Analysis

  • max time kernel
    154s
  • max time network
    297s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 21:34

General

  • Target

    WizWorm.exe

  • Size

    99KB

  • MD5

    a9b00ac5f9c02e540c61381a5fae62c3

  • SHA1

    273e272cc73d519c5cba2839de4e6043fd8977b0

  • SHA256

    3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38

  • SHA512

    924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570

  • SSDEEP

    1536:n1vP5KmktoR0wQNB+QC+ZMh/uFPah6x2C4bFwOL/n6106/Y7FwoOLTrXatVSFayK:VxLCLN06PahfLbFZL/6PWZOL6GPPy

Malware Config

Extracted

Family

xworm

C2

auto-london.gl.at.ply.gg:51655

wiz.bounceme.net:6000

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    NigNigRat.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 7 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
    "C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WizWorm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4852
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\Users\Admin\AppData\Local\WizWorm.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1096
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies registry class
      PID:2844
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:408
  • C:\Users\Admin\AppData\Local\WizWorm.exe
    C:\Users\Admin\AppData\Local\WizWorm.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4952
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3584
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3128
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
        PID:4972
      • C:\Users\Admin\AppData\Local\WizWorm.exe
        C:\Users\Admin\AppData\Local\WizWorm.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3584
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4c0 0x314
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4156
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3676
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3272
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3132
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:4132
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4988
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2516
      • C:\Users\Admin\AppData\Local\WizWorm.exe
        C:\Users\Admin\AppData\Local\WizWorm.exe
        1⤵
        • Executes dropped EXE
        PID:5652
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:5696
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:6020
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:5128
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:2328
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:5392
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4916
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:4444
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:5384
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                          PID:1252
                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                          1⤵
                            PID:996
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:4236
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:5756
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                  PID:5204
                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                  1⤵
                                    PID:4540
                                  • C:\Windows\explorer.exe
                                    explorer.exe
                                    1⤵
                                      PID:3488
                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                      1⤵
                                        PID:4340
                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                        1⤵
                                          PID:5624
                                        • C:\Windows\explorer.exe
                                          explorer.exe
                                          1⤵
                                            PID:1456
                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                            1⤵
                                              PID:1636
                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                              1⤵
                                                PID:1236
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                  PID:2664
                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                  1⤵
                                                    PID:5544
                                                  • C:\Windows\explorer.exe
                                                    explorer.exe
                                                    1⤵
                                                      PID:2516
                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                      1⤵
                                                        PID:5180
                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                        1⤵
                                                          PID:5380
                                                        • C:\Users\Admin\AppData\Local\WizWorm.exe
                                                          C:\Users\Admin\AppData\Local\WizWorm.exe
                                                          1⤵
                                                            PID:5732
                                                          • C:\Windows\explorer.exe
                                                            explorer.exe
                                                            1⤵
                                                              PID:5428
                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                              1⤵
                                                                PID:5700
                                                              • C:\Windows\explorer.exe
                                                                explorer.exe
                                                                1⤵
                                                                  PID:1948
                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                  1⤵
                                                                    PID:2528
                                                                  • C:\Windows\explorer.exe
                                                                    explorer.exe
                                                                    1⤵
                                                                      PID:5668
                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                      1⤵
                                                                        PID:772
                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                        1⤵
                                                                          PID:6032
                                                                        • C:\Windows\explorer.exe
                                                                          explorer.exe
                                                                          1⤵
                                                                            PID:1436
                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                            1⤵
                                                                              PID:2528
                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                              1⤵
                                                                                PID:6132
                                                                              • C:\Windows\explorer.exe
                                                                                explorer.exe
                                                                                1⤵
                                                                                  PID:5672
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                  1⤵
                                                                                    PID:5316
                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                    1⤵
                                                                                      PID:6136
                                                                                    • C:\Windows\explorer.exe
                                                                                      explorer.exe
                                                                                      1⤵
                                                                                        PID:4256
                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                        1⤵
                                                                                          PID:408
                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                          1⤵
                                                                                            PID:3628
                                                                                          • C:\Windows\explorer.exe
                                                                                            explorer.exe
                                                                                            1⤵
                                                                                              PID:3644
                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                              1⤵
                                                                                                PID:4128
                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                1⤵
                                                                                                  PID:6100
                                                                                                • C:\Users\Admin\AppData\Local\WizWorm.exe
                                                                                                  C:\Users\Admin\AppData\Local\WizWorm.exe
                                                                                                  1⤵
                                                                                                    PID:6008
                                                                                                  • C:\Windows\explorer.exe
                                                                                                    explorer.exe
                                                                                                    1⤵
                                                                                                      PID:5484
                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
                                                                                                      1⤵
                                                                                                        PID:5284
                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                                                                                                        1⤵
                                                                                                          PID:5424
                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                          1⤵
                                                                                                            PID:4216
                                                                                                          • C:\Windows\explorer.exe
                                                                                                            explorer.exe
                                                                                                            1⤵
                                                                                                              PID:920
                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                              1⤵
                                                                                                                PID:4324
                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                1⤵
                                                                                                                  PID:5228
                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
                                                                                                                  1⤵
                                                                                                                    PID:1672

