A93F0.TMP

Filesize
1KB

MD5
e0f831669fe4e41eb09f71527e424226

SHA1
5e43d585c154373ef27847f8a68e4ea4c5437d3d

SHA256
b60cb8d3ecb5b7bafa460c09d3f49d9775f3281a5b1923d9f419401f6cf02658

SHA512
66f765051a0a30d4791b7ccfacccf15812e8bd33364708a55caaed1953625e481da72e46fd06ab424d14a5e7543d443d1b7804dbecd043126cd005a60fa0bf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE7CBC1B8C284AD38CE6F8A1ABA2686A.TMP

Filesize
1KB

MD5
ac7b615bc8e1ad4400db51acffa87c7e

SHA1
d45f6992f8a06f92b2488fa563eced4c0278f191

SHA256
f2cdc4873d1bb12cf0b0a3bee188c1c3799d86017aac1c2e0f92bcdbc7aad080

SHA512
db61783a78072b9c54c55d42aeb6c2aad874aa51261f235e068c1c0dc9956a494cc401bd4b0301ba5c5874bbbc042f0d0b1bbb6b3b41cc7f8d886b3d057df9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEF9A4F0622A74B93BE6829E19B7732DD.TMP

Filesize
1KB

MD5
17b2ba23535980c0d8acba7436dda1cf

SHA1
4146f69443a700e1bdf384808f4515d303b73045

SHA256
55638655ef5a4f937811e0d37cb5daef5f800d2ee38bd907acd0f1117b7a5f57

SHA512
e7d4babc1655a9529bcb24295aa0f0bd41275ccb90786180ee4464fb8d3100bebc4014a509cde95e2272b6d331ed95eac18803582c91d2e5281b3872a84e70c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF8CFD40144B044258B95BEDF9D1A8AAD.TMP

Filesize
1KB

MD5
ff85166a44c87a1cfecaebb08205a9f0

SHA1
fc1fe35fbf4f20697db4afa6b30d9109a96d9a21

SHA256
e6b57beaa3112e53d26906071c85fd5a05463c81b3edebdf42b42790cc7c1435

SHA512
f83cb9d2105114db0d384b1a462aa6f87d27cd5fffd899fe731c94694110224cf23288c78de070beff28558f4d06aefb255ba58ba4c0f6c4b7e7f9b38969d504

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFBFECA18317E49DB86EBFE3BC5FB1F64.TMP

Filesize
1KB

MD5
af467ca3d7770d417f7b60eaa74a8734

SHA1
b3b6b8af77e6a77d53d9fd4b490c8202c02c0f7f

SHA256
aaeab25f411f9303a62750d57af658d888736cffbc8e5fbb0cb2bb7321562547

SHA512
764c0c3ca2ff45942adecf3e1ffd6358ff1c41a854de7e9190e942faf1fea1224e15fe6e28fad455b7550583dd796f0b8cf88b089652b0fa9dea6742d7e83bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmyrcxje\xmyrcxje.0.vb

Filesize
378B

MD5
f9467ec560babc647b328af403d51179

SHA1
d65bfd35ef5b1658a50c49c670b786a9ce91aeae

SHA256
e4f0ea2ea23c123d2c1bbc02c6b9496cf5ce01e6e21dafc057e6c76ac7eeb030

SHA512
788200717438f57616733eed027ecf2f3387a1b17915348faa7dd06bc9814d7fdfeb5be6da0dea142d57dad2c073f5a859bebc0584cb49b25dda333c12629bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmyrcxje\xmyrcxje.cmdline

Filesize
313B

MD5
4cee7c826e150d146cc7e6b1ed4d8cf5

SHA1
0d706b842709607f625e4b047234dfe46bdf6326

SHA256
7abc2d258dfefa784e22395d5a6ac8b3d4a0a9368d4b842e077da1d1cfdc3dff

SHA512
bf31d8b7eba1859bc2df2123e430b662c067991456f01ec2df26459a12e19077f3375ba5b1e57a1619bcadc27330dcfa4556d6af45b26a04adf2d13c4cae96a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmyrcxje\xmyrcxje.exe

Filesize
6KB

MD5
c5e78af0639970ea9e5423010e385a5d

SHA1
72ff0c84e126f5344f3e691360768b62929653de

SHA256
8e1fb3f58cfaa1a3461aceb2f73f469534a3e076b7ddf2e7665aa69cd2c879da

SHA512
2c59842df9b69d56b72e2dfd36a1d7e1affb203229b8fc23b7289c66c4d365c2fcf80e598a91325189b63be345773f9fe9b98e00deb8c3c0e60643802ee97b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzdrqhtn\xzdrqhtn.cmdline

Filesize
313B

MD5
206af1818b5b01b55ddd1a00d9f6b932

SHA1
41cc7ea0c8664ecf7ea1c0ff6824fa8d3bd2d709

SHA256
f44db57565b8d110a8b294fefe190adca543f6b5654b9f1755494cd034dd4c99

SHA512
bc85ba84899c2ace7f925e219708a521e81fa3974d18e6e8a6afa03d54dc9196d536916f36d2560f5d9b9ead3981ddf1519d2a288477d17ff52c0bdd4cb5e773

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzdrqhtn\xzdrqhtn.exe

Filesize
6KB

MD5
d4cfb776f05e2c5382b960d8258a89b4

SHA1
b7c8be7f84898fbd6dbb77ab919973a01ac8bc0a

SHA256
391820cad2b28e84e78a7fc5a2bb451267d895ec1d25d02c74a10f2997e7ac78

SHA512
5a43767ec4644ed40fd1ae4d453a3a5c4bd38424217175d981c5965d08a5a662ba22d42af1a7c8301bbc67d7138db23018e5806b07c35cb952722c6a78ba60a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
c4fe311a96d13b7c1e90afe6d371182d

