xworm | 7bdd0af1bd40c6f7267a83218a882962067867e1a65a84e3ff1198f21b5a8baf

Analysis

max time kernel
1799s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizClient.rar
Size

26KB
MD5

8c20b4eece51e9c8a4dab876cc9c9dba
SHA1

a6176ec2bf842203667dbf5658d5dc524727c7a6
SHA256

7bdd0af1bd40c6f7267a83218a882962067867e1a65a84e3ff1198f21b5a8baf
SHA512

7bfae6417fd3dd4b40d806eb2526826dbe23e0bb2e1e02a940f2a42ed3f0234263d6bcc307c3e88fb6e68f55ed354e4ef8eee8e18f85dd0e8a61d29efa56cc79
SSDEEP

768:PXX2e+Zk7JpO/B3+m4SQl8qlI5SZQus3pLVhoo3d:PXOO7JpmXlS8qlI5SeftN

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

programme-garden.gl.at.ply.gg:42957

wiz.bounceme.net:6000

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\WizClient.exe	family_xworm
behavioral1/memory/3036-332-0x0000000000210000-0x0000000000224000-memory.dmp	family_xworm
behavioral1/memory/3036-400-0x000000001C070000-0x000000001C07E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2580 powershell.exe
3772 powershell.exe
1704 powershell.exe

pid	process
2580	powershell.exe
3772	powershell.exe
1704	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WizClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WizClient.exe

Drops startup file 2 IoCs

Processes:

WizClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe

Executes dropped EXE 27 IoCs

Processes:

WizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exe

pid	process
3036	WizClient.exe
2412	WizClient.exe
4812	WizClient.exe
4516	WizClient.exe
1960	WizClient.exe
3276	WizClient.exe
1296	WizClient.exe
1508	WizClient.exe
3760	WizClient.exe
3516	WizClient.exe
2656	WizClient.exe
2432	WizClient.exe
4976	WizClient.exe
932	WizClient.exe
2532	WizClient.exe
3012	WizClient.exe
2260	WizClient.exe
4296	WizClient.exe
4808	WizClient.exe
3424	WizClient.exe
4996	WizClient.exe
3248	WizClient.exe
320	WizClient.exe
4748	WizClient.exe
2984	WizClient.exe
448	WizClient.exe
2328	WizClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WizClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\ProgramData\\WizClient.exe"	WizClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2340 schtasks.exe

pid	process
2340	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629041691907984"	chrome.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AcroRd32.exechrome.exechrome.exepowershell.exetaskmgr.exepowershell.exepowershell.exe

pid	process
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
800	chrome.exe
800	chrome.exe
4372	chrome.exe
4372	chrome.exe
2580	powershell.exe
2580	powershell.exe
2396	taskmgr.exe
2396	taskmgr.exe
3772	powershell.exe
3772	powershell.exe
2396	taskmgr.exe
1704	powershell.exe
1704	powershell.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exetaskmgr.exe

pid process

2344 OpenWith.exe
2396 taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exe

pid	process
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe
Token: SeShutdownPrivilege	800	chrome.exe
Token: SeCreatePagefilePrivilege	800	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exetaskmgr.exe

pid	process
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
3856	7zG.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
800	chrome.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

OpenWith.exeAcroRd32.exe

pid	process
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe
5028	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2344 wrote to memory of 5028	2344	OpenWith.exe	AcroRd32.exe
PID 2344 wrote to memory of 5028	2344	OpenWith.exe	AcroRd32.exe
PID 2344 wrote to memory of 5028	2344	OpenWith.exe	AcroRd32.exe
PID 5028 wrote to memory of 4060	5028	AcroRd32.exe	RdrCEF.exe
PID 5028 wrote to memory of 4060	5028	AcroRd32.exe	RdrCEF.exe
PID 5028 wrote to memory of 4060	5028	AcroRd32.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 1972	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe
PID 4060 wrote to memory of 3528	4060	RdrCEF.exe	RdrCEF.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WizClient.rar
1⤵
- Modifies registry class
PID:2484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\WizClient.rar"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B8ED88EB397721798C67FA50D37CF1F --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1972