                                                                                                                  Network

                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                  Replay Monitor

                                                                                                                  Loading Replay Monitor...

                                                                                                                  Downloads

                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

                                                                                                                    Filesize

                                                                                                                    471B

                                                                                                                    MD5

                                                                                                                    f16fdb928ddc10e8df110fa8abb38596

                                                                                                                    SHA1

                                                                                                                    6904dd8b249b070ad73240674b0a5876af8e831f

                                                                                                                    SHA256

                                                                                                                    a246c7ef36267ae1a520a9d4ba4571bf99478afb72c8f7db1df94b425963da8f

                                                                                                                    SHA512

                                                                                                                    0a394753665725c7ed77d2db28663c84d0c0613379ee5c86c7eecf7d7326e2a5863e64e8502551665c466d5ae864f8d3c3394d3948b8dab7114e50224a523abf

                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

                                                                                                                    Filesize

                                                                                                                    420B

                                                                                                                    MD5

                                                                                                                    a962530efc9c81cbbed4b7d88da80ecb

                                                                                                                    SHA1

                                                                                                                    64b9d74f1c80c52819127798875088c64c9f8de2

                                                                                                                    SHA256

                                                                                                                    4feb0e14690f83cf1cffa01aa65f0ca70da692555a5ec4d2a25641adf0a5c678

                                                                                                                    SHA512

                                                                                                                    4691fe522e2bcfb7bc5e59fc6a8dab45b8569f009f527d86984ed57baec1995c831fe52e8a10d5e16e2d1ca18836be917a3439f2280a47c7360bc2de4fc466d1

                                                                                                                  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    MD5

                                                                                                                    d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                                    SHA1

                                                                                                                    2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                                    SHA256

                                                                                                                    b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                                    SHA512

                                                                                                                    c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                                  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

                                                                                                                    Filesize

                                                                                                                    4B

                                                                                                                    MD5

                                                                                                                    f49655f856acb8884cc0ace29216f511

                                                                                                                    SHA1

                                                                                                                    cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                    SHA256

                                                                                                                    7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                    SHA512

                                                                                                                    599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

                                                                                                                    Filesize

                                                                                                                    944B

                                                                                                                    MD5

                                                                                                                    6bd369f7c74a28194c991ed1404da30f

                                                                                                                    SHA1

                                                                                                                    0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                                    SHA256

                                                                                                                    878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                                    SHA512

                                                                                                                    8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWorm.exe.log

                                                                                                                    Filesize

                                                                                                                    654B

                                                                                                                    MD5

                                                                                                                    2ff39f6c7249774be85fd60a8f9a245e

                                                                                                                    SHA1

                                                                                                                    684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                                                                    SHA256

                                                                                                                    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                                                                    SHA512

                                                                                                                    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                    Filesize