SHA1
3e1e1c7e93c65e4c73827296ee9f4d02aceb2c5c

SHA256
5f7d2581b537c23cf6b2643542b44e39207d79d55defa21780f0b82e941c7dd8

SHA512
7110a498545e623cfac9203fe28fee0f10f56725cff423af59e0cf65f881b5ed871feeac5fc80978f8c1688543c2dfc8d4510a29bbb9f9c504d07afecf888c82

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
76KB

MD5
d3953f8988cf3b75478a3c8d103d1e1e

SHA1
19a8d8f0c06902af448800faf29761a5dba7344c

SHA256
8367b712426af8646d6350d302a0cd406413fa9a2f28d1bde1df0236282a15ef

SHA512
cb4436f73f4c7762c4fcc07947f4144b0e8ec8923ff8609532271cdc231f665c36369dc29f013712c90dabb77b960fec4babfc1cff912394fa1de0e53e8aec11

Download Submit
C:\Windows\System32\rsq7ks.exe

Filesize
6.1MB

MD5
bed562e3c31a0a33bb859e1f717072e8

SHA1
2e73f0fc40b4c1948aec268fee3a0f048340a08e

SHA256
813c5a2a050b54a00bedabed0c647fdc90455d2ca2b4b86650112c3af7f679a6

SHA512
2d5838f2cacbfc5145db1a120e4eeaa7d06b3f68d9238d327d6b7a8684d917fc241417e46668d03d8239695eec06f0d5b81d58a39ba5a53b9dfde3ce9841019b

Download Submit
memory/32-12-0x0000024313550000-0x0000024313560000-memory.dmp

Filesize
64KB

Download
memory/32-4-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/32-17-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/32-3-0x0000024313560000-0x0000024313582000-memory.dmp

Filesize
136KB

Download
memory/32-10-0x0000024313550000-0x0000024313560000-memory.dmp

Filesize
64KB

Download
memory/1828-130-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/1828-128-0x0000018FA6510000-0x0000018FA6520000-memory.dmp

Filesize
64KB

Download
memory/1828-115-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/1828-117-0x0000018FA6510000-0x0000018FA6520000-memory.dmp

Filesize
64KB

Download
memory/1828-116-0x0000018FA6510000-0x0000018FA6520000-memory.dmp

Filesize
64KB

Download
memory/2952-103-0x000000001B470000-0x000000001B47A000-memory.dmp

Filesize
40KB

Download
memory/2952-1-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/2952-148-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/2952-131-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/2952-132-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/2952-114-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/2952-113-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/2952-164-0x000000001DC00000-0x000000001DC08000-memory.dmp

Filesize
32KB

Download
memory/2952-228-0x000000001EA10000-0x000000001EA18000-memory.dmp

Filesize
32KB

Download
memory/2952-101-0x000000001B460000-0x000000001B46E000-memory.dmp

Filesize
56KB

Download
memory/2952-292-0x000000001DC30000-0x000000001DC38000-memory.dmp

Filesize
32KB

Download
memory/2952-0-0x00000000005F0000-0x000000000060A000-memory.dmp

Filesize
104KB

Download
memory/2952-180-0x000000001DC20000-0x000000001DC28000-memory.dmp

Filesize
32KB

Download
memory/2952-2-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/2952-276-0x000000001C5B0000-0x000000001C5B8000-memory.dmp

Filesize
32KB

Download
memory/2952-260-0x00000000203B0000-0x00000000203B8000-memory.dmp

Filesize
32KB

Download
memory/2952-133-0x000000001C420000-0x000000001C42A000-memory.dmp

Filesize
40KB

Download
memory/2952-196-0x000000001C140000-0x000000001C148000-memory.dmp

Filesize
32KB

Download
memory/2952-244-0x000000001EA30000-0x000000001EA38000-memory.dmp

Filesize
32KB

Download
memory/2952-61-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/2952-68-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/2952-69-0x000000001B230000-0x000000001B23C000-memory.dmp

Filesize
48KB

Download
memory/2952-212-0x000000001DC50000-0x000000001DC58000-memory.dmp

Filesize
32KB

Download
memory/3632-60-0x0000019998610000-0x0000019998620000-memory.dmp

Filesize
64KB

Download
memory/3632-59-0x0000019998610000-0x0000019998620000-memory.dmp

Filesize
64KB

Download
memory/3632-58-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/3632-63-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/3780-74-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/3780-72-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/4120-97-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/4120-96-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/4156-30-0x00000164EFCB0000-0x00000164EFCC0000-memory.dmp

Filesize
64KB

Download
memory/4156-28-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/4156-29-0x00000164EFCB0000-0x00000164EFCC0000-memory.dmp

Filesize
64KB

Download
memory/4156-32-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/4192-89-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-88-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-90-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-81-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-82-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-92-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-86-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-80-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-91-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/4192-87-0x0000016DEBE10000-0x0000016DEBE11000-memory.dmp

Filesize
4KB

Download
memory/5108-47-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download
memory/5108-44-0x000001AB4A110000-0x000001AB4A120000-memory.dmp

Filesize
64KB

Download
memory/5108-45-0x000001AB4A110000-0x000001AB4A120000-memory.dmp

Filesize
64KB

Download
memory/5108-43-0x00007FFE9F5B0000-0x00007FFEA0071000-memory.dmp

Filesize
10.8MB

Download