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=37A3E4210D2AECAAEEA9A350CBD6243B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=37A3E4210D2AECAAEEA9A350CBD6243B --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3528

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=71E45F55D3C83496B1D62CF652AC540D --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2104

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=408E1C78BC3C4DB439690E5DFD6D5799 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1480

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC6F06C4CE6932C26C82C7ACFE5E264F --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc39eaab58,0x7ffc39eaab68,0x7ffc39eaab78
2⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:2
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3628 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2508 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4852 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4772 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2424 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3508 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2424 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3124 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5472 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:3332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5788 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5876 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
2⤵
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
2⤵
PID:3248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2765:80:7zEvent4264
1⤵
- Suspicious use of FindShellTrayWindow
PID:3856

C:\Users\Admin\Downloads\WizClient.exe
"C:\Users\Admin\Downloads\WizClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"
2⤵
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2412

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4812

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4516

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:1960

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:3276

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:1296

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:1508

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:3760

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:3516

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2656

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2432

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4976

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:932

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2532

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:3012

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2260

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4296

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4808

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:3424

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4996

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:3248

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:320

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4748

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2984

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:448

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
5598a2b191aeb28ad369a6f993f57864

SHA1
a6fc04bcc17fd85f6222ca662514eae7e12ab575

SHA256
b455606dc32215ea8b8695a25d3c3d7992070060d2dd2ea1e942e28b6c7c2526

SHA512
cc02343a9b878e176ed6e0e974d3ac3e39ecbdde6953f611883327492912fc44e8efce6cd0bb24266ef0708ba0ff460c075b8e597f759fba063b5399ab66b1eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
1e561ad763ec7ef98a384c5486829ce9

SHA1
abbcd5583ac2668aae9765001ae78cc5b73be78b

SHA256
8b07561cbe089e053eee31df63dc2620e4e443190cc1efb48f5c3fdb72a81fd2

SHA512
214e6b98aabc805773252a868257202082dec3b5c2f104f52d0275b84038aba82df1147dc8efdda884dfe6d4f402071e4d6352ebadd694bdcd5f117d6bed739d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
3dfcd3bd86f0807f7599b4ba72e433ed

SHA1
caa8e9cca12063bcbf65dbac3b23a373e63e89c4

SHA256
ee519c2e47b38cd3428e95fa4f516768f3ed2bb999afd2eed98b192e8fd73a2c

SHA512
6689adc4dc4a612800b7d489609b388124a45d857d1b72caa2321b798ef4ae0507474cb990ba79ae3820d1249a5276ed0d3c7883bc05663f04ee6fa2946c88c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
97f327c1338a0d819ffa5ab89257373e

SHA1
f1f723d16f40de9305f6a8ee4a636f1822af155b

SHA256
1dc6dabe1e0dc072202680239d3545cc5048c3ce21b9e6c0bf49b70ad97d98c7

SHA512
ccf4e51854dff870b488123893882908a51619fa9e770908ab9ca77c8409effb3e293ec11ccd1a08e8ca9957d4b13e3894b3775478fe6369683887d92cf66c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
4515f4569ffce29b9c10e9baaada4347

SHA1
7140adc7025d3de41b1b34a435abbdd0213de8ad

SHA256
356924712657f60304d21c9ae8210bcc9033ca6053298f1e9b094d42a6d71d96

SHA512
4e14066577d0915b1a9d8d799302e0256d8681c120615164e5aaa882ba2122906e3827615dd2250207cc0cbbb18d4a95ae023523018acfb6fdc3293e827060cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
44abbd2c8223f68e184335c160e55e6e

SHA1
53735d4d00e6d073d89b357a4a3a536b95aa245e

SHA256
13268ace27340754e5c2cc04f72de572eb141b62cbdac339dcd99f8a40f88eab

SHA512
4304aa9f39053e90dc6928141be845439ee9ada430127930148ab1ab47cbfeb73a144dbb4b730e04ad21322c086147672c5b21ca3e96da16c70cb13e86be02cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fc0b31662894549daf7f7b2aca2f0dce