                                                                                                                    2KB

                                                                                                                    MD5

                                                                                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                                                                                    SHA1

                                                                                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                                                    SHA256

                                                                                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                                                    SHA512

                                                                                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                    MD5

                                                                                                                    d665f37c675ed0a5d4da5074326276ce

                                                                                                                    SHA1

                                                                                                                    714a69f40fe5d2d128ef32e2ea147d9e88af2d9b

                                                                                                                    SHA256

                                                                                                                    4d7a3d85737a43ee991b249dc7a2f57097bb73bf764d7be887203c3349705412

                                                                                                                    SHA512

                                                                                                                    ba296d0e6cfb77e4df8661e2609bd61cce88232171212df3906500ff31f23fde81f6abb418491b4bbabb41f86fee3eddd68fefa26840c6689ab5d19686dcce95

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

                                                                                                                    Filesize

                                                                                                                    7KB

                                                                                                                    MD5

                                                                                                                    394a3c2cb6ccc54900376628e9d73778

                                                                                                                    SHA1

                                                                                                                    01b89d3281860d2a037534f0d249e6079bbe278c

                                                                                                                    SHA256

                                                                                                                    a0bbb7c84673fa5b63589eb5472518a8a0a7fa542351f47981a6968a9f08bd67

                                                                                                                    SHA512

                                                                                                                    167d71364c60573cf0e29e7c643ab9a2e089fdf7e6b1e0165baf70dd4bb849a41c40e7e13c06f71e91cb8498375e086e1d7cb9ae84d97881e69aa9c1831df14f

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\Windows[1].json

                                                                                                                    Filesize

                                                                                                                    714B

                                                                                                                    MD5

                                                                                                                    76f465a1d31632420393bdbae3d7f966

                                                                                                                    SHA1

                                                                                                                    bb5db6deb00043af62243e95cb732daed7f9d835

                                                                                                                    SHA256

                                                                                                                    f80d4b530521484358d3e676d98608d26c9622fa8b71e44af9c23969ce1cdde2

                                                                                                                    SHA512

                                                                                                                    c0b77bc63db7e54dcbc60c04cdbc21f359e69b3f1f5aa79eb286dad1904240fd2c75b4fb6451268dbbeaf37578cf9878b6afd976f0d272bbf1232ee96ba077fe

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\Windows[2].json

                                                                                                                    Filesize

                                                                                                                    712B

                                                                                                                    MD5

                                                                                                                    c00b3f9d9cce523191a21fadff7d901e

                                                                                                                    SHA1

                                                                                                                    ac5fb9ea0f6c4a76e82368f173d5e592387088a3

                                                                                                                    SHA256

                                                                                                                    9ba404eb666e44ab21dc5b06656a1ffca0af4ab734cddc2311dca49a30df3d44

                                                                                                                    SHA512

                                                                                                                    ed027acd8c780f5c9c6d0feebdd8f0c6ae277e3f5086a6f58e21e37d641713e829e01623d0561873e0ef06edcf22aa2f526585a43ff7c0664919d2f9f3316b00

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                    Filesize

                                                                                                                    944B

                                                                                                                    MD5

                                                                                                                    5f0ddc7f3691c81ee14d17b419ba220d

                                                                                                                    SHA1

                                                                                                                    f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                                                                                                    SHA256

                                                                                                                    a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                                                                                                    SHA512

                                                                                                                    2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                    Filesize

                                                                                                                    944B

                                                                                                                    MD5

                                                                                                                    f41f42c322498af0591f396c59dd4304

                                                                                                                    SHA1

                                                                                                                    e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514

                                                                                                                    SHA256

                                                                                                                    d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c

                                                                                                                    SHA512

                                                                                                                    2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

                                                                                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

                                                                                                                    Filesize

                                                                                                                    13KB

                                                                                                                    MD5

                                                                                                                    769a4366a5c2582f8040ec5296199cc5

                                                                                                                    SHA1

                                                                                                                    0186b1f6948cc5b14f8142e13f8dd1a5ff9bc1d6

                                                                                                                    SHA256

                                                                                                                    4fe4c74d79fd94e165d0665bdaade219eb79e5fa363ad82a05ed3f261bedfe96

                                                                                                                    SHA512

                                                                                                                    cf26d252b3d6bfbd0809988f0b853eeb8a03889b6ba26003e007617fd4aa5c670b2f2d1cf487e75558d81ae9ca8ffb82f99b9496bf877d206070344f3f229e32