SHA1
81f1a5f5abce04b8672bd2650331db71dbb03f75

SHA256
77cd047a1ce19188e5466465ce63fa62564fadcdc31a40ba5f1ee01c2a778284

SHA512
d63404c01b65475dad46a6bed932216108fa29be0efc000a67b201fd79668c16e52db1fc738f614fe43ab4f3967387cbcabd8a954504b2cad695f56ceb8555ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
9569d45f631e484810d43ab912f8e407

SHA1
25c504e6186792bacdc2e22d247e5da124154c2b

SHA256
d44253fdfe2fcf81c9bf90a989db2d4de4f00c48eaced03385b1534e48994ff5

SHA512
5e826353fbfb3ca86c4ab9dcd9a78b0a5ae1caf9aaf1941e6a128f3f56df82a36fd7e2bcbf886b910ec3cb7900e710829a19e90b328dd61af9d8706c29f68242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c790983291210af3607f5964cd232fd1

SHA1
8f8c5bf75aefa0b709431e9cb6dcec43238d9b57

SHA256
22ee885cecb14f9bab059ecf483f2e8256d5a1985c8242e0bfb650cf19c690ae

SHA512
ad0043a69be85c13f105db7de36f2921dadc88294e923188e0d3b0abc05404203eaf8bb848823ef95bd0c6338d09634a0c4db8702263c52d0e2d16be698b65de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cfaea1201ad530cfc63261b186df16df

SHA1
5ddb421536a9decef516b7968e8f620fd017c57b

SHA256
6e71f8e0030726babcaefccacb4116d8aadb511f0f8e1ca2a4f9028cf4c4ab7f

SHA512
2afac6a5fe1361dd25db9e8b516fcaf46a81ecaecf2b9ac2c73a13d6dfbce36606be4efe4806fe875a0199a6e71fa89b4d2bc7ac7c316b704a8e103522064443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
470c484d845a561382ae7553dcc8b10e

SHA1
59cbbaee65699e659c2f521c4fad454cc3c8d7af

SHA256
813d0ce04b5fa0d06065c490f24d61694747984eb736a017b62dcf24072c61c8

SHA512
fc75d51f0ddf4d552160560bddb233a115fe19d3a073518a690b3758c756bb5f80e63742dd94c0aeaae57ae664aa1a757f8e5cc45b6f6dbe5de31ffe4244e029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f858f59b481179613c169fe3c4ce3bdd

SHA1
fb51859864974d6a1b4b72e3947b9235ac8d81b4

SHA256
77b361bc4cff94ae7922d1a8bb2a1080d85828ed7b04483d8e6273290fa78a45

SHA512
f6e2a17f86cb8d04aa7f734effe537d52f3a7c11efafb6c9a3b556f24372bb5b1e07be7e47ac5530023469907bc47e1151c08ed57256663aaf4d00226116bd72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
0820b2b709b0f77be707b11aa30eaeb2

SHA1
ece968d673dd8d0bf145ce698f0995cac58257f9

SHA256
9e772bddb0960ae387ea4145cabcad0a465e2ac2beaed8982c6c67b23117f498

SHA512
0a1c1d4ae5270026b97cc0ec16a86f0c5ebfa5af599d480aea3cafac88f58eaeeb3dd802af93cb34e608f35b90737bead348b07390f8fef80491c266e4e89078

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
1ad70578d85928dd4ed8954c04cb3950

SHA1
ec44e1dda30816a15b43ceef3b195cad5f8238e2

SHA256
570b6b7730ff809e8afd84f32cb905d594aab685d9feaa490b2e025f48906cd6

SHA512
b7804c2f611ca6aa9ee822f5319530338de9e6c142337bd79db653f199ac0c38c44e55009e5496768fde2e2160b6941504d088219d3144834600d6c09834789d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
bea8ae528e4c5a644e8b90081d301ac9