                                                                                                                  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml

                                                                                                                    Filesize

                                                                                                                    96B

                                                                                                                    MD5

                                                                                                                    84209e171da10686915fe7efcd51552d

                                                                                                                    SHA1

                                                                                                                    6bf96e86a533a68eba4d703833de374e18ce6113

                                                                                                                    SHA256

                                                                                                                    04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

                                                                                                                    SHA512

                                                                                                                    48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_opbhkqpz.104.ps1

                                                                                                                    Filesize

                                                                                                                    60B

                                                                                                                    MD5

                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                    SHA1

                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                    SHA256

                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                    SHA512

                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                  • C:\Users\Admin\AppData\Local\WizWorm.exe

                                                                                                                    Filesize

                                                                                                                    99KB

                                                                                                                    MD5

                                                                                                                    a9b00ac5f9c02e540c61381a5fae62c3

                                                                                                                    SHA1

                                                                                                                    273e272cc73d519c5cba2839de4e6043fd8977b0

                                                                                                                    SHA256

                                                                                                                    3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38

                                                                                                                    SHA512

                                                                                                                    924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570

                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_67338D05A3B247529540EAF2B113271D.dat

                                                                                                                    Filesize

                                                                                                                    940B

                                                                                                                    MD5

                                                                                                                    ff9b0f3bb4ab37b8a39d86ee9c358588

                                                                                                                    SHA1

                                                                                                                    b0867c2f230f1c5f8bc093a5d87ecb9682e7441e

                                                                                                                    SHA256

                                                                                                                    b8cccc22bce935670de4eafa50ab9f922170484d9707738518594ed8f3beaba6

                                                                                                                    SHA512

                                                                                                                    cfe41723ad47bd2624b4984a316e627406541c580743beccbd8860cdb5c1317a9ff5c0fdfab6802e8341b228df4b8f45cd6101c7a6b12b2e879a17fcdb2a52bc

                                                                                                                  • C:\Windows\INF\machine.PNF

                                                                                                                    Filesize

                                                                                                                    150KB

                                                                                                                    MD5

                                                                                                                    ce1637d02213e1380f3a522319816a83

                                                                                                                    SHA1

                                                                                                                    00368aa3aa7ac5e5a0b0ed916a4c7e6fb5a1abef

                                                                                                                    SHA256

                                                                                                                    6c97257ea095fb66371eb677046b081f121f9130702f4c31af9461b0b2b6f5a7

                                                                                                                    SHA512

                                                                                                                    148785c9bfb3fedd3bf1793636d679161405e0688b93b83384a4abc0836776a42117ed48d08f3a079f1b53f6dc89457c6a14bb1590dea169c76846dd0db8bde7

                                                                                                                  • memory/1236-1043-0x0000020FD8790000-0x0000020FD87B0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/1236-1042-0x0000020FD8380000-0x0000020FD83A0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/1236-1012-0x0000020FD83C0000-0x0000020FD83E0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/1252-548-0x00000000048E0000-0x00000000048E1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/1456-1004-0x0000000004250000-0x0000000004251000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/1600-1379-0x000000001EC40000-0x000000001F168000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    5.2MB

                                                                                                                  • memory/1600-0-0x00007FF984463000-0x00007FF984465000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1600-54-0x00007FF984460000-0x00007FF984F21000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                  • memory/1600-1300-0x00000000012B0000-0x00000000012BE000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    56KB

                                                                                                                  • memory/1600-76-0x0000000001560000-0x000000000156C000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    48KB

                                                                                                                  • memory/1600-83-0x00000000012C0000-0x00000000012CA000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    40KB