SHA1
417cea5248ba4de27c1f31de93ccae0c11be0538

SHA256
e79b8654c0460aaf0a5017b200fe5b772ae93c421701e1c6c655c7df060eeaba

SHA512
31ed61a2b628575d7a8a432f3a4d893b4b61ec1ec75642be0cba547f970a0f315d5f07c23d2d117a540247198251661a6a08167520054e702a1fe205517f1512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
003d6a4482bde946f714924858dfb464

SHA1
3db60c25a98a513a4bd5c6af41a366d9a4e0e1e4

SHA256
f54b78473e596778d831b8b58de2c51b8173393737f8262c87c17fc9018ada85

SHA512
d32a829c27f70daea9a4d92d27d15d8f9418dc8fbd1a37b2ee2532466764ec277d8d4f9fde84b4b334e22446f78df3ec8622c4c2b9205dbfa20f765e28cda1a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
a87e0ee49c6a8073c9d01f1b42fe0bcb

SHA1
5e6b6dc09cf64c518915b315da7ddcdbebd7173a

SHA256
2689a7194bfc2171f69825ea18b5b34786a72c03c9bd75513deb818e18f1b5e9

SHA512
1055e1923d94a63ebaa36228c34ad3d239fcc53708059ecab303d6637e6d75bee503dd732795b43d9c8b0d844a4abb080d7a56e3e859ea7aeb66f048a1f10472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59214a.TMP
Filesize
89KB

MD5
648b024a2ee417a6ea9fabd9de1de356

SHA1
9ece8d0d26f823aabe19cfa6248c7a635b91c126

SHA256
540f1d089b57239086f6d5f8de9a2c9cfc311fc2fc8c92150b560ba791a715dd

SHA512
4cf8c4ab350ae6bc99147b3f566c591a5905b48882e46f1dad7e0dd0c09de31dda0d5bba5a831932af51abdec369d234509de8a98e038ce555111b5b1fe7f81d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizClient.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3khkchi.isp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk
Filesize
682B

MD5
ae567b6278ed0b0191179dd1bd37c5fe

SHA1
72f6e061d27d2964e5cd80700669c1c5c46ea4a9

SHA256
41773ad30dec8ffdd8fa6bc9dbbac7b74e48ad591d85b5d79d51f18204af58bf

SHA512
3b1747fe9f4a2fa96b14c7f802debd6adcd22d57c4b6a5ccb8886a0fb97a1dec1ca3499689d9afbb9bad50ed80119eead801c3384970e27fa74fdbe46866ab2b

Download Submit
C:\Users\Admin\Downloads\WizClient.exe
Filesize
58KB

MD5
6f262adee7c149b7346d2d85087541dd

SHA1
dcd1a1c19b41af259946654bf3b17bf4cf6d3466

SHA256
55c9dc86e15768f647ca1f042c8786dee53387125f2f26e87c2ff0ebb42eb5e8

SHA512
e6e85b2fb893a7769519719c05c0ec2b58687e87bc9af1e564628aca3ceec3aef8092955e889ac687aef7f250bd937a4442c2153252a0aceee1b8daa7ceefbdb

Download Submit
C:\Users\Admin\Downloads\WizClient.rar
Filesize
26KB

MD5
8c20b4eece51e9c8a4dab876cc9c9dba

SHA1
a6176ec2bf842203667dbf5658d5dc524727c7a6

SHA256
7bdd0af1bd40c6f7267a83218a882962067867e1a65a84e3ff1198f21b5a8baf

SHA512
7bfae6417fd3dd4b40d806eb2526826dbe23e0bb2e1e02a940f2a42ed3f0234263d6bcc307c3e88fb6e68f55ed354e4ef8eee8e18f85dd0e8a61d29efa56cc79

Download Submit
\??\pipe\crashpad_800_MRODZXBLVCVNRSSG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2396-365-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-377-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-376-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-375-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-374-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-373-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-371-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-372-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-366-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2396-367-0x000001E705050000-0x000001E705051000-memory.dmp

Filesize
4KB

Download
memory/2580-342-0x000001D0E1540000-0x000001D0E1562000-memory.dmp

Filesize
136KB

Download
memory/3036-400-0x000000001C070000-0x000000001C07E000-memory.dmp

Filesize
56KB

Download
memory/3036-332-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download