                                                                                                                  • memory/1600-84-0x000000001DCA0000-0x000000001E3AC000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    7.0MB

                                                                                                                  • memory/1600-52-0x00007FF984463000-0x00007FF984465000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                  • memory/1600-53-0x000000001CAB0000-0x000000001CABE000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    56KB

                                                                                                                  • memory/1600-2-0x00007FF984460000-0x00007FF984F21000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                  • memory/1600-1-0x0000000000C80000-0x0000000000C9E000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    120KB

                                                                                                                  • memory/2516-146-0x0000013540BD0000-0x0000013540BF0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/2516-115-0x0000013540800000-0x0000013540820000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/2516-134-0x00000135405C0000-0x00000135405E0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/2516-1150-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3308-15-0x00007FF984460000-0x00007FF984F21000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                  • memory/3308-9-0x00007FF984460000-0x00007FF984F21000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                  • memory/3308-8-0x000001955EFA0000-0x000001955EFC2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    136KB

                                                                                                                  • memory/3308-14-0x00007FF984460000-0x00007FF984F21000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                  • memory/3308-20-0x00007FF984460000-0x00007FF984F21000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                  • memory/3308-17-0x00007FF984460000-0x00007FF984F21000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                  • memory/3308-16-0x00007FF984460000-0x00007FF984F21000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                  • memory/3488-853-0x00000000028D0000-0x00000000028D1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-73-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-70-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-65-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-63-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-74-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-75-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-72-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-71-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-64-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/3584-69-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/4132-108-0x0000000004090000-0x0000000004091000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/4236-550-0x00000296F4E20000-0x00000296F4F20000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/4236-585-0x00000296F6350000-0x00000296F6370000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/4236-569-0x00000296F5F40000-0x00000296F5F60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/4236-556-0x00000296F5F80000-0x00000296F5FA0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/4540-708-0x000002EF31280000-0x000002EF312A0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/4540-739-0x000002EF31650000-0x000002EF31670000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/4540-737-0x000002EF31240000-0x000002EF31260000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/4540-702-0x000002EF30120000-0x000002EF30220000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/4916-411-0x00000000048F0000-0x00000000048F1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/5128-263-0x000002409B700000-0x000002409B800000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/5128-280-0x000002489D5B0000-0x000002489D5D0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5128-262-0x000002409B700000-0x000002409B800000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/5128-296-0x000002489DC50000-0x000002489DC70000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5128-268-0x000002489D800000-0x000002489D820000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5380-1152-0x0000023A94C00000-0x0000023A94D00000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/5380-1156-0x0000023A95D60000-0x0000023A95D80000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5380-1151-0x0000023A94C00000-0x0000023A94D00000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/5380-1177-0x0000023A95D20000-0x0000023A95D40000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5380-1189-0x0000023A96130000-0x0000023A96150000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5380-1153-0x0000023A94C00000-0x0000023A94D00000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/5384-442-0x0000028F800C0000-0x0000028F800E0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5384-418-0x00000297FFC60000-0x00000297FFC80000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5384-441-0x00000297FFC20000-0x00000297FFC40000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5624-879-0x00000213852B0000-0x00000213852D0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5624-891-0x00000213858C0000-0x00000213858E0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5624-860-0x00000213852F0000-0x0000021385310000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/5624-855-0x0000021383600000-0x0000021383700000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/5624-854-0x0000021383600000-0x0000021383700000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB

                                                                                                                  • memory/5668-1301-0x0000000004A10000-0x0000000004A11000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/5696-260-0x00000000045D0000-0x00000000045D1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/5756-700-0x0000000004E50000-0x0000000004E51000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                  • memory/6032-1328-0x0000026A3F960000-0x0000026A3F980000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/6032-1329-0x0000026A3FE00000-0x0000026A3FE20000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/6032-1309-0x0000026A3F9A0000-0x0000026A3F9C0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    128KB

                                                                                                                  • memory/6032-1303-0x0000026A3E700000-0x0000026A3E800000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1024